21c1ceae5da2accf9f65d55991e99fc55c435aa23cd95f5a9707e8c6579b6fd3

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
Size

113KB
MD5

de27a41bd5e475550119725fa3165367
SHA1

4c82108c8e75182371d3629d6ff07465a02f0c29
SHA256

21c1ceae5da2accf9f65d55991e99fc55c435aa23cd95f5a9707e8c6579b6fd3
SHA512

891995e1d548c5566ad53ff447b5906c6a1569b21a18d4058628cfd346475e91f73939041f9bc6d8ed25769326dc948f72fa2f1f122e3220114ed2501df8f08c
SSDEEP

1536:aY1+XypbtsjvSpF2cIAzmZPZzNnLyCGlHU0TxGMAdVJG47k5OKWs7Xj/WLfM/qg:mXEbtsjvSK55nhJsLTFAdVI4Q5R2fPg

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	aEswowUY.exe

Executes dropped EXE 2 IoCs

pid	Process
820	gKgIcQIo.exe
3036	aEswowUY.exe

Loads dropped DLL 20 IoCs

pid	Process
2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aEswowUY.exe = "C:\\ProgramData\\AKkAIEYo\\aEswowUY.exe"	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aEswowUY.exe = "C:\\ProgramData\\AKkAIEYo\\aEswowUY.exe"	aEswowUY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\gKgIcQIo.exe = "C:\\Users\\Admin\\FqAMUYkA\\gKgIcQIo.exe"	gKgIcQIo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\gKgIcQIo.exe = "C:\\Users\\Admin\\FqAMUYkA\\gKgIcQIo.exe"	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2668	reg.exe
2440	reg.exe
2560	reg.exe
1004	reg.exe
1600	reg.exe
1872	reg.exe
544	reg.exe
1648	reg.exe
2512	reg.exe
2132	reg.exe
2208	reg.exe
2392	reg.exe
2224	reg.exe
240	reg.exe
2292	reg.exe
2164	reg.exe
1908	reg.exe
1732	reg.exe
1708	reg.exe
1980	reg.exe
320	reg.exe
2992	reg.exe
2436	reg.exe
1364	reg.exe
1972	reg.exe
2192	reg.exe
2196	reg.exe
2728	reg.exe
1344	reg.exe
2684	reg.exe
1316	reg.exe
1328	reg.exe
2656	reg.exe
1156	reg.exe
2628	reg.exe
1124	reg.exe
904	reg.exe
840	reg.exe
1152	reg.exe
2920	reg.exe
1408	reg.exe
1152	reg.exe
1616	reg.exe
1732	reg.exe
2976	reg.exe
2380	reg.exe
2344	reg.exe
2252	reg.exe
2876	reg.exe
2932	reg.exe
3044	reg.exe
2916	reg.exe
1600	reg.exe
2240	reg.exe
2768	reg.exe
3056	reg.exe
1328	reg.exe
2768	reg.exe
2680	reg.exe
2168	reg.exe
292	reg.exe
1108	reg.exe
2240	reg.exe
2036	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2444	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2444	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2016	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2016	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1852	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1852	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1736	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1736	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
624	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
624	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2232	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2232	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2684	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2684	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
240	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
240	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2780	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2780	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1484	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1484	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1376	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1376	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2800	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2800	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2672	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2672	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2720	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2720	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2620	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2620	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1304	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1304	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1784	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1784	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2636	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2636	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2712	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2712	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1680	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1680	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
328	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
328	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1856	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1856	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1612	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1612	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1680	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1680	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2524	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2524	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2772	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2772	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2488	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2488	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2024	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2024	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1132	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
1132	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2228	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
2228	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	aEswowUY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe
3036	aEswowUY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 820	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	28
PID 2984 wrote to memory of 820	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	28
PID 2984 wrote to memory of 820	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	28
PID 2984 wrote to memory of 820	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	28
PID 2984 wrote to memory of 3036	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	29
PID 2984 wrote to memory of 3036	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	29
PID 2984 wrote to memory of 3036	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	29
PID 2984 wrote to memory of 3036	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	29
PID 2984 wrote to memory of 2576	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	30
PID 2984 wrote to memory of 2576	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	30
PID 2984 wrote to memory of 2576	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	30
PID 2984 wrote to memory of 2576	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	30
PID 2576 wrote to memory of 2508	2576	cmd.exe	32
PID 2576 wrote to memory of 2508	2576	cmd.exe	32
PID 2576 wrote to memory of 2508	2576	cmd.exe	32
PID 2576 wrote to memory of 2508	2576	cmd.exe	32
PID 2984 wrote to memory of 2672	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	33
PID 2984 wrote to memory of 2672	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	33
PID 2984 wrote to memory of 2672	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	33
PID 2984 wrote to memory of 2672	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	33
PID 2984 wrote to memory of 2976	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	34
PID 2984 wrote to memory of 2976	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	34
PID 2984 wrote to memory of 2976	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	34
PID 2984 wrote to memory of 2976	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	34
PID 2984 wrote to memory of 2660	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	36
PID 2984 wrote to memory of 2660	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	36
PID 2984 wrote to memory of 2660	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	36
PID 2984 wrote to memory of 2660	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	36
PID 2984 wrote to memory of 2516	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	38
PID 2984 wrote to memory of 2516	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	38
PID 2984 wrote to memory of 2516	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	38
PID 2984 wrote to memory of 2516	2984	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	38
PID 2516 wrote to memory of 2416	2516	cmd.exe	41
PID 2516 wrote to memory of 2416	2516	cmd.exe	41
PID 2516 wrote to memory of 2416	2516	cmd.exe	41
PID 2516 wrote to memory of 2416	2516	cmd.exe	41
PID 2508 wrote to memory of 1980	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	42
PID 2508 wrote to memory of 1980	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	42
PID 2508 wrote to memory of 1980	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	42
PID 2508 wrote to memory of 1980	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	42
PID 1980 wrote to memory of 2444	1980	cmd.exe	44
PID 1980 wrote to memory of 2444	1980	cmd.exe	44
PID 1980 wrote to memory of 2444	1980	cmd.exe	44
PID 1980 wrote to memory of 2444	1980	cmd.exe	44
PID 2508 wrote to memory of 2696	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	45
PID 2508 wrote to memory of 2696	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	45
PID 2508 wrote to memory of 2696	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	45
PID 2508 wrote to memory of 2696	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	45
PID 2508 wrote to memory of 2692	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	46
PID 2508 wrote to memory of 2692	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	46
PID 2508 wrote to memory of 2692	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	46
PID 2508 wrote to memory of 2692	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	46
PID 2508 wrote to memory of 2704	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	47
PID 2508 wrote to memory of 2704	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	47
PID 2508 wrote to memory of 2704	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	47
PID 2508 wrote to memory of 2704	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	47
PID 2508 wrote to memory of 1968	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	51
PID 2508 wrote to memory of 1968	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	51
PID 2508 wrote to memory of 1968	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	51
PID 2508 wrote to memory of 1968	2508	2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe	51
PID 1968 wrote to memory of 2200	1968	cmd.exe	53
PID 1968 wrote to memory of 2200	1968	cmd.exe	53
PID 1968 wrote to memory of 2200	1968	cmd.exe	53
PID 1968 wrote to memory of 2200	1968	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\FqAMUYkA\gKgIcQIo.exe
  "C:\Users\Admin\FqAMUYkA\gKgIcQIo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:820
- C:\ProgramData\AKkAIEYo\aEswowUY.exe
  "C:\ProgramData\AKkAIEYo\aEswowUY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        6⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        8⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        10⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        12⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        14⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        16⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        18⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        20⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        22⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        24⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        26⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        28⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        30⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        32⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        34⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        36⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        38⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        40⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        42⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        44⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        46⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        48⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        50⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        52⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        54⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        56⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        58⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        60⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        62⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        64⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        65⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        66⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        67⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        68⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        69⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        70⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        71⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        72⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        73⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        74⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        75⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        76⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        77⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        78⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        79⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        80⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        81⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        82⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        83⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        84⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        85⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        86⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        87⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        88⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        89⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        90⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        91⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        92⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        93⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        94⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        95⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        96⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        97⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        98⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        99⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        100⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        101⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        102⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        103⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        104⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        105⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        106⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        107⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        108⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        109⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        110⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        111⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        112⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        113⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        114⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        115⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        116⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        117⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        118⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        119⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        120⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        121⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        122⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        123⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        124⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        125⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        126⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        127⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        128⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        129⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        130⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        131⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        132⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        133⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        134⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        135⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        136⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        137⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        138⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        139⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock"
        140⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock
        141⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TKEwoAwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        140⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vekMMMUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        138⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fsIkYkQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        136⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jkYswsUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        134⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NsEcooss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        132⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MkEQEEME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        130⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EigMYYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        128⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KokIUgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        126⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKMwwIMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        124⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKkMAAIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        122⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pcQoQogc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        120⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BIMkwcgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        118⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HMsgQosg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        116⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UEQUAwQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        114⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uQsAAQMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        112⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YqMgssIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        110⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YYMEgEco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        108⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RUMsMUEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        106⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RkEYsooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        104⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xeYMccEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        102⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZcUEUEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        100⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fQwMYQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        98⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMYsMgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        96⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAgMIMYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        94⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wWsIUMcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        92⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nOcggkUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        90⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hisQsAAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        88⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NskAUgUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        86⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKskgYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        84⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIYoMUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        82⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqcYIQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        80⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AecgIsAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        78⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAIskwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        76⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VOwQokkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        74⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rOAQEcsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        72⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DiowYcsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        70⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LqoooQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        68⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKQgwEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        66⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mCYcYkUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        64⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GIYgMgok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        62⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SWQgkkwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        60⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEwUEwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        58⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aScIQIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        56⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lMgQsEEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        54⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dMkYQIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        52⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RaIoIQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        50⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\veUAowgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        48⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fickkUMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        46⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMwcMoYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        44⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gowggQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        42⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MoUAAQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        40⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkEkUkIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        38⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nSIcosQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        36⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgIEUcwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        34⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCIUUkMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        32⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKgoAssw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        30⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZmQUcEAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        28⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OscYoYYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        26⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwwMMkIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        24⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eSUEUssI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        22⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MgUEYkcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        20⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwIwEMQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        18⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pswcsUQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        16⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOYsUAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        14⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HOcgMgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        12⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgEYsoII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        10⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOwooYYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        8⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2096
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1252
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2164
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CUssQoII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
        6⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2868
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2696
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\UoEwgsko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2672
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2976
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\IgUYAYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13581259692140816868-1281808709-369356701-194755471314701244672669721651767084729"
1⤵
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1552679592219209045995683131-1290520608466085585269520781090324503-1943209405"
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1134637098-1206309221379704255775471745660676283-1523165676885730107-1561840437"
1⤵
PID:684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "544620653-37041193-171449108918460041761544180920909364619-1750304108176978122"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10048297531606544001-1537129416-1488046327-206465719411945602371447047359-564313086"
1⤵
PID:2700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11666024131011716185381725606395682066-1084868179-1911755943-388763951589223972"
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
159KB

MD5
2486b1d03c54b6fad53afad79533c4a3

SHA1
a2525b4d129e04187444863cb9b24071727eb11e

SHA256
79edac76314a424bd1d6959da353f2aab32842d62b60663cf2e5d9df509fd16f

SHA512
e28aae057731169d3f6d25038afa5f1c6fa0825e935ead8055fe62b481360e7ba0cc1463358e7798f45aeb425950adfc84c50453bd00d29d60c97857a6470a38

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

Filesize
160KB

MD5
81fb7e12725b878b2dd86ab89b61765d

SHA1
79b45987b5f2f9b27110d4b3106e0863993708fb

SHA256
85320f2981adeed08049e74d3c3382034607a4dee3e5bbb46de2a018602e2f64

SHA512
a536cb2b89dd2ce2fb54aa14208efd17ceb1c1f1ad8d43413346344a1a56df418cafdb75c1829fcece1271778294c51846378dc606eb342c4bf22e70ac4c5967

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

Filesize
162KB

MD5
b6e938d589bccfa9c1b825c7eeef39cb

SHA1
e73dac47acb0648f52c52441e543a11afd75743b

SHA256
92feabb7d225caf677878ff0ee2600d27df4dc810071390e03dafe8e217099b6

SHA512
7c5c5d0808fd813b265ad89d4774f9510a06fc822b0476df959380c1e313c23ae44051bbd28bb4d3c2952ce10f261f0eac66231c8b22d8486958f50e6fc8839f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
160KB

MD5
ebad5e17f7d3394d3a31a9c74795d9ba

SHA1
a49d4e2a373cc72318f0c5ceabed1baae82495c2

SHA256
4d13b273b12dbf616bd9bfdfeb6fcdfb9e600a5c600c2792ced68f3b80d13350

SHA512
b51c3b66e20bbcaca6688ce302dd6abc7a9de6d96842d3223b28758156020904c1628e6416825f54e9e27f47ca6b2c7525c621dde7bdadafa17fa89dc81c56a2

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
162KB

MD5
7c971daf34f5499f34c247e6abaf048f

SHA1
91e007ce44c99a892b4facfcdeeec9f904e8b096

SHA256
c79d17d34bffb156ca148d5c0aa111a7bcc332c3094eb854164305d44635e80d

SHA512
bbbf784200e79217c5c13a4dd4e304a33e891e942907701119406f0d2db3e2b383cee1c8376632b52b069533445e0784c663cfd1932573323b55d2e32f88c30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-24_de27a41bd5e475550119725fa3165367_virlock

Filesize
2KB

MD5
ff04b357b7ab0a8b573c10c6da945d6a

SHA1
bcb73d8af2628463a1b955581999c77f09f805b8

SHA256
72f6b34d3c8f424ff0a290a793fcfbf34fd5630a916cd02e0a5dda0144b5957f

SHA512
10dfe631c5fc24cf239d817eefa14329946e26ed6bcfc1b517e2f9af81807977428ba2539aaa653a89a372257d494e8136fd6abbc4f727e6b199400de05accd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEMi.exe

Filesize
1.7MB

MD5
efea02b664bb6d7ab626212e289004b1

SHA1
8f92a36124f43c524d0a861d0b138a7b9646cda6

SHA256
ee4c59344a1c63287563f57a3f212bd51b7f7fa6b66d40500514fa301991e7d5

SHA512
f853c0c5b586a7ed1bb73c983f7d2d8e9ece713c107c1a6f21a8111918d8e9ceff48609519a7815f428d676b106e58e3d260ffe2874534cdbc8d6243746be4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQQi.exe

Filesize
158KB

MD5
54ad4e52e31b8068b148d637c22c2a67

SHA1
8c0363208712966026e199993b1bea6caeee673e

SHA256
50fa03be94dabe03643ad2299959d590078fe7b281b55471ac3630ed4c9b4ccd

SHA512
9a2ed1ad4758956a6cbe258bcb12ba736edaed19b5d56695d3c46fcc8a5435ddc6baef97d249756ad9bdae3509657b9fa5565965b2d8f8305ee96bebf867158f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQgW.exe

Filesize
518KB

MD5
66ed1c1853ec8a62c6e3f0412afd08ae

SHA1
e376de004c05d24a26db7ca944591279a035553f

SHA256
f171070efc700e7fdbd2f8f8d836c0b1d422dc12d4550e1e0eb5f441b9db9ddf

SHA512
018d3e69eee983307456a73c3fe4a4e7005cc7c88e6872450b2fd5fd1d9c1f28eb8ca2262d1f5bfb1e03a1d4a27238de7091fb680bb1d16a469866d007860884

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYYYMIwM.bat

Filesize
4B

MD5
57233117b357609a425460ae085c24ba

SHA1
371d9b487788f35285259a7460bbbde4f39763ca

SHA256
91aa08238218082540623c2aab8580ebfd6965b7a72fb525e0a592e41e468f41

SHA512
1fb29e0db8fadb993665e3a0c3b132fe3a52bdeb40bc8f1cb6ce6dcdf71cd743d8462c73f4d8f2139ca550d4118cca9a43cfc22c25c41a0e4bb6d6154d2c012f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgUggkUc.bat

Filesize
4B

MD5
ed384af383ac6c58fe5245ea346b920f

SHA1
ce8448e31630481dd409f65abc02d93914bc163e

SHA256
d9d5651484becae97e0493c6fe3f510d83da7296170da6b6bc6b30caff7dd399

SHA512
d440a5d3db97f0d7c87b27367a2649ae059764e10c1d8147e5e7ef872e11f56ab7b2cefe8f912c6d1d8ffc01bc98ac694e06a542513d9b35022b2110359a31a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsEu.exe

Filesize
547KB

MD5
c5142f95d72e64602e2f374a021fa35e

SHA1
b1a9b69025fc9d260f37620f01661a14b8535773

SHA256
412ca773df351a7da4418019fd8f678c25ff962e25487ee8db378727bcef77a6

SHA512
c0f0faa39f8b977eef508530d358bbe535ded43df1900a614fbd9ce769ee8ff75a3d562545a03572dd1d5ad1a54cd4b8cc2f03e9eeda344155e1bf2a3e0d45e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAosEIII.bat

Filesize
4B

MD5
2d49a7343a195a0e847623cce3234f9f

SHA1
4002f7356f76ddcf1000bd0129531868536cfc65

SHA256
5275513c6fb3e7d17a0eaf037bbf08a3655c351fb3191f9205dfc4fbe8b63ea2

SHA512
7d16a453a93ddc5f0fa2d6fd89e761c6ac0c2edcc63edf00fc95f140adb5731e2dd15982fbd9f29838433aa44b9b16f3d5fdd487bda4f8ab45fe6969dbd83ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqgggEgM.bat

Filesize
4B

MD5
36687e57dd8fce1355f6520e048cdb24

SHA1
5ca883adbc4817b5a4f8cf7ee28792568fcd4a1a

SHA256
fa2387550abce66e3ba78a6f331b1e9631a18ab2d45911d2e33a3280250bf99a

SHA512
fb251752c92167df8a92cf5afaae09226e050fca9b5e14fc07f0153b51cc4238905d5af4896918d1b489f1bae8c6133709894a3903fd1d174305a982080e7f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAoG.exe

Filesize
158KB

MD5
57accb5329649f829f5ba4cd8d261445

SHA1
76703b8cd4f4bca51dbec6e37636dde84a462b49

SHA256
66280d1fa081c2a9b6937defc832f11e2dc8f4f06b557401615b56b8c60227bc

SHA512
9664a188523f81a1e464aa01424bb02793e681413cf53cd420cb5da7548e00bb6700e29b3ee3f3aea1cad1267bf4534fde381d6e4f5f2574f50d22c387081c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEgm.exe

Filesize
158KB

MD5
e352d0d72ab13e056a6bb8f8f3f66177

SHA1
12bae0cea658b43ceae230f6fb40f1af29d057ea

SHA256
1553073bcd543218adbeed2248e8c4fea4a3e524a0849f7eb521e49836960a0e

SHA512
df4dbd1246f0e95c4645cc3010c29077cf0474b1192389d2e73ecb52c3fbb6f74bd5b088fd345724c4c1ffbc230e50d3e610ff873ac71887287f5c0bacbb9796

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIgY.exe

Filesize
159KB

MD5
3e2aa243e3dcd79751981adff02f56df

SHA1
f810019ed7618fac60a9f5207308101a3f99d08e

SHA256
4ce3b318458dcb8cacf1aafbe6267382d164c286019b8f5c45af16800e3426c0

SHA512
5c75c2572e08ec13367773b48e8270c6d4263bf141095d1d16530108339f6143f21984ff4d11b493b21fb41b9079cc60c5da89f206ebba245d429c90c0735363

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQgY.exe

Filesize
157KB

MD5
573157bbc276f2dce7b0ec82f80595c0

SHA1
96346dc9548a2a7d1002cffa9e7a32a61a1c9b10

SHA256
1dac19ffbddce84d53531f5943a7977554ce3edeb05a67dac9cb07149967c5bb

SHA512
90bc8bb9d9c24aa92c80a330d028511b8df314aff8e4cfde9ae2e27832297ecb6882f1b17117b42b3f3941afa0154095ea1e7e1918be2a8fa23145733dade27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQsQ.exe

Filesize
157KB

MD5
eb6821380e6aff993866890834c23e6f

SHA1
8b6c47400eaa4e749d6524fe4d108d284a828e49

SHA256
e250a7ef129cfe9f4f60c0ea5f429edc343312c02fc790619e7589eeae406aed

SHA512
8978734861c83a389bea173835c2565f5bf5532fd794707567b827a9f606003976fe6adeecd4cc638f86e05d209bcc753b338130e5e4651df13e3e9428667db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYEQ.exe

Filesize
152KB

MD5
dd3096871fa3cec59c44a0f8ba7fc186

SHA1
0b32d783b9160666b3f77d1d1c2f320fee37b7df

SHA256
00ad54f3e1b967e3cfb9556f9c37da2d4cca4d7c38359a9b06ad731a0eec6650

SHA512
c33e51e149dbe031f6081c5a525d3a201861a7f9b055f70978a78997cc81546424cee4eab72f5f5801184d814f567448bc5b2648c9f1bdacf308f96a6fa60dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYQUsMcw.bat

Filesize
4B

MD5
02fa489e7940814596c436c1257e1241

SHA1
cfb887d8117e7e909a5d83d33d3abf5cc9de6694

SHA256
1272907bd0ad24a237d890afa9ad6e1f7acc3bef78e23b3f218277e157a528c7

SHA512
98c1520e788fcba696e99600633dfe73c91ed5a167cce8e96f5e10320cf665507e8e644723d87f4eadad1a3ad2c1be8536909664ebeeea4fa16c511cbf390b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiEkEwog.bat

Filesize
4B

MD5
92029a215b5c56a281cf05e71cce0b1e

SHA1
34953c46bb830cc30a1016ffc38599f16b50a42e

SHA256
00da23e31f6ca765568bdcf05cfee935922010ddfc1632df16d9951a1a149f93

SHA512
05b0d8c2cecd6a2d491e196d9beab968fe39912ea0b3ee0c19165e0f9443c31784516a861ce2745eb1906dd467565fed2fe587c9cfc024e2577c4870ba87c9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEQM.exe

Filesize
556KB

MD5
0b4a98a6bcac6ed8b66cdea881ed45c9

SHA1
4727595a08276ec718f4f10338f5b8b040758013

SHA256
fc6884cdc6fb1036ba4bd874529c3c99edd94edc381bd7b6ecfea0b93e791bb5

SHA512
fab5e334c40e80bad2068043ed75929ff0237435747f4b6e2e81769cc8cd75c1789511f60f522109b5c31f6053cb5a61200763e9c8a46b08395bc7524d103f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIMu.exe

Filesize
158KB

MD5
13ce8ddff9e639c6e9e260f789b7673b

SHA1
700c4005314c0941e7eaaa802d2b9c56d66e2f9c

SHA256
4e18f0d4c2ce821677fa6b3e48c610be27dddbe2940ca417f755fd844879f609

SHA512
e7ae0c341219c0de19490bc6260b44784e4114fe4c4aa7f5c1163650d2726d27de2c7799ce3924c5d56ee25bb3e89c08910b42d5176f7014a0651e6cf3abf8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMQi.exe

Filesize
742KB

MD5
3695cee5b745b33a530ba5e5936c9da8

SHA1
64268038cc6223cd2146c1739339769ec5c6f6b4

SHA256
a14b5b7589e8d90f0c0ce588795c09b0ca160d4f8fe0895ef4cd47427fe2c389

SHA512
86ff42b4456e3a7ac5e10e3a36d3224032bb6035c7c7f880d21db83c32f9338a2d003898ad93fe28d54122d98327c6d342e44846f3245137e7401a4445126131

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUka.exe

Filesize
158KB

MD5
9b4d3b4a9ee5cd91203989a0cee6e1e7

SHA1
e27f66414fc464b60787d56219be7d4e6eb91fe7

SHA256
f6cdc2dce3ab780e403d66b73eb6f53d5b80c6b96a311f231a5b4ffa4d466c50

SHA512
3cef27e7b0d6c465b47fe57d979eba7344dd52cdc80fa369146ea026eeb337337714e9ffe66f2eb1a4843a182a6520b05fd3b013f3e4ba97edfe12bd4052cbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYcM.exe

Filesize
158KB

MD5
9cf162d81a9b128d096601df6bc7ac3d

SHA1
b037ca07ba00736d4b6c5beeca7b26ee8ed4c625

SHA256
39949e51a2aaa7ef373dec96ca48ea1e6ac2781c2b6fe25055931c1e901d4b8e

SHA512
8bb3be457b547f773abe460a2530d763ce78d5b63a39c5d93d9f73210454c56476ca4bf53298d2111e0ffa9a57fab7928f6a52af7ea31ada407b92311aaad7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgEe.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsYcEgMA.bat

Filesize
4B

MD5
6a7f9d9065f5e1d3467ce8e3a4d7ba20

SHA1
b48a7064b7f0366aa54b168eb04e7993d2983ecc

SHA256
fe5c57fa5eadaa8cf0dcebaa69dcc9788c23d5f43eb38e4a644b654c31b09547

SHA512
b48d09fe175c605cad4d468cda1e1e8496a8bb8a26e0ce79794097172ae8bfdb9fe7a07efdd9c3128a4b8f1f59aadf905b3f74012317a332dfe4d2b954197aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FsEUMYQY.bat

Filesize
4B

MD5
ecf49b19346126db3c5993eeb1746c22

SHA1
2e3475971d06d90a5b118fbe1ed7296f97f672a6

SHA256
42b7e543e312fd3a618f7219620468c9b055f0305d92842163146bcb7b008fd0

SHA512
9c7ef680e0ed4f087c8c507fb47c423d041b4047565bafad129ddf3d753dd177c839c331628bed17a0da1358061b35b88d9c54596a0fecd86e90cd1cd3755bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEkW.exe

Filesize
159KB

MD5
9abe3d2eae828b7aac0391b6b0559d18

SHA1
ad839b1bbb74dbd0b138a8f4462c077c1540cdf5

SHA256
8c9969301b8b987eb7ffe18f04af1cccc246e008107e9e7f3a7c2b64767afcb9

SHA512
798d10cce15a17158d051b7a460674fdf395b8ed6e65ac35ae5308339f878dcb1a42ba21843ce46853fd9c338d7284b4ca02309486dfce97fbdb1664992ee519

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYEYMYUo.bat

Filesize
4B

MD5
14a9c74f75368ba5b2cc797b4fb6a0f9

SHA1
fda2252d8d3c1267495a48633678431a2d0f21ea

SHA256
d77c7f4ed0cbe58b2f92e3b3caa170189491c7a4fbb987de5d3868055b98f083

SHA512
c7e796c60603d951ce5e305ef84881c0f6c08be3092722a5251877122a1cc34259b36101fcb664de460835c05dcb959e77d271f072b2f9925f57374c448ecf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcss.exe

Filesize
159KB

MD5
34aae56a1e473b1cad8e563a0032614e

SHA1
92b83b91b2d869f7300230eeb7b93fff8facc7b1

SHA256
c5c4054da6d7c6301c17bd1f7e6fa2f081dd5f6966244eb98c8b1b2faf0dfc50

SHA512
75bd8aa9801ed9f1a9ade206c51342985fe29a43c0d75212eace9fee3b258a4ecdfeb1e1db25646afda9e3982e3030cd61eea5331d843ff3954c6c01571e377a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GeMkEQUM.bat

Filesize
4B

MD5
8c736edeecc12a7d9726ec888d3648b5

SHA1
14db2a245d6908cf5ccd075269183a538904555b

SHA256
9f578cf0158b69790eaa6099b7268063566e8ab337fa0e4f98c24b7dfa2bb06f

SHA512
540d2580bdd1c3c7f13f0a6ff0130a61393d1d169ed84e9925b3375a92f14d637c2e4b9f0473da1728d516fbafeec39c58e6a491c82d91d8292e69ec66c54616

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwoq.exe

Filesize
159KB

MD5
1d7bece27b5f6da56da972d3f3547975

SHA1
93ada7ffca1d833df616dfd2e391e876588eaedd

SHA256
ca44fd152c921424729f69e10433f32d3f290ad633449c81f5770ceec8fe4a46

SHA512
4d51da99a8fd71bb7c2c58602cc75d91e6dd1b1cac4d91e2730c3d3a00cc2a47b01b397b199e1ed0c38779a23b1696392126e7086442214bc58e8feba4ac1eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\HoIMkIEU.bat

Filesize
4B

MD5
c17713733d7d050b45b7acd1f72d87ee

SHA1
f643b536d716601ecce10b5df25d39ba021d2e23

SHA256
5a6cb8e3c12fd3a2544e910931e66ff82531de8f3752fd8b184587742c97c123

SHA512
dae32ad2cb90f67de7b0d2217236c34f33f094f97ce00c93ef64dd4a8b79818d2f6c42f79ea11035b7cdb6204975bee5c44b3dd9752e77fb5dc6df352f5c370a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMAQ.exe

Filesize
158KB

MD5
568ca3bfde6c4909ae0c8d77e65c51dc

SHA1
a248dc9f22f1cf03e9b585ab197a7ddfb1252680

SHA256
24c514a7b3a0a952f415f09bb0fbf9947bc4141a785b7543cdbd4491e27eb1a7

SHA512
82e9d6f53ed9ecfa700fe78668ea8bd10f18488e60a0014581ef8054d1cedc5324c190347c6464180c7ad39e80b78ce768d8cc851d044f246b7bbb24ea17879f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgUYAYAo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkEg.exe

Filesize
158KB

MD5
fc49a160dfe330e74f7e3c5552a9ae93

SHA1
0f4d186da70ded609553d17cb04ffe67b281a670

SHA256
ba8f6dc12f0e2491051e1d6834f5c4cc367ddddf5ef6ea1f494072b79d333ee3

SHA512
7004feaee99c906b1ed3369d99bdcbea06b0e232e0a3919107d7a13244cbcf426664bf741c034ef12e5e01d249f6e889cb70c45ceca8cafa4f076805d0dbdbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkQo.exe

Filesize
158KB

MD5
70125ec93e95315a3c3bfb8f009e31c0

SHA1
a3902319c85faf868ea2b3baf0835e10e4ea424b

SHA256
b907e9126638fc184abe2c5fd9c8334bb6ad72a1c203b353d12a256a8538bec1

SHA512
c8ad89c6745ab440d311d3ccb75111776dd3d988349793eaabf4dc9c9a9302422a8a4d5aa47aa81167d176590a1f227a6b6633c0a4f1cb3c447d9d96aca314d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwQq.exe

Filesize
158KB

MD5
0a0935f8ede6e8d8fd3be1f1c64fc5f9

SHA1
9e4790bb0bdc1b2110f4ccecaed7e99338d79c31

SHA256
9deafc5fba3891df222abdc8286129c92945a7b0cea46f95f525c1c1d988fcb6

SHA512
a4e1630e2ce6cbee66b17cfb06c9d54d2304949927709db82ecf821df4255423e2df3b41eead0c7cfc932a236cff657c0331fd89cd8566dd3ac8c1e83e1cb467

Download Submit
C:\Users\Admin\AppData\Local\Temp\JggYwwog.bat

Filesize
4B

MD5
e9831bea391fd771f7293a8f41413a9a

SHA1
b0216778c074f78183eed20383e8cc9d7428c5d2

SHA256
ef259e4a022c7f67e84afa51432901fc05f52c415b3ba3037b00f0b25ce2b989

SHA512
6df7329e7c9b961a16456001672647886e6aac7b4f0f75a60fabc4bfba85d5c0e3e0bd105f34d810eec0574df61af07b8b4df64b8ad13637e1fc2330ada3016f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIcS.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KSgkIYoA.bat

Filesize
4B

MD5
3d9057dfb98968a04f0dd30ad78f8bfd

SHA1
669add8348d9e9d2e8324a9f50c2be65bf895de0

SHA256
691651ade6a871e730293294d60eedf75a4bb876aeb246949ac8065eeb60b748

SHA512
0927b3491deab5160dfa445d92f1d10ca27d518a24b9b71ed1fa40e1f7ea3a11f637ef23762340d134d93be4a0065504f7c3de06c7541660aeb892ab4767fe38

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUQIocUk.bat

Filesize
4B

MD5
def2a0711a817a736183b6fcec91a3ee

SHA1
58834cc24a18fabcbe7efa6b74e41a729a8f2b45

SHA256
28dda8c7d7b97754d3c7f8eef0c44c9823910b2566d2c5a1f01c933187dc0495

SHA512
32c42d64eef168f8ead738325a6410e587ae23997375b03aab9ab4ac0fef76f203eebc572f068759980af38fed9d3494e8d050518fa51deaee4fada6bc31075e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgYQcsEI.bat

Filesize
4B

MD5
cf61470edcb5471b2ddd2e0fb9c41cc7

SHA1
8eab355aa0717f30cd12959a97c97e311dbfe7ec

SHA256
31b36d358991c284f0cf1d3e44b92ad688942557345325f97c047d964a569766

SHA512
1e1c2d9904491a43ef8269526ae70115fb9ab5bb36c02ebfc02b0278ef48df0ce5f068b7c37b880241fcea512ae9a380a49bbed27140238969940277f22b04d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsUg.exe

Filesize
135KB

MD5
1b48b77d80cd24974a1605e7070070df

SHA1
f0dc6fafcdc6656e23327f0b592b9c2161384db3

SHA256
10003b18f1eeda2914721921d1f4380e5e692d7bacd64d88715626c4edb58288

SHA512
77c1e16aa63684021db291a18ac0e524218913fc8fa8c919d5fad25c4067560bf39551f7119a9defab11fb68c6a65faddcfccb1e20af28fa4ef01251328b8e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\KskcEUMM.bat

Filesize
4B

MD5
226491be26f63941d08cf2985c6bb8af

SHA1
e6df188f2c847140cb5f857e6290f4c5460a5ccc

SHA256
1247675a904c7c17db54d2a9418e18265299ceafd8fc324d241d60a18a9eaa3f

SHA512
2c2b38837323f18b30f30db3df446c9a78fb415549d3cb8d3a1cf835973e2829433f2814f041d4f02ec5a068951d550bc0a0084b3b53d25adadb31cd092f0f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\LKEsoYUQ.bat

Filesize
4B

MD5
bb394f529d937f7458ca38cb8f6e1929

SHA1
8041c5e160e1b86f7b23f9c6c74ea64cd44b3ec0

SHA256
491bdf210795d48fd86003bb53b57268659fbadab69e20d582e765a3c09f815d

SHA512
c32c2c905ed4e9c25d148a8da04218f04ecf5a8e55b2e704dd8466f319af7b9d7d8fc695bbd288bb3d2f95bca8c1b7023d912dd142ead0af7237530ff7eab9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LKMkcooY.bat

Filesize
4B

MD5
0405c622989607ca63f995340c05e14f

SHA1
2794cf186f835b39d5b67598a8350c0d9577a59a

SHA256
cb2f1c39d3761fa3f2d242839aeaa58fa7f6091316159bf7c983221df1a58ab9

SHA512
bc961da40dde78d041012664c3f6e38910384fbdeb9aef220e0980d8e8ec51345615a4aa3bbee2c27dd288f22f63a30db903da640d3e10ac8abb5a595567154a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAka.exe

Filesize
970KB

MD5
199a469be7344021c0ed0b27e884fa8e

SHA1
5c9c9b4ed1d58f8f3e807ab9f5b2bc5f8200ad63

SHA256
53691ae7ced23edeae7fd1801be01d81ca0adf8e0c15ef037442e246e269ebad

SHA512
651995b0ebdc9ce6cca7209f5599f9d50870e21ab1886a0d3f081f7a464c42b4338bb7517c8b8b7c92d281f95bf6d0c931012626e8656cf450c78e7411a9b54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMAg.exe

Filesize
873KB

MD5
a2031c684a12d04d5e8f68ccf8425808

SHA1
dd789c33f96f413fb082b8bd7a5a8f41d634a98e

SHA256
f7d176165a7fa77efe0cccc14bd509272cf662160b9069d21a2203a2be388663

SHA512
1baad24d23a1af98d529ba946b9f5b1cbbe5bb92bf07e472247c111ca57d57b358b19e9e89e1cc2c9a3087090af654e1fc8fdd7e6759808da7ea1e7aa2340fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMYk.exe

Filesize
1.2MB

MD5
6d414112de17a48cf434e0c0d6f1b1c1

SHA1
fc08a24654b539eac049bb66480b07e111f253be

SHA256
041ffb294665e4da6241558fd2223a5c8cf43551fb74d478b18adcdd62a06143

SHA512
9ca715317cecdd862626cf0930083f6ecd459ebfd4a6a2d410a8099cff873272cdd65cf03e3238c73ac26ac48994e116a8a6ca8219823a4b41613cdb64f83dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYce.exe

Filesize
158KB

MD5
adec407b02c80f642dae8575b6d61baa

SHA1
1eff0e09c93f64f8a56ed8e427b9a4eb19c424e9

SHA256
53f16fb18d4686e985b4bdf221afe8e31216176f3a5926d41705cfa64a175730

SHA512
8d1bb5f0fa3034534e21cc802be8c1d216052df2fd1f2c071077603ea6363a668e644bf39187ab114351992ebbe47734130a0cc6edcb8dc588ed84c7f5cbb2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\McAO.exe

Filesize
159KB

MD5
0e551bb02c33ce25a1fb21db148ad08e

SHA1
479ca43d95338b479b36dc97a7e728d1cfb3c51d

SHA256
a707448ac64d13137c19a2395de629a13436ce1e56742d06a7e52ac0038d3fd0

SHA512
a5f48252aaed67edacba11eaff1d4fb084b613373ede8977e968d269af1a1d0983e745faa2a6db120d3ecf6ef579762e2e69b235d7b4f3ca4a731dbde09a3b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mggk.exe

Filesize
154KB

MD5
78e986e2e55c8fda2fa54071b0169f7e

SHA1
a206ff7bc4e8417d5a635de4afe8f7df3e5ec1a7

SHA256
fc825434978be28d57d449bd98c5870366d2153aef3e24122f0b67fc3d6cdafa

SHA512
ebd064a5d17de29817289ace783242e6e4c4b8dbfe874b49bd142d2215a2cb47395f909294bfc858d8e27135c7e9f64e1d2524a18d2e0dd0a0fc0f50739d808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoogoQMM.bat

Filesize
4B

MD5
570b79db5ed224b9bb15183216edf1bb

SHA1
dcf6553b6aa189a46d90d3b3082f4df88e401ba5

SHA256
0c2b26a5750f2136435684c580ed2bdc43e6c4d639e9f71f452c8fe88f35e74b

SHA512
05fcca41033ff07d5f0752135624df87ff959febabe297b0ed6a8e492afdb932a1d60a3684a037d3be2b66e06c6b5978532d0c9279f739ce437e534b194fbd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwsY.exe

Filesize
565KB

MD5
73680bafe4cc7294200d2517dc3c507b

SHA1
ad30f5b3ce21d2395757083a7ea8df99719af121

SHA256
0aef48f1f4c8d9269f45f1fd7ccf76e51e48907b68c7b4cf7927e5e58ac7d7d6

SHA512
82b1e25a655fe3921ae87456b30802e1b8d4e3fb47221df764ebbf0dfb0c4af746f1eed4fd227741f19c8758c12672a2afb175f119e2b69b6d4ae214c2b6eb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKkUsAYo.bat

Filesize
4B

MD5
83379c44e5df857fa7a8463bf576813a

SHA1
1b3d547ca38a83b6d217fd159b112fe8ff5ed93a

SHA256
392dd55b76a01e2d43b498b53e54667744b417249972291322c976b76150898e

SHA512
e6173b458ce11d2a83edb9e9979b75436a2d973966d388273695d1aca9f145da4a8c3e9db98ca942f65377d310219a37b8438c32079de5a7da6dd2789a0c65df

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMgEgYwE.bat

Filesize
4B

MD5
edaba26823fdc1b73eaa241efcf3bf00

SHA1
9360320d2b57798c576b60b2f102ed2ce54bb7a1

SHA256
d6c12579c797db2acb20fa5f6df9a88c7f70a9c71a28d253d93cd32536e551f5

SHA512
6d8dcca1993619ec23bd11559cf6030bc1ba2001313e118afdc620835489d8c1a17a772e1415900e26919e7f992d788c157289c700df03709f75ef414ef12e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAIq.exe

Filesize
697KB

MD5
f463dbc5469b541d54f407ead9fbfc41

SHA1
b46e861b4d02aefe196f646d4d529237951be066

SHA256
f04e4e16162a8075d421395708059598586057efa535dbddaa3865fb049913e8

SHA512
63e0df4ae62046d8a0effcb8423f1ee05450a9e6b47ee1c418480133d14958a09f1572a17a3d6c1e95579a9aaa72e08f33c3897f1748eb95a0689831600e6d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAMY.exe

Filesize
740KB

MD5
3b98546f05a286272ac737dfea6ea85d

SHA1
b9c92deea91016370c59f62d0e18da019f74f9ed

SHA256
5e7f0180e50b2bc147aa3e98e44122005027eccf49b0ff5789af267cb1e2a25f

SHA512
19d6722a98ff0703e794f59da565b996ba43513d1c43772daab7eaeb68f19e561542ad97638056de506b50127f6235c81482e53825aa8bd5ac2e1113305c4fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAoA.exe

Filesize
158KB

MD5
fbea7969ec0553b49f6f00b08e4406a9

SHA1
00ca379d64b5f5a402ffc8f9346c58d3b3efbd5f

SHA256
448654b904cc7863edc35636c11f4763d6e12c375464e8b11ad0319e92195f93

SHA512
e06fd71f49c928f3358325e4202fa49313e829bb60a262bbff96f4481917396bd4254101a223b995844f5660f28d7a49f6cd4cac6258d745e9acdcb1c37dde0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEUs.exe

Filesize
157KB

MD5
dd386120834d3e7cf19a673091d952da

SHA1
5bc5fd87a40478924c821d2a799a028d18df6e99

SHA256
5801d7aade8b1aa4406686e98bc8f952b7c96091bb998e8e94e341b983460890

SHA512
ea9084eadc4484d1f0c1ff918ee5a48897272995292c278b6ba33edb85ac269b9dd009c3e1a0c63de82c5d349b0c1a9c8cfd603c52e20741dd60e815f1cff23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMAQ.exe

Filesize
441KB

MD5
51372e626739908756af22abf20a3878

SHA1
ade68884c56ef4e56a3dfe0c6732b9e22ce00b6e

SHA256
65b44233dba35269e373a02d72cbe18de49d0284a7150d8b27de0b964867aa1a

SHA512
0cbc99db03a1a4c8ea27324fd3148a36edfa0334446fa2fe1bba51c9be08c1d797731b4ffb43b3726494d10d7c48464fd9a09a0c905b1c0fb9beb4d3202d24e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMUq.exe

Filesize
237KB

MD5
8d6b2eb07e5269ba87db45249acaf3e0

SHA1
7179c4da2ad6d63f91cdcfa137eab1669dda36a7

SHA256
da7710b949fdff26c49e78d6f59e9a700ba817a771d833036216fed0d42e6c02

SHA512
8d53d890fe9e8eba7846efdedde9c9f7f95a90dc166548ee61e8a5adc78a5887be9824e502d77425e43c30745375ce31ad697113c396eba854ff33810ea51158

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQQG.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYMk.exe

Filesize
158KB

MD5
b83294491c517d649861d884e73b7b28

SHA1
f2dab21e11b5e2bb9e81f24b55dbe3d1b0c97969

SHA256
fde7c9f7379dd0e89fba6367db6988a0daa088fcd5d4cbb61d093aa62191abd0

SHA512
535dd7d8eb2e8b0a074d71b83fe01be5384a114fa3d8398aa6ce73cd3a224b2b8313a5cfb4fc6d6e87291c82b170678d3461dcf827eb92beae852fc9bcc6be84

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYsC.exe

Filesize
157KB

MD5
dccd42401f654deb0effa8d10e8383e3

SHA1
c58f6adb637af2cd51eba3ef94592091cf3f4205

SHA256
410dd9c68fdad585f88b956294371b6a1374fba4a701fd20eb73ee5173c20f0c

SHA512
b0113e676f7e73f9c3ec18632b294f30aaa79b65fbbd3da3b57481d27e27b5ecc0a296c98437806f371291c096858ac553ed3c529282cfe66d822cde8354593a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMMY.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcAs.exe

Filesize
467KB

MD5
296d4a38c7e68d72899c6a37838b8589

SHA1
d621c8154a69f988cd43d345571be2796c94938f

SHA256
0dd85f1487bb8a2a03b53f5a5d82003f9ec05cc3969f7fda23bbd86293f13c70

SHA512
570d84265b4a69feba945c3ba23afce41f979ac91d508e95b62ddf08500d5b6dcbd9113c2e24f9c954fc782074a4dfcaae654a3e43ef180bac4c46ebb9bb4c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qowk.exe

Filesize
157KB

MD5
c574261a77fb91dec87152d3a2ed87d5

SHA1
d9fc4b4198c496fb23c119ec23f0f50635579e96

SHA256
ec3fc9babdb812deae545519e125e733a8f77bcb9ed0582c9963826bfb823cbe

SHA512
7b907b968f41e11275286ecca093e6964b40671e57af13a5c3c012c941331c950d945181c3d902dcb8c012daf33b62cc7ab2e639729ce6c5f4775b8a94f03756

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsoI.exe

Filesize
157KB

MD5
d633289ab5e2924e729e3f9e19523e26

SHA1
d1b23ae2b0845874fbf75e767d6fceb01e2da2f9

SHA256
6cce4729b007d62eaf9454d893cf283f20c97bb4d0c04613ce6f5937f3c48f99

SHA512
cb7a4f71bcfc576599786966517d60239ae3f07cbb38ba6f98cedd963cb22e56e70efb3c27e2acb058a3ed658e5d004b2e59c84c66eb9f9a551c1028f31846a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwwC.exe

Filesize
157KB

MD5
e7522a365b7af65d4910429d8c4d1cef

SHA1
cd3058db35581f816df556711016049f80235902

SHA256
555967f08126fdf03ff636110f134d92e1118d1ac4613ff7f2e009db2d34c01e

SHA512
11f3d77edcffe02d431bfc8d9e0aa6e65d290033134801c3a34598bc83bae485642540dcfeb0fb036e5f56c1357e4dcecb1434fae8aab75e3ebf96915a8c3fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSgMIEoo.bat

Filesize
4B

MD5
caf3999049395ae6cd7d51c3764846aa

SHA1
dffa78968957f74cf33cd518966a8d02b4dc00b6

SHA256
1a6a5183dac5d0a2c9a31bd54ac69057c8d331be1bd67d02c8c4c866c2ea41cb

SHA512
65aa188cf8487c253d2908ffe09bb44864a1116871eb975827e223c979ab916d8879236d438722a7501d844ba73c7107141086b8806b76cc0fac7db746fc4f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAAw.exe

Filesize
380KB

MD5
140af6a4c9a6ac2c7c30b9e160edea66

SHA1
daa17a826266f898d5c9e7b72ce2f36aa2224e5d

SHA256
d226a8dfafda40515424b91126032ab7ac18fa72c3ca5d2b78d93157e7d64883

SHA512
64337597b40be1637e2ec936192cd69448e2e3d65f400b216da371a1de57565bb60633a8b2cd4999d9fc8d51ed780fe7391ab4e1c32cbcb0e1572eb5a9d758fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAks.exe

Filesize
158KB

MD5
cff5808f99eb6992cc798ebb9e9803dd

SHA1
9a65a61ed919fdd00ccbc4cc932f61ea01a4e820

SHA256
f32116ce48745d31a937f96925bb312258c1093a2dcddf86da46e367aad20461

SHA512
9eb7b04f5e5bfffde163eeefdcc58d1ce849ca751386399a063d33286974c0a5a9d2eaca81038e6c76f64ba06e9c39ac3761d2263069f8ef2b510410d9fd37d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMoG.exe

Filesize
158KB

MD5
54b8e0ae149be907b30bd309f304c8a6

SHA1
64531623f3d6c0b59f364350429d19497238d4f5

SHA256
2188ef837736f550ebd27b702d3d1249ebf3888d0bf329d08dbec11c39a853f5

SHA512
3527b1c54fbb198d70f944d4a064c600b3f120e48f752322c5c3b9c52d3a6083bf53bbad4b6ce79319dc84af8fe49fa201051e2bd47de6b648f44cdfa527ba1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgoi.exe

Filesize
159KB

MD5
6ad32d008d471bd51f0879d66195f993

SHA1
fda1d803a84d097cea6ca09e73e34b88de0879be

SHA256
2dcba813d240b00a5a408eab417bb4ea5e5700326e77b2c2923a1e20a6949dcf

SHA512
355ef479bb518745d9353190ceb87958b179ea480f65eb23e1bb8b198231d8fca7d4ed0bbc1cdac4623e249ca5fc061348a3fd453273a956524f296daf956aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsEu.exe

Filesize
158KB

MD5
a162b7b45884f907651e8acc2b8bf552

SHA1
dfb56a3a57d17e7f5c2d07904afe0a624a456ab8

SHA256
4f6a37adf59e7154e76d1ea2300a73cb15980c516f3bd64addc570bcaf5e00a5

SHA512
dd85c05747de930f77cc689f84c81e89073c15d83a25ddc47ccb50426250873dacb1ecd649b7afbc0b70d2a743260feff6c90e22eefa18dbec90335f6d3c0e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\SswcwAgI.bat

Filesize
4B

MD5
bf24f5c357aa6a852f09c9c2798409a2

SHA1
79a2eaee75c04886cfea0a9c0a2de478163f25e2

SHA256
643022b4d0f53f7fdce4599bbd60250ca2d9a4d059f095650b543eeb286785ff

SHA512
2f5880d9f38d6e70bc90c33e3622fd8189490aa0f29cbe7b26d3a040f408cc8b6b1286752eba32a4d63510062fcf15d40bac736673ab2588dc8b67336ac301c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TqsswgUc.bat

Filesize
4B

MD5
f936b0cdfbba19b5a70f6ea31519620b

SHA1
a1462f5180821da20efc6fe0afe921a4cb327f9c

SHA256
47db30120bb6c1e044e0d03b03fbbd32c66b3fa232f1c49d65f933dbc5530c43

SHA512
f3a3f5ac7ba0395bb26e5ad802c47d117d027f86b40f7540c0bff351339a3f26677d91a329f482865cc77f1d0098c3e814a304410c57e409f5ea43693e2bf334

Download Submit
C:\Users\Admin\AppData\Local\Temp\TscEoUgM.bat

Filesize
4B

MD5
ee44e5f84b1a6095a1f2a3bca7b3cb7f

SHA1
7044ad46b3d3252520ca389164ed6c41ad4745c9

SHA256
2faf1519775cb9f83c34e21bdaad525029fc04944bd42f8fa5ee72fc5de77ac9

SHA512
dd729392e7e15c0f5a2bd8fa9b5a5e766fca622e79d86e4f8e41171cd51a118da3aa26b5f60270fe384b5bf79da586a5fb01d40d830e8990922dc55cc96506bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsgQocEg.bat

Filesize
4B

MD5
70a92e508e788289d2f8cd34ba57e7a7

SHA1
0bb64ec4926fa4c948df6e4fc8a4d75defe02dbc

SHA256
53e5bb3179778e6677a4ce920f677958a2baead7b9c8c26ea40dd024ff704f72

SHA512
e4a5a6bbc4c3d2ea89bf2f011db57514341f01c0b29015223b939a52c8eeb7f417ceca2e9f5691dfd2f099f580479929cc1aec6a910275e73239858deab57897

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAsE.exe

Filesize
158KB

MD5
bd0fa76fbcb3a4c4d0d1bdb6a965a874

SHA1
f9c56f12f9a59deed8434f34c765c5e95ba8c375

SHA256
21d7470f8a7b76b0fb45f07277db1f863c082d42dba62cf1eadd6a68a0218544

SHA512
4e4b6587aa416533354958a819223fb5061dc9d1f60582d65da8134679c41f54fd98dde419bebebe638f06a1bc23a44d03710ad1044d0cb131a62dac95d44d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIwu.exe

Filesize
381KB

MD5
268070cdf37e3d9230012d86f2fc1827

SHA1
ac596319ec567e4568a64155c7d110c4e0ce49d5

SHA256
e49f3ad2f5112eda6c203687cbb2b131128d47e419abcea0c95725afe5074e9d

SHA512
7c90d7857decd764d449f858202cd22dbdd4506b4e4fcdafe108ad6266395327ff1d0c25c05cf0c10cb224dd5c2803a4d6645ae469cd990f2e3400f8d2804c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UiQcMEEg.bat

Filesize
4B

MD5
040a43e503010e8830dc33807ea90c19

SHA1
e7ae861d1e7da4f3a3b7805ee0a3a7cdbe379254

SHA256
58cdb893ed5fcde32332c48873b5366bd4d88600eed4923c07eef2f1a5e9181c

SHA512
527e79790de240a824ef3e183099bfd25a82ef1d308065d51e5f94a2cb8cc73550119a5722aac21f232ca89bf82f18ca70dd94b76909306665974ad34c7337ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwcg.exe

Filesize
869KB

MD5
f33a2e7792c9c44e66b025488e760861

SHA1
89b92ca93a6d1a65f1d33acf57e200581479dce5

SHA256
92fa20c2cb09cf7932cd573fdaaa236a627b19e326b7d45f05bfeefcf8ae0ba8

SHA512
5d6c77da753fcc25db4bb06e49d66133038c4439562d0ea6fcc51d5ed3986b48c7320eb2c217e03ec1873fd335c1e93b4d6deac885714bad0b498218ba872bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAMAEkAs.bat

Filesize
4B

MD5
e3dd23f7a3099f6954b07badfeaa4297

SHA1
e47afcdf2a11c8f94bce309ad15c2b550611d895

SHA256
04b9da7dde8747070e2b537c39d7cdcfecdc5a3342d8dedf845fadb4d5d0b3ca

SHA512
542fa1cec465746f802ed10c083d1a6496f0f244c5cef0084e2b7d0c131649b84952b9a16cd49498c226d3678a26280ab3eedaa4c385851e0c5f8a4a7e342555

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGUQMYcw.bat

Filesize
4B

MD5
4d33cb46133c2d763e5191b030c098dd

SHA1
715ebcea8491c7df16fcacb84e2fa52fe5f580ad

SHA256
90f8b5a1cb389e0e87ccca513f559d806035b3df79522da8d4f62c565dde52af

SHA512
c73537a33464f93c85da883732089ca0caa00abcdcfb487e9535d603ffcf0eb979ecc79b50851683087d08b51baac2c409cce8327b9576ff923a676d8891d319

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcoQ.exe

Filesize
970KB

MD5
2f3d8f58c4a2052f95badc25594cc667

SHA1
1d4b7437b45fcbef90a1c3df51ac26350afdd9ed

SHA256
936ac4b60b9b21e220d1a04701bac73d9f9d5c60c3d9bd90e6b92e58877fe46e

SHA512
6fb11fc567cecb401770579cd36f6101144d9f454a16c554ddb1c66456223782f09e58c441954594ee0172533d05ef2044d5c39aa7bd230f2ad9a3f2a0bda432

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsAY.exe

Filesize
158KB

MD5
49c570517be5d9c0c25bac9e7d99af84

SHA1
a31ef4f72d14adc18674328871ed4d5d6d103451

SHA256
ea36e42ebffb8f4c887a7faf8a7de4a4b58d30746577482d764bacb6b8e72216

SHA512
a339ec3bb895083e4e0d925aeeb41a4e9e408f37d3d69ea131551a994d88ccf150f5d7e9432a7ef6e097e0368115fd8b3f7877eb4a84433cbeb8f1543fc303aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsIQ.exe

Filesize
157KB

MD5
6a68f9258349553cea872d90d696e6c6

SHA1
85aa7d0830d5abf5abf112f1e25c8a0054887828

SHA256
b2cb613dff7059b2f7e0608ed20f9e868f3002938ba4c28a563f3ed3dc72bd7a

SHA512
b204f2393733072945a84b3bcf5dc1d9768ac14d2ea71f895cf052ab9110d4197b008c39238dea1919c2d95fd6203dd0a431775f3b3dc8d66e02c83b0ab09208

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwAO.exe

Filesize
159KB

MD5
a9bafc357196dd66854d881fe9875873

SHA1
0d2758c4382e32e93c128b677f6884c00af2546f

SHA256
e7eab80fd5c5abda1373fee025f966a42fd9427f552c65285483cf693fe2bae2

SHA512
24093f3f791d806c3892cdfee43bb56dcde862788f04f067399e5679de72f05bf660ab1a763f00ddff12f654a8b46fad233abe33529d52e6e2da330aaf6301c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwwA.exe

Filesize
716KB

MD5
b99a151d4ddb9046dd10673488e2e67b

SHA1
3b2797c37b7045fa721e0ed5fd1e80282a48223c

SHA256
abcc1727747d5dde4f739d88c194b0d346d97376678bbab6e2218c8d4435c7b6

SHA512
0a27116e65cc7cb957b88cab0e64d85a24f0f5ad84c19d0acff39370dc4210fd87de1335d09817d7f62dd6a1d22d8866b0cfcb23d9faffd19e58cf4610240375

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIsAkMAA.bat

Filesize
4B

MD5
97dd4854ac12dd3263377bf272d6824f

SHA1
2690afff31b1fe8017e1eea4f7527ec1c171c4e3

SHA256
7e9e0c936ffd443365438cfa7ad3bb9994bd7ccf847273b6fab6896de792f771

SHA512
e5f4469cacf6a47af079e7179d38b3a8c825bb5f2748aa60ce95210644995a1990028de7fe0608988e62733638b5c6968d14e605b309ccd26c71e7a817d50d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQAC.exe

Filesize
999KB

MD5
fc76916fb96222a986b97953f3daac91

SHA1
37d3b5c47cba6a86dff694f34a7bfc9702eb5f17

SHA256
5c1e497137ec260d06d672c4883e541773d431fcaf5286b32391a8f50a6c5e23

SHA512
a4ca068dab22398dbfa361b5c7823ef80df3137e504b9eccd2d5de6f184c17de851a7b06b9d19319fc22fd8464d87fef047cbdb381f561acf68cd5e483b35b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\YqIMcUwA.bat

Filesize
4B

MD5
8228c84aaa7c19118b934afb9f805716

SHA1
2e3b465c107101b175994169c8cc0259f83e1a95

SHA256
29c1fb3aee9951381d0d7cb3c884d71ca61166f415490d73548280ca3b010318

SHA512
03e1e168f0a8343c603e15c94ec06116647b6374189d1b00556bb1026d4d307df107c68b4e26ed5bf895fc97b6835a40bc6866ed347211302ef87e1ddfbe31b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YssMMgkM.bat

Filesize
4B

MD5
084efe1b8f8ceec18897cc5ac2b9917c

SHA1
659c94ef1e42bcf990665201828db02570d61596

SHA256
1661ee2b05b07553bc493f74c3832b6ecc2132934bc74081201847acf200e075

SHA512
2bdf3ba9efb07568113c7dd7186c9400c2ca28d24f43900da75b4dc6b56d9e18fafbcc89a3cd2a9371a23f591e44b2dbb4519b3046beaa010152a47e0a8bb34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAoa.exe

Filesize
159KB

MD5
c39f7fc9915c47456668534ad8a055d2

SHA1
4145e4587813e95ac0ba44b46f6dc1ae2385813c

SHA256
aca43bbe3388523036edb648de994b402f4a9cda95e13e4be3de01294c833e32

SHA512
d2b2453dc992e0fb757545650268e748f3f2b84937a5f0c468aac4ea8404c3923689651d8027acaa7c1af9f9bfa357c7bfb7bef61ce128981f138fc4838bc0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMsc.exe

Filesize
159KB

MD5
1f9ac5c6b0226b7d7e7d5dea28d664b8

SHA1
0e6636ea38848ff77af7d2e8fb39bec786bb6544

SHA256
e03332a73fe807b058d41280a698f528c46ed53ce01dd18f40785a7198eb4035

SHA512
0cb7ecabcd0b64b936172d08e50d177ee5cd07cf724113ad1740e29263db035e84d867afc3f050b96ce1e6320018291dcc797b90676ff2fe0350f282cff6c793

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUcE.exe

Filesize
555KB

MD5
ce04361bcd7d260c3fbccb21e0530b41

SHA1
261b6cf27a3455c634bcd92844f5b008faf06ff8

SHA256
a6ae605df0cafb5f2e4895bc942e62cd6d815b892544460599a41e36a4e84d9f

SHA512
31bc72a03e586bd730d6d17a0280e034c7b82265d1729fa333b023e22529c3c0f67b3463a3d92b9b2764b3df688de7ab6dadd9e1f526bd48eaa0cfd8254adfb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\akcy.exe

Filesize
139KB

MD5
1a0510366de8cb7cadb0e8a0f4409867

SHA1
2c30bd64932039d1bc0f0db1ca2f420348dcf47d

SHA256
42acc22c11573e6ac4e3a89125966aa2f05832230e6a18c0ba91c5f588228ca6

SHA512
a764cab0d352b6099519bc2ffd025710638fb7d5482c960675cd0407a6d88fb97a94b2f07e7d0653338dd736eaeb0e5dabc85b0acc10f42210db7a3f32798271

Download Submit
C:\Users\Admin\AppData\Local\Temp\asEG.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIsYgAwY.bat

Filesize
4B

MD5
0d310d97dafe58718e6bffb913ea204d

SHA1
7b259f1047b6a5161581fbf4e6ffaa2e9673f079

SHA256
71f235077827e60bca1672ad3e509c4b516b3c5db8849c851b97be03a35d93e8

SHA512
fd43a2f42ebb8aa54622e800ccdb84978f7e78d50a0a42c7190cc36762e3900868b04ea83f8a27a25d51c1614ae12078b957548514f36c1a8aed4b4fbb558aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQEW.exe

Filesize
139KB

MD5
7094b8223558a78028d4fa3a7d86706f

SHA1
df0e3a04c0053975d55561906f0508257475fc30

SHA256
203607fc30ab773d147cfa9c516099c99d21e77638b7cff1c2c748588af546e0

SHA512
815fd5975597aeac1fcb2ae2b90f85d5487061c8e2a829d0e31f7ab02bc155b67c301a15399172be0a21162141e5cd9e2c1091edfe141ddff45975008cc33394

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQsA.exe

Filesize
237KB

MD5
060318d1a88e8084fa859f1d8404df06

SHA1
ec0d6a904a6dc7aef7f719f7d64d3db7542e5534

SHA256
544d15e99e1f249302ee9742bf95eab5dbc8bc729e5c1684e9ef2aeffa1eeb90

SHA512
5a6e19d39db2ccfdab3e4be8a9e03ec753e7f061ea8677871166ee3c9db733bc58289c404f315dcff9b12ebc8d9a94a63189879d8b3fdde9bf67d1ed15c6eeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUAm.exe

Filesize
1.2MB

MD5
418f22487471a5a013a2f1aa54f75c5a

SHA1
38268f8a13ca51e0b13572435f6625a575de0bf1

SHA256
b6438c09db7207b44c584c4a15cc599b22cf9d21add4535f3e3a2d36eed14980

SHA512
11c5e2da87d5b423221950b7efcc29cfe70e1106e0d12851344bda74ab7f541e9f1425110bae0e0c5d823574e9324acd11dd5d256154e3be86501b67b07449ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMsAcQsA.bat

Filesize
4B

MD5
e2bfb28bccb71759ec4c1661953abff1

SHA1
9b82380b3abd2ef7f45bb143ccc02fcbda33140a

SHA256
7d2217811af7d2f91f196a37ecc099ef2e3dff3a320b13e5f0df025418376918

SHA512
5ccc18274c6170521da9ab467f40eb79d0b87235a6235d7a1ac01d21983dcf30c5ef0b8de093d9fe8a90730bf26cfd57b8e7d17ae30f9d1ad7bf7565c8fe8251

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcwoAwYo.bat

Filesize
4B

MD5
2808c03229807780d9fd4c8ae3c8e418

SHA1
bdd672f2b8a579eaf0e6ea46decdb94d84a7db5e

SHA256
9c3573d297778b8dbea2cf5d5d61cd0dd829787c2b39e166dc4182148eeb4294

SHA512
6b139f423f7727f12acbc41c805b6c38abaf04c4e7d34e7c9f44b95da11f11efdb973f972935bed2fd4709c6a435049a4484e22e8068548013f5dd0aa8780582

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAUQ.exe

Filesize
157KB

MD5
51464452d6423ea53bcfd2ab087bc2c1

SHA1
ffe58ee7891eea61931ff541339c736930f310dc

SHA256
f8c1d0ace6818cd0a91382b9f99215aa5c1b8284d7f6e7f4a7afa3f68ee38040

SHA512
ba2f9f03932ac32ce274a49485847ad62216ca858b65861fad6ed88bc63b4f835402b18fa54fdbdb0df608315135a6819e802af1a80ba43e917c834ee275d702

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEkw.exe

Filesize
157KB

MD5
1b0b271b1ce1a5cd4379287448c210e5

SHA1
167eb0dbe9897c04cddefa67d773a94e6fd84f0f

SHA256
105de75e0d3ceffe675b71d71a1750eec2a10c8aa6d8e8de6d0b4d8914daae0b

SHA512
e17e47f9634b698d4c33729e923a1b2ccb44ad7898137c4b5133bdcc8d924a1d7eb10acb2cdce10b8640dd5f82cf722a21caa74751eed64a12b235f0456370f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIco.exe

Filesize
159KB

MD5
16150a0e2f2bc8567aa0362beafec93a

SHA1
4ba6857945a9797e049f6c8811132441bd3e9626

SHA256
8a91956409806bb261601bdc7d584f4d4e9d8d180ccc24f3839313ad4c8793b5

SHA512
af690593c540509ad33b69b8a3bae181c0cb8d78d01444a4aacda8a4cbc75e9e0552658c1fa7a86feb7413f70947eaa9b4d12cbf19af0dc0c5c9a46d9c3d4d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMMUQwYs.bat

Filesize
4B

MD5
6fd5048fd50b54af606cf438e494798a

SHA1
2f7810fbf656f9410d8be739c2274d268126b71a

SHA256
03f76152ac001fafdbbf7845436d72af9d3eacba73890c992c3ddd3ecdc94acc

SHA512
dd932b1cc894b6748a631f2e0963c8fa4fce89b3ce6ad6b68b7a25967f000ee560739ba1cdfc1c7f3315ce556b3dfb245d640e8bbf2e5feb2f391cdf626500d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUoEsUsA.bat

Filesize
4B

MD5
49e53ff8c8614151fe11de3c69444eb1

SHA1
092cd2164eb377b91904ed82a09df54b12bfad17

SHA256
98ef56ba3e92555826703b9d42e1cce2d11a45c3b39650154dd15b24b109016c

SHA512
b42792ce67ff125ac8c8a7cad377f794a41bd4aebbc86710b80e615187855f7915cb2ae04ddca8890f23c741abbf5e88be61a4435d9f4ec01d1b58631951e37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYAo.exe

Filesize
157KB

MD5
9eb4c0436778596e22b00c0e09ee5e7b

SHA1
430e368b24d84d257b4d44c380cf6b1ef9d50ded

SHA256
18395545a668f19de7dfb9b35ef2a4fc8ba3dadae60863d2cd5cc405e406de0f

SHA512
9fb3bbb7984418db7a231cc88a2bb545e7a041d1a53a00538c5048a3e377a5fdb81fd1780a209234e0339c2dab0f7ac5eba0be5a3cc61524b86eb1a912c4bebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eccM.exe

Filesize
158KB

MD5
0fc348c1ffa84238dd442453d25c254c

SHA1
3f7f47fca49b2889057cefacfacfac0e08a10055

SHA256
d26c45fdf81c6c7ad71bde2099eb01c10b25147c5d518815cecfd866c4534191

SHA512
01d40a329af24afe6ef7016171a11da675bfab0d3cff7ddae61077233272f9d58f540acbd1752f134d5bccc7bf6ac607d81bcf148ca3f687530306314a95f119

Download Submit
C:\Users\Admin\AppData\Local\Temp\eggU.exe

Filesize
158KB

MD5
7ffb521c16aff6b3d3ba99f986aae806

SHA1
4aa624de44c17ffb151db119911df94203d89f21

SHA256
5b685fab02056b87739f72a24750fbb5378949f8f5708ffce6394ea522d6332c

SHA512
d4ac58b534b3d1479d77238fb3c345d39e71ac6fec6dff5739c38609dbb40d7ae438151349faef9961e628960ca27f5130b5fd6ab586ecba4d57c5bf612a8805

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekoy.exe

Filesize
158KB

MD5
8bf019b5f7b92bb1647dc828b01aa819

SHA1
095ab53d5a3ef2dcbbdd75e3425f1af4d7170fc9

SHA256
feccc8eb058da394b3b5d613a7b6184ff29b1c87261a94369f8ec0a905cbfa47

SHA512
e8a5f173c90e6a45b5f37fde4518d5677d48dddd7a1d2fdd92158aa4038feed197561e0b09aa53f5c52d5f449fb64edd272bc192bae3c836cefddce5710c3f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\eksQ.exe

Filesize
158KB

MD5
bfe57c2afa4d6cbbefbf743dbe827dde

SHA1
7cecd7fdb90ef99f35ede2fa3528dcbb27291472

SHA256
29c04597e8f066e78b9bf8e69e1c3b9cd4c377a5573d9ce027c12c51529f8a04

SHA512
4d62fb20c7e31f07d21893db302061d9f0dd4a434486816ad98be27fad346738f491b9695ea0caf9372854622912936fdaeabdd371c1bd0ac38339741bd12be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\euosYMMg.bat

Filesize
4B

MD5
439297a976c5f512a472499f07ce1992

SHA1
61b368bf59dc2bf7742b8499f2a3da065257f431

SHA256
899fc77e4c00281043468486fd6aacce1f66e9162efc9a13a4f11809d90d9357

SHA512
1b30a5cbd4d444b04d9e713cc9e650f38048d7d59860100b8926c71b366df347f8e8defcdbdd12a5b9e01ac875419cd55cfba8c30f96bbd35ee1a74907e14cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYEEAcws.bat

Filesize
4B

MD5
cfb4fefeb36a7ed07b264652af2aa7e0

SHA1
e3fdb6c2b38786795fead64fb7dd21f6b78d3298

SHA256
938bb450f9fe5824ce764869bfd45fc6cfc1167fbc4efbf6f47e1e9eb593d34b

SHA512
54c95a4527a30e541c0717af7f8c3fcf2acf321be8a88ce2b1745718ec2fa0cf9dcc0a67fd9603bd63b7bea5f63051ecb7ca3955f94d33a45e1db9c2f2f64ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwggEsAA.bat

Filesize
4B

MD5
7eeefb42956b207d8d93671636a2cc47

SHA1
ef407d4df224577898ed639dd07faa225f78e5af

SHA256
6608a5e3fdf39a0272c1ff49945d14d4ecb70dd9bf167db8153a1c7168d1b6f3

SHA512
e9ad9a00d60606080de83c9cf8baf68199aac4e65dc99eca36dcb319a62763b5a5413fa747b3885f30f210941d14c3e56ebb5c0f73565268bd97fa5ba149d636

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOAowEsU.bat

Filesize
4B

MD5
3b40f8636071944e3f7d83281bee844c

SHA1
c4f4f4c6a44f1a3d15373a73538d86b79b68f464

SHA256
d0849140d90d4a3b3420a19d8c74d23d4fb22d28c1bcb81e0fc6cf2a50adc12f

SHA512
3d0e011094670763df6e84b02d5a6cf0e5de9a1b2f57de5c7b7160eb93920fc71587a95a3d40bff5a37cf5b8d5b5f82148f688628c961e7c37f1c3c8c211105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOUUscIQ.bat

Filesize
4B

MD5
50802adc165990e9bd00c4a9898ada5f

SHA1
c98822c4367bf9950f76010ce14c9755af70d22e

SHA256
c6c2056b713f311d53c8ed3779c48322fe3cb8a2caa1b925e1f4ac9289fb2042

SHA512
9872dd77874cfc00ec53012c2045ab3b59e095548ba9aa1f11a40878c29b4e5e673a723ab6d55bd7f598381ae6b55d32a1cbfcdfcc8a3f7cd5b551c703582ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIwIsIcA.bat

Filesize
4B

MD5
fa4e6b6d0f67919902164afdf1d383ae

SHA1
baec524354473596e1840967ebbd234ac01a675c

SHA256
a0af19fde714cdd014a5f1875a0707e8d884f3d69e4d4beeee91324ea1ee1919

SHA512
6c79eefe22097f767e8ae85bd876967c836b01c85dc5112a6050c4adf35b4b1014ea05a571efe4db3ac38dd14ca488ec3e96cc11b717f67dbccfa4dde3fc1322

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQIY.exe

Filesize
158KB

MD5
3458069f43b0885f8cef13b810ee56e8

SHA1
82d44f75978837377029eaa1a3f08cec17204fbb

SHA256
d0397281eaf47b9c13c4fdf31980d384da27164865c89ea6d6b1ba3df04b69fb

SHA512
9db3529bde7348030bbca2975d62c3b2f404a05cf75ce01cd6c1d15e2dbc848bb2742fc7bd1e5c3c2ba0e529eec1834dec3856b57b289f5a639e19a32c3bdfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYAMEgUY.bat

Filesize
4B

MD5
6e14841d08bf8a6ff3a3d93d3f9927e3

SHA1
5dd08627485315464cdf7c31dd6afcefd046088b

SHA256
abffcbf5376dce758c0dd1bbf853b671616b8a134e8c9048f9b6f7211230a002

SHA512
c2d80ec532b488b78923cfa7c2265447935a2feb4dbfc39d980efee4bf1586a6fc92cb1494cd27a74527f9f4cac9b627899a471b3afe334c83829870f1f86501

Download Submit
C:\Users\Admin\AppData\Local\Temp\icEu.exe

Filesize
158KB

MD5
56205cd26b57743367f8b831428bef68

SHA1
fd838ac3a0f8be0245793f0831a4b804ea599174

SHA256
a723d1a214d646ff12e5fd1f409bc2d723035ad34cff5d3401c34f7618405cc8

SHA512
67a7f00ac61814986a44884a3356d6c13a4cc792cb9d52df2ef7dc19471881a562aededd9f2c892c789d87582e1084ce2c7f702132c0e6c1486ff9969e763aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\igUu.exe

Filesize
158KB

MD5
eca368ceaa07c0b331208459fadcbdb7

SHA1
c8ecc49333282e7773f7cc0e2067b9f7fd33bfc9

SHA256
ad0dc0c125774f1635dcc0d895d84d229266b912802002773bc86dd1a568d2f6

SHA512
1e665e19c646df307df5ec06bdc702d103edd21cdf3fffe0524b85c227bd25016328264fe0757f0ce8c1b8d57d0e782a34b3e79739a0c14fa0208694775588c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwYQUkUU.bat

Filesize
4B

MD5
e11fed8db6abec4935662c19af02d9e1

SHA1
8169e8a1a028db491fca04879d9ab7c0c2f5f046

SHA256
016f2f937959a7c3ee4b9fc254f043d94be9555d60519e1d8b88a061be3bc4a2

SHA512
db904e513793eb5d3e13e9ec8b919944d545cb0ce0c55aeb53ed339e3bc235e6c1a1be8ddf745a932a0df43ee53c67aa064cd393ec90e48e3df8b71cf969cfdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiwIYcAw.bat

Filesize
4B

MD5
fa7b70af1161ced8e6af286de79f75ea

SHA1
636d52a5c3a58924d3cb3d3618bf4ef476783106

SHA256
66a25c31f530299dc2f0ca33f863ea73b12eda153ecd71cf329db207ee0fa81f

SHA512
b5323321f27e52b72d98e13e3dbc34dcf0c33def888282d30d1e4cdbbb6ea4cd0709b5eb1fbbe8bc9af0284ae298ae5d43ce46cc2b05aeeaaa3166e00a62c1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIki.exe

Filesize
158KB

MD5
9e980787574543354234b02138661f44

SHA1
bb70a3bcdd5b1e4ce60549ce4cd4f09360e697bb

SHA256
1c0cbd71958a71e7f7f9dd9f2ed38b89d1f62aa73b983ad49125bcfb1d6e2c96

SHA512
b35ccf883be522358d75fc4727fa0e5b6027e575c15da103e4ec0af6181f5a9ef8c8ca18d4ebb8d017bbf9d5d31f382be5b5df955eb477aa98bb253d3eff0f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIou.exe

Filesize
160KB

MD5
49269e84d64418f900daf7b0606901da

SHA1
52710f9db1ca5d41f6b07ba4a3b1ab0e79777f30

SHA256
3e773f7346befc1bb6dfb01f5741bf427a2e8782a60f4b004a44789dce7faa93

SHA512
31455be9079d2a2e043c5e55aa5dd1c67ba669d9e15ba8e6231db0b59a60872d61a58a955d4fae1cfcd46d7269cd64e4193fb62914739d6fac84eb6bf69f48d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUso.exe

Filesize
661KB

MD5
f78119b83be07f8434deb6e523d87e88

SHA1
18336562dda6d7c4dadd62894d8a65919088c893

SHA256
101b4e0893ba385bf3774e9fd9fa887d90544aebaefb238d723a20041de36586

SHA512
ba461256021afea535e9524ed83a874a24e4f0d5454e96b14d098005369dc83a80c2c372d3aea3f63c1be9aa4d05e7c8ab0cd7fcf15b26295ac70c59f2815fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kssU.exe

Filesize
4.7MB

MD5
294514ab726f63e4349123be09cbb306

SHA1
2848b021ab8f5ebed0ca8f66b0ae5ec4d43b3680

SHA256
3039ca0fcbc305ba966c9299c18075ba45cd730c5f8495149114cfa388a091f8

SHA512
0ad7a44934502d0bab4f040c29caf4dfdea37bd00f13d0dc5e199ae32dc1fa88921011bd0405b0b7f0149c8c74da170b7d2b5d7e9e7afa7b2bada65fa798da78

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwke.exe

Filesize
235KB

MD5
ce22dd38d17fab81909a30053a6c6490

SHA1
f01563e186fe50c4dbf00099b0826c0e9b41bb62

SHA256
787ec0c42ec829082e383be4226dcde063aa61caedcdfed3bb2822f5db79f885

SHA512
d459a015ffddee55d6a101cf4301fa377d203a1cd31869586503855ea06145a7ff224364617fe93e00823adfe33a91ec0026f3f33852ece51ea5e3fe17dbafa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lWEogIIY.bat

Filesize
4B

MD5
ae8740dafc3c96e9d52c381b7a301048

SHA1
a44b4de23a5ac67d631ee8212223ce108b105cf1

SHA256
65a40639d8da8f57b6f8232015ddd283f1edbf9bdfb824a8be69b5b6d2e0d688

SHA512
40580f3ff9f27a47864adb5043343019f51e351767e9a9f5be37efa6de95854bab7e27c4f11501f4db97d4dce8a61fe2a91c7bcae5ce1a3d6bb97e819c225676

Download Submit
C:\Users\Admin\AppData\Local\Temp\laUYQIww.bat

Filesize
4B

MD5
cd119cab907272591c6e0325beaf51df

SHA1
61fcd9b09755693a806f3ebaa0e484bc93fca7d3

SHA256
1f8a60c13c327649c76d42650f72111d15862ec85cfcc9f6cb3cfc880cd1197f

SHA512
b679b7474e8410ee4953d0322e0b77df1b9c69ebeaaf9169c7073614274ae6fed9cafc0b5444dab42762bc2eb63e40dd766ac1ae2be398c7c73f2aa3798463ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgok.exe

Filesize
149KB

MD5
ee3db5be082de9f11afc85088e11121d

SHA1
7d803af380f247bc701c072838e6465783be38a9

SHA256
dfc6e1cc89083b54b73565f72c7e8ee264bb02ebdb52c76c1e9e64b5a27daf28

SHA512
9a50d7add285d14349ae0e77968c50fc31785ad598d069d0b4faf0a483897aac7afe697ea480f5937f99c97d3417a864d2fbfb9f36121c7a694f128e0e468a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkAI.exe

Filesize
8.1MB

MD5
da67c5d0ab1b2ac438beff58f6b4230b

SHA1
e904ec26582bc7288d001b3524a7f1f25bf69ffc

SHA256
898253a546e8e96d6c00ee2e7aee2844edf5e1f3a470797869e5c8b215d446a9

SHA512
6944718e8b5fc04aa587bf3a8a64135429090e4ee5864abb4b5178c1bcbc1b53cfead88c3f4fa66379189590a67121aeaa07458bbfbf2c7f21a1c1fdd1ac2879

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqQcwocU.bat

Filesize
4B

MD5
31a2dc1656bc7d850d1cb5712adaf6c1

SHA1
a6e6d96125c34747b08be6b29ef57088562f0bed

SHA256
28f5df724c2985c1211300db7edaaa0b75479a364671651212dfb475392afbbe

SHA512
d538b95f834b5a449435cc3cd9b5b7f8ab7babffd308cf5bc7f2bf4ff41b2b5add8b22395b2a40d846fcffbdc3b8dacccb55163665ee7e219622de83d897679b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwso.exe

Filesize
158KB

MD5
f4f5458c83b2777ba12ef1c3a6eec4b6

SHA1
499085e5ca16aa5901a1096e3526efd5dbde1506

SHA256
adb365c6b81c14028f058eb93b26bbbd9337a1f273da17159e9f7d82523f131c

SHA512
7a4d3f6718eacc4a0a0ced7640b7181bd06a8a017b57aa4924cc6766febc8d354874b459d482496f2798c09e78f9403ecc10bd138991fcc7d8da372f4d91f547

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGwAEQsM.bat

Filesize
4B

MD5
a96a4a8cf1b4a9ac307cd2eaf6c63b95

SHA1
774e556d957aa759729a06c7d8af0f178ca11d59

SHA256
72d88d5b7978762b8022d428dfae608f9a7a7a938af28f36e6bd2e0d93dd21b6

SHA512
7317b3e78a365b64e5e75ecc8530e5567690f4ed0c6c873f68cdf475fbe1bacf063d48adf26819db47ec4270327712e2fd8466e51c9c0dcdd9cf1306e01ce3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIYUkMsw.bat

Filesize
4B

MD5
400b0cc299f3b7b85702a8b349a51e77

SHA1
316a8484601265151023ccee4f10d86eac7531be

SHA256
62aa8b203a6092ce446b3423e53a4f46d9d0af70a0fd2199e5df6f7f9d9a01f6

SHA512
8414150fbf930b3a45e5e6891faa114cbbd2469f2be4b5ffb532f404cd1ffc3826ae5c4dbc8bdd74055a0c44e5fb0a3a04047354c11f991d2ad4304e93223f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nowoEwwk.bat

Filesize
4B

MD5
bec0ab078c1f418bcf86d9c0bae53afa

SHA1
e8fcaeafcc49bb350cc14dc5db2522a18b4ab568

SHA256
f4bb6fb7d016ac7fbdcfa2ec904af5e77a804fcf7edb1dd603b1b052b93c4109

SHA512
cb7af99130a4590624dbf73e8ed0e92fe897e4015bd4126211d45799eb5850283b53b6224ba863110b981a6141743786a07ab09d4ad3c975120e4d1eccff5fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAogYoYs.bat

Filesize
4B

MD5
f140f090414711f1d51a39cf4aaf136e

SHA1
109f3d03e9654482dd654329df53cdec525a9c61

SHA256
fbc188ab06fc394ecd41df4f2807b4fcd0d7a74c3404e20d4bb22ca16bf24d24

SHA512
f54afcb1cdd99d3726de7e4c805df02cdc0af70cbfa32186b05df0ccd335ec9bb04cdfcf728e19d538adafc76362c5df303357d0efe2d83df5b15bd7f8a0472c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEAi.exe

Filesize
157KB

MD5
d6e7edc27b08657f4dd805b2fcbdcefc

SHA1
b2bcde5df89c851e7bc8a79086724a72b005a852

SHA256
a9a82947eb2d636c1fdffbd679273180b6e73f1b74c83e95b506084025089587

SHA512
b4d3dce352fe23c3e043df8ef603fcc7a754bb485753d31cf2df376454c7b3565f350cd56b5ce6037d598198701a9796d7dd810f51c04ad48e61576282ae18f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogUq.exe

Filesize
578KB

MD5
f0db4e378af1ada9735e2aaa6e077203

SHA1
4c0bd22b7123d840761925759fed902eb5e925b1

SHA256
5a56b2ae92bdf17e20cf5a2d039bfb68b8773709693263f293017457bd89874f

SHA512
2185cbb28479c8be339831bcc3b11f3559e400109ac8375e91137c8113aed10fa91787bb227e8b75818a96c525301e172eaaa381335e88c101ec396c4b704e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\omUkUIwo.bat

Filesize
4B

MD5
997740454a53f72ff7be32b834c8f3b8

SHA1
fdcb67e407986975fa7fe63698ba7b173af80c9d

SHA256
81d9317965ae32fc25dca10ac2d4fc1000f89ba9bd557b711c2628eb7946f47e

SHA512
8a5efbb36325db09b9d3a3ba88208e7b7255082376a97dab59d8b000ab457cbd84531ad3aaedc923f8c972f32a260d31336feea54849bcd366e80d666fc7cdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooAE.exe

Filesize
693KB

MD5
7834c288a555aaf4d58927784a4ccb61

SHA1
e1b6d28845b801f4ffc89eb4dd4d34537e766419

SHA256
daac7a00318a17b58cca06babe4fd2f326610cc73b08c11249d55adabf91a9ab

SHA512
2000c95686c81ea6149e97b31128f162fa05b6e28a991a0364ba5f74cfdf73c8ecdc4c5daeb53b444048f9b56a457eabd2bc316294b9fa2d372626351b05eb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\osMI.exe

Filesize
136KB

MD5
ab62339764cf65f0ffedb4f63d402081

SHA1
7f841da5168fde39885f5ab1f9b1fab8684037a0

SHA256
1d8997844a30b6196fd8fea4cb082840bdeb8187537c522bf4925c8947e00f0c

SHA512
e299fa48edae66699c958fc939c435c2c6ce04e0e683442cfa64f2f140a68aa888b721fd9d55ea4972f358d4ad32b121a746edabf23a1315b38970642fa54d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyQwEsko.bat

Filesize
4B

MD5
e987a793855342710186f7ff9fcdfa67

SHA1
f13479ce44c27b6b3dbfa787905350766afc1ea7

SHA256
ed9dd442637bba955dd2d47c51c35a52a3d14fcb69405ac02a6d473f45b8e0e6

SHA512
2566572c9343217da3b8346beda9f861a9ec0d36e101d7950a125ea92cee97d274aa58c47434117c86ec86e64c070ac890b9141fa7d1d5cc81576d3f365ee889

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCIYwwUA.bat

Filesize
4B

MD5
58453f437fff6d6c3a27d344dbd5b018

SHA1
a5afd139b00fa7470ab99b28852b230cbfa7a1cd

SHA256
e958458312c63796fa117ad27e7eb2cc251eb1e3eb1f3d20b5d673f9933c95e5

SHA512
4fa38f0547766553af63a0efbd6602466fa6c4a5b18c5bd5af1d0d1167a1b1b307fa215d783d1b3d7d2e25df917452227f5d8eab84be3b7dab2973db5e4844c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmkgoEQg.bat

Filesize
4B

MD5
dd0631a49ac5242df59b1921307e5cf8

SHA1
9fa03abb9873faa52cd16df619aef1aba48f36ef

SHA256
429def7bf831c140b64483232fbe8d4223180a4a8bda10583b992490766b0bc7

SHA512
bd08c6db4f732cd0151e759175bee91c5110317885ac0d88d44ead8d49be3aa562a5c294fdb524c1eacfc0d45f34dfcc1363f60bf7250cd4064acb16909f1c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAAEYoMQ.bat

Filesize
4B

MD5
ee969d197605f672bfd52bbb7782e33a

SHA1
2cc75dab2a56225f51742697cfd4d77efce82e76

SHA256
5c497a0c3c2c1835e01f0680fea9ddad082957ee72c637d461263f96b71d5874

SHA512
820fac120bc76b07ceeb1677c3e33832f24f839e3f7df9d4646d4da9eb957504b8044654d42fc2910b310867a17fcc25f1083d93425b72e8fb72dc37d47e21ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQcQ.exe

Filesize
908KB

MD5
0f389774fa3bb72c612b4aac8f05af8f

SHA1
c7f996d28e554bc86a1ff316c81db3925f69292c

SHA256
b1b27bf9ddbc4d11390d45a19c61bd8b7d3cf8f37ba03c9bf3e802b4566e7aef

SHA512
54bb74ce80b79cca56cc7b6a13bedc2b98c3a6a140188886bc89564dbd1ff5bfcc4c546f847f7de80cc3bbb386dd946ae83faecd56f9527c3eedeb275ffe2372

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQoq.exe

Filesize
139KB

MD5
52213ee8584aad89df057b3ddec0dc09

SHA1
544e251042c445ccbfbb392039ce9094a5722ae1

SHA256
3fd14b070838f5896edc783977421d8f25196cee484a38a505910e4bfea3e18f

SHA512
7636a206807dad33612c68e296c090f334fe1a61164b2bbf9c051427daa62f406cf677d493c296f674fe7f730d9b8f9df36974616b5a49751f627de1833b3aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\qSEUgUsk.bat

Filesize
4B

MD5
fa135435e5650b041b8b1339275c49aa

SHA1
980673ee2b37b7b66a717bcab9a1ef97ee982fe9

SHA256
d5275ae63ab12269166c3621664f8049818124b0fb3d363d6cee9b54e7993667

SHA512
ef3c854502445ab5c48220573fa749947d6c207bb1e688ee295a28fe4f58580e8ec6bae7deeda07efaa70c9e8f94f0ddf89501077dfd4ba2d1565cd70526faa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgQA.exe

Filesize
160KB

MD5
0cb08385aab64bf65d3baf3742ab9346

SHA1
4a43c724beaead61ebed2c72fc5941988bc80f93

SHA256
64417e15e9b102c07ed95b7d21d4b66b3b09dcbf10d2d5cfd2a77adbb4cc8697

SHA512
c829797cbe124ccae924be34c21a827cd755e24315810127c1a361247b16187552dfc895f26d2eb96bf45d11f6cd21ad40fe23d050f30340ad48fbb39b8c80ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkME.exe

Filesize
159KB

MD5
447feed61d3a0c14151eb518155cf005

SHA1
9fe04f85d30123119bca2caebf474d0d46b8701a

SHA256
125261966eb861a26c20735555f0189e027b5dfd83a276d26e8bb4f8d4c73df2

SHA512
5b15d6ca86d19335447418c3f07dd52c5b07879fbde6f281ce021cb9882439d5c626360efe3dc16b72236beca1b279bceee4d19401dca1b7c339db9f94f076e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoEI.exe

Filesize
838KB

MD5
64dbd82e9d3d97ef4cb61b5601777483

SHA1
c10cf8a45eba8e995dcbf13818e1c63754863008

SHA256
6b41fb15af6133128fd1a4b546546815fe171cc48c87ea5152e67df3fffc6dd9

SHA512
f2f7029fda45ea4277465c2a08ec207c08de0c74de09385cbdda9cd90679ee052d92a940326103bf1623fbd380c6f308fb938869d2b3764182116e58eba341cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoQu.exe

Filesize
159KB

MD5
92f41865eaab324d671012fe958ea43c

SHA1
2175e5f6a99925ac4e2d2f46be1b62526fe10983

SHA256
62d202b3211e78eb1bbc14ec475ba78144cab1e0be38ff02463c9616eb3c5977

SHA512
4dcd08d2107b786896d75cb98c28a67e7be80417c19a61b1d07a7d5907498f66a54cc941ac964be5e838a598d74ee46fe94d73ea7f5c28693c9b258f1860ef20

Download Submit
C:\Users\Admin\AppData\Local\Temp\quskQwsQ.bat

Filesize
4B

MD5
606bf50f63d4381d0f1b120a6a1d1c21

SHA1
4ef0ee5ec076741fe18bd500328af4a5078ae6fb

SHA256
5b7b6edcf2e4b63af226c8a9b20bdb481ad8dbfe98de02fff59879e3a7ea5342

SHA512
5d68da32079b2268cc59150b4b18ef5eec4e1ed66ddd22dfc2b5ed6f537b593de4d49d06a85a9e8ac17ba678e3d473ff854972b6c9ddb225f025086021d1716c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwEo.exe

Filesize
158KB

MD5
ed441315b0b5a8d3ac79fdfe66cb0e5b

SHA1
1e247484894fd83f41b94086c5150ea473702335

SHA256
e0f389a5d03fd4fd4f498a4c986dfe096c6822370b25e8798e8a40b5c12457ac

SHA512
af42596f8498e3a3eb6d3a4b04cef6bff9391ba8a36014810cb9efecc3a1e5be14295c9e5337af4076d21573f7030d85a2133254ab1e743c94c3ace4626df294

Download Submit
C:\Users\Admin\AppData\Local\Temp\rGgYkUoM.bat

Filesize
4B

MD5
5b2ac3f50d97eb3c4cf15e13e410fd19

SHA1
79453d883722da2dbafc1083d1757dd6319d280b

SHA256
45518ad1661789922af3f833b9c2ef264ff3aba4d2a5701860488f961301ede1

SHA512
00f61269f5dd8d6311076a6bb33af89a254e56166c7605821e851611be2d207ad9e8bd59da3c3c8c1dc8800e86703e1ed0ed3c3f6df0efeb886ce047517eedff

Download Submit
C:\Users\Admin\AppData\Local\Temp\reQoYUko.bat

Filesize
4B

MD5
2f259dcf0eacdb7bf45e46f738364cf7

SHA1
94ddb0b95aa01568487c844b90a12f75bce99c3e

SHA256
11acae489c8b3f26328c1e24565c97d3604e442720ba8217146594bc7b4941c9

SHA512
20c0348b69325c0b3eb1d155ce8cb16219f6a01194ffb6982bf78d5c2521f5bde2eca1f63e84407306ed0263ef29015fe31ed76e693daed6700d68a3255664c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAgq.exe

Filesize
159KB

MD5
23beb60637e7326f7b66e100517b6d51

SHA1
c802273c09bdccb886f40573564ec3846db6ae76

SHA256
2249328acf2dec2cd4baac7f37fd390cdefe81f76740462b589e9a6baf264f30

SHA512
4e9ef93df9a8cb5ec9b4ce4c474875fb4bd3837b040b8784129111a78c4e9b6bda17f9332fcf3487ec4c5dc864514227acab73528e3d1fff68e9b718e4dbb49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sGwQskcc.bat

Filesize
4B

MD5
a308a01662826768dc44026eb2ddabf4

SHA1
61867226e0332529eb6fb83ed0a7ad869ebd288e

SHA256
5052f1a2515d9883e6a20a679d30b2b86b87a077b15660057df2b75eec21762b

SHA512
01b968d3fb3dae831c298c254336741a88e0f7a9e74031ccb6767e4791a26ba6be079c9edff6cff478eb3c1ead2d6c9ac1bb6fe3e1b9095ef922b01c315cc483

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQoI.exe

Filesize
159KB

MD5
83d6654ef02c8905cdb69fc4e1e2b51f

SHA1
7f04d4fe1be5d1c5b872224ea401c2a814b834f8

SHA256
b0febbfbe5affedcc022dfb2bf6f8d587a3e1d3cef8e413a16fd2c207792608e

SHA512
6e117f30b0f2307e4944c48ad068390c2e07385ae74a7a25d805c381ea18fa17100fe89e4f5c014659fb2c73c355b71d19565ad6b1f799e2d250081fcc895751

Download Submit
C:\Users\Admin\AppData\Local\Temp\skMk.exe

Filesize
541KB

MD5
33d07059cbe73744810cf3cb810f396d

SHA1
4a1fe154a05e9a25e7a6e1c3c3a8eede23f45761

SHA256
d0cb355315927882be6112cb769328620cf67536a408f5b58946763fa4e98852

SHA512
9279c5ffebe435b0cc9497915b0ee1b5ea2e9911d0d182cedebac209ce04dee0e120f6103c0d9ef473fbdfd3cb37cac3d52933bac6dcdcb94e3a26b707da3209

Download Submit
C:\Users\Admin\AppData\Local\Temp\swUi.exe

Filesize
159KB

MD5
9b5941b06f47815ee9f8f8de42a33f81

SHA1
8e993b7630a342792d22642bbb0a8751dbd281bb

SHA256
470ac94cd0f422d3f00591fa4837a81419ed6705d3b757c7f2756e5d047f99c8

SHA512
9ab2de5784ec54a7ff4febb9ccb08af3afe53974509ef0848c38ec772bfd36eb53f72734920762078e16cde61ac1e6e056323148b2e62e95fa33ee477c801dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\swsY.exe

Filesize
158KB

MD5
d852ae594c11c6275e628c0b70b13bde

SHA1
b0d4218e3a14a276fc5b7e4ccdb57bc60b9ad234

SHA256
13956e352fa21d0114d6fa6225844fe25691b7f53897df68171ea95b8d879bc3

SHA512
3354fd958c9a74834bd06dfd371e9bbf05e4bee050e36d2f239f570fb9680c6291085aa352d2ad53c51e93c2c54476072f857b241d23abd69a7ee235a6dd295b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAgi.exe

Filesize
157KB

MD5
012509ef38b8ac6e8279070e4d5c36da

SHA1
f2cee9a7de5fa4b52426a2df703bfe7df291bf14

SHA256
156a4b6f80a883fec17de88c62f68cdd2b1e42f8aa03c9f135a92b07afc63eff

SHA512
155456d583835d075b7fc560d3228f19740a4ea21b979ef6e2083b597387a4fd89bb740311a774d4ca8696d7789a045ef05ea93a29d627b6f7d766e857f9626d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMEY.exe

Filesize
237KB

MD5
42f255ffff272676f4858ae8a84f7627

SHA1
d7611731d0fb1d300aae9b5ec5621fdf00e94c58

SHA256
66a38b89ad18358c7e25b71e37b2f3f71856bef9454b41fa376e981f6526cba3

SHA512
cd1319d53db5f21250c56ad04aadc08ab7ceca0cd2782168f46c38ed390e3e0f804effb3cc835dfb03e4f463713fc98d5a5b5ec76c9a9787de168e2573ad80a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMgC.exe

Filesize
150KB

MD5
637becd01b63f2e8620df323548be37b

SHA1
d8c23c465c094b77d3af05503831347a4d72b25e

SHA256
0fffcd8fb6f817e0a4fa07651cfc18bb6b6d63a46af8a9b720230d924939b399

SHA512
9b308745507c278db32c9248eb3850a7b2d21fa4db112a34f16521252456bcab9ce0cb393f71022a54babd706006fb0d23e115c73d7f0178d5ea3402c2a1930d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwi.exe

Filesize
158KB

MD5
c67e1d5cf48b6e80fa2a969a1fd9bcbc

SHA1
d61ecab57cd953a0d40416419fc96b1cd0d1e931

SHA256
dc680de44d7094000e46184e5cda06948dbd946dd02a83ef90074fc80fc10bd9

SHA512
f21751f1cf16d0eeeee8fa0c319a661322b9b63fe69d0ac79b85bbcb2c49cf83230d96e1a64caacaa309229db67b1ee1e72dd5070e4e903d1d8806da3bda5894

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukUs.exe

Filesize
946KB

MD5
435d752b2ac51122885f80cf0ad8e17c

SHA1
8baae0be006ed0afc42cffed2a023ea792535bab

SHA256
9ea5fe21e69fe64c7482fff85982c8346a092d383b204fa94907cd1cf5700efb

SHA512
2579a24b83c04fda1378724c1f993a03c770c4656ec6685b0cb013401134d9eb0a92b825854bf89d73fd8b256bb0b500e972ed56f0c60c37e1e1c5484b1e8d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukck.exe

Filesize
639KB

MD5
e94a26702d76cc5dbb784757eb6de5c0

SHA1
1c356e7bcc239e95abb65ef50fa5cc8882ea3e70

SHA256
31ba4c6c71cfc6b7fc3567a6fc086cda157064232371b6fb7ce03f3efbee9b70

SHA512
89be519efb12caa9a6ab69d0aa2e7d209478423d698c97a2da3d3a882d29ceaa09fb76411cd406dde46c940e9c7fee080c500f99fabef39dcc184695b4fde1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uksc.exe

Filesize
159KB

MD5
d409b2956ba0d702c40ecf597b87d338

SHA1
142a2e93015d4f0164ff7f3039842822d75ff0c9

SHA256
92b8eaa637003c18e48c59d618cb0bd38fffae410ef10ff9302b3ef2bb267e72

SHA512
79c7e2bb75bc54ad86369b25313d9a6e782d36070a7737d396334728e128509cf93320addb440d5575828debdd2cca95720ce854041cd68075dee76c12e211d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoEu.exe

Filesize
159KB

MD5
550a3beb1babf6cac669638a39d5d008

SHA1
a2048f401f59ef0c8b3fd6babd293ca54b25526d

SHA256
0a3e458f8fddea6968585bfd8c6a520ea3d7d649a78c5583fb04517540cfe73b

SHA512
64f0bd43fb807149dd314082d8c81458980a12f431a8e7d017bff2040334731830f9becb8bac0ca82fb827912801bd3cc1b76e298c2d9dc55a0505a7b4c3c11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vksEMIYY.bat

Filesize
4B

MD5
5894ffca49b9c7c1ffd6813c780b9cf5

SHA1
84005f084bb34afb12ec08bb19a67beae0be915d

SHA256
6cf179fedbcf7b5021ca63457a3d50b7fad015d64bbec3e287a8d919ac7daadf

SHA512
b71fa035b89710d7644a9cbc088e08f51f059430b37a2ca9a64507ddbae7d1e656ce18ca8529340e6cbdf2629a6c2a3c767c4a120a940a1b4455384ed83217e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wCoEAkgc.bat

Filesize
4B

MD5
58803f75146af73072b0975802ab6084

SHA1
88807b5d067562a274a12c74a756eccf5f5d79aa

SHA256
a3c84212d7dfbbe21278b68b883ca4742a5ddc2ed01d8ea368880c815f9d8443

SHA512
ffde26a31963889be81a6adb3dbb15c294571a692b5ac5b125319d5311a14248f17daa14e2f8aefcb631801c4d9e9567c8398b02c45250f754275e0391268010

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcMm.exe

Filesize
157KB

MD5
90a1cf9159f82031bf90ff83dec108e8

SHA1
228fd863aeae5110ada4d51b015219debfcb6b7a

SHA256
e2fc2ed16fe46ce4aebc5ff3fc08d941186475cb66646607590156dc23a7b383

SHA512
39d0f747afe8918663edcff15514f6027b4d286445a7c7e013ba52e5344a698bd2e4622359bd8cf3e636cb38cb382e11a3e4b4e56926591c7606a708d81072c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgYU.exe

Filesize
394KB

MD5
5bb9fbec5df8f46e7dafa7f47dff0731

SHA1
3ad458df5f28d7f214d3af5d13266b5d52e069d7

SHA256
63c7c8ce951e6e892bb0b74222de72a2022f873480bc88843da70ba1096c7e17

SHA512
cff87fa4469226ce9a9a73735d0c4868e51e51e4425352e53c185b45542cd349f758d0b8bec46d8d1faddc002d6678af2b0602c9fbca357bc7246586af6c7a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkIW.exe

Filesize
570KB

MD5
1363bf9a4670ca94065915bfffc77fb8

SHA1
4bf7bc37f5517cc4a20e0060fbdd0705d07cad97

SHA256
eb78001f54307db0e3326d5d899ed95ecd60061620fad16e1401dcdfd0328fa6

SHA512
d22aa34d7bc2f1329396f1d341f2749c8e0b357560bd7dcc7ff67a4f9c05680f481a1e39bfd85460c2c1e32dc2e7b69b502a6988dc13af2417833e17e437547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKcgkgEU.bat

Filesize
4B

MD5
7fc5e180bc02cade792198d1974e92ef

SHA1
432de3b76bd6918a3c879638a371b2416f907749

SHA256
5e2fa6b11b4ce5c184319698923bb0af53403563134067b9391ca7b038900cd1

SHA512
7025a7ecf370d0c8d808bd27587c8781d430a202c1598e1d89b688d224c45d4ee5225270a48182b6ef98b1d48d6d9c2a998c45a114ff0c7a5b263e2c037cf0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKcskcMg.bat

Filesize
4B

MD5
95b8ac5e242de53a8dbcc450803a7e1b

SHA1
24be9409de3adb8df8f2ab9dfedd0e76167fc36c

SHA256
029bf0107de8d8da5a746310796de02ee069a5bec4eae8a8c450351e41730bee

SHA512
0877ffcac0636523a09bb91372e434b7bae6eb9108a057c5a104a1b928d3fed2f70eae5fda1f3d4df2cde51fdcb573d912d1bc262efa9e0c2d69cd87002fd506

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEYG.exe

Filesize
157KB

MD5
05611bef3ee4a3d53d14caf5c8dced6a

SHA1
45896357233cf3a507fdaabaaa5fb7bf6bdb2b1d

SHA256
11c487de60bce61812205c9fbbea77fa8b2ab5371ea7b370701ac083a43cc321

SHA512
40295c7cadf060b095c70727d7fb70bb979e1cf97d2d9a291a963ed07c3220ec03c754691cb9f29343c8f770ec51281d3d9c8b09fdde9e96a0d1d282980d667a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEsI.exe

Filesize
470KB

MD5
1d11df20051e336fac96234c842525fc

SHA1
dc6bb64a439c698dbc704a7de7aee67cbd6fdf3a

SHA256
88e6b08ad980159063377a45883740382b7c1bb250e0ca92338c59f3321d5a66

SHA512
02d6697755fb600569668329e7c1ac4cbd6f1bcd773506e746e286564d593c9e3c4ff63957dfd57b419b04bb755be9ab5b49e019c117088985edbd379f862632

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIwy.exe

Filesize
4.0MB

MD5
cb3687fcef7b2d815bc563ffdb8bc0a1

SHA1
cb2a758eeffc504a25c91770b923f44aceaa095c

SHA256
54a67a7cb07e07e900c6fcb39c505fcda5629bf3a31e735ec49918510da2a829

SHA512
ae2a56d3af78edef11357e7af63ed936bb2d78ef81257fb81ccd21d98a5894a5b59cc35a36a845b3be4467e6fe9aa468a29848b1ef07873b26febdb43228461d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYMq.exe

Filesize
160KB

MD5
2c451f48a96377b0d667b556ba798f21

SHA1
570b325d99b4c82a4c6f88e975ce5e777e0f202c

SHA256
701c8527241b8e40154b19feea3872a419b50066db4db209284880755c58e1e5

SHA512
3a48b2147860049ce4feb5c2a9efddcf11767b1abaea70191694aa19f3e1c356c4f9b2f046124baca29f55e87a34e84ddcfdbed2540ce41c409b4a0119d05581

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYkE.exe

Filesize
869KB

MD5
e79ff9cc2a70407a66e569825d58bb6d

SHA1
b5c07677af94039c037ece63b5ae7217d46b1455

SHA256
41bc63b24b171fa9008813fc456c36e363028a4529032e22edd9cf28da0b12e4

SHA512
bb2251c319c719ce0cb63f74d21387a96584b32192042f401e74f03b54b5da13bbe021c02d490c79819ac199bcfbe4aefe98bc6c3ecb865e1a8a72574e254cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysMG.exe

Filesize
744KB

MD5
46bf5463ed8576f90fe2d05d4ac695d7

SHA1
2073550e5a889325ebe7093876dcd1491741667a

SHA256
9e47c64c131b886b1251787cc1f8788d516f9f69710e0ac3c891074e8a0736c3

SHA512
a3800174100fe3d0c0d137736f2ef3a807c1ff9dc7151a4be338d0080f8a5b9307a754a55b27adf9521c2968f692a1bde1d04fa59a9e855ccd2d8151caf19383

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysMM.exe

Filesize
566KB

MD5
78d5ea4578071f869820ee1e39045709

SHA1
1b1244cd296416a0e63a05463d89510af8ae1c5c

SHA256
9b95c9350e0de652dc7d00d58b30ad0b17a7abfb943e3f507ca577dcadf0b9ce

SHA512
fea45ac6b79720e0e5f15cd1feb3053fc126a59815a1c4e9a9aaab0d3817dc1b08c01be2d1ccd649a75d62e63d02efb5c96d4133e0056222537db883723b8486

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIIwYQgI.bat

Filesize
4B

MD5
02a80a749639c30f3dfbacf8c6d8f633

SHA1
062983af3fa01973a0eb71f507b29bdf9e155ff0

SHA256
a5bcaad395b1466ed942d4ee855a97a7f28330bf533ef92089ebf7e29dbdd36a

SHA512
70a9af451627ba3363a34a9fc03ccac431872aa4e80b4478e07ee76694ed3efa0bb4854af8a6ff98e0031ed85d7497df3868428e0df9162c16a463dfe0ced46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkAIYgsc.bat

Filesize
4B

MD5
0fbe0c629e9545e264fddee316caf114

SHA1
2b3a4ca675221ce705084a1ba520ddba77a06ed8

SHA256
95ebf83d373953989689d181b8c74db247ed3c72fa48f8507a57394787a076e8

SHA512
2878696617aa2d9341d67786b5df41a1d5ba134b32cee66a5a66612ee79043cffe1c898bfb502c16c347e2c183b8e790f2304e8bbb1e385832e22774e329f815

Download Submit
C:\Users\Admin\AppData\Local\Temp\zocMgkEE.bat

Filesize
4B

MD5
eb1ddebdb76917a3386e59e43d83ae4f

SHA1
8becedfac4fa5cb88710d186495fafdb53e1298e

SHA256
6dd1b93c88f418bc1e9e2bfc460256100b3fe0e53403f1a6f2e87d63bac04910

SHA512
1e01b7836163e259741aaadc6727e5b709edde8981ca782bef1acbb81eee32f9c2981c5f2f60ea7e0ae6bcc83434e6ea6fefd365c420f1c8002e57df7a26e10d

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\ProgramData\AKkAIEYo\aEswowUY.exe

Filesize
110KB

MD5
7476a1ab307febdf20000b1d4ffbcdcd

SHA1
75e9e925ff2e8330876000e3bb296a8155a962c4

SHA256
c7b88bfbec78a7bce42f007a722247cb58aee387efbf89b909f9f7117b919497

SHA512
f5349d65f7849d1022dc66325dc3d603e6a489cad41daf1c608ad8ba362e78483b67012ab03b6d8ac7fbed2db1a71b8ec96353cde3ecd0d32a26cacd164c8554

Download Submit
\Users\Admin\FqAMUYkA\gKgIcQIo.exe

Filesize
109KB

MD5
d6b15418757eec9c097a265678bd6453

SHA1
fb9dc977f51c12cb8d90c8da03c7094ebd3f81e8

SHA256
28dd647af286083f2363de9543de5ce120ddd6104690274f0dd13c6da02abaca

SHA512
61f3eb7b2e9139d63c2c41f30561eb3d633db02138d06d3ca33fb2c2de3a2f6401e534eccfbb05d02f1c19c5f1a4686d394a4d0510c65190c5d9ed3ff6845939

Download Submit
memory/240-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/240-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/328-762-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/328-642-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/624-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/624-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-20-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/852-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/852-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/900-80-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/948-567-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/948-568-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/964-898-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/964-897-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/980-291-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/980-290-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/1296-408-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1296-409-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1304-410-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1304-441-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1376-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1376-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1484-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1484-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1504-128-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1504-127-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1612-813-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-921-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1616-362-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/1616-361-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/1680-651-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1680-569-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1680-899-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-637-0x0000000000740000-0x000000000075F000-memory.dmp

Filesize
124KB

Download
memory/1724-631-0x0000000000740000-0x000000000075F000-memory.dmp

Filesize
124KB

Download
memory/1736-129-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1784-467-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1784-432-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1852-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1852-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1856-835-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1856-727-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1948-103-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/1948-104-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/1980-57-0x0000000000370000-0x000000000038F000-memory.dmp

Filesize
124KB

Download
memory/1980-56-0x0000000000370000-0x000000000038F000-memory.dmp

Filesize
124KB

Download
memory/2000-221-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2016-81-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2016-812-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2016-811-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2016-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2068-385-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2156-457-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2156-456-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2232-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2232-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2304-338-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2304-337-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2444-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2444-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2496-996-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2508-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2508-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2516-198-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2524-175-0x0000000002240000-0x000000000225F000-memory.dmp

Filesize
124KB

Download
memory/2576-33-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/2576-32-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/2596-314-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2620-419-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2620-386-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2636-458-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2636-505-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-339-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-372-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2684-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2684-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2712-496-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2712-578-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-363-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-395-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2784-151-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2784-152-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2800-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2800-348-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2932-726-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/2932-725-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/2956-495-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2984-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2984-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2984-21-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/2984-9-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/2984-8-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/3036-31-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download