a5e72172323fd43fec1f6bdd73a814ab16dc3b29d3b211ec8ddcc7032c35a706

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
Size

117KB
MD5

4d2a0000e8b80138e34fff2160604a43
SHA1

3b0293b47fcb08075e55ae1c1af3422efc8ef7ec
SHA256

a5e72172323fd43fec1f6bdd73a814ab16dc3b29d3b211ec8ddcc7032c35a706
SHA512

6500bebcea9874c11742d5a85458a0c9ae2c118ae97723c350b0cbdad8078bacb4fae64cf80c6a6b9e403f3c9aaad5537a1c0dfe027ed9d0e175b88fe744a3e4
SSDEEP

3072:VQVFWhYyfIUBJjgcSv8aJ9QkHs4iqxIfr6adnBa8+RCoo:Vvh3dBJ28aB/Iz6+Ba7RCv

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SMQgAwoc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	SMQgAwoc.exe

Executes dropped EXE 2 IoCs

Processes:

SMQgAwoc.exetOcYMcIs.exe

pid process

1468 SMQgAwoc.exe
2192 tOcYMcIs.exe

Loads dropped DLL 20 IoCs

Processes:

2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exeSMQgAwoc.exe

pid	process
824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exeSMQgAwoc.exetOcYMcIs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SMQgAwoc.exe = "C:\\Users\\Admin\\kYgMQsoA\\SMQgAwoc.exe"	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tOcYMcIs.exe = "C:\\ProgramData\\nqgQEwkI\\tOcYMcIs.exe"	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SMQgAwoc.exe = "C:\\Users\\Admin\\kYgMQsoA\\SMQgAwoc.exe"	SMQgAwoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tOcYMcIs.exe = "C:\\ProgramData\\nqgQEwkI\\tOcYMcIs.exe"	tOcYMcIs.exe

Drops file in Windows directory 1 IoCs

Processes:

SMQgAwoc.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico SMQgAwoc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	SMQgAwoc.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1584	reg.exe
1104	reg.exe
1440	reg.exe
1588	reg.exe
1952	reg.exe
1600	reg.exe
1688	reg.exe
2764	reg.exe
2528	reg.exe
1296	reg.exe
1184	reg.exe
952	reg.exe
2488	reg.exe
2140	reg.exe
2320	reg.exe
1984	reg.exe
1080	reg.exe
2912	reg.exe
1584	reg.exe
2472	reg.exe
1048	reg.exe
772	reg.exe
2268	reg.exe
1900	reg.exe
2040	reg.exe
2152	reg.exe
2164	reg.exe
1616	reg.exe
1580	reg.exe
752	reg.exe
1644	reg.exe
2864	reg.exe
2636	reg.exe
2992	reg.exe
1644	reg.exe
1192	reg.exe
1864	reg.exe
1432	reg.exe
2152	reg.exe
2588	reg.exe
2844	reg.exe
1548	reg.exe
2724	reg.exe
3036	reg.exe
3000	reg.exe
908	reg.exe
2992	reg.exe
2912	reg.exe
2312	reg.exe
3008	reg.exe
2660	reg.exe
2900	reg.exe
1880	reg.exe
2920	reg.exe
2688	reg.exe
1684	reg.exe
1604	reg.exe
2252	reg.exe
540	reg.exe
2776	reg.exe
404	reg.exe
1708	reg.exe
2944	reg.exe
2840	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe

pid	process
824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2108	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2108	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2844	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2844	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2032	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2032	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2004	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2004	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2920	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2920	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2608	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2608	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2784	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2784	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
3012	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
3012	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
1672	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
1672	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
1288	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
1288	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
1744	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
1744	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2920	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2920	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2668	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2668	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2544	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2544	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
1136	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
1136	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
1776	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
1776	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
404	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
404	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2004	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2004	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
952	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
952	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2632	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2632	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2268	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2268	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2580	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2580	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2980	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2980	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2584	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2584	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2688	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2688	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
576	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
576	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2460	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2460	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2012	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2012	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2764	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2764	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2308	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
2308	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SMQgAwoc.exe

pid process

1468 SMQgAwoc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

SMQgAwoc.exe

pid	process
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe
1468	SMQgAwoc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.execmd.execmd.exe2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.execmd.execmd.exe

description	pid	process	target process
PID 824 wrote to memory of 1468	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	SMQgAwoc.exe
PID 824 wrote to memory of 1468	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	SMQgAwoc.exe
PID 824 wrote to memory of 1468	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	SMQgAwoc.exe
PID 824 wrote to memory of 1468	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	SMQgAwoc.exe
PID 824 wrote to memory of 2192	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	tOcYMcIs.exe
PID 824 wrote to memory of 2192	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	tOcYMcIs.exe
PID 824 wrote to memory of 2192	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	tOcYMcIs.exe
PID 824 wrote to memory of 2192	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	tOcYMcIs.exe
PID 824 wrote to memory of 2236	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 824 wrote to memory of 2236	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 824 wrote to memory of 2236	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 824 wrote to memory of 2236	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 2236 wrote to memory of 2640	2236	cmd.exe	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
PID 2236 wrote to memory of 2640	2236	cmd.exe	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
PID 2236 wrote to memory of 2640	2236	cmd.exe	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
PID 2236 wrote to memory of 2640	2236	cmd.exe	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
PID 824 wrote to memory of 2676	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 824 wrote to memory of 2676	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 824 wrote to memory of 2676	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 824 wrote to memory of 2676	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 824 wrote to memory of 2720	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 824 wrote to memory of 2720	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 824 wrote to memory of 2720	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 824 wrote to memory of 2720	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 824 wrote to memory of 2556	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 824 wrote to memory of 2556	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 824 wrote to memory of 2556	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 824 wrote to memory of 2556	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 824 wrote to memory of 2892	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 824 wrote to memory of 2892	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 824 wrote to memory of 2892	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 824 wrote to memory of 2892	824	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 2892 wrote to memory of 2616	2892	cmd.exe	cscript.exe
PID 2892 wrote to memory of 2616	2892	cmd.exe	cscript.exe
PID 2892 wrote to memory of 2616	2892	cmd.exe	cscript.exe
PID 2892 wrote to memory of 2616	2892	cmd.exe	cscript.exe
PID 2640 wrote to memory of 2712	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 2640 wrote to memory of 2712	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 2640 wrote to memory of 2712	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 2640 wrote to memory of 2712	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 2712 wrote to memory of 2108	2712	cmd.exe	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
PID 2712 wrote to memory of 2108	2712	cmd.exe	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
PID 2712 wrote to memory of 2108	2712	cmd.exe	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
PID 2712 wrote to memory of 2108	2712	cmd.exe	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
PID 2640 wrote to memory of 2240	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 2640 wrote to memory of 2240	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 2640 wrote to memory of 2240	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 2640 wrote to memory of 2240	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 2640 wrote to memory of 3000	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 2640 wrote to memory of 3000	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 2640 wrote to memory of 3000	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 2640 wrote to memory of 3000	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 2640 wrote to memory of 1728	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 2640 wrote to memory of 1728	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 2640 wrote to memory of 1728	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 2640 wrote to memory of 1728	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	reg.exe
PID 2640 wrote to memory of 2820	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 2640 wrote to memory of 2820	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 2640 wrote to memory of 2820	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 2640 wrote to memory of 2820	2640	2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe	cmd.exe
PID 2820 wrote to memory of 2800	2820	cmd.exe	cscript.exe
PID 2820 wrote to memory of 2800	2820	cmd.exe	cscript.exe
PID 2820 wrote to memory of 2800	2820	cmd.exe	cscript.exe
PID 2820 wrote to memory of 2800	2820	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\kYgMQsoA\SMQgAwoc.exe
  "C:\Users\Admin\kYgMQsoA\SMQgAwoc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1468
- C:\ProgramData\nqgQEwkI\tOcYMcIs.exe
  "C:\ProgramData\nqgQEwkI\tOcYMcIs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        6⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        8⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        10⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        12⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        14⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        16⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        18⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        20⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        22⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        24⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        26⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        28⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        30⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        32⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        34⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        36⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        38⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        40⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        42⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        44⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        46⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        48⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        50⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        52⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        54⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        56⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        58⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        60⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        62⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        64⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        65⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        66⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        67⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        68⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        69⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        70⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        71⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        72⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        73⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        74⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        75⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        76⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        77⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        78⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        79⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        80⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        81⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        82⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        83⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        84⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        85⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        86⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        87⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        88⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        89⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        90⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        91⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        92⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        93⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        94⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        95⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        96⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        97⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        98⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        99⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        100⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        101⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        102⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        103⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        104⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        105⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        106⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        107⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        108⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        109⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        110⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        111⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        112⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        113⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        114⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        115⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        116⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        117⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        118⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        119⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        120⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        121⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        122⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        123⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        124⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        125⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock"
        126⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock
        127⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmcsIAQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        126⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUAwIsgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        124⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AiAwUYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        122⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuYIYccs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        120⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIwsQkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        118⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uQMUYMAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        116⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IosMsEoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        114⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zwgwoEEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        112⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jckQccYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        110⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyQEAswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        108⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKMUQMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        106⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MaEMsEAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        104⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmMMIoUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        102⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MQsIsEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        100⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkYcUUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        98⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hccIIsYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        96⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XeQsscAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        94⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYcsQAAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        92⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eSAYMsIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        90⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ugcsowUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        88⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ssgAIQsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        86⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCIAkwEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        84⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\haUgwUgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        82⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\baYoIAwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        80⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ruQwIUAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        78⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMsgEcsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        76⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIIQwkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        74⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQAAoAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        72⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SYQMsYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        70⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\USAcIEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        68⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BaQkUwwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        66⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nqswMUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        64⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JmwcUUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        62⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NkwAsUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        60⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EywIgIMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        58⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QeoMsosc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        56⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWccsEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        54⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\muUUYUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        52⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgswAoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        50⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMgcgksk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        48⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKwgMkYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        46⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PSYQQAIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        44⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HOEkAMkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        42⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQAEUwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        40⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIQAEAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        38⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGgkIYYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        36⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KGIggYUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        34⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VAUEwMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        32⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYQksQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        30⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DoIsQgUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        28⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zkEsUIos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        26⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKkgsMMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        24⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uacQgwII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        22⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSUckgYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        20⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYIUIkkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        18⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCwAkYcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        16⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUwoMMAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        14⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWwAEEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        12⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUUIQUYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        10⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VScYEUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        8⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2420
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2832
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2840
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\diUkYYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
        6⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3024
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2240
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\lQcwgUoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2800
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2676
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2720
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UgwAcwQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "118077760015117047320719419-1339381648539242419-10926912583117775011670738390"
1⤵
PID:2148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1392599201-1860814936-1888508346-2058789441-1407263028182574679-1098421676256793097"
1⤵
PID:2644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16530944391398798150-85851623614478909401500378057-97053547610385810772005376354"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-782163329-1349179662-1675909500-1054073499-1202181044900470353817244855-1976986923"
1⤵
PID:2944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6570986547283839013832686652010635342-645261298320935284-1757794132501331791"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-125347805175608568018004006576342215051920246303-338610270719576322-958362283"
1⤵
PID:1420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7748721951547563536-1333442482-1757351369-481663251-456690129-8463758191066453783"
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
138KB

MD5
24855f83621f7fdf05ee354e5c62148b

SHA1
1fb7dc5f9cdc8ceb88afea0c8ac68464e305fd49

SHA256
aea7c4c02dc6f153b145bb2b010db57249be9dc3bf5d6c0cd6e23a5f910c1f1f

SHA512
13d965f6fb711cbe076f0f8a4655681fbadaa15ef51b8ab75959d0d415a18c95059907ab479d9b1e7bd38814fec07c4a999f93df0c2fafa06f9a61c9fab6f523

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
162KB

MD5
a2c90efcfefb3a45508c9bf17e76034a

SHA1
7700d0e2f73b33331666cee98e79f48cac2336f2

SHA256
2a68e7528268a130eb18ac2096aa017ce85f40097c1811d285d8fc598cd763a7

SHA512
f1bb695b606303c33eead752e417965993f033708afca996723b95a85e13b6d2b57a83db2c0a60573e5730b7a45fa70e15d47b548ac59a148c0be6f9a4699409

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
159KB

MD5
71db37579cff3b5acd6d34859c26b363

SHA1
65619b315118594a0987bac7c490c8265d740015

SHA256
6c5f1acfa9199bc01045db2cd441f32cdc2133a24686b0ea76c9772aae139cac

SHA512
04e19827cd536facecfcbdfc464609a4e8f644dd97342dbf3b94605410cbbec82e92c3c942baaa4c9df32434e90a243c41afc4c7460dcaab637a46d0f2971b34

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
157KB

MD5
1b5669603b7adeff58b8e51408f61cb8

SHA1
4f1aa719b75a3ccbdd2dcf8c8b12e0d3fe977b9f

SHA256
6aaa09abcf9c4712535711dbed6eb61b009d7f884996f2302e0e071c32318488

SHA512
d09f6faedb0a725cbc08768ba5d313725d4eb7c9d0b6aaf0ec0fb969e5a56971d128a5c08d6d2be3b329744c3ff7be038fb3b4b8948daff8ba579eb68b9da9a8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

Filesize
158KB

MD5
9d91afb7156a3c1639c01c4c369b7515

SHA1
6fb6c99c711ea3c175b07e93697ff474835637b9

SHA256
954251a6e1a0cd67b70836f2cf618cfbd1edc5b46417698a6c1af9f065baeb44

SHA512
19e3b44cebb6955b9bae319e53863f29be3b86ea0ba07d270113832f54a60299f1146bfdddc6b7e96007200451082535b38ef96a3f98480e2cf85b9418f1d14a

Download Submit
C:\ProgramData\nqgQEwkI\tOcYMcIs.exe

Filesize
110KB

MD5
63f8dc36fec43ec214714a5021325be4

SHA1
15ffac92a596f8fdd22d4a568453725504ee071e

SHA256
5d62a560df9e37e989230912df9c222e41271a79cd2a0b938f6ca57ec799d210

SHA512
c0763e6890f04012a52dfce8ac8b5a6ce65cb237b03dffbc49bb9a5d0322ce0f1342531f4732d2ba9c396a149de403130041a89b6eb44fe98194638728d48630

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d2a0000e8b80138e34fff2160604a43_virlock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assu.exe

Filesize
157KB

MD5
1ecde42646405b8f31032f0c48f27c30

SHA1
7a082cd23e932387daf4876c5968f795a8b471a0

SHA256
14d5ccf22caaf1ba21e6fbb3e49a06a701a0a4cbaa26c7602f67d2c77db69460

SHA512
bbbf80be9834f81a747d1a2c2fd8482987c38feb85ba78ddbfcdeceaca8d5407f911c57781748cf2b68459860ecd6a344aad7fe95a9a1cba18ba12bd464a436f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AyUcUcUI.bat

Filesize
4B

MD5
a3d83717c92d8b06c47d7c10af984c1c

SHA1
2d8bde74f01fe3e3b37221f3cd7f1bf6350a7539

SHA256
77f37b0ed43baf1f2ec2d18beef2e260f2e70ba1999221232c9543900344d713

SHA512
3a3b3f81cea4048060f2dcd54174516eaa24fee1fbfe2c26472d036558f970a98e257d149d018da5c88d584d965ca0699b97e761286290d9da2377aed1b1deb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BygIEEkk.bat

Filesize
4B

MD5
8f4f32335c88cbb62d3a2df371b78465

SHA1
7cd39154acc225a572d2e76cda4bd4df83255ce9

SHA256
e07a63cb8a4783f4da4af695cc017cb6995ea5f66fee8d922b5b386f2474649f

SHA512
17dce5362c1199c81cc78336b63f808490f3602f7ad895f4c2c4fd9b252b6480dc967c6f9d5ca2d782f95018f145dd98146824ae694d9c80f6b24c8a3aa9cbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUcO.exe

Filesize
566KB

MD5
61178c8ecc2e3f0aeff68e6e4dda7138

SHA1
3099f8efc2ff0110927cf89491e596380a5a4306

SHA256
2379472352dc8fd23ab24b8b65bc2f78ca7d944566f23e449b712029ed27611f

SHA512
8089e3a0ab565ab6d7e4e334f7e4367bc6b0f14bc5be1f48c50d1915023ec7407bb53a306b0ef3de535e6f92d644b039b36c57209f350aa58d71be4dc276c133

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcsEMUkU.bat

Filesize
4B

MD5
3e29d2d9cdeaf9f113a2d091bf306f2f

SHA1
141618aacd39a647b199aa8e00cbad03029b55dd

SHA256
f3d61288d7532649a460bce12faaf1ddca428c80d746469d1c3c6f4dc224f6fd

SHA512
3eaf90d8be2ec89f2acc54161145065f011277c2d2f6594c0210b7c820b8a278a0ebccba4bbfab5424b88e2b6fa4226a5d5110fcd9f0524aaed493bd29c7243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeEAAAMo.bat

Filesize
4B

MD5
2aa818fbb287231f36f05bfabd2f3f4b

SHA1
14eb7e88fd57ebe9a40bf1ae6180c0bdcd1d0ebb

SHA256
91ee593d006dbf69c4c50bc5e71cbf5a6b34c24c90adec23af36efaef7d2fb9c

SHA512
b2b819a8733b2d4ac6889e86b026b6172e0fe373e29c9c9722f781d4c40233504352d187bb1abf3027ea009825f94c56289e813e67173894adbd774e0ee74434

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgQU.exe

Filesize
159KB

MD5
aff40156db14737d556c70c3ca2a150d

SHA1
9552ef481c9a7417fa7ee15070c0d405595ecb38

SHA256
1426cb1cb4a9fe51734dd9b1e6063917ddda951f3a16059c72143c1f72249b16

SHA512
191284bb0d3eb865443bd1d43c2add949484df3bd9d2c410b3f4493343d663411ad7b98912803a1c57fc9319d85b9535592858e21a7c89afa953ae3a841417a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEYo.exe

Filesize
158KB

MD5
3de85694b25c602e99e46577b93460ec

SHA1
fa3e88f132688412ec4c9fc6a795d7883fffa0fe

SHA256
67eac465dd08220d4fcf884f6b953c90ad7aee0c9b2133e58e0dd5124ecfdb8c

SHA512
07975db5b1ecf8dfa84091084455d26a91dc3f16a94a2a83964c067ddbb629246fb658a9c42737c356879161e2dd6e24a120fe7aa4e06801b5bd32c7bb4cdd0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIME.exe

Filesize
158KB

MD5
a2915a40c3c536516ca64dd952f7baac

SHA1
8389f1da36c9e1d139acad38a10a1a088be8d0a2

SHA256
75ff6fc53857e4f11ea1072dd143f3142cdc8fb651ba6b124dcbfafd0057dba4

SHA512
e3b30e6eb16a65a527c53a4f1127663bac377fdf2921b455c5db133952fcb7d33b9cc3386781b604845ef33a98c478dd511e4cc6c52aa5895723935ac27016d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUIm.exe

Filesize
159KB

MD5
61cad637ad1c84a65d5f25fc76bbfa74

SHA1
cc83b7e99fed84974572d20b8495af5da2a4ebd0

SHA256
d77ed9a430383f22a5d2c6f0ee6c54b42bc79976d7ffd4c07766ede82f38cbea

SHA512
0075d4b254f470d1541e8f17abce856c53d2bb91221f45f8f5cd5479c2ad29bdc741a35b49faed13a052cb8a0e9c2ea2aca144287d6208d724c3ee3632ac1156

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYoO.exe

Filesize
555KB

MD5
d150cbc19924f1b8a520e66794ef321b

SHA1
440f4506016bce0477430d81bb015ad11a06ddbc

SHA256
ee699946bdc7b8fd8ae3cd11527c3376f2dc658b9cff922742fc9ebc5720171c

SHA512
32443c6e6c05133917e58e8f846783b2460f31de13e9511b14f43386e8128a562f6711e3bd091435f1437affa8728e9c947a0cbc20cd712d7f380d0ff427598b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Esou.exe

Filesize
237KB

MD5
18a0760e494689dcd432a00c2bfdb1f4

SHA1
046f474bc4e6fd7200b599a8f118912e2c19d17d

SHA256
ffea8e6690b395ddaa642a360c0d67fcb85842354ca4687c6c5ecb1d87e9ef3d

SHA512
f3111e7572ce14c6766ca89a7e354d921b4d17dd3040a0a25019cb8176a7676724e0d3e15f65f7ead3a58e57a9f2b80eed87dab17d6e476e7a51f21408b99a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuAAEMgI.bat

Filesize
4B

MD5
ce0e4438cc93aa9f5e10fe375e7dbdd4

SHA1
ad59b47ff139b225b9b3390bcbe7727209bc41a8

SHA256
39be4e1eefb1cb55740996ea0df1c671301cc9e212e75e4f768ac85c42b5d95a

SHA512
8fe9a36840aa4b356c46982ad7a3bf1924d90918cd15f30dbbc0b100b44935bf2e9509418f286150fb67ccbdcb6e43904f8a6ef333d476fa0623ab75db3a654e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAAU.exe

Filesize
136KB

MD5
8353fee8f3cd41a7e988f903fd488167

SHA1
1c7d4bb6e02d41749c24c39d3b43d044eead6fbd

SHA256
b91bc8d8df3458f4f46cab4677dea6210120a7be73c419aba29387cbeb35db18

SHA512
bf3f1bdbe18ef6bae8d7c80c7ed46c651cb03e755fb530c7527f99ca2e3fa244711790b5136dc14fe599dd32b7c1763c85509afc71bc682b1b742b53d6122843

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYMU.exe

Filesize
148KB

MD5
c30b406d94d68e91e0745b20fff03c32

SHA1
3048166959f69eea09bd0d65127b792c512a85ff

SHA256
6fe2efb1a8c045a75d17af514bb07ba7d00ca512daf1f29e63a4489ec1aa5456

SHA512
ea0133ea8dacd7a6066aeffa8f7368bee4ff3112d2df55e45275e4a4a584f6873b9d4bb92817abcca16e46238f963ca3aa31a0e5b626d0b8effaea0d1f984726

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYwc.exe

Filesize
158KB

MD5
8c1c1fcbbeb34f8382acbbde801e9949

SHA1
afc2f516112917f5d8fe75ce93c9ec84fa0bd1bc

SHA256
7f24b28e2f35348270a9e8601c86e8b5028f256894f83f102d2198ff9f47d563

SHA512
accbeabcb12e34679f70379dc7962bcf040c95f77cd30c848b54094797b5bb6470e24ce27e9c897a13e14f9038e35eca08ee52ad7ea3358e28a22b6f808d49af

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgAk.exe

Filesize
160KB

MD5
542a5719952dd4f4711040964f2be02e

SHA1
0689b5f204354325c94809496f7a6a4aa741085c

SHA256
b379f4b42f11b8c634d8f7c26992e1572f9bd94d1f22799d47b005fd55b40a08

SHA512
f606d20ba0a9d340251cbed7b81a9efad4f6d304dba868437720488d619a58248a205ac90e5dbc86a58a381025e80c7654b74fb44f889525183aac70dbeb3f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgQO.exe

Filesize
158KB

MD5
7dc2ee1dff42f05202b99c45b92f1667

SHA1
5a7002c766392d032f46301f75fc40b830f0bbe2

SHA256
db9ecb95cd47decc2c268676ed090a106fe6819ac4adc8ccf72f976e25031f97

SHA512
ee505a59b6df05ff54b03d94c003a905e84f2cd35fae22ca09839f9f88a5040903f71ce156bd54f53f85e75d23ed0ad685f0adc38ac25c7d53e8c631299ba13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsAoEsgM.bat

Filesize
4B

MD5
e07010ed59a2b087469e7977aeb6b4dc

SHA1
9c535b2e1d057dfbf3a90454680eea3779bd22b8

SHA256
3a82e0f85f945afc8a14a88c8e6c8f40c69ff54dec5a5fd713fcaec0a266d24b

SHA512
27fbd21fbea27d0e55dee6a2d0e65dd2c64ba7f018e473815d45fb66718d5fe7256d90c7303d2ce6ce44d8e7a6a56483d62e3fd5d21bbd98530da55ffd00b89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwsY.exe

Filesize
1.2MB

MD5
adc3859d12c0dc68a3240727089a2df7

SHA1
a56b3c964ffec592af0a67658b18186c80792a71

SHA256
3192b346922b35db072b8de6ca1c74c772d975a31fc47cb5c9d4c810cbb9beb7

SHA512
2fa11049b8c6cc66d59d1a39186820b1cd35349d704bc4a40dcb5cec88dc06aaf35cf2291d89563c7efee4d163b3e5c5e78551fb0430622d4cbd68497119f946

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCQYgswo.bat

Filesize
4B

MD5
f87b8a56b8fc86c823088dd1d55309bd

SHA1
6b5a20b310201f8ea787b51424742ab328ad956f

SHA256
afc33c0403d72337b5d6cca136bcf263f120b04a3816928ff36fbbc76c891721

SHA512
caee2da5fd7b8430b6b1ca9c76cc677b468d4ade285f99990824479361b6129d2709298fb2f99d1f5d62528669e3acedccc53bf9119d0bd1dfc6ebe67900375a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HewkoYUY.bat

Filesize
4B

MD5
49d5edc3a38ee4edb54bd98777a24b45

SHA1
1bc482b5c480009a1956eb5df815f58ee6eb93cd

SHA256
6da480a7a5008bedf11fa7f727d368c41b0e2f98655e593ee71612f4d6b7f2f5

SHA512
091d1c8f3175b229705ad1011aeaec250e1a17210725a07eda5be5145a13b65cd33900c770bebf22e8b1dbae23d827d40ae226b73ea16f74cc83fd58ef355fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIAM.exe

Filesize
866KB

MD5
4d0a658105472f914b5c7cf36e7111e8

SHA1
047bd68a079ca6a5f62a7ffa7cbcaa12248dc288

SHA256
42ff5f1ae23e755121991d074eb4e0a648db4c81d8e7aed9e460f427f3b9be71

SHA512
726b032e8ffb4101d23a894bd5e84b7de4dbde0aff15aeab6434cf039f5be2062c12fdc8f990a102d211b9aeb9815f4c3c5313f6339688986c9da00c2ce8bf39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcAi.exe

Filesize
910KB

MD5
92543bdd8f8af382c32664753546e839

SHA1
327c0086f33f9de911645df7d84c8fd9a0ca41f5

SHA256
0ca92c17fd900a7904d7ddd293ac5835cd0cf1e17b1df79ece78aa0c4986a683

SHA512
3837a9f58a15e66708875d517aa58439fec3c830d9e7d12b63655ba65f5ff5fcf0825b86f21588de93008c54c363f7c7dbd4deb4a5cfc6dde3873115373845a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgAO.exe

Filesize
159KB

MD5
4300a873096ca4a1cebfd7b749e7f445

SHA1
ec64c0ebcac3a091bbdef2db4d1f68cd861933b6

SHA256
c0efd47bda1d57cac3fbb6127d0d1ddfa9b6487b8f3cc96244217c253ed07714

SHA512
18d1388bfc155912f91999a41e63705291b4c79362f631fe8c7a484d3fa8f747159af8b2602a962bb0e9e2501f5d9239cc4e719061297e40fd9844fff4c30f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgcC.exe

Filesize
157KB

MD5
b19e2063d5bf21e1be353723b6efd238

SHA1
c9bd37ef3a9fc6ae6584bbdb52976ef686a5c8f2

SHA256
db7a3debf1f268b29aac8b21845b57d3a0d500b9558cd878c9ccd1490dbcbd15

SHA512
c7cb406a5daa262b5df6f6c083a9b48dd6dba0ac80d44bd36a2842ac93aa2d081a02c41a29b225b412db62432e01f21f96c779ef142250b2548e335314ad3efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkYk.exe

Filesize
160KB

MD5
3bd2cd112210674489a5637fa2681886

SHA1
189335d6701803fec52cc7daa10286642b837508

SHA256
cb4cbf4e374039d4a7ab52b6e8c48c9618cfd7cdd72e548fa60c796bdeeb01b3

SHA512
f951541df2a2e792a2245022f8a44652482cf424302b2639cac7799936da6f721b2c31c9dff96f8eec816ae8ab388dca9cd5c3826d2d84f70151207a8ddec0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikkg.exe

Filesize
159KB

MD5
588e9ecd242a9f7b3867c3dde582d431

SHA1
7196f8a649d29ea7bd4c52830a5eba0a1fd17744

SHA256
ea58a8d1e37252625846fd320327fa629551e4908234824b36e206e1eadbf479

SHA512
40ad44041cd161ed185d7e99783deae9798be934ab93f6e6e7a58d01b76632e07e54af3ac3cf58d67ee6cc035d10d69a08345280c7a5bd0ebc073ea48c9487d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoQm.exe

Filesize
157KB

MD5
ad5f7c18c010699ece7e23bd1abb67e5

SHA1
7ef894e42e7d41330d925d61e9a93a10873bfea7

SHA256
14ddc0b9abc13ebd461370d7be85aafa6976fc0320bbf8efac7a968cfb6c52d3

SHA512
45f4823a840c42937ba683e9107821ddc4529fd652bb9c9f3c53dcce0f35abbf7007b2d078facc2245fdbe387633b17300a2af320e15471a782e588b1a40763e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMIK.exe

Filesize
158KB

MD5
36e2f9ab4edb416eb8fd16ae5cbbaf92

SHA1
f282fe50812c46e247397a9601cfb767de71ac45

SHA256
ea39a468254fc5dd5d8cec4fcbae83fcbd1e384abec255c83e263e46246111b1

SHA512
dcc8618f475c6a452c9e50e577afe3fd4836fe2432ce589ae0bd7cc04b431b944ef41ab244ea4aaf7411f1bd3242911b7d272bde57c134dfd35f89c05112997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkMy.exe

Filesize
239KB

MD5
9e4ac48b3755552b368815a6c3c87cc8

SHA1
3c1d21c8a224b12cdefc8f664961aba3bdfc49b3

SHA256
0206c16aa08e81bf4a260d31dc8c421d7b7327789ce16826aa5996c9677be6a3

SHA512
88c857f2c889e97eb9824d15e10731eab51e9a8d788197df35beae3d21f56de3d2a9b23d3f03177acf4a811f4df6754d751d4d5f27d8dd1b76811677701aa201

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYso.exe

Filesize
237KB

MD5
6cf5d69a13246fb0fe7dc35770fb5fd0

SHA1
253cf3d31fdcd112c88120c236796131a6b123c0

SHA256
e754c14fdc769835f383ba8beb90d1fd765fe146842820d6ea5bd11e4a5fe310

SHA512
d51ea2f9fb991929cf36ce875d8fb1cd00ab5ac219c3ead497f39f6fee9b66357d22a36f307b0da0e5ba2baae25581105f32a2a5ce6b9394136391cd7e1bfec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MqIQQMgo.bat

Filesize
4B

MD5
d609287bb078de27b914f502c08ef898

SHA1
f143eec71ae61e062c2c9d3a375ddef85ff6116d

SHA256
55a252858eb73a99ab67cc7cd8c7331da9df9f74fa2cf8ea4ee0b6f49ec845dd

SHA512
f8c4485198ce6e1f0154caa4b18d1c6befa8c74d776d6013d05aacef2e9d39580c691d74542403e10dd9fd084da756975584565f76d9da311e4987cd723a07da

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwgO.exe

Filesize
8.1MB

MD5
2fb4e269f289bd4407323bcb95666779

SHA1
54670f39e4d38eaca92fd6dacd523c68c94c2042

SHA256
490b321a2b9b232abc74460ce11dc5b851a7c9dfe41f346b8c3c7c806c621d6b

SHA512
90bcd815eac8d7d95a654d24349fd5dbba06349e094b55baaa659716bca67d00f7ec22a10042e57da196daa45081d6a1c4dc99927c2dd1d3f174e78c523a9af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwwI.exe

Filesize
161KB

MD5
25ae9592d6702e70b90d02fbcd49eacb

SHA1
75672f546a49b01117ff46919c0ec3b7c9874bf5

SHA256
bfb29fa67e68d0bef2d2271e88b2f26f3e96a389608b1f3ce77589981e7616a9

SHA512
be54210b72d3c22d0796de9a6671c14ead8dc47ba79dadc5b4aacd4e956dbeb36cd43850156a5b6e9c25dffd1227404ad85a88f8fa94e4ece27814c9addaa7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\NsEwgkks.bat

Filesize
4B

MD5
b3d9146473e2905fa92caeb1202bd8e8

SHA1
27ed483d87e57909024c88e5c3a7532e092b658a

SHA256
ac7dc54895d566dd4ee03e49b6021c66124e2e82bb985ddcab3c7137cf7d202a

SHA512
c4413634fba83b922ba9f725b04d48ecdf9df0708d827ac96ae53185b56e38a53d04fdaf3f3d7fdc0813eda702b5f2b5892c7b121acabf6f1f0602f582cdb732

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAkoMgcI.bat

Filesize
4B

MD5
4e1fb60fa3e3c6f7f2fb53963e6963b1

SHA1
cc36e35bd83c674c50fe8cf1d35837ebe51d6b25

SHA256
844382cce3cfe8f662abbd7ffedf433d7e2a61d5b58901c80c4e19ef14c20c16

SHA512
1c521ee9a87e72796bc61219c89863929a6df23e5554eb55141f9f5df4b6ea6d46a5cb068ecd3e37c14fe988029e0e8fb0f409ff8d043975435edc429946d8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEUs.exe

Filesize
159KB

MD5
1090a4c8743ae497e5cc09c6a142b6d8

SHA1
5550834214eea84cdba6bde72f14af8e0ff51009

SHA256
fa075754b8366ac906bed2a8f5a74a7eb6dee8e66de234e01ecc0dc360f7af14

SHA512
2e31266a7845902ef7ffccc00e3835644fe125b6f0713e071d07975e6ef2893785b5c9b0fa1f39c57bee1e6dcb5329b9c0f772c0efaf433d4b3f058bdd2dcd83

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUgk.exe

Filesize
158KB

MD5
e1e0bb2aad62f938abf7cd7e29d09cec

SHA1
c8c39d54495e8fc97e8500b4cf563ccf2c9eebfe

SHA256
aa0ad819e80e4c28d7a23a4ea0ecdb22d820f71f3d9cc5ce37f8fdc90f5612a1

SHA512
0e2ae9cfe6b46a05beca740f4c52194f2519e5f95e2428053b1a6c4e91993ef5b4062931f9e459a66c1cb428be8f44cc645f6a04f3d1e3880b1c88eb7612db4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ocsc.exe

Filesize
159KB

MD5
2f11adc75490a960f4ee3ecbecb8da6f

SHA1
4e5a86829bec826ad67c49a0379f1546b1358b3e

SHA256
178b5807646e46863f083dbc8e12503598f70b6fd18175590e5f549cd0667210

SHA512
5901bf92f318994697b2a739daaa595ed82fb365b448f709ccb99512c177ee79b63b40af016268f8cf2c5758840ef43b11bf1e6045d50c67a6982bb6d8772b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgQW.exe

Filesize
158KB

MD5
df4681f57333ae4c8326ae86163ea921

SHA1
5655ed37ed8574ba476fdb0521f0e85f2133b588

SHA256
251800644171b15dbe110aa6b3646eeb63486b8b611c4559b15df74a02a941db

SHA512
a8ec908dac043fdd665303bf3ec9efbb9b39b1af9be4505d1d6d5fb1fb9293f2859c0de3fc406ec032d18d9bbda8f5e6fdc8f12971fb3a02d4bdbc9ff47f2dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoIk.exe

Filesize
159KB

MD5
9d9527d86c900ee3cd723bb623665258

SHA1
5585bebb16f7ad6edecc564f0c2174f4a571abf3

SHA256
042bb84572a757aa8dc1a83f08c4d70204e0a5fe5e4ae84af34f775177cd5247

SHA512
dcfe8d60062ac4e2379697287b91d98b9ca0a5cfff6608130741714370c7a1a67ea65da1c28e0177dfedd5101071414f26c9205706450ac6659c1da0aedb6a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwYe.exe

Filesize
157KB

MD5
e085b105aa0a92640ea79a4a5b1d5ab6

SHA1
1e30f21b13eb985ff161b345e7c9fd8e45babdb4

SHA256
d10e9c49c7c1b5fadba4de1cc80597c59d7cfa8f1485a44618c89aaeadd5769c

SHA512
e305613c9298348209842a7c5f66c78393cd450f88a24faf62c3d8f353c6bbde72efc61ebd98ca404370812518bf1d55c934bd877ff14ec69a741c9859b398b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAIG.exe

Filesize
602KB

MD5
e731fa83fe1a193c66c95fb2894d163f

SHA1
ee5c62f16a63021b11d7cf14600db77457f88660

SHA256
098bfa2ceb4de46a9f57fa658d8323d941cebf6c22876d880465a5c3b18cbb6e

SHA512
cd04245803b71250af546635562056c2a1466d4d40cdc635feb8d3c33dde86aaa936433f149d3fe08f0c5205b933e5928c458414b4e6bf8b9c2368218b78ddbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QCsUEYIE.bat

Filesize
4B

MD5
5ff3c2487836bba63c652ff60fdb8f23

SHA1
89f80207ca4af4a15e887848009939db24252535

SHA256
a2538080860585ef52dad50b513499b6038bfdc9e152abce7833e790bd75e2c8

SHA512
1b5863bfaaf927362ac01d71802ef30041b3df4133f6dc59ca8f7eddaf3f61271afd5796d49386670413562bfd1b195e6e17c274c5767a12f1ccbbdc10910542

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYMQ.exe

Filesize
158KB

MD5
f8922cae16b830fe8fce9f4f43d8a1ea

SHA1
7c736b8a43c7583611c9fef420f41f937a8f5e0b

SHA256
5253eacf1534e94d2307169bd3b48c744efa030d89dfb9bf74186b4c113c2bae

SHA512
2b14c9b0bb96b0c9d0c6b93ed3acb9de6503f4d0bfc53cfcf6bbffd0be00673df88a30f7bf17e357667ab12026a47b7f4f8af441ab58a1a7d14a8f9e21e25d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkMg.exe

Filesize
158KB

MD5
1f42ff2eaf8589331f928156c4e90a87

SHA1
baf827a21a3549884ef0646b37825234c818b4b8

SHA256
c393049d7654aeb39d671b28192a4b8cc526b22837cb8e3cd829419608ccfc37

SHA512
ad99b490cd4454183f316e134910efd7baf2a183d1cdef884bf48460a87cbae58bc2d9eaa183b4317154c065f9c1ccf7bed8bc377cd9517eb282664ded5d9f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsYO.exe

Filesize
850KB

MD5
2e97f6368301fcc373c7b05cd6ecd414

SHA1
83748bb6d9d143afeea82873c9fc65098838dee3

SHA256
2749ab892a2a8d85ac634a14d4e6f656c613935e19895389e48545fa60177e10

SHA512
4230d71d939e6e968c5163cc2c3c25a8d2a9e9fa02b58234e12cf4c24e102774fa73b23ac2cffca8a969e56f0f54927e13b9b47bd0f23e93ae5c4e490d7f016c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwYQcokA.bat

Filesize
4B

MD5
87a43064f3ae821c9f215f62114b7000

SHA1
fd3f778e6b3556cab5a7e60bc3a95150d0355d94

SHA256
79689cd08c71e68a92789aa453ee71bd3eae2f0d5c2cf02805f2f407319ce834

SHA512
761dc8dac4257146834fed2a99dfda6e7ae6db5fa973d7a72af77ef63233e2ef4b52473a09f6b550781962591c9e07b6143aa9ea316f37b037ff869f4b37bbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEUAsYwA.bat

Filesize
4B

MD5
d9785291448a03b4eb86c9a745bd6d5b

SHA1
fc28326a4294d739cc30c2a41ce542866cf85a59

SHA256
43e28fefc6c92d83b86a312ddd50d65a7b3ba206b2cfdf225865dac6ad6b1224

SHA512
7a4662c8e74f2e297316e1460f2ddaca7088c4c7b590c208fd31d2f7953d4167946e45986b52f6ebf34714515714ef4db1f3d7b12b79364477d37a696577e5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIkE.exe

Filesize
159KB

MD5
552fe4dfc46109324ad23745b7608f64

SHA1
17c0228b3943f4ac0c8c7fd2828c464145eb64e5

SHA256
cdce2c35ad0e8a111bad972750fb3d1ceb66184a1bbd135b49cfe8fdbf95b973

SHA512
58ee775c7e222c95d3f76f36790cd89a397d1accbbc19acd38c413bb802b8a1817b1b45b2e90bdc28ba982cfa11ac0229ba540db5a933838e4091133c6b48700

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYMEQYEs.bat

Filesize
4B

MD5
f870051032f159f7ce478ab5a9447b25

SHA1
027e6e8c34f8b6f62b9c6d288b228a7baaf1e87f

SHA256
a17043852c401dfacd2743becfa2fdf39d6b93b8d0ac04a8943251e83f9c7f84

SHA512
b5e7019f84f252c91bdd7671ab84a1f3ab1abe9336357eff3c7ab69274aa35fcdc4499be30de9ba7931812db034f37167058b6c8aebb7bfaf8dd9924d6abcb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYoq.exe

Filesize
157KB

MD5
0390479b0b2ce7861da609a0a65109e4

SHA1
4b5694c3395620b904b18165282afb681924ac8c

SHA256
df799a3ef79f8d790678f4cf31b81988970696df3a9d164e043eabc25e3443d8

SHA512
5ee6c6f42661cbb3ac0068b1c2c225210a613808176d5e01c0c2e221ff304a1192119123f7cd8f8da41023fc3e3c35c6c1f90e3660c477b5826c07e9bcf0425d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsMG.exe

Filesize
539KB

MD5
7953c7f87720fc4e57238b88144e62a7

SHA1
224426fa84681c6e9a5bc5f003ec2153c000fd73

SHA256
67d4d8d6241427e42150c85d4a7efeccd27be6a03c2d1bad8dc5fbe5fe599628

SHA512
42b3b912b008265c0ef0d662494c6de1967699bada514b777afadea3d74977e7040ec78bfcaa49c3df9dde3a8cd26f1f34d518cf00bf9a463c00e18d09c378e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAgs.exe

Filesize
159KB

MD5
0e083ba5459f9668bf86f04f8d81e783

SHA1
9c1b6a8b4e9e1f05a7f5b7f4e3397389f4e6d537

SHA256
0b380884959d1b37f65ff46bcdc001fceb9e323aabb9b8e4a4f5d35ff4ca293b

SHA512
6d90445c51b0c1b217a9d928a6d2768ab0ee5fa7f5f9244394862ac5ab2301d222d06f31a81f37f72ed9066068312e112d9069e3af6974645d5e83a38ee2f6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UasoowAM.bat

Filesize
4B

MD5
31856aab68b6ac35aa7b6cb6e52edca5

SHA1
bce174fa1f0ca55314f346f5898616e00b4faf39

SHA256
bc91b73537c931c6f4e723f80b2a6a90098a39b4e7bf814765b050403ae6e08f

SHA512
586a602ff3d39364f07543bcaba73fe7b8146df38f3581ed639848f0fb11e08f514620c3acb0aafe65256da8df3a3c2dcf9cd0d358085f6c4a80d79ae9bd4b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UeoocAok.bat

Filesize
4B

MD5
e8d3c4ff4edd507938a5db7e1709a088

SHA1
65fddcd692f1e383c9facb043737e5e5a82a8e81

SHA256
0e8afc08d6978eaae4245679d28abc042c8064c8c5308d6ebb5ff794fad316a0

SHA512
ff6e3060b0e07be73d52f3a3c0858f788239b4ac631de3d7167702a4e5a620cdb304fa8ab365b81c96c3253f590a98d74a40aed20a3f30d3cb9a8d2c7eaf171c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgAi.exe

Filesize
158KB

MD5
b4a2eb0423f65307c3211a7ae073cedb

SHA1
7ec09701d9deebe9c9ac4f7666407da97e1a896e

SHA256
935acee24c8a1a894f802815ace069f4f443a993e2576478afa1226945069a46

SHA512
6c4dd3972c63223548f66f6122c73db25932b9efc9b34c307f5a94ae99c08f8107935ada7adfed9a1bd90da4d4837653f70f16be743662861b68d7588ab6bd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgEcoMUw.bat

Filesize
4B

MD5
ab565a4bbb87bb71ed81aad082ae420c

SHA1
e65e41e4f2d5e831db16346306d8a39fa5e654b6

SHA256
21fb87b87204ed99eead4bbbc53295686fd0d2d5cbe86c027be5e40165c4ab19

SHA512
0c789e7140d5999491afe14447dd4428034cdcaed995ac68fa9ccaf9aa48ee459385fe54f541c8dcfcba27c1cf92dd11688fe47edb2e9c76be170b2a90b98a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugoo.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgwAcwQk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYQggcoU.bat

Filesize
4B

MD5
dc5b15cd55fd0031b09cbafead627d23

SHA1
5e066d9093364c25720cd6826e0951e289e0dada

SHA256
83b6060a51d8550f938731cfb92886a8a30e37037de4b214fcaf1d0b504cbd70

SHA512
3127876a6deb4d240420b54f099a287423ae1a7f7c0230a81e63910b9cc8a87a878a44120b752faf3dcd61b215a68526a4c1280e4687c72283a9848ba14af9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwUooIck.bat

Filesize
4B

MD5
97046948c2ca6752513416dd8af096d6

SHA1
9e3f1290726e436e80f5b527f14707a3101d7cd4

SHA256
ec34d4da5bd3f015a27837fbae57f48ee8be24c7e920a0bccc3d9a7d2ff754ae

SHA512
7230f493e094138a754058a7f69ee53120b4c586400fe503050edf8e416905dd2500c905e64433d5334cb53d8fb60509976123aa886aaf04fa86538415e16a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAES.exe

Filesize
936KB

MD5
8a78e7b85916a887a59cc789419c9b82

SHA1
e19a8f02c2d8d7672e93c7f5cb315ade8658cf3e

SHA256
f55d97db03a4a69509d9124837ed99dd28cc02806ded86becaa1c65729f599f0

SHA512
5e19734cc05b463a309559de38d5002ec284dc65288af4333910a80636052df5088bef11aadaa62bacb2bc3c2fda3c852044561bb8285198a57bddfa486718c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIcG.exe

Filesize
158KB

MD5
155cc9916bdbd01d33a41670e35d0c4a

SHA1
68a0572d9b275bd183310f4adb1b4c437fca769e

SHA256
3d35d6bfa564f980f5e1063af0cd72add292522586403dbc44c8464e6d3998f6

SHA512
b43a483cbff7fc160e251f782c48bfde13f3f4d70d3f582c607ad8549edc27cd778b2c91a2678918673f732b2a90430709ef3ca9266e48ea852bdf27ee71e317

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIgo.exe

Filesize
158KB

MD5
6bc52e028defcf8a8992d5213320950e

SHA1
160baf6be26ee43d14e9051aba294a1f26d6fc9e

SHA256
802016c4d397cee9153d220514d6bc0360387d7bf69e727dbac8afffc6d81e46

SHA512
01de3b79fd08ff3e3b0435b83082dedee1ebfa73a5ca0cb4d21ee709071f6f3df63e38c31e5a8242a89ac3eb3c3275b752c75250c5fc570d72c0fd74cdd8f3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMwq.exe

Filesize
158KB

MD5
58022042e7e2f3abc2892f136e849c47

SHA1
77f4a6d736e6765b16190d8ce967c56b9c70ca47

SHA256
611f46adfdbf4b2656ed9a20a55ee73dd05c001238650e54682a806705f54d18

SHA512
95fa7389a039531dfa5cfa36aa467c7a9e08cea5cab758a52ccc64b7a35d19d531b5ff00406d27e1bf09fd978aa296fcb724f7edc0f3a35fb324e9d3127cc30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUgq.exe

Filesize
156KB

MD5
880710f9d64fcfe42625050d731a93d4

SHA1
b5b99261c16983a453a6a78c6fc57bb10229a069

SHA256
841d2bc6a0a0d0497dc3ceb765e37f7bd573f045f5bed1b82c11227417b327f8

SHA512
e29ad62bd70dd9e80d791aafe2c206ee4ff9dd33bfb8996f41c16c45f6f38e21ebe87f7a0f61615e0722be79b24594a124df7293861fc5e6516ea90b0c77c72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYQQ.exe

Filesize
138KB

MD5
e33b997aaf94d443d81fc411324ae21e

SHA1
d1366491a555f26d667468721342f1517124216e

SHA256
63019c6e5350fe408bff4748feda5b2a69c9480cc47abf562e27ca59ee6e5a57

SHA512
da1a3c879f799a817d103af2a36c89ce7d1825b891eaf7156517634453dbae921d2e0374698d906c68f47e85a342ee52540c9dc78edc47feedd906280220812b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wasowssg.bat

Filesize
4B

MD5
cf04b26453b244259b84f02fb7e56f2e

SHA1
517b221ab83acaf782aaf05b31a8a8aa15364d1a

SHA256
d539cb3c669d16578d4698602a4cedd8c1ed748ad06ff0bc56cd86aa2847a6b4

SHA512
15ac33cc3c555935c31d5e6981da98421c9a5c165426f0572229558e6c0019df3e1b3a99286f53ea4d4d240afe8803e8e04564d38eef97caa5ff479368ee9efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgEW.exe

Filesize
159KB

MD5
ba315df2d7e69af70e06bc8c200e788e

SHA1
f8b4f33e294acfcd97045e064a1849ba00a09140

SHA256
0d7c4c720bd55ffd731c1045dc0c68daef93303cf82a3a4dc65870679c6999c3

SHA512
197e36d35392059110e21dcad95c30d0eb489040923c19919091a7fff04847d610aea3217705e505c7eabdf66a5b6604f20440c92048d57fb7a3544b2fb90600

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wsgo.exe

Filesize
159KB

MD5
ccd6366920ac8e4640170cdf1e484aa3

SHA1
176f87419fbbae4e5047d6ce46c81c6832b88a9a

SHA256
5ce83277e782f4891b74d96c1e0a6c2ca502c19f19ac8daa6792b36775dff3b0

SHA512
75d963dde2f6be3bbecc48edfbacfc843e9c0908e0956b77bd31c174de7ff533f748d683620cdcecaac58f7d415560b40f3da106e3ed25188d485d6ad8909277

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUwYoQMs.bat

Filesize
4B

MD5
68dc6d6ca73309b376ad53d328e88670

SHA1
fc9602f342a86e948771cf773d26e6f7f660356e

SHA256
8d87f4fa6e61979fe0b361e074de08daff6635635a8504105494be52d262b94b

SHA512
d8adf755fe38e1ad0c16a6aa20d5000fbdce364c8baeec92560df20ac69f19a5b4ac8b8d0fad2567e82d61067756a6495e5ddef033aaf5ec8ec18ba36523714a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAMsMsgo.bat

Filesize
4B

MD5
21b92f51ab858f43a537ea444a8ee609

SHA1
07f1039bc8554af95151430ec2c114262f880d4d

SHA256
5e07b15f8659d1973acb3a223d49418b616e85747c8ea842d6abe4dce1c703c7

SHA512
d115bc3895f0dad793f03c1b73f031d71766f2b512ee74f1d1493fcf5c565eaf417f359d309bd577f9885283c4a80f2982ac917292869b8f397ca358bf4b7d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEou.exe

Filesize
690KB

MD5
6a415b22b2f46d359ecf93ac97acc8a8

SHA1
7a6eec94141637382dd3c1008dc97235aa8131ca

SHA256
5e9445da2459be6e59d0ef14c74ad8ef5eb35cf0b2386cc5a0a38d90a859eea0

SHA512
7ced601835b58de03223f03768fc60374e831dd58dc92a00f8f798cb39ec5a0a6efa17ea218e2f81c5649582919204bb3d4dce9545281b52b395a7170dc5400a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIko.exe

Filesize
158KB

MD5
03c0b075909daebeccde49703f34e44a

SHA1
24fc726509da26ead4dff67e708f66b30428abef

SHA256
f222435f5e3b01fdc286fcea119d7a660a9a17b1f3433e044b2dcd99edadf376

SHA512
77673ae22d37776237c28d87377c109398e0282a11b1125cd06278336604122820bf0563be345a98c9ccbb44fb1bebe6520394a654bff9b4305f1a157995e02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQEw.exe

Filesize
158KB

MD5
9b2e23a75bc9f2d7a873c31660ad3240

SHA1
67e1c46ce657f1310d7979e7a6271fd023e049bb

SHA256
4d032cf1b5a2c47cbca042bf736cf750f196679935b3b5ef25a2b1d11012ecda

SHA512
b5ec0f45905c87aa3ec509d3719581dc3d7177bf30da394a65800bb16ed78d446be442a498f9f565a9506b764adebd2f6032ab958d553521ff8e3d12007f3693

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQgEkAII.bat

Filesize
4B

MD5
ec592663b041f4bf0ed684d93df659b9

SHA1
83ab53bc068e28d0d30fea36659edbdc71fc37a4

SHA256
f22d20657b10b1f4e36f7f9015ade24fddca7d3569ddac7ff1554024aa38c882

SHA512
c9699fcb89af1d899148590ee412933209a4bcfd81bccfaaaeeea86dd04adc8b0be84f57c6ef78a496b234e0203a4b3437e6185e5e2f88aba405149c770649df

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUgYEwsk.bat

Filesize
4B

MD5
efcaf07684d7417afc0996a68716156f

SHA1
0c0e37502873c27bba8b189039f55f33d86d78ad

SHA256
6503cd81828b0be48bca135f21433343ce454b928fa2953a9b21b71fcf2e3c72

SHA512
be09322ab4a7db359a7b0edd9c8abadc2ffb4ce2f2c876c1f2df52e26852d59b9bda45675aaed65c562615e694b2b30a0ae49bccd9f44b1e7c6e8c8f4ba4b3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUsw.exe

Filesize
4.0MB

MD5
0e1d3ebd516c2f86e4baf0c113f2fb87

SHA1
21afa0d8ec5b9e37f6f94a6f39d153ee0fdf9111

SHA256
1ea17fb79006da3f3748321cf0375807afd0278ce4b25178a7bdcdd4cb864bab

SHA512
f7ecde5743dbfac40249540472ab10cddc9bb24ce4c9656cf0dc64e1ca35b44b0e7d688c814248796e4db132030d6c5c80e80679f19cf4b85838752d1db8a73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYQU.exe

Filesize
160KB

MD5
7c5d6ed7ebf9a0089d516af12b225f26

SHA1
a79e151a90b4203d01444559453559d6f9cd6009

SHA256
92b162c64b71eba35ff1e8ee87978cc4137f3b223cec12ae7830872b1aa4059e

SHA512
d80de1fd04fa7cfb75f21135a340fba0ca04ed19c1c6475b2a67e1293c5aebb7c84926fa0d30d5508ebee497d6a7c7278731b190d640ead710a1f1ab12670021

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsUS.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZyIAwgks.bat

Filesize
4B

MD5
dda4978e21b1428bb0713c8c042d98f1

SHA1
ad557f3cb2ff88a3f3257f7fdea508f65e271a31

SHA256
6b25c4da36267aad429cf6052cd6ee3e243d2e330ab4535fe491e6fd9615fcd1

SHA512
674ae1cb44f762f7ffdd66e3910c07e09d28dd044e8df712c07adad318c0951b116cfedb2c77e2b769eb3b6a05e52acde697f358fdc0a0b9271070fa530881f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aSIMEkQo.bat

Filesize
4B

MD5
189b0809d9ff515198660b5d940ab9bc

SHA1
9128d012455648447c662a81b8a728cf7a48c899

SHA256
6ccb1ba107a96caf8796494b3f500ac4f406d81e40581a63d80633930858885b

SHA512
8b02bef5d1f3e56df50021b134832ae9eee7080da9a64e093761790f70adff0d0c559e07ee9f6848f709ff7864b20f997a53bac7c2d54beafdc855984aa5ca10

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUAW.exe

Filesize
158KB

MD5
d3cb4e8133ad0006b86a4dfad7f32de2

SHA1
aac26417c5fe4a5740c491daee720717aa08e1f5

SHA256
6f1914b773ef8cc872413310154bded751ee2346ca1003dc26207962bb56dbd5

SHA512
ba134885218ecb2b988cad687f5d9dfab02a629afb9d21c6217712f9bf4dc3e53bece8c053d57bd3d43fac8766011940dcb0a46f9aa4190428c8bd4b167549b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\agIS.exe

Filesize
160KB

MD5
052ebd393f1349323f29ddc08d5a543e

SHA1
4041adfb532661e536f4f58e655ded35e7f9ff0b

SHA256
cf8b22328dabbace6011dbd2295ceafdc0cf00cad3fe8b4b4ef06de8b6647b91

SHA512
ac878b80d40907f3b3050e19fc32a88fa365d3dc5fa02b2f604d782f01e96451a6e110a7afe638e94e1a8348e8f8fd2a55bf4468392827274f3427580ab13b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\aokoEQoQ.bat

Filesize
4B

MD5
4e72d121928288e61b368b2a48e5adfb

SHA1
ad090b151c252af57ef45b42efd96b070323bdc4

SHA256
616429a749b860c86efc06c3332b3aac00499ce46ebb7e819daeab69f5ae217f

SHA512
eb82786ecf9471b3d9ef8fa3921bfa8cf304409c21a7743d612892dc8f4de6b8d1b4c32d834b2bffe1c4956a55c2c29925f9f8a1cbf15778baa4bd11aa0c9d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ascS.exe

Filesize
158KB

MD5
e92a2281208bf778b1026ca024a3b992

SHA1
42ccfbfa39636f3fdcafe8d3b4cb7e7935902182

SHA256
e1a7940713371a1bde37dab3e08bea42c05b2130072688bae31b4179ad19e596

SHA512
51bf94b1410ef94031f73efbc2fa11bd5340ee8a0d469640f4628709f1bc94f41bb0f242b9b10bf792cf5adbdbf81c3c289ee84891f15fe7310ad0cabd48c750

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayocMYAU.bat

Filesize
4B

MD5
c966161e8b0be07092dd4d951a7c1e07

SHA1
3341c62e0ca11b4736bb04c0bfd11b948ca6a2cf

SHA256
932f03751d83edffab6235582c0bf35430ec9642d66fd0b2bab1cf7f5f10a7c7

SHA512
2f74dfd4d80574b908e2aba24500d8c2c2151b46bc2174eff4b62e569d4cadc4e89cad31decdf59b60357ae98ac84ece0e97af2615043491a02379589ee97bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEwccskY.bat

Filesize
4B

MD5
51636f7665d7eac622074dd1bfe4a06f

SHA1
320fa97f6f2666438a77675366440e2dee87bc22

SHA256
170e67b99826249ff393b311fa1636f8db99837eb4b560ebee9dd8652fd9b0b2

SHA512
0a87111cdba52169086b495271f1f7d460f1e8846a094d760588690a42896c60de40ebf0475fab1c160bd01b4b5fbbbebab11b4e8e10e7912d669e8071a5bb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYgoUoEM.bat

Filesize
4B

MD5
c612f723a9dec571b3c2457bf97aa223

SHA1
a3b02d20717ef88082513af04423c3c5c4e7510e

SHA256
a5e4aab476e62c99a54da03906bdcb6d55f07f9ca3c26318937b27a4ead795f9

SHA512
0073583b624de5abd5309bef2ea00e64dd481bddeaf71d85dfa07c5786203fb9b0c669415fc8669b6db785a1cc69e2717b86e9dcf09bb0d8f92a51097ffc7014

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAkk.exe

Filesize
744KB

MD5
944850b06cd3bcec7d320ac5cceea026

SHA1
77641417d960b08b0f6a679d195eb17ab7bd6e7b

SHA256
69010d2ba3eb435753e67e4a2aab997fa9e9c833a5af863ffadf072294299c6d

SHA512
d7222d93acb9b535a192d4398d928b9df15e17fc63a35f57e3cb5da6e9817cda0166532f956f84d1557ba66cf2a817e7ad67d9b3ecf08121649d73ea9a1a3008

Download Submit
C:\Users\Admin\AppData\Local\Temp\cCQMYAEI.bat

Filesize
4B

MD5
fc31804cd2d5b2c004d3790fa74158c7

SHA1
4c7769746d4e826ad1614595c72825e4d1f96309

SHA256
41bb4d8c409676511f590c8cc3ea0eca80517cc7dd799eb182b3cfc802f2266c

SHA512
dbe8ded2d30c84d2b921852cbbd6ded3298d64eaa9a4f4cc79d652bd8e92bc6c8fcd770f2d9789214734fee7c98b147bf4f255317ca150ccc512d407dfcd85ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccAE.exe

Filesize
1.1MB

MD5
9f8cbe38b90913fef090f163b3fbf1ef

SHA1
ad952da707cb4a8e735b48ebda92853fff4e1276

SHA256
dfc33fdf8ee642c77c6b70a718073bd72b1c0bd8184d1f7806c8232390e590e8

SHA512
94a40fe7cb57c88ba9b16304c93a16445af34534670ce3fc747d1dcd1bd5f137644d60f60ebb2f8d6a6c798927b97e1dfdb3cf60ba6b89e30623cc257eac801e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccQs.exe

Filesize
159KB

MD5
6e1f540a3f710fc98c5020dffa4a533b

SHA1
f8383335e35330f510a513f6c9f66e20ee6f9973

SHA256
c65c742d80bacd65e93fdc69e8e035b5cf24f36e51535fff7f3c7e8a9ad1ccb4

SHA512
f12500e37063529bccf4efc5e98f9e2034385315121042df0e17d968be2c492bcc20f5017645972bb882d31d19c22f0fd664aa0c3809f5b46d23a8464f2b9065

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccwy.exe

Filesize
161KB

MD5
09a960e4d2e016e01f5097c3e60da012

SHA1
f3154279446e9596d9f75921be25cba1c0aaaa27

SHA256
e040203053f2acf77ab968507a2c8e6dcd3f5c79a43e78ea8264e15b95df051e

SHA512
3506538e4772f80f5aa9aa6da1525dedeea352783ff7ad2b5949bc162e0ebbbb893808d64ee3f72ce3af5f282bdbadc904297dee9514c385a7818635a24cdf60

Download Submit
C:\Users\Admin\AppData\Local\Temp\coMI.exe

Filesize
682KB

MD5
e700bc05c56562347c8c3e0bd7f64129

SHA1
8ce126161ee634ac71a2e1365caf310934aef416

SHA256
c8cdf8b1ca4dee93f8457e95fe23e3bc0b083b668d67430ab73658e24e1bccc3

SHA512
08d6a30e0a3ccae712ed9674c753e7437652b77479083994590a9141e2108731bfcc6d497d9099c72c5c3b2b605b9cfd33b8ccea4796a9c6de74c2c0e8fe7a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\dOAwEcAs.bat

Filesize
4B

MD5
c95eaf691132d69f114ee848f0764fdc

SHA1
4b08aa0aedf4aeec924f853b042f076785e63f75

SHA256
4649fd5e7a14561b6c0961a993f37cd0b2aafefea9a72f5fc4319bfb83c92611

SHA512
5b64fd275b895c39829641ac9f97f320a04246d22827b146a8dc40fb5e9c6fe54b759bd2de7ff72b4454618b0f9476e79459b70ddb59feeab1489d268603f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAEq.exe

Filesize
1.2MB

MD5
c54d91083ac0ac7726932b5a5a35a634

SHA1
54f94cec21d4d584697a8aec4d76eb7ad0a573bb

SHA256
b69372ab8c7bb31284e3fe7af427de36e2b8ebcf535a728e130c7d778a709504

SHA512
2797288576caeb6da2a25a5352c98e95853f7077a74064ee1f10fc172bedcde11fc9192b90bd08735755d4c261263e2301c4abc2460f2615c331745098d029f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEQK.exe

Filesize
160KB

MD5
b34305cd5d60999b0e13336ca06b2ea7

SHA1
d44393bde8c9095171ee6b9256b63f8129a8312d

SHA256
542fca61cb4498cf91822c35689ca7119b10620882c6e0831a1420d8a35c7c4f

SHA512
1472273a9b3f50d63846ae777f76f736f461575ac854604fc022714c24ceca1089b6489202861ad707bf9d3aa6aa2cfec3916211c636bf3289404879b7e638f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMUm.exe

Filesize
158KB

MD5
9ff1b4dffc3ef85a8e5426773fa0e8d6

SHA1
5eb006824d474dad752c62cb50ebbbcb18f7590e

SHA256
c0191582a7598a7c74151b31596685e122a5d8d7bf391c539749ede68cac77d4

SHA512
97bdb9d4aeb66a8bae46f30b9ce632e98078a665fb974101a73ae5e8dfd7933078960737455f19898c367aa775bd4dd637df3c7933753afea07cba8f61193c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUQm.exe

Filesize
157KB

MD5
cbd024bc46cfcb5842b58ef1a38a6d1f

SHA1
0329eb80e1c8178a5a0928e2d7b91113d4143686

SHA256
95795af288f02aa34b462c4f35392c548d63a23e6a9e06227b3000dd668ab0af

SHA512
68da58783f7fc79ec31c37b8574b54032700852ac899762db464c66232b1927028183aed8f4d3fc8c97b837a8b02b0ba71708860f5375aaeb35cfe04ab8f13cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUoMcwIg.bat

Filesize
4B

MD5
ef08ba9e54ac0e159534553760490f00

SHA1
7b8f4dbee80ea254ab2d83c7a287e04e5b915e04

SHA256
b9acde3777dea8b1f8777751b3c752a1d4ca1a4ed346d5e34b327ba4d156004d

SHA512
ee42dd7b411b594cac47e33f6acb07ab6bab07e3049dca54f6a07ad9c7b624a7fcaefc3aea2824f6cff83278cd878b588556db5a665286a6b9d7640c05cb80cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecsq.exe

Filesize
159KB

MD5
af68134c3ccee8439bae3eebea3f5142

SHA1
0a62685c0e8661fdcfa2db875391ce865fb4bbf7

SHA256
25a4ba60769132a1c6a4d8c9ad3efca29548ae0138c82df23e95b23c489151a4

SHA512
1e8a643c3f92dbae9d1d473b1d91f4b1531452143738d1eabeeab2d54b1eb0c80a2b577d22aeaa2c53a5976a5dab3dbc39aaa4ce2c7398c45d18d71c2542f061

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoUQ.exe

Filesize
159KB

MD5
6fddd40659de7b81778214368953e48b

SHA1
97c4003a73d46c1771a4a715f96e1e64e68dcfcf

SHA256
24e62ed11f6da329f38339a0f3541543594b5bd2af4def773b56e97463b6a4ba

SHA512
a2d0a9d15eed5368d45949bcc8b666565a4ff20f70941adffd7ba31dcafba245d849b230ed7fa37f60cf18486e4504fbd22e87c657f71649837b7296c25c4a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewIw.exe

Filesize
4.7MB

MD5
fe0e72f8281d2f72cce8998d92456cc7

SHA1
8ba19b5e5583ae6622767cce0a2130bc9863fbfc

SHA256
61699370d2dc1068e1026346d55737717662c1fd533c3abbcf131dc49e5a6e4d

SHA512
c424c64cfa84598d715f27fce31a5b9c5ab8c75b59725178e5739829e80e05bed957156c663de67d7c92c6c899a32d013c007bb93d596cb556086ad26b3a2f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewUe.exe

Filesize
696KB

MD5
d9ddca471eba4f2bcc3a41c36c1852f0

SHA1
0558572c78e501fd4a9298e0298e5ba41553e404

SHA256
72180efef1cf64c7907b19f8e2f5a86633341563420b5279c56595158b8d822b

SHA512
cb54e3571915def283db37c98754ef45b86614ab177e7b07358a6c903c585d95a0a09ff605764e6d4af6679fd6f959f5437b4e1d13b8d5f44204e2b395750b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewgoAYQk.bat

Filesize
4B

MD5
e93df017d306e7026146d7b14f4942fd

SHA1
7c2707cb30b139e894104e6cd5e6eb44dbfbd9ec

SHA256
8ad737e4e37ef67970668c404b985e95a0ac0024ad249513385729e3bd4210ff

SHA512
a53d0f72adc0d178f74d26a403a3606882fa01c9d17c2da91519bffafd3f096a371ecc7c471124a666903060c07d957883c6f0a03a481fbd02c2fd351e5dc52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIEYcwEE.bat

Filesize
4B

MD5
d42a9c25fa179567da655ff47ad04175

SHA1
34f01549730928cf2fb55f2d1cb1ff110c9344fb

SHA256
02cbb94e270c0eb57535fe75f04111bc7a43041ae3e3a38c4f128376515ce986

SHA512
843601802c0999034327eef7e40e3126191e3fda2d4255a11b161b6aa3ed6949bab3e237e28dbf5cb601853b37faa7967f1fa5462656f5f3ba153c8e1ed7bc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIIi.exe

Filesize
870KB

MD5
9fb18bdc4cf4512ac3a002ba9515cb5b

SHA1
b78ef9f1f73588974b66ac313153771b73e87c1e

SHA256
e976b65ab49816fc70b5b119a4f72b56056f431c9a4fe79639b30b314b9174e0

SHA512
6e07af4cb9725bdb8ef341dc61197b520b67a7cd6c6d6102d5cc671ec8bf4b91227bc8f15b1a1813cf7e75667fdec859a1aff74d320d4fc370937df4b30555fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcYK.exe

Filesize
159KB

MD5
f3d3cb024b4973e276287cdf27764593

SHA1
42af202b228bb4b48eb1e29ccc9cdca62ebeb61d

SHA256
ed5f5ba8af0353b881ff52f496f3f903fdd3bad93b7174fe6fd791c7b3b51f95

SHA512
31df654e71c3eb5385d5f2fc13cfccd7a39131f7bf64eb9821332be6d890dde85987af589597d195d97fe24499a3dee843a6a545874919dc6972669785c84d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\goss.exe

Filesize
875KB

MD5
46007335fca2fc2fc35ae47bc4786165

SHA1
b8b9a7a085e1dfb4ceed446c7d6e968bc6ed1bbb

SHA256
b682c5ee2d966f5f4a346d85b0a38e71dfe33d4619d5bec88885048da9239cc4

SHA512
96d73719da56591fbcb102db79b286818e50cb51ab9c84d069574b4675f6fd5e8383a12dd8f86aba03013461759f3346634c6d8f6b9f44863251d37e3d4a4e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gssQ.exe

Filesize
159KB

MD5
0f025f7bcc406bdc8293c453e47c9764

SHA1
38fbaedb4322f2de616cc069e1ce6086711484e4

SHA256
5ea2e2a0fdfbb8d3ef49e64faff388c4f859fbe87b6b6d83d076582c4a623620

SHA512
2bcec283dd0ca5fd8561b14a177f1d4f53bd8ce8895396c01f39e73423d8628d216e260c65a349e52bda1208963b6ac2adb87d8fd2ef7a6c067a40b25a52b48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwgwQUko.bat

Filesize
4B

MD5
d246df533d134a22e95b1206e5de6b7a

SHA1
9eeceaeb20f0f2a9e2e168d348d7a9c62fbfd954

SHA256
3c6b2a7737296ac90368d6aa131e86941ae1ea8b3f5f78bc950ff38cff971bcf

SHA512
49f7086a6e4f10db040dfc8529873204e1decbf9a529eeeb4a07a067e17c94a0a2dce6fe785be255ad2dc4e824805ca6864f7e7eaef0be3429bc7debceb4be31

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEwEosQA.bat

Filesize
4B

MD5
a099df04c6ffd1d98d682d57852b40ba

SHA1
18edbb9e38ba72cc553fd7d19c74b4966b90be49

SHA256
80df2543df7791f7bfa0ccf90082e99961ca4a8e16f083dc78fa6c30e8305580

SHA512
c26cf839bfd97ea2b0d416d23a1fe904a8067cb76ffe87c7ec71460dc90cea6760fa2c32152e0b3665c12813d0da87453ce65f7d34449f10bd639f5475a4cf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEca.exe

Filesize
159KB

MD5
6d0a968dd6883f9177833fffc8e9e735

SHA1
d3c717766cfd7c2b51d335a5836ae65e97a9f70b

SHA256
2293b738ffeea40fab30daee2c1d3e1bcdf5abe1631f02e5fceaf78865ef8138

SHA512
74e26992c7ed418b232e2be0ca017067652db8df3cc2783458a5f92c5b090ef52e5bc939fad0c7a9476642cb5112b915f2cf633124380ed16da4adb0d81dabeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMAE.exe

Filesize
158KB

MD5
20e031201908d0a153bb523718a37b02

SHA1
0dd6995f6df21a34b8723cf63bf9cecccbd93a02

SHA256
6e7bdd8e122a4f0a82ce3d98f776795ce202f9138bd7511462c597ee04092fa5

SHA512
e4cd130100cb53a0207d6ee11267b974aec6e11b3c4210bb2d11db5eadebffda12d68501bd265751255bd4e9da41c499e2643583591c5698a32fc3f625baa237

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQAoQsoE.bat

Filesize
4B

MD5
0dcf737eac239d8446f992186c6d51b9

SHA1
cf80037b24a923842e7f04a4bfe66862d46b9578

SHA256
682a23a1601b0de42600e5f73618f7885bfd8a453c40808106b1abeff016b03b

SHA512
082f841202f92b3e940232672764d5b651172ff4f3df82136e2dfc01e1e34471969f3da9945d7dc397e79bfe6b86691b3f17f94ed513654e7c750d6d9ef6cc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQUO.exe

Filesize
160KB

MD5
3a54ff75cfc7fc1fa3bd19b31d2fdaa4

SHA1
0e94e634772b3b1feaf9036cb53e763c5a78ebc5

SHA256
562970cad1fa0eabc45cb6710f217a9b4a735501bce3ce19900fe1b32879935f

SHA512
f41dce33074592e889df08b68f4546346b5859a35c50093f9f091bdba3726a897eecd8667d3754eaf1e9714a407082aca6bf4a30fefea93dc6fecd8a29c5fa79

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUoI.exe

Filesize
159KB

MD5
12a691242277f49e93f29a325ebe8133

SHA1
c00989ca5504006b6c78065f8a7f079978352c9e

SHA256
f0f5ffe8cc2ebf549ae228c2bbfae83b2a6d47935b050633297a7a2146e02991

SHA512
f6f3634a3524f0e7bd943f62102e5792ee8f12b48a740259481ff201b2a76ee0adf4b1586395f527bda397c9026aa168efe2e3c0a3a4892e85aa6e8c348f18f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYAM.exe

Filesize
969KB

MD5
84015fa0db4a34ee8fc0b565df416b40

SHA1
7a30c7503ad47b8d964a6650a94769975fb007d6

SHA256
fbf4659523481795aa45d19e2a23d39fb0ca6995a7c406f8623d92049be229a6

SHA512
5d2cef350cd9972927016a3f3d44db30d58b81b3bf64bac768d597286d8303eba2a07dd602f5eb425db387f9f916a267ebc79205483aa56bc4577ca92be9ca7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\icck.exe

Filesize
566KB

MD5
7c6d802d6895f27168aa55c8c6780cea

SHA1
707b3e0f9aba9ab1893affdbfcdb6f6f1ba40eb1

SHA256
30c8520ab83eb3382a73e6cf5cbdf8e2d168643640f942b0f30b0d27038e047a

SHA512
081f910c2a31520b8ab0c2b461a356936a6250c27c49f57766b165dab8db27eb44c371c8b8bbf40a4829d9109d411ca5add80f29855c5cb9fd0d3f731bd143c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\igoq.exe

Filesize
556KB

MD5
c7e29d608019c9da2ffeae0931fd2048

SHA1
0b7b9358dd7c2d886adc63658b7d3d4010ad73be

SHA256
713d0b966a67abec76ffb6c0aa6608b5c47ba0243c2e0dbe9e81128dffce7d83

SHA512
8df3dc30ff946cf245b7996fd36560958bfd4d06ebfc4173eb54ba05ceae413ab6264580153c2e86125905447280ae06ce50e1d768af7e9b0ee355ac1ec788ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgMwYsYU.bat

Filesize
4B

MD5
054de15b0903bc515f5fa4a9eccbbfbd

SHA1
39d825e640d8a9128643cf1ccd527c920881aeb4

SHA256
fff16ac7d1564aa65ca538bc91ebd6ec33569aa6b7d4a4fbffcdbcae0ac9fb32

SHA512
a77132e4ef3d7a4f91fa8653f30a0cb103c4d000e0dd63056b39c8f5e4585ddfaa7e5819f2f492095dbdaae6cf8a55cc3e3afb2b7a409ee5b69c9863a2f1b0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQAAcoEk.bat

Filesize
4B

MD5
31c4e9051dc4f3121e352b1ccdb4e6a5

SHA1
38286bd2fefc11d736866ff610580845b61d3089

SHA256
953814aad9d8b2706b568b92ed6cfeda61cc3344b697784f384740ea16e2a115

SHA512
f545cdabca3bcbad341e76ccc510177734340a59a024cfa6a18a191381370bc33efe677ee5b2a3bb799d2d05c79ed3525c8e8aa783fcbe589ff94fb431614a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYAs.exe

Filesize
139KB

MD5
17c8e23be3e12148237cfc2e64e467ec

SHA1
871aa14e374c76ad094e71da2f802463a4e873d4

SHA256
f1e7b195ebee49041e9a9867cac1dbdf388f71bd862515e5e6e4a953a60fbbcc

SHA512
c81dcb54c44b0aec5c5291e126ab04c29674f5835f48980b0403a992146f8787e485f50b3bb85563f44044ffc2ed53517d2240f70f6f239f7465cb376fd45690

Download Submit
C:\Users\Admin\AppData\Local\Temp\kocw.exe

Filesize
501KB

MD5
70cea051098103db0aef17bb8b26b28a

SHA1
289f84dfcce2a29087a2dac176ba8cfd9c8981f4

SHA256
38b1c567a0a67cfbd8653d45a20f9fbf5734490fd2cc9dd56bf0bf7d6a013c39

SHA512
6c167fb1783cfeb6d93e78644d5c0174f0145962c99ce5992e54ea0566c97508e1e12cd272a402152f2a03b814b94d1d7c78f464c76ad0686f9cfd847b0b580d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kokW.exe

Filesize
159KB

MD5
f80dcaf41f58a4ed37d3032ad07ebb9e

SHA1
479210daa05eee111cb8b7ac7eb4a1cc1420b6dc

SHA256
bd6e4ae3c7e2b496b94fef434a6b3647965389e44626927b673e4deefd6e6c40

SHA512
cc68cc14a1767132b3ec159ce0f13fee0ade3b5265bc395663d1b893c9795ece4183cf42d39f53e4257150b830657e5053c3209e26f03eab583a76da9a6240c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kssm.exe

Filesize
158KB

MD5
7ab83280b94f1883881a79d1850b6029

SHA1
71e098bd397de9a8f2025253b25d53aaddbdb44b

SHA256
02ca14e7a3f5c9d6ba1eb801bbcc75203e2708aec17812cbd019773658ccdb30

SHA512
24caee6ddf15cc512a83c5c36fc4a20869f392d0d748fbced9d2db4ff724542846c2e4c4e087b1d6af0ec48b6a97bcb8ff468fc77b70d8a3944b5435ee70f183

Download Submit
C:\Users\Admin\AppData\Local\Temp\lWsIwscE.bat

Filesize
4B

MD5
9528ebd571af5afe9592c48c8f3451aa

SHA1
953a9a06aba76a83dde1beb698201e7c834f5ef6

SHA256
faa93cfee80ac57ad7d21a9014280736168f4ae7f46f6fcf39eb051090a5bfec

SHA512
81a23f5de7d4ba7d723b35b298c8f50ddc30029de522450211bf74e9a78afc05968e41d54456170b74fee7f9bcbd59819035c22743b2ced0960d36e33560381a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwsooowg.bat

Filesize
4B

MD5
52c60cdd5e497baeb83dda8ce86a656e

SHA1
2e8014fd1a6563f991a31313b410a74b23251b24

SHA256
3ab5723dab5e3f8541980e1fc2278ef670a77ff164a0dba20d52170316078955

SHA512
0103a816efdc201805b7b9be6390e8f93768b0a2e34497907cc8e71fd68dc33f7291e121a9896442db26bc3cedb80712f1150e239e8d900675cdd5def14f58de

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAUm.exe

Filesize
157KB

MD5
f66f85b20b0cbbfa2c05242ce8dc2dca

SHA1
ff07576f27bf3aad5e12906421b4b1c3b88bd7bf

SHA256
cd694cf14df9a909390ad2ebab02bde10b42e272159a5565c880b211668a081c

SHA512
f09ad8dc608f4cdbd1b62cf19f568b25edc71c385f475baea953d97408b8889713f49878bb31ab886bef4cfb9e6dcac4f44f1964d4a3e8b3e1eb72f026bc54a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMso.exe

Filesize
158KB

MD5
65892e9f7d67061a31785017379b4647

SHA1
354865b7f293e6d1337b26cb75609caaf893d1c5

SHA256
3f7cfbf001b7d93c20c63583e655b4e0daf55f93392bedd95cfb03e80adb55e0

SHA512
8220c09aac0b424b17408d06ee4c4161d1cdc8f1dc820aa25f9af6a2aa543d71de0b7cf2a2698bfc69053159c8ae3049ebec9004145c6376f6048552c498fdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUMS.exe

Filesize
158KB

MD5
154c458659c634dea39812f084689896

SHA1
746d1298b9aee3039ca02a19c9ce8ce930c7763c

SHA256
1447bb9393ca7c637e2ac5979e9ddafd863a9d34c3ceb0182b195874f2e69403

SHA512
4c6fb5b2cd41d3c6f734e083d449c9f584d636d13689dfa7aadc654271da9161068c278c47d744c87d84ea03ac3d9a3d58282c5a565019096411640f4bca35cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcgy.exe

Filesize
156KB

MD5
0f9f90a3d9d309a5feca68bc09f7f7ba

SHA1
3167630005e1c6d346f280a8a70b65e0f4e9c086

SHA256
64384b68770d02a0e3b2f90a2664919362741a7b627087a7d5dadf8a6519a2a4

SHA512
a6a9de605e5158763294b3eb34207ec07b200c1fa934c5671be50589caf07a651470608f98b54326981515be5bd6368b2176f9cdfcf6d91d028f273b69d5dbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkcM.exe

Filesize
159KB

MD5
0e6ee82cdd8ab036a724576461757f33

SHA1
d6aecfc82ef77b8829eccd1117183a774566d602

SHA256
b82d1be3496f347f0dd5940bb5ba6597a60e90a582e90d141f3644a065c27202

SHA512
5669cbcf428f7da0f70b4c6aa35f22be10087d25a0629520766d2fb1acbc82873ed2137e5b2219dfe78abd948305e1665dd9d82272bb7bb843519e26706f8dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\msQA.exe

Filesize
247KB

MD5
4ea90e0be35152947c800e9448088222

SHA1
a716e4ac9cf4ae25c3a31e4b91a3f15c3dccd05b

SHA256
1f70718d611b3d7130365615b65c694153038e404676653fea44e0e8b2ac53c5

SHA512
ded3513d5a033135aacbb17f66ad6abd253344c8926387e096c537447d16c9e0db5b5369b6565ae839c6e247e39d3dbaa1c174a8b3040d3380511d4b3bbfa3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\myYcooYY.bat

Filesize
4B

MD5
0fa9377d6ce1a67d4fd58c6add764a13

SHA1
3e200c6b98db2cefa1627968b9002159f51d7502

SHA256
457528c8f68db9d24f3b99077c33d0ca637da2d894e1cd188d6c7eff084f92bf

SHA512
d16925dd34a2d23b0e1b915f6961d6856cf0e8b928654373d7cfb76adff0bf3245a4f6b0e7d0cb87667a131fad0b1622bed2f57c5f41cb9e3053abd340afcc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\naAQogQI.bat

Filesize
4B

MD5
12d12b07c002ca01a55f513ae2161a07

SHA1
20975822776e27494b8c8f8978c268e10c8d5a2a

SHA256
7905a760a1d0a4b1b85a87f9a39e85650298dfa3ad6736494d6b52d171ffd5b8

SHA512
c46711ab0a7e4b537a83be9b21a44d61a356f659764abb140347e93b86157e38c5c685b31b6d7c5e533bd1ba9f8f788321e2b41d3467e02790b89bbff706850d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIQq.exe

Filesize
236KB

MD5
9ef5c802634a30c78470f0a58a66943f

SHA1
9a7f7fffb98e6bf271533bdc4836dfe2cd969ea3

SHA256
45ac950655e9afe0df4607c9ba5c82f7549a0eee84133d2c0561e92c5f63c491

SHA512
35d586c955cf2273582e64ad345621e5d230075d63e447d96628a5495e35ff2694ccaea7d391b36f2e83b4143fa0d48e265bf34e88d4ee1ced95648b536d2060

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMww.exe

Filesize
338KB

MD5
04623a67a427c16c9a0c126ec40120f3

SHA1
00a21fdac4daf03e64d91949a42650f411c4cd4a

SHA256
7034095ffb1edf3e3385f00ea45cd0f917597637fee04d3fd4a4a2d2965ca634

SHA512
d0ee9f5d987f07728045132ce7a0ab9ef987a4b7f890c5cbcaaf999b1bb870458c2669ab2be8ad111b7fdb8f5a8ac8d2506073465f9e7653b3a9ec3610f8df57

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUQI.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYQA.exe

Filesize
139KB

MD5
0b2bbb81155d3e3b6bc684797f0febec

SHA1
43fbfb1e1a13c8f14ec3b1781c604206ec1664cf

SHA256
e8374437b93ed2359e6020a79d8eb3c45aa745c4a9e647af797d2fa61f48371b

SHA512
aa1f9d7f9fd9d73f9925503408dd6ccf458285a477cfee9030ed3ad2e687c7e1ce0dfd7e657309d191c2efcac58044420bdf6757d8a9a91ae96a01915dc3dacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocIQ.exe

Filesize
160KB

MD5
33bfded2b7f3d760219ca064a15df4d5

SHA1
36e459baefd15dd6fb47ec73734f85b677153e05

SHA256
aec4489a41255cd785c07953ae76b7220e8020d420e9696c68a0e0ff3710e4e8

SHA512
772e058dd76a29017d077f78ffd2ff8b46e6ad43464bbaca362359919d20446168c2924a4c9094f98a3f0447c784c0f5148d06c5744d0376dba4f0cd865ade00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogEu.exe

Filesize
159KB

MD5
781ab4a8474d44b5dac25415d0a40358

SHA1
2fd3bcccde581af8139528aa0520c639740a5fec

SHA256
4d98b92167136d1aec90bbd63ce6abf2d657d58b9e01a825134f6db73712ae24

SHA512
c5463ca61ba031c13294ac0a6fc2ad42d470010d5ce4938adba35fefe5d64746f526e1cba3a175a09ae0a4134c7ebef4bcb346083d53417e3a66377f9827785c

Download Submit
C:\Users\Admin\AppData\Local\Temp\okUQ.exe

Filesize
659KB

MD5
d3c76218f44889b40bec830761494baf

SHA1
9a9092743274ded2ad365178952caf9ab00ca07e

SHA256
ece8491ad606c6485ff40ad328b8930de66012022efda537bb18b2d6f5964e45

SHA512
a5785f02c4ec716e8acf1af13e338fce459101d12765f021fb4cd82a1330d21a328d150efccaa622a8bc1278c907df5c8ad531444a03621cecc5b596bb0a8019

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkQUEMoI.bat

Filesize
4B

MD5
691e725f627d950b9d39fcdd4f99cacb

SHA1
eef9a4a376f89a216fefb5efc356e74772d68f2a

SHA256
a3c71edb0ab5ba5f6f3089b5fea7370b30ce34eee9006f6c7005e899dee2ae4d

SHA512
dcd02abe43e7d87e70dab7f26df0fd934a016d52b65bcbad541614e4711ba4798fd765d8ae9597c9eb51c9bc963fd685d584f96c55e9c3901f753a5b3ab4f125

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIYm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\qWMgYggw.bat

Filesize
4B

MD5
e89448f087fdaeed06948f328d7cb129

SHA1
d43d6aaf6c7171ca81e6fb87a211df03e68da492

SHA256
af9760e38f5509c4e96b4f7f435f51122405279e78ace59284a1d01bbd9b024a

SHA512
965869bfff50ca6a670a2d078e7e827a6fd0a1e83fbd88b8adfd5374d5aa2015787164baa30e862bf7c737fb644fffd7cf2328e19dc678a58b7cae2f60851e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYES.exe

Filesize
158KB

MD5
de5da641e8aafc03398f3c69ef925de3

SHA1
0858ae03d2494592ff8d2dea7ce3f8e5c285a502

SHA256
4e0ec455fd71becfe2ba2543dd6c39a7a81082041f174c0518fbb6f1a9219df4

SHA512
6e69682b0f813511882acb6cbc0a0704db0bedb158d62f12b5814c968f82aaaff9e91d52b13a17865d477a3f200f5f43607db47d520812067b28986a95d68b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgEE.exe

Filesize
1.7MB

MD5
f01fa4548c7f4d2e2ba7ee5db84ee858

SHA1
368cb03d15ec89daff57aa223e731d7449d761a3

SHA256
802db101852c276b08fbe8c8d75a88e9dc719b91850510d857c2c3ddc3cee8e4

SHA512
e2194312cb7a65a2e0a6b61286b2d53acb237d6dfa27d1f72966411efc5df68bda18c2773ef595b5556331d884c92248db14783209acc5002f22ea2ae26ee414

Download Submit
C:\Users\Admin\AppData\Local\Temp\qssw.exe

Filesize
158KB

MD5
bd9908b62d3b29eb51eaa3f9cd1db358

SHA1
25a8009d22b8896e27684cd4e3c48d8a1368a228

SHA256
91c41adf271797c7e46f1d37f9150da272506965235cd7d9798fadf1acbee0e0

SHA512
b8f1dac0d42f966fccc8fb4e25656af0c1dbc061f3b0ba1a68d48d96b3c351f70afddc81535cdd7e94084eb54ab7e84cbfd1f309fa2a777a087ff29f1632b11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCQwcUQc.bat

Filesize
4B

MD5
cb83df65d782bf45a2e2b5fdc62ebcbe

SHA1
b4afbd9ad045aed1a8ef09b5e93efe6551af5f55

SHA256
641bd935c67c9b3829d978cece08672281d57350197021504dbce3f58133240c

SHA512
2935fa51b959d712a8bf42e4c2405b2a6c5e30328dfe9cb1d04f19012b340f6831eea5243a49f6112129c52510a57658048daae96332aea54f96f06f20e9365e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ragcEUco.bat

Filesize
4B

MD5
5f8dcf93e0ebe18461c6acb2b030e09c

SHA1
4d1dabc639d258cac3fac9db08e4ec087742df81

SHA256
1e44b113415a041a4b72e025ca8be0770ad6b5b07c1a8dc4615ed0f72690976f

SHA512
2ba0d4a4ffedbed0b69f1d5e85f0816627e55ac658bc960c3b7b119124d8270542f989073fce721e9bec1a7d49d7e30f75a348caba7fa178beb46e40e5d2d370

Download Submit
C:\Users\Admin\AppData\Local\Temp\reEAEckA.bat

Filesize
4B

MD5
d2055a3f46056abe6645668fcd0c2356

SHA1
82e58f0d1634c3746a2925dc7b29cd476a3b259c

SHA256
92ccdb57fddc66ba14e87bde5d3c1b4e767242055edee16cc64ece26850b07d9

SHA512
e0ed36b45387900b042b5faf9dd7f99a35e0cac21a3da1fec643b9be33613ce7d73006df92bda236ed91c8d3bc50e5f65849f82222c09cacee552278d6d44628

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIQM.exe

Filesize
717KB

MD5
0e11b0f1685bb81334fb01f1932d1d20

SHA1
e3b07732919b5d6c6e2377be57558f57dc96ff3c

SHA256
a00ff735800836238efa7b91568bb9be4bdc8d4a9287dc2f85bbcdcd1626a2a6

SHA512
2fa4ab86cf12e0afc44570e3cef9fcce8f3560a75447b33dd01193a19b10d17ad1cd45bb1713ea832858ba904276b6060d7d8129da4cbc8c47c436841d8eb4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\scks.exe

Filesize
159KB

MD5
016545a78f250608bcf408bf2e0b6786

SHA1
7194f9272e457c36889f772a0fbc6cfc8d50fd4c

SHA256
6b0de19285dd980e6b33a03feec518661e3876810221e714ea2524c1c0c4e9bb

SHA512
68f136b579d0dc1b7bad1db6712364fa729fe0b14fe5a261c883d9a82577aae1e10eb320d272a55358a69ad6f01ac8529aca0c7b20783e448f52865036c77e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgck.exe

Filesize
153KB

MD5
6100d5c701eaa031c693445ecbc42638

SHA1
3f39bdf2a829774620b9e648820e85b5a2d06dd7

SHA256
19ae2dd561f050e457ed0c3d1ed36315f679e6203ac78bae2cc08cc6ad931757

SHA512
2df05f1b23749984e204a65a739e29400ef3f169d79bb8b9514ccdec835635297e870cd40c351feffd5896d04e9fb93096a61a30946b9118d15930563a4375fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssIO.exe

Filesize
155KB

MD5
94a7ed0bc5d4160aa4afcd97bfea421b

SHA1
a47edbe1f408e64bf4be234dd3f68f9763d40166

SHA256
2611115ec759eb2b3e62480bf58d9ce3fd1850b94dd74691545a630792df6bda

SHA512
3b088cd2a85099d04a12eea02d153b2d05604ecb4c6c3f2f4d7a052c1cc824f799464c122396f3a8c7625794600e4e6e78e591f8ce5dab375eb3e7dcf0237ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUMgwwsE.bat

Filesize
4B

MD5
7af7293f7005b909aaa58f3ef66b5d22

SHA1
be1c5cd732e838e838bf5eeb1d6c2bdfeaaaf33c

SHA256
c70cb9ab0a12d62a1e4863ce83889a129627691af82fb5546a290ee4df93e930

SHA512
36d81e68e3153b2937777c56f8527b61c24d0146b49be833f06ab29f1c6cf0d5ff59d2ddb2375d50c1e6dfc1369fd2742af1e548a2af49f478f396b4d745bd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\twIIwYcw.bat

Filesize
4B

MD5
9bbb34491639c5e30e4cf4c907c3d95b

SHA1
b0bb09e979b3c31c8d9f396a5b8fac72e1f38afb

SHA256
1e8495e459b8870adedb1e141609e7525184580f77f5d5f6fb0dcb13dcf71353

SHA512
a28029ad38b70e819d42ef2477ca1f42acc98a1fac3aeb00d18a8d5be6e79646da247ad3520e4ed0a0c5f6657232dc1d8ef4a2d5cc8b150bd51a168dce0ead0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uGkoUssY.bat

Filesize
4B

MD5
9721b1e309e6dfd781c41ef38cd56bd2

SHA1
959ba065a3febcd48503a680d454e6d035e5d1ce

SHA256
e4ca23eb424ba0854c161732327940c968c9d9da937a7664c9a065b7082438e5

SHA512
58cb72c4e9d71f06889d295d7a75fb14a5eb3796a9a64b4be1ee00c2d8f879cab57f9fefc78ef1abb172aa05ed33240472e02317f3fa4e1856299898dbdc64c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOcQcUwk.bat

Filesize
4B

MD5
10b686f42df705d1ef9f45cea78a1110

SHA1
9a2a221343b67cbf1b027ea0b0a8930de8e39dad

SHA256
0941035c1d3b5a6caa4c09a77d932342c4243e2ec70c570863a2f6e19dda3f6c

SHA512
9f83837a6c18cfe3d809b7a2c4eb0069dcad2e4f39928ad8cb0e4bd5aa1d762746152a053fc2556f24f9ca6a39e8840a1b76b80374b3a1116e81a3d73227134c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUYM.exe

Filesize
158KB

MD5
03a296768326f2bec8cd3f3219269da8

SHA1
533f407a6226f6481ca900c6e2236285b9746524

SHA256
fee6e9c0267824cc0ea2f0ab611fa73d2e38c5d2df5f640110919a90705ba69d

SHA512
3e706f4ff124b133b65b1f0009a4a571a6a99fe87466ea9d84b7d836a09e276b07966b9065f9661b0df59ceace0ee9bcb53a2541597bdc571a49b388d356a4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEUwkEgc.bat

Filesize
4B

MD5
3d0ca0059530590fc1869f03888dafb7

SHA1
2d5e3c6f9b776ae79f1b3aff2500477979d442ea

SHA256
0d257ce29e34eb46f2ffaa93180afd012036963a0cd7774369a337aa78e2a5ac

SHA512
2f5ec4faf4791f616ed8f676d9e2647a8d9127ebdc1526e53d8d445a8df6e15016047952439d8d13ee9549a4ae4303486e26eb307c4bc37137200e75ef746710

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMksEwIU.bat

Filesize
4B

MD5
25b07ca579bdc552c0753db2228f1d24

SHA1
ddd67931e831ce469a22ec7876bc8a8b6026d96c

SHA256
884a3af87394c503360f166346ebf0c164901d00dd4e73db6be4fba3987fd49c

SHA512
678e8c7fef2162abb33b20b5fdf2aab03e9426f2eb6297cb7651a01a77899748ee82b6d0991ac2e7f632a22603274e7f681ab91fde0e2d25a0214c75760e173d

Download Submit
C:\Users\Admin\AppData\Local\Temp\viQoYAos.bat

Filesize
4B

MD5
b89466a9c35976477c269530c8c13b67

SHA1
0e419f21fdf9ffcecaaed3552dd3be1747578e40

SHA256
b6473abeb4863a426e1eea7e162c7fcc0dcb81132504cd37daea8844cdef3a2e

SHA512
476f6cb54cc01710758aa39659eac38a984c9671bed9e38e3fc60b5075d7bc9e525a034bb23f97c42907f49826b642a1fd620628d68afca99a55d66a4b1f8b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAEe.exe

Filesize
534KB

MD5
bca2cd72d3b43dfb7b135c2532b88751

SHA1
fa7afb9c532892376c1e5daf70de1120ad1cad07

SHA256
689222571fe20a6ed9497926b996f1e816df62fa623e4268a2964fba615ec8db

SHA512
a2dd6dbd9f079589df62078ff069fa4cc1698777222975a6b07a2cbaed0b6c323e8126c1790c1f266187d3e6717b9ee730c81433764f46c12890bc208e5c7594

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQka.exe

Filesize
159KB

MD5
d65a1c2f697a5248e62d249d45d56436

SHA1
2011cc04ca960aff9fb145b4c69648de44564a7d

SHA256
c2669572bdf0de823793ba5fa6414eb587118ca737524203c9622c1c01e9ca9d

SHA512
f07561f7a2471d35fdb0f3a17f939916df02385512dc1c0c5012bed8d4b38334ea1deae02642d14091d037813c141ffd9aa5789181c3df85e040abdb31edd22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYMIwUkk.bat

Filesize
4B

MD5
02f2e389790d553a1dbd1c1f4553f23b

SHA1
43a605f18a50bf4943f6173043d391d34dfcd862

SHA256
d9258f64fa943a3fb913e95c4bd748a233e199acc504b18988327f31efca9739

SHA512
2823cd0ba2d02a0a3698db18d1bdc0277d1011f1de993bd52181a62a47b9550126cddc2d7ea972e9b82f330f06669c69d7dc4e0f5ba71a7abb431ac4c4cccc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYgQ.ico

Filesize
4KB

MD5
0e6408f4ba9fb33f0506d55e083428c7

SHA1
48f17bb29dcd3b6855bf37e946ffad862ee39053

SHA256
fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67

SHA512
e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsUQ.exe

Filesize
745KB

MD5
d383e9c744b004bc94d9ad3094e7978c

SHA1
c6ec56dbfe7235c9789c5121c57a201769da6ddc

SHA256
26002f24d12045529a9de498f55e90644c0c8b33c01a5310b4e0a5da863c8419

SHA512
2cd0705f7a13c7b47589043e14a939b1a674d1145c03e174cf654df52073968ee052c760d2f230f10beff97c2942abe7917855087d51b3763ea4aac358243da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yCUwQwkE.bat

Filesize
4B

MD5
14cdc6395d3796f5817780043ee47d98

SHA1
cfcb06366224bdef4187795d24ec94e2d279ff37

SHA256
454e72a598a75b0b006f654b3dad005dc463c92259aa565994da9d5eb3ad4116

SHA512
bb49cbfc12ca3fb62ec81b8bf685eb48fc816606968a2617843222b4fbe35cbe3fd29fa60ee3fbfedee251f761aeffe099ffcc30418228cb7c4be10f26f6e3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUcsMUsM.bat

Filesize
4B

MD5
79f7cfca7a52c69df6bcab0539ab5a5b

SHA1
eee5a0f2579ddcdb48d58c2a2c8d7e8d164c8f2b

SHA256
d53cb03aa19b4ccff0a4cfa63c057fba49ad5090087d085af803886b3b4d8ff3

SHA512
055d0b1d7e62ce0553825260abe8e3a0da63c9d2a1b0ed643f4949555ee69828ed079f9da85672dc4a4e7791c5179845cff7c1a63b7b7ef0806317d6f5d83993

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygAC.exe

Filesize
159KB

MD5
0bbd04a2f781dcdff941fef4d451a774

SHA1
38cc188917d9b748a7c40ea56a72cb83113f08bd

SHA256
99576f119c63df63b4aa36e5e4b4865b2ce8d4bafb40a80fd6550fb7a32ba3bd

SHA512
9a77bd277b9bdcd04b00f83f7f779dcd40b7e117f45ff7ac1e7fb7657414415c6fe9b2329421d2bc47d2876219f97989e6d4d524ffcd2336812c53c3a47e054f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykss.exe

Filesize
159KB

MD5
38afd32d059549c928b4628e7e8e0361

SHA1
1deb93ec839657a8ddd9a735ea02775e3ef6e14b

SHA256
594754ce525c21337b6660cd9f34883925b89a01c2ad38e12be95730ead33ea3

SHA512
62c0ccb7850394794910372b967b2f66ceccfdae2e5c732bcd924f6e2f840a2734eccc1597fe2a9a849b3f432d8c8e1533f5f67889a0f4d5a57e4ed252673533

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMMEQkMU.bat

Filesize
4B

MD5
dbcb104eac855b2507600b07e6e05c73

SHA1
e7cf4d5b55ed1dd1645d8b0229da2e11ce3bd156

SHA256
6715326ef72b760600adb9e74379cd6f734649ba026c4aa6b38c7b4c2faec16b

SHA512
e442514aa4124333113256007536d3144d6a8b7123cff5221c8d2c72dc50b93a01dce07bb8884bd40a2be49a2a1ef2e0dd001660b1497b12745a7c348b43f43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcYUwIMo.bat

Filesize
4B

MD5
0524b51b7c204cfa4320de4f1ce23270

SHA1
791cf9d246c3d6c4217a22e6adc10d20085af801

SHA256
875213000e32a5b694b994f2342ea3884bfc54fadad8680710aee9dd5b261e74

SHA512
db5f8be5a48963cc2e7e7a12ac5af59afc540811b87aeb211be99de2f926d2742744aa731bd2386964ec24c5326aca3ccfa6edac3faa4b12432e8f1158c735dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgAcgsks.bat

Filesize
4B

MD5
99ab7a4c621521bbb8d9f6c3520a1918

SHA1
6fcf7089a4961378c841225a6cd3160ecceb3e14

SHA256
e2b03b280acca52b0f24d713b82a6501893deb5b891e9b2d683de62c7e852ecb

SHA512
34526a572a6b0bd42f0c19c5a8ff7a7ac8fa6e1a044b087de43ab2a0177f65203bee539dc14d182f8e4c55a21e4b89ebd21a390f5b458c83c7249736bc2b71f2

Download Submit
C:\Users\Admin\AppData\Roaming\BackupCopy.png.exe

Filesize
263KB

MD5
091f6d479e882ac193ef1ef76cfa1ff4

SHA1
b647a216293428fdb7972524c4fbb670d9295b79

SHA256
cb9a69f11f429406554fc5047c57fdafe8cba6a4a0e3c40180a82b93378d8ce8

SHA512
da0e412c6a6bbc12fa55c9d195e4631e5e4c0ab117911a9f9b0dfee1bd1d612888c7291be6aa8f9537ad4de224052d8e009f694cc239dbb0bd0d064cba291af6

Download Submit
C:\Users\Admin\AppData\Roaming\EnableJoin.rar.exe

Filesize
292KB

MD5
1cf8d5ab25c4e3870584b9b908a32376

SHA1
c67de679e4a2dbfbe6eaa2917c043611a6a7fe1d

SHA256
aaac5b811c3d41d0a6b83434f0009dde00e8a9ce53ab1f9846dc34fdb13f8306

SHA512
cde78cb1e50d5b19bef836d52421f4a1464a2604ab10ca895758b67cf74003f6e44fe9f04b1b3f08b38f792eae47334b5851713db745409de536678d3087eb95

Download Submit
\Users\Admin\kYgMQsoA\SMQgAwoc.exe

Filesize
109KB

MD5
86ec5398f84ccf43df00ca323c943846

SHA1
fd189b9b030615254bc8f22392c6233ef6f33492

SHA256
980be98a3ef5cfa145e24f7e253a5fc272b338f1d9b317e7bb34bdaf228852f5

SHA512
c633272c2505efc032840983e1c24282b1983bdeee38b60e153d016640d9347455f5da918ba3ca95eb29ab877e5aeeb474c9d3137bfff6e404e7647b58c84877

Download Submit
memory/448-128-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/448-127-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/588-385-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/588-386-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/824-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/824-29-0x00000000003B0000-0x00000000003CD000-memory.dmp

Filesize
116KB

Download
memory/824-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/824-28-0x00000000003B0000-0x00000000003CD000-memory.dmp

Filesize
116KB

Download
memory/824-9-0x00000000003B0000-0x00000000003CD000-memory.dmp

Filesize
116KB

Download
memory/1136-387-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1288-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1288-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1468-31-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1516-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1672-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1672-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1672-409-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1744-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1752-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2004-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2004-129-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-104-0x0000000000140000-0x000000000015F000-memory.dmp

Filesize
124KB

Download
memory/2108-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2108-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2160-362-0x0000000000370000-0x000000000038F000-memory.dmp

Filesize
124KB

Download
memory/2160-361-0x0000000000370000-0x000000000038F000-memory.dmp

Filesize
124KB

Download
memory/2192-30-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2236-33-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2236-34-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2416-265-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2416-266-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2516-313-0x0000000002230000-0x000000000224F000-memory.dmp

Filesize
124KB

Download
memory/2516-314-0x0000000002230000-0x000000000224F000-memory.dmp

Filesize
124KB

Download
memory/2544-396-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2544-363-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2608-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2608-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2640-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2640-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2644-337-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2644-338-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2668-339-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-372-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2712-56-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2712-58-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2728-174-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2736-289-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2736-290-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2764-80-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2764-81-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2784-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2784-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2844-82-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2844-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2920-348-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2920-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2920-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2920-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2984-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3012-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3012-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download