63b309b5e85517ea2db32813bc5d5e504a9548f3d29b5dd88aaa4c5e97e766d6

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
Size

123KB
MD5

139918518fe0162c1ee92388bb5a7ce0
SHA1

3aa3e8f262ba0b1f77463bb828110909b705f5be
SHA256

63b309b5e85517ea2db32813bc5d5e504a9548f3d29b5dd88aaa4c5e97e766d6
SHA512

20e506cd05a7339e73ef2f6233943143a00294e5079983ba07d00ad6608b73fa2e0d1b611e511b92921792e85732934f654bd3515707d76c28185fd191398cf3
SSDEEP

3072:KprT5ike9IExce31FR6dy6wDY27MwlWqlWqlWqlWqlWqlWqlWqlWqlWqlW9:KpQ9Ile31Fwjw02YwPPPPPPPPPS

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo\Nation	GCwksMAI.exe

Executes dropped EXE 2 IoCs

pid	Process
2056	GCwksMAI.exe
856	ogUsQUkA.exe

Loads dropped DLL 20 IoCs

pid	Process
2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\GCwksMAI.exe = "C:\\Users\\Admin\\MEscAkMo\\GCwksMAI.exe"	GCwksMAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ogUsQUkA.exe = "C:\\ProgramData\\MqEMwoUY\\ogUsQUkA.exe"	ogUsQUkA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\GCwksMAI.exe = "C:\\Users\\Admin\\MEscAkMo\\GCwksMAI.exe"	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ogUsQUkA.exe = "C:\\ProgramData\\MqEMwoUY\\ogUsQUkA.exe"	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	GCwksMAI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1452	reg.exe
2852	reg.exe
2236	reg.exe
1584	reg.exe
308	reg.exe
2840	reg.exe
2800	reg.exe
360	reg.exe
2336	reg.exe
1876	reg.exe
2596	reg.exe
1732	reg.exe
832	reg.exe
604	reg.exe
2500	reg.exe
2328	reg.exe
1868	reg.exe
1976	reg.exe
2596	reg.exe
2532	reg.exe
1996	reg.exe
1784	reg.exe
2812	reg.exe
2180	reg.exe
1616	reg.exe
2200	reg.exe
1852	reg.exe
2720	reg.exe
1556	reg.exe
1500	reg.exe
2300	reg.exe
3056	reg.exe
2112	reg.exe
1760	reg.exe
588	reg.exe
1912	reg.exe
1640	reg.exe
1336	reg.exe
596	reg.exe
1888	reg.exe
1468	reg.exe
1336	reg.exe
2268	reg.exe
2648	reg.exe
1832	reg.exe
2652	reg.exe
2012	reg.exe
2384	reg.exe
2012	reg.exe
288	reg.exe
1720	reg.exe
588	reg.exe
2488	reg.exe
1416	reg.exe
1916	reg.exe
1032	reg.exe
2468	reg.exe
2296	reg.exe
2264	reg.exe
1664	reg.exe
2568	reg.exe
2800	reg.exe
2128	reg.exe
1612	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2460	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2460	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2320	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2320	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
684	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
684	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1060	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1060	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
868	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
868	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2668	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2668	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2516	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2516	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2796	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2796	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2040	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2040	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1888	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1888	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
920	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
920	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2448	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2448	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1676	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1676	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2036	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2036	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1432	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1432	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1084	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1084	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1888	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1888	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2152	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2152	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2020	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2020	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2104	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
2104	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1328	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1328	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
776	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
776	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1864	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1864	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1664	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1664	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1016	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1016	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
716	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
716	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1868	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1868	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1528	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1528	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
820	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
820	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1568	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
1568	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2056	GCwksMAI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe
2056	GCwksMAI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2056	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	28
PID 2276 wrote to memory of 2056	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	28
PID 2276 wrote to memory of 2056	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	28
PID 2276 wrote to memory of 2056	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	28
PID 2276 wrote to memory of 856	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	29
PID 2276 wrote to memory of 856	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	29
PID 2276 wrote to memory of 856	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	29
PID 2276 wrote to memory of 856	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	29
PID 2276 wrote to memory of 2516	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	30
PID 2276 wrote to memory of 2516	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	30
PID 2276 wrote to memory of 2516	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	30
PID 2276 wrote to memory of 2516	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	30
PID 2516 wrote to memory of 2592	2516	cmd.exe	32
PID 2516 wrote to memory of 2592	2516	cmd.exe	32
PID 2516 wrote to memory of 2592	2516	cmd.exe	32
PID 2516 wrote to memory of 2592	2516	cmd.exe	32
PID 2276 wrote to memory of 2632	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	33
PID 2276 wrote to memory of 2632	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	33
PID 2276 wrote to memory of 2632	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	33
PID 2276 wrote to memory of 2632	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	33
PID 2276 wrote to memory of 2644	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	34
PID 2276 wrote to memory of 2644	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	34
PID 2276 wrote to memory of 2644	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	34
PID 2276 wrote to memory of 2644	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	34
PID 2276 wrote to memory of 2560	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	36
PID 2276 wrote to memory of 2560	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	36
PID 2276 wrote to memory of 2560	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	36
PID 2276 wrote to memory of 2560	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	36
PID 2276 wrote to memory of 2620	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	39
PID 2276 wrote to memory of 2620	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	39
PID 2276 wrote to memory of 2620	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	39
PID 2276 wrote to memory of 2620	2276	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	39
PID 2620 wrote to memory of 2544	2620	cmd.exe	41
PID 2620 wrote to memory of 2544	2620	cmd.exe	41
PID 2620 wrote to memory of 2544	2620	cmd.exe	41
PID 2620 wrote to memory of 2544	2620	cmd.exe	41
PID 2592 wrote to memory of 1036	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	42
PID 2592 wrote to memory of 1036	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	42
PID 2592 wrote to memory of 1036	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	42
PID 2592 wrote to memory of 1036	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	42
PID 1036 wrote to memory of 2460	1036	cmd.exe	44
PID 1036 wrote to memory of 2460	1036	cmd.exe	44
PID 1036 wrote to memory of 2460	1036	cmd.exe	44
PID 1036 wrote to memory of 2460	1036	cmd.exe	44
PID 2592 wrote to memory of 1676	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	45
PID 2592 wrote to memory of 1676	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	45
PID 2592 wrote to memory of 1676	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	45
PID 2592 wrote to memory of 1676	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	45
PID 2592 wrote to memory of 1552	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	46
PID 2592 wrote to memory of 1552	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	46
PID 2592 wrote to memory of 1552	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	46
PID 2592 wrote to memory of 1552	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	46
PID 2592 wrote to memory of 1820	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	47
PID 2592 wrote to memory of 1820	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	47
PID 2592 wrote to memory of 1820	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	47
PID 2592 wrote to memory of 1820	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	47
PID 2592 wrote to memory of 1760	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	48
PID 2592 wrote to memory of 1760	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	48
PID 2592 wrote to memory of 1760	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	48
PID 2592 wrote to memory of 1760	2592	2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe	48
PID 1760 wrote to memory of 1836	1760	cmd.exe	53
PID 1760 wrote to memory of 1836	1760	cmd.exe	53
PID 1760 wrote to memory of 1836	1760	cmd.exe	53
PID 1760 wrote to memory of 1836	1760	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\MEscAkMo\GCwksMAI.exe
  "C:\Users\Admin\MEscAkMo\GCwksMAI.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2056
- C:\ProgramData\MqEMwoUY\ogUsQUkA.exe
  "C:\ProgramData\MqEMwoUY\ogUsQUkA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        6⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        8⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        10⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        12⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        14⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        16⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        18⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        20⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        22⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        24⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        26⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        28⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        30⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        32⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        34⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        36⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        38⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        40⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        42⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        44⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        46⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        48⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        50⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        52⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        54⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        56⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        58⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        60⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        62⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        64⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        65⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        66⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        67⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        68⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        69⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        70⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        71⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        72⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        73⤵
        
        PID:356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        74⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        75⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        76⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        77⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        78⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        79⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        80⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        81⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        82⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        83⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        84⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        85⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        86⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        87⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        88⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        89⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        90⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        91⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        92⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        93⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        94⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        95⤵
        
        PID:356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        96⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        97⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        98⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        99⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        100⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        101⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        102⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        103⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        104⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        105⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        106⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        107⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        108⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        109⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        110⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        111⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        112⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        113⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        114⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        115⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        116⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        117⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        118⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        119⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        120⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        121⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        122⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        123⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        124⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        125⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        126⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        127⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        128⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        129⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        130⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        131⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        132⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        133⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        134⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        135⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock"
        136⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock
        137⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fcMEYQsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        136⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iQkgksYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        134⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cscwgQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        132⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iawwoAkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        130⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGwgsUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        128⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TockgMMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        126⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JeEgsUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        124⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TWcoAggM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        122⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TGMocAcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        120⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rwcUEYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        118⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AeAQsYkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        116⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOoYIsIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        114⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMUocIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        112⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GOoYogEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        110⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hQMIQcMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        108⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dKMgYMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        106⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nYIoIUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        104⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BmAAEgsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        102⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GCoUssMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        100⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEUEIowQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        98⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YikMkoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        96⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SiscQEsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        94⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xeIAsAEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        92⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tKMUYUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        90⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zecAYkQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        88⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MaMIwMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        86⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKAMUsIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        84⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eQMYMock.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        82⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YMUYEAos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        80⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LyogEMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        78⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rOkgQAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        76⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rSkkIMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        74⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mukoIkQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        72⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gcskIMog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        70⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIcEkIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        68⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIIQMYQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        66⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcgMIkwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        64⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWkUgwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        62⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LaEQQoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        60⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\faAsYIIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        58⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMIMgQMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        56⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCosgMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        54⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IccwcAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        52⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QwgkQEIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        50⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQYIIIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        48⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwgAccwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        46⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FsUUYkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        44⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYcYwEAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        42⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\geMEkYEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        40⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IekAIYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        38⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEgoYAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        36⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yCAowAow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        34⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HMAIgcQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        32⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FOYUMkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        30⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\duUwoAAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        28⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIQEIAso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        26⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FussUksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        24⤵
        
        PID:360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OeccUgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        22⤵
        
        PID:356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEEYwsQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        20⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iaIQcEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        18⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCoUUkcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        16⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgQAQkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        14⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lQcAUgEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        12⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQMUoYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        10⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TyYAAwUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        8⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2348
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1264
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1260
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:320
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cscoQMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
        6⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2508
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1676
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\aOQssUYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1836
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2632
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2644
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmYsYsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "131716562903964236157469781-1696266671-8388995241109179756139644530734286972"
1⤵
PID:1828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-36582565217371524884669261522129558487-375282621-2096795665-1294737609817849768"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1996606364-1089142895514789657-1303543969-19494601571484178047-1942456069-230036552"
1⤵
PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
154KB

MD5
70b223ae8e7dec3f7838da143e8ddd56

SHA1
83c3991182723fd281e54a73fe322bc358bea93a

SHA256
8dc2833d73a23262041dd6e584e76dae08ff8450de6b06bfbe33ab1d92064013

SHA512
f9144f33aded4b3d0a5870b94f0510c0b6d25228606577c62486c7a8e0ea16fff73e51722dca82417104932e1d57a41ce06c7a29c8c1b6b0fee10541a103e687

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
153KB

MD5
de64a2907c176f90e5f09135d9b8b321

SHA1
fde759d81c247bf17e35df3146cd532f7a5d1d9e

SHA256
b0c587658c1ffd29308597e3ee39646bfab9e2998d32600fc8cb26c7780d0134

SHA512
6692b8daa9cbe59116a12b1f91e9fffe9c3796488d9d86a821ed02623ec9f1f13c3b0e810b7ad5a14fe8f7da5515a5ca15ae0822ba00e09ead8a0c65b17c890e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

Filesize
161KB

MD5
ea586387d24802d137f58c4c9c82dd39

SHA1
2e86ee52cf669063d4ed1dc47f5737fdbea99a04

SHA256
73a41db927e1b1c03140a3dd1934c6ceb155fa4de0192ae0bbc4349a82cb1f2c

SHA512
92c764f78f4e8b58e7e5bbfd96b2c9bb96bb2adde370f3612f1500cb409873f5169b0f19e4a77c1bb6e8818ef64b3cbd694dfaa90a7cba7b8927ca405f242412

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
158KB

MD5
416c7639d3f7606676fa4f14347fca08

SHA1
a639e250fc17cadd466eb2da660b4979ec70e665

SHA256
e0ffdae8c9911b3a7cbc34df68eb86bba7e1fdb8e24b11e739881ffb7480a2de

SHA512
8bd8e5e3cfa10047e91551b9b02ce6fda242c4461e18b1bd6a48784697885a9edff19719de5b77c65e1993f1ecdd96d26f4b68e570f3f5190833fa3a05f61bd5

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

Filesize
162KB

MD5
22017771719b2772b8f9617b58d669a3

SHA1
94df931b8a0c3113e9e202b57ed2e7d249e45336

SHA256
4b8a5ea18b4fd5220d87ea933e3ff7138224b3c5359cff7495933c344142ba71

SHA512
56a3ec6f149e0e9d9d6ea2b720009a53949d1535647b15bc8998757b174cf51ef451409b7c7dbe5d8c62e76ab6276ec0dba1c51c310e80185f079dc8ee384721

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
159KB

MD5
8faefef9a457543d3471c21b66cde71f

SHA1
8021276ec234abc9d6f4c2ae0290cc0be70e7a9b

SHA256
73c98f15b4c7dab8357019dfc79c57d909244d8652faff31e846be213f66fae7

SHA512
38b9163d019a0285cfbfc289b4fe2bbbd5c0b99a52b3b21c70014b9945cb22b0b2c00f46e49d4a6f5e4cc49cc3bac10235ec10bfc77a7c6bfc5764080b31f042

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
159KB

MD5
4532d4680b6533648e618aec4613451a

SHA1
60c2948bdd6d7296ee01aa27c7820c229d3882f3

SHA256
9f64beb64e15eaee03c0d8ae0eb8935eeb9e0bb17c2c4a51ef856203a7052a4b

SHA512
47ea3e30e53f5e5f0942cce8ec032b615a96fd235799a9efbf07e224de0756d45dc27940c9e0ec7309efe9a0d11ea74c3278d716471c58ac9850f87c5a8fbb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-06-11_139918518fe0162c1ee92388bb5a7ce0_virlock

Filesize
7KB

MD5
60ccd873735d9035c52f9c02f786f75f

SHA1
bd7d492425c86c703f52b2edd94c3996a73c5592

SHA256
7e787fc9a671c15b2b02d94b4d50cefd3341fb8d6aabf42ac9f6c7953ed147bf

SHA512
f8b7d52391e71ff885065967b37f4a06320f974326aa3ec9d03a36917a904ccffbf4f10ed9ae666eb2dc73790a59808b5bc736c1e630842aa1088480beda2931

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUci.exe

Filesize
363KB

MD5
577db3364c3d511fed863f930b449f00

SHA1
1d97c988078ca852cc63a8950eec9bc1d4397575

SHA256
6c6b6d6824d1d9364989f4d80fbe42ed0379c91f1d87eee4c01bb897839498d8

SHA512
54590b5cea9447147c75b9b546682eb70f6885688e5a11d7db1794d6d37993cec071885e6f6c1154f3facdc8528231f355e1d31cded1602df83745bf0680e776

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcUQ.exe

Filesize
157KB

MD5
4a4afb6cc29db2735db6855bf777e684

SHA1
9a2e98f5e869e11823d42eb97f4965979676fd25

SHA256
7a06eefaea0f594f35a7c62e7de12817af17104abd26f80d08e7a384968f2465

SHA512
261e8bc555ec023057221dbd207068291a5d75a0f2bf6e9ce7be4723c080cde783033f0396a7ce851e0967b898ae864e122fe9d14a1704b761a8319be77e73bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcYYgkwU.bat

Filesize
4B

MD5
9496035eed5369b7c373d8b959c850d5

SHA1
583f7306a9f17fa0b2cb918a9751b5eaf977156c

SHA256
0a0ac6ac8070216987eb5feaf50868c4e31bb3d600b2b238df313944621db4a4

SHA512
2ff52634131389a5050dedd2a53ff75b9aed8d800bb17b1d4087f49bcb49a61d1ea52b9ccde0d320d805bc4b4bf07d503e91f4a58aa36395006fbe90d8ee7186

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkYC.exe

Filesize
853KB

MD5
c92460f1a4f06a0999b75dec68c602c6

SHA1
67511adee41bd892c9fb428fe0ed480b9aba841d

SHA256
044313393bfb1f64d99720b43db6e219e20397517a9d585f0a00e231f277146d

SHA512
c8c5afdc4531c856ef1266a9057f18047eec45b643bae08169a3a8d6c7158d70a5560c0736b5afa7bdf7eba72a9f739ebd8f6dffe85c0ae792c9a0a0f46f8e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmYsYsUQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsMG.exe

Filesize
158KB

MD5
0c560eb2a4128d7d0aa151957beb6b5b

SHA1
9d0fa914f8e555574a43fe484dde0800c1c6e8b7

SHA256
0cdae3bf685deb395ad384ba7ec211e562dab5da5a5d4f7f51a2d6a4dc5160ad

SHA512
15ef150b2c3cf3653a981612cc56084a7a0d7e331b8aadb5be9d8b2891132998242093ca461e0e05c186ea57fdf1b6b645f658d9e991418b8db7cfb283ca5cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsMw.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awke.exe

Filesize
159KB

MD5
550374abfba8abdcced8e3bf07e2634d

SHA1
ce16127c98a639e96069d4603d67d5cfe6d95d5b

SHA256
c47c8ebc8c1961841ca3a8f2ab75b1c0dbf9fa754bba80d1279547ebe1e041e2

SHA512
176ff5681d4bdad36bb88d007c3b5cbcddcc1e0579567cbec7512cc69ee54a7a23d2d5422c5611747ffa8f81bdb03caef722657a7d3d1b0c1a22ddbd360b42d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAcwssEg.bat

Filesize
4B

MD5
428ca8c686fb702f7651ad4bbbb4ceb7

SHA1
b3e96fcc9d590ad1867d75a43942dcc0b8134e1d

SHA256
89f6767d8fb0881169996e54d7af23ae75ef09aa22c431fa377d29ebf3d0033c

SHA512
84619e033180cd9bd30e1fb92e28532a9df666dd0de96fdc6933cc9a0f03aa4e9bb95bdebe8cdb2fad6d066e7118bfc782b9026639cfe9628d09f59bfabca0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGQkAQcI.bat

Filesize
4B

MD5
6abc5dbcf3c5b5ca3c5d1c4277c14343

SHA1
ff254eb8b71f6eb0fd9b2bbf79535f2e0f5e3183

SHA256
26abcfb8b90162d9042501ce34abe464fc93ad94d902c90fd471c52efee238e2

SHA512
2595c8790b71b290a4337814e0f0c4c5f4dc756933a1bfc4137efb5d4ecfe04236144708701d5d8041bf00df6f25b68cb1cd4b85972810d8152b739bb43e96ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMAIYcME.bat

Filesize
4B

MD5
776f23e76d21b344471e63a35c979229

SHA1
b93068c11528eeca52dfc0175b703a2bcf431664

SHA256
92a4fd7a31734a0f0824ebbdc3d91901a3e8903383cc07515a1fb2f45c91523b

SHA512
bc701220dde0efb8742c32e2150bd72c4e7d6c3ff20088a94d4a6771abeb44731d1701d718c246510cd2a7016e87ea60e0cbfed61eac8d729863d1edd444e0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoEq.exe

Filesize
694KB

MD5
1afaca3d8ce044333f0110e5405c2541

SHA1
9195bf44053718a3e6221e565dbe275130b58c9f

SHA256
d4ef4ffcdafcfd7db2322d2f36a2b0ced3c42f923c806d55a29a40be690a6010

SHA512
40bd7a3d575c9c1a325fd8138fe2f5ac5dd2245f9ac079fa43379d86cf97b8ded7b7874a850452d3063e251c67535726e5620d43cfd5c38a282fbdbdfaffb170

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUkwUwIg.bat

Filesize
4B

MD5
5625cb4f58860a04ce396ae741c02d75

SHA1
86ec1fa2b0f436c74b3c5cac114ab3fd0de72131

SHA256
27605ff6aa39ff5caa2033eb413b960afd7f03dcb853f77f2d33d37a51cc749a

SHA512
0c7a6684b94cafe665202660dd2a5b51a09e14d0a01d2210f77cf56e86de0d989a5e6ee982b4caf63812130461d5a3949b810b3e93df1163356d737752252480

Download Submit
C:\Users\Admin\AppData\Local\Temp\DmYcwcAc.bat

Filesize
4B

MD5
edd5c0d71f2070be8191e75c9a6c7232

SHA1
b893f7c0e31ac6d267e83f164241c3089d9888f4

SHA256
d57c606a614e6961b08955bbca3cd51a9dd913ad9c43722b6d18e06726aca3c0

SHA512
d82ed8a2378be48df493d3f0de6f3b64a2d563b7eac3ecf1c5cd46ac454b49fddf8359cd6e191301102b31738b99118e0c29193ed9fb5c86e6a0a9e5ee08fe06

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAkw.exe

Filesize
139KB

MD5
6c542eed5c49c057c940e0b89b1e8f02

SHA1
797adee3018ac89a6e15da26a64f03678bda6b9d

SHA256
9f388ad29c073b78b3fd8404cc8be6b349472df953a02bcfbea23b2c27558230

SHA512
521f54e09abf958d620e30f3749856750296cb753fc78709ca05085620dc26a77cca0a2df8878ae2d36a513d7ed3b0ab10041402cc064b376514a7c7cb909269

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEMm.exe

Filesize
238KB

MD5
16cc20ba1fdae3a2d33aa114ca0fb4a5

SHA1
fdd219ac9da89be4286a71dbc4c27e09e56322fc

SHA256
c3ba44959cfc19b2dccc8a6161ba9d79b2fafb5240ab6b1bf5ab9a90e8370f16

SHA512
6202b2ceb7d4a33b10ef5c804c101c70a115e3a2f49e34a5afcb0ad51d6fddfe08c0a5aba5a240731f28c1df99d11bb01fec2cf6313ea40f99a19a019319d153

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIsw.exe

Filesize
158KB

MD5
eb5d08869a8a8742a5c48dfffc955599

SHA1
e13edf9eb30b8db7217675c4f82e374b3028e6d7

SHA256
cbaf0c5c6da78d0440304cb7fdae91c10a70e0b8ecaaa8732614f1ecbcb7fb77

SHA512
6958d298102d2a98ddeafe357b76c19c435ee5873103c24b1d12d9a98cba0198e51e2531e5941be4c6ecc11ef1778dc00e0223f029137e51e1f374d574832b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWQUgUYo.bat

Filesize
4B

MD5
5a1b2ceb49a1b2e3e3ab53b17fd44fdf

SHA1
5fa5524ff91b344906cc30394ba94836cef70dee

SHA256
6fa90ea98754079a7e0144d739174707f643abcf5e354c7386fc7ad6e9356dcc

SHA512
98833c0db70b4f32db0bff6878cef9bf2d96e67d67d9de2700ad91b23564feae138f66ca5ae41570d8f8b6f4e3f851d4a8c24c82019a38efdd20f2b91002d8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgEU.exe

Filesize
158KB

MD5
7e3e9690c75b4df2e86cf5b59f401ffa

SHA1
adf4a99f7e00a3845da02a9790794416d0742fba

SHA256
b338373d33ea0a521a0104352b50934a3b7ad536222e5a15ad1efb79140f0126

SHA512
c354ea636fa719d3d0f3022a4014dd2e1437398615463115e0d8e89d233ab4d97ad73f70958c3960895dd0481f68d024253b30e5827ec1504a91728e64d4e8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoIM.exe

Filesize
158KB

MD5
cc7bc7328b2c6d241604402705094207

SHA1
0f087890e9f1eb4b87ecdf5714ad9f2a95d30794

SHA256
d9752423abe39066d432aabbb0ed034f26a707010f061c57796a552a142da37f

SHA512
06ef7b3b00a3ef361b861ba80dc6f6c942bee77127481428aa1887cd0d430e0567b864a9c0fbcca5695fc78d857f587c04b429c1bbfe615e7495aeaccb96a865

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsAy.exe

Filesize
470KB

MD5
0ab66c925fbbdb9561cb7622e2cf6109

SHA1
6404dcbd8247cfc3444beb0c2b63d77dddfb0573

SHA256
3def6de5d0dcbabf6ca615387b362dc33920ad4b5870c14c0ca9600d4ba75856

SHA512
c81f0c349f42c88d1810836b73d64a2d70fc7de2bd4eabc9bffe116f66baaeecfa767a3927b69ed9afe6b30b0008886ebded1b85e72c43f757a696248c3e646e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EuEMIYIY.bat

Filesize
4B

MD5
1f217655613bd92ae34e1e3a62ba5890

SHA1
ec05ebae64f5c7a04dc7720184ca0928e527f073

SHA256
5b09bf3e682bf177c94fca7ec6d2f826650c5f163bc9d5349d873ee42db5f540

SHA512
73dbdd71eba6ab77c34707d90c8d6466ad008030ce0a1d38bb4b44d0c3afb2730f51037d8df5373e20cf8c2e10e6eb89ec5b3aebe2cae9a9d66ddf8d6bb780d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCgwAwww.bat

Filesize
4B

MD5
48a8e8d247947996fd9769b0ccccc373

SHA1
beedf4331b50fca1cafdeb74f52624f5fa402958

SHA256
c4fca8c47a555150f98abeaf321d7e32826ceebc4372cdc1b7e91032ed517d3b

SHA512
ae6d5ec09419b79ab5427aadb6be2c039b37cea80675101b41b6a00c5ce8777cc89bf898b28cfd657570cde989e0c4aeb5f4de2a7e1184afda226e5210d0e428

Download Submit
C:\Users\Admin\AppData\Local\Temp\FaEIMQAw.bat

Filesize
4B

MD5
4c24dca7f5deab33bc1399c79011f300

SHA1
73c038853810b8dfd7fe9facafa0373df34f0123

SHA256
5fb3f9f8f89fa1c2ece68292bd946ffdf068dd7d0684882b6d4894ca563adb07

SHA512
67b25d03dcaf3aa770e5ef082c580db158b5264c034353d504816f8dd61cfbeefb48b7cfc46bf2c6aa40fe3dbf0fbe1d749f3c15520037a3d71f047ca6cb5ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgYkMkQk.bat

Filesize
4B

MD5
110ded8561dcf98e6cc2ada88d2da2d9

SHA1
06e594968736304735aa46a216a64dcb692f4902

SHA256
8ca07732ec7760e39ae61dbd9fc08edabcf4658ba7b42ad45b0ce11a234a4a88

SHA512
70f135c832a5219ad1a7475f5108875fcfe749c027cc361fe7c69ba0ea2d2bca75f4b788597953a20d6ba5f9ee0b0298ed92b38881f69562e384217df141f1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYcA.exe

Filesize
743KB

MD5
c03c494bf325dd5d331313b801744b7b

SHA1
5de4f1ace470af775c21adea9bf30cd91f0fc69c

SHA256
0704a439c7e5c6b883e1983a6563de7318d70dd29eeb76105f789d3f3a1d9ef8

SHA512
2baa1ce2bce92450c3168e96091a00efa4361a16b4ba801b73a332ca6584cb16a572900fdefe08e59edc4fbb1c6611246f16621595e46ac561716318b54204e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwkC.exe

Filesize
159KB

MD5
e0b770c45424f7a247c6d528b186ea9f

SHA1
9bc0bf1cee577f6435b3b2e471c97dbdbf312d0b

SHA256
7c23d100121202097298935bc1576f6952540eb964e949042858d37204e8a505

SHA512
57b6a251f248c31a6c3aeb2c46dfc81e681b5de5ade01a23cf7f70ea00e89a97d4195fb7aa9167736efdd429928dcd78b43068c1a149d6839cdcf1f778461891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEosUcQA.bat

Filesize
4B

MD5
7b29991182a0dee6c23b4bc99ae464cc

SHA1
16f57ed232e8c7ba3682009ac19edd3a5b8d90e2

SHA256
e961d1656513cb988b29e105f62bb09160a91a30c6c9aed0473152bb696689f7

SHA512
35061461d2fe74e902ea9a48d68114a149aae4af414c36bb8204fe57ea4db8aee5176f0101f112998419fe577f15fa68c3c7b071a26e5913e00570898cc2ddb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQII.exe

Filesize
745KB

MD5
0f12af3be7acda8419f728fcae717c00

SHA1
e7dc2c2b7dbe7d711010122cfe66b8b8bf4bafbe

SHA256
159b0ae2337b26578b4a9bc0fd1dc24b3b16b1ddc8acecad87e8c9581363a554

SHA512
cffa5ccc4a64e5b709ef54af38fb84b6c95eb87c3af024bab975c383c156068b14b69ad58f39b3ce3ceb369516f95c3c8658136d713ce13c23e6f245de1ac61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUkgoQAQ.bat

Filesize
4B

MD5
e904e088121e06eeb7c32c0a206bf83e

SHA1
1ebaf6d2ca61633dde9973d1d16671dc6c367f14

SHA256
b45d65cffaaf907d360e47c6698be9ccb3d01cf246a7d2e1b9a8fbcbac07b813

SHA512
9694c3730083ce3704fcf111e4a4c360714b31b9bee61e4f2102b362d3bc089480063f65c1ed30583b1c627ba46282de0b4501408b05745dc4ad3d52014c069b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYQS.exe

Filesize
158KB

MD5
1432402263e4c4474cf5142403d5681c

SHA1
937c845055eab699e44516f4b0f071055a264f58

SHA256
98813e27fd71d4677685b458503ade4a5be65d2e37c68aa78ea1e2fd1d8734dd

SHA512
3a43bb85554c331997f12d5fb91969d51e045784f57309d7c6cf5261820efe9a4a60324f85c44c48e700f8917b3af3dcad2e8c3eb9cd4592f4514759e045417d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IaAwIswI.bat

Filesize
4B

MD5
802bc284e7d316999f9086b60eee0ac6

SHA1
85c57da0551f88108c710cb72f49fe5412b56ff0

SHA256
8be6011360e86810c89234acdf574da04c1394a47b72dff3bd6c8329629b9960

SHA512
4316f00207a955eba04d1151ba2fdd838ae1b4b821bbb92c26dc32395e81c2dffd3d0af3c4d86e1a0dee5116d2a400136aadc5b09d03d3b1726de519eeb26013

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgUMowYA.bat

Filesize
4B

MD5
79f2fe1a770db659a202ea9896aeb216

SHA1
0f33dcbc4ea5a62c2d5454c3272c5fda107ba868

SHA256
08f3c066ca024a41335c77d845fa9bb81c59c9284ea5afa29c21d452f9445514

SHA512
02a4290c43ef22a12698cba256f8902e034ce49e1c1480d067fc8045f61a23db44585ae2c8c1122ace8d3220c6c21cd3a5a937e96f80ba72cbca7559ea014270

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoIK.exe

Filesize
157KB

MD5
9327445182943ad42292ce23574c1402

SHA1
f7aedf55b344c260ccea2eca44aa387399840ba9

SHA256
500b8797609526b5d3bc323066a70842106d44b600340423b5ef34b994b3d631

SHA512
b9cfd2ce92770dac1aece2978e6060a099c2c6bece77130b904cf15b3c8bc61370d0b5bfbd7c7138a52cdde4ee49626fa0aca014545bd564cef328ab38439b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Isgk.exe

Filesize
162KB

MD5
5125a9b55d8f675eb0f515a28b9a040b

SHA1
12e335ea05a13ef07cdd99e9758dc8f96c807e2c

SHA256
0a42a128f5f6fe1d6ed7ac5555557c9cda8c7802697a41a9b12faa5754992182

SHA512
f03038bce83ee0dc8df54a0fdf38965355abf8d0e7c7ddad40115163db58f1b8bf4c5151627b88d4e1b62c20f32a4d5880849b23fa53e42e8fe5bf82d789688c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAMw.exe

Filesize
869KB

MD5
be1c7242be10c13ee582d722d42379a8

SHA1
0946104597afbf1840262605d5b99c15d957544d

SHA256
3ad7db7e9b77ac3365edbc1047ad38030fc8addfb5c933adcf20e37d7f870289

SHA512
451f366aa1075b20d9da1ab3f75ba471a7c201f4568026f706ff2429ec329267035102683e911b8c5c34a34d99cdada314f242087e6edb66bfbd8ea2862fd38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYck.exe

Filesize
1019KB

MD5
befba0c90f2889a434263e1b5e2b215a

SHA1
67c6dad91e733f198f3635a6cf2217aa066765e5

SHA256
84a605547de0a2df13265643af9d47e9d44951583ce9e519576620c24ae7def2

SHA512
12c302b2b052a8d4c771e727244a772e696ce3ef805b763e2dc23a50da839f84bc4721332efd2e3b60d3d7ad1efffa678ed2d28c1b8cf2ea8898518be115185e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcMC.exe

Filesize
159KB

MD5
2957f57142349720d834f692b5d8f4ba

SHA1
b6de0814768cce89a62ed074de51dcab307d9218

SHA256
65e070052879d2229afff0537bf2379f7f6baa329e50660bf3b0be622e60e24a

SHA512
65e356ec60fae5317923d9a4d980b3dda928dcd7b43d915f73e4f3d50b71e46c2b96b2e535ee1bbe33b47326644910152753874693a63b8d69799840416040c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcQEwsEU.bat

Filesize
4B

MD5
a485b7ce6ec1f8063f8196487750e2e0

SHA1
d2bb9e06cb6693b59800f90362db7e8b15b2be7d

SHA256
5aecd98242f69ccf8b3683adb0c11261883bd2c3df53710fd6944ff61560ce4b

SHA512
8578bb43c0d0ee9b7bc58c109850c84d6896a29c8b233a5158f0ef0b2c0c5f2b5683b850a15f3287b158425dd8e127bf927910415d03dd6a4ce4f3b9b3305d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkUo.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkgI.exe

Filesize
239KB

MD5
06e3804a3187dead2d6240a8f3790e46

SHA1
833fad856d8a7d6f71665cd0179ae256c26bb346

SHA256
d36a42c9d2b5891591b882eb68fafdc1eb9f0168bde0d2d4a7b09bb38a7f56fe

SHA512
7fb50c6b5e8eaba1a0dd7f41ae72e4b6ce8af5abaf5b04039072db0edf8ae4eae93497ec154add6206ae7f20b13bfe34a39bb44036866a4c1e39b5240d54e718

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsEW.exe

Filesize
1.1MB

MD5
4ace66d75a61af934e279b109b8828e0

SHA1
66f028ac2d49027b5651535a85755d05a1fcda75

SHA256
c6a5d546abf55f1cfc477d10bbe15b75327c2bbf1af94946b227e6efe9a52bca

SHA512
7e05813b66f6f737fb2fd2e586cde9c27eecba0998c24c414e48dcf950818be7366e9278ddc1cd62baa1ab02f8e72a29f2b47ae42226ad658393936186da710e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEIG.exe

Filesize
159KB

MD5
3868f302273e5d1843e1ddb9789af5d3

SHA1
cbf3de8e0a62c0b9017e1379d7889adf9a0b3027

SHA256
b9f75564c7a5743f526f5dd70319b45ff8a84c7901cf04663809a757f1f5b372

SHA512
3ae849bd0d2c45f5c55a43021a70d1ea18f97a050468593d534957f28a1648dfe83a8e6386820093c743c6821ba34da13e5f4b932409f2f14078ab2d2227433e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mocq.exe

Filesize
158KB

MD5
b549a879364160d3714bda0927efa263

SHA1
090e98999c6b08a8be16e562b42996dbf0f52966

SHA256
c51aeaa558268c5e3e0c731572a5ef19f8bb9cbaf6d3f74cfe87e1295b4b26f9

SHA512
1e5cf33e78a79e5c3cca580e25b053408b2dfc04def7c9bb7c986fdfdee208e12179aa39701dd33bf4d0f645cb0f8ab316c84130c5736a3301f33171f2849f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\MosG.exe

Filesize
160KB

MD5
02786d02d87068db3ba2afbf53e228c0

SHA1
cc564072178abfc3e068261942b6042899f2b759

SHA256
4eb2dba2f0b703fdb15e5a392ab2daaaab51abfe714795c211b14af788facec2

SHA512
2cf33047cbb9c0c4c5fe62b5eaf9768da5ddaf74e7a9ef66007c733747ce5c3ce3fbaaeb97990970978ef63565f5db0da8f1678d49d610ee371c7c165291db67

Download Submit
C:\Users\Admin\AppData\Local\Temp\NycUAggE.bat

Filesize
4B

MD5
964538bdbae5a2bebc39d6668f7bbab3

SHA1
358d9d4c61a73224f75e6a0757e2d577848496a0

SHA256
95222b1061dfd5a7b963d6464ae38ff8caff553b2c0b1c3e6b4e22e58b333f98

SHA512
5ade8e6aaf433117229448d818fff5368ec7bb868c7f4cc89543034635342f036c9e127b5e7f1a8c14c763435cab7ff15a667ff0c274e569051620c6fba18aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAwo.exe

Filesize
160KB

MD5
38c7d729109fc7402630b058eba4dfbd

SHA1
2e2fbf0928d4e8967ba74dc24890d8f18b57b159

SHA256
71a52ce48293f2df7c46d5da468bbd495e929abd010e24dc5e61e6fcc347ad76

SHA512
080fbdf4b0684d5f489a3425803b128d1ffd7d9b4afaa9ef802002246d8b88631e4686e4d90999f8c2deda5574fb089548f3a9bcbff4280813dc595e5e351780

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIUA.exe

Filesize
158KB

MD5
319a78613196f142356cabe075da408c

SHA1
496c56d1a3f5fed78a4613309b49b3260ae2a318

SHA256
7b22a60ab8108f0e24aa7908cce37de66ea81355d6b21397222cf4f1ade6e870

SHA512
c50c154872fcd59cd536a9d1947131b695e6e510c80eddd90b44869109b13a0602412b97b2686cd6084af7c6f048b0039d59bc59629cb60b79eefa18aea2ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUEi.exe

Filesize
159KB

MD5
7875e02b951e43962d6be2d5ff1f83b3

SHA1
384ddab37a5b9eae04c0f2d5ab23debd73a850aa

SHA256
60f8b1276b610e0e6214be1128d69692e5f42b7a6738a4318783af16e2d8f611

SHA512
905e205220b9e5b63f87e3c2ff3a5ba73b45c29c409e61d528b20aca5d5c846b5e3b40c28d104c8bfd0a9913c011856d0bed050a0017756873e742e5d7d502e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogcm.exe

Filesize
153KB

MD5
90efcfaee82238c1a64ae5cc401925bd

SHA1
389218bd4463e34080f830111ea12168f5b22f82

SHA256
3d394f8ba36c65b516fcded07e048c8e20d801503f77d2972a771f0ade8b7681

SHA512
cdd564b2b1679fb6acbbbbdf86d4a90b9fd9a0fa1858ed40719e2171cbf12f87f111fe5ec34616e8c4d31fde271a042ec4f9ceee225ec54f4eebbc8c218ebbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMwIsooA.bat

Filesize
4B

MD5
6c6f1b09eaed6b16ecea508ca3b92173

SHA1
45ddc47954ac6f40bb4e0b53062195e4e217908a

SHA256
d0b5f883f6bd617e198c6c2d4f69c265945cd0f19f7c2fc209ecda2b8763724a

SHA512
3ab41b7e897ff1f6e0e2f2b52e94fdbc5b8daebd7864e3b133e198ae189766674feb785341fbcdaeb47542ded3bec9892263e61b71bec78118de39887d4bcaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\POEYEEgw.bat

Filesize
4B

MD5
390d0f07405ad674c1a6625d43185386

SHA1
27dbadaf65fe734eea529140dbe6dd5c83543890

SHA256
d51ddbdb84e2421c32d3abcdc77d697f886f4e1945af93c616e26580733028e5

SHA512
2486611bbae730f0298370b58fa9aa27e0a6e96ace7c6882a33921525cf6cac91340f69e65e5c71bb7f4910dda8a0fb4a960b658905bbccffe9f294f507de901

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoEUEEww.bat

Filesize
4B

MD5
5fe97cf1e69d48c9eb13cd4f4792f304

SHA1
c0cfd6d6b6f066171bea42b8e88a05be316af538

SHA256
0d4b54ab9f081772606b43b5ff72409ff46caa16ee6b9bf0fd784f67389b4fe7

SHA512
5251c81d42155cf40192631185af29c59b219bd8f9bc49f22c3e673f1af92a83618b2a841d57751730d50f11e4775f3346ca91a491eb800cc2f636cd4504ff41

Download Submit
C:\Users\Admin\AppData\Local\Temp\PygAcIkU.bat

Filesize
4B

MD5
ddc8c1d23a171193b1ec50138ced6304

SHA1
5b850934275a94786d7e5eadbc8a5183870a176f

SHA256
96592450b0f982c96e823fa421649586078f6777a2f14f973a73decc4cf8ce6f

SHA512
7e1ef4ce3a4428f9e609b249712f7b79fd5566d6f54f50addae7fe2ae131d4006a38d093f6818dcd01f3fd2133e6797feab1d82c877b88e916107f0c56d82359

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEcQ.exe

Filesize
565KB

MD5
5b26a9af7c36ac3db4fe1e552d718ef1

SHA1
4c90d8c3e9aeaf81de59bbe5f09cace92454e68c

SHA256
e75f6107cbf5cfd73ec79a8dc25d23d467b7f24893462599f33e1ce6db0d060d

SHA512
c13f29e7a899efba1a65740087cc9709ab4467bc025e0d08a1feffaa86ba2712cef734a5600614884093d6351d4d6a0f91668ae7326febe502dbfe050ea57ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEwAYQQs.bat

Filesize
4B

MD5
191e0b3d3f98b362c8ad83e586fcd710

SHA1
a6f7a5af48b527665a4fe91e019227d8d13d7196

SHA256
2bede5e5c58967dd9630a37032e7d471a81fc2edfa5c1baaa9babf6f6f19ee0a

SHA512
f68850fbb9a7e88421b0d2bf297d6312c7d75b907e50ce1c4d397ba9b2eca9f024e51087768c2dc490d660ec868b7e729207f9bf0d7866cad2f3681d7f29fe9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMEE.exe

Filesize
156KB

MD5
5b55d82b3315df900054b0cb911cb338

SHA1
cb0006ed694b58b909262746981f87fce138911c

SHA256
fdccc182d295f9b83f6033f6ae5c3d530d12c4a63de6a26850ce9449cb47fe1a

SHA512
fd4ec82afae8933b09a5f0dbff69788b9fda9b1f9cebe0f23b80b347f11a1f10dfb18d7314f51b18660ad3f9742e1dac3d666a916ca79b38888b4d9f80d7a4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYIu.exe

Filesize
157KB

MD5
f28ef453c8c99b5246f3870ca1865c96

SHA1
56cb39c900493f91d2ddd57e98a3f0ba1e8c11a2

SHA256
c33269185dd5d54dcd4935d57a456e52dc83d89e8a8f5984363c46078b3a5f08

SHA512
a2289d4c7ce6e7b3748b340d7de63d9b3e141938816095d0de1dea947ffcd27c9ce040877a6b267dbf6bca088ea572440fd9daf7a00f7c3b9f667a200529f432

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcUK.exe

Filesize
159KB

MD5
fd58d2518c3abc77881532d9ba19f70a

SHA1
34d083e7dfee8520a1f364a9dddf51447b91fd04

SHA256
69f969efb1044c573451bfc4fbff2ca77174e4442f6878827b611dd438c01db1

SHA512
68757c22bb462c6fa82c4964738a79f56e24882ac23ede491ff58e1eef4cb8b492130787731fddc5cb08cbb20085ddb0eea867cfc65c61a0bf90f7e53d452ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAwQ.exe

Filesize
158KB

MD5
d1d817a6f63896256fbb26ecc3de21d2

SHA1
07f7bac52777f5a5c3206bdfc216c0d339b6ee13

SHA256
4b2908db2ec82cb817b3e4fb54f1d59ca8b75243906768721dccdac52beb5adc

SHA512
3ea8ba0383797c4cbc28a70b2e9077b7c115d68bb6dc0bc4dc466a2144dcf5ca4abb07243e6c047e266921a9bd278387f3d41b85a6d298505a18dd92cf648494

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEEm.exe

Filesize
158KB

MD5
443777e11fcf31f174955a7fbfc50509

SHA1
c7ca1ba1ad3d03283b309a8a53935f3ca2b88793

SHA256
a81fe1498e6f018c091550f81f7f8c64fc799412c9b46815f7edc416eec2a0a2

SHA512
889b048e05abf096544e02a3fd10383aab81b5cca72efc97ad513601df42dbb3af34b425d495c19951728defe41041610b1c4baecfdd253332b158dad8f4148b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEcA.exe

Filesize
159KB

MD5
d422f4c69727a7b0b6924de8fb15b77f

SHA1
231eb6078cbbfd9d4968944a2d7ddc59899d87eb

SHA256
4787dd6afc9428b6325f7a298886b5192b39d97d584a5a4ebd71456ada96756e

SHA512
017f781f0b77ce8e8dfa5d39949636ba80b0dba37a5365ab343ffd74331e8705cca3cb4898a74899b43fc523287243c63f6f16c9ed7c0d376915a8285df4c4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEosogAA.bat

Filesize
4B

MD5
9e70ddd9bc9450e27a4bee987c23664b

SHA1
4baac79e562b5d5756fdc1219f84a60e97f245f7

SHA256
7a33fd1eae0c643bdadc931b05ae3c490c730f0da00436328192f4c9f1a821f2

SHA512
4ce34a4fd58990ecd19054695e2090bdfaef5b7c7668dd26df0999d87dd045dde3cabac2189c9eef0c339001c77dd9ab8bc3c2c38f8eb0167220190e84a5b937

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEUgUQg.bat

Filesize
4B

MD5
80231d5575e63f58a3f0545338df42eb

SHA1
daee500b6bf3ccd884d93423b7331a1944852492

SHA256
1f8a3179421c2a9475471780c48057f6c89990ee2830b6c1a64f5fa97eae2eea

SHA512
f0cae90190371b1734d7e1e3be13586de5c5c248693c4bb18bf3944ece0c3a4562119c516ef20f04fa236fe555fd419bde14ee58aa5be8f6f6c2fa1704b95fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUUi.exe

Filesize
158KB

MD5
a52b27d547413592f68b62500339cc47

SHA1
156ab66d99022028ac4b09a096fd3f46c2167e96

SHA256
c25c07457ddad451df819e42e1f3c60d7a98b612de65c2bd8fc7909ef3b0e618

SHA512
6ba79a652d29b49df8b330fd0822e5de3107be06043b21050cb71c0a6268bca2267a294ecaf484fc752f34d415b3402476c5e2fb06c15f92e2b01bd7434f4c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUkm.exe

Filesize
159KB

MD5
c3a6c6955c5495007d7a8fb26f0f1bc7

SHA1
217466580552c0f4ac4854a6beb7fd80ab45c7ec

SHA256
c831fafacde5931b6db7cb710825bca1f9df7db0cbf86617a251bb5f5c3baa27

SHA512
5c6e5c536dbad80fd5083b7008dc27959ce4b9f755abb49e58c7865823f44282ef3813b289cf0add15c128e6f163eec820f4ac1c7a1fd9e6115290b8ca779695

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgIy.exe

Filesize
537KB

MD5
efe6db7bb0e96975096aed2e11cdba0b

SHA1
2f5539bd0304bf1ab01f0e2eb13b5b6db0c0069e

SHA256
e6e6845185578661f280149397349a336af63ec0ddccec552bfcf1ac85659cf6

SHA512
5b1728bc7e34271074d5452633c0c1b753a81226146f55e17da813f598cdd4f3d144a636dd2f52e18ff79481e313f451583716378fd7ebaf83c41893cbbe8473

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsMm.exe

Filesize
555KB

MD5
fcd90124be5fcb45948f355bf47b8f17

SHA1
9488e4612eae36472e747751ab31089b60862dc4

SHA256
13af45b8c103172aaef57619e9b24d8e31a4e5ebda2cf0a4fd7875671ab97594

SHA512
4ba65b6ea76c737c2c213b150e5901037488ff9ec7232984cd9a977e4b7715df0597c4d40e9c5d629f51a4d6d08a94cbdc4a211a692902ce73d3428db6ffed42

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSUAIEEw.bat

Filesize
4B

MD5
31276c4fc9833776a6a8f4009efa0ae2

SHA1
e0c2641dde405b89a6a1940d06d79eadf347add4

SHA256
337570e4634049d2e54478511d2e0fe002dae6eb2fa3a9ab13473e8a1fc224a6

SHA512
b6e02c770b27e21480e74cffa75a4a04f5eb175e4cdd5359bafcd24d7e7ced131782ae32ed44a8a8fd3730a70dd4001702f8f2dcd2378328782c05e856b2c394

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYYU.exe

Filesize
664KB

MD5
991b027455ae437d78dfa15b55cabbaf

SHA1
fafd77db2484c157c6df88a46fd308ba1015e051

SHA256
ba93ed23b216903e62d6e59a7df05cc11d3065b9a61d32ad75d3e4e825d3bc7f

SHA512
eb0538b0bec40d026e64c1047e0eb12d7f9bec131f3dcb915e5df535f6c69447d9af472f9a3efb93c2c4dfb13c2aa745d9dbcf63214f7397898a467551abe79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyEwEMQw.bat

Filesize
4B

MD5
8e87a411d1e73bf8d5fca4ad625686b0

SHA1
25d42e520da3a47b858a5c535912d6f52e3d2ea3

SHA256
112e83c86245d787dbea5f122b8b576a876fa878f9d152bba08cbe6ee12397f9

SHA512
ea92d93018bcd345a043824ac2c20ee4f5e7ba9bb6261dedcc91a9783fee48c3d0363fa4fc646072a58f3f53f9f85888df278e6fbabd4ce79a87ea1e044e48a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyIkQYoU.bat

Filesize
4B

MD5
6b5bb53517d7e99616d3fced19f71c62

SHA1
5dd3bd951b3f68ce1c94f6f8ef84ee3f44579219

SHA256
39114aa377fd0e4c412cf4cc90ba3d1e2b410aa56bdc9a7532f05e17101af9b9

SHA512
ab362d194e5871ac73e0c1df4426f6d998b95a1cd47c1d8d2eede7115225b77d89a0c99cf06ac0f8ebad3f979860084bc64adb40b086b931daa608362a6a1058

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCIMYYoQ.bat

Filesize
4B

MD5
9ebf211485ec970b471fd132f1ed3769

SHA1
d8c041d208156f5f2bf8db5e791e0c4d6e412bb6

SHA256
47a76b76d1af76c1847d49f05d923504cb242fa28f41baaabd84be20f783e44b

SHA512
388aa63d0d8a34f0bcf858044766499dd9bf5a27ea1f8bf8fb5327d00182969b49836a50ef3be3e67be9435c87157c2f5aed6b26d67892bb72ffc28310c30eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCwYAIwU.bat

Filesize
4B

MD5
8984a18e2c7313422cbdcadaed8b6965

SHA1
405905d7d98162b79b6e0976d8cfecf21b7a44fc

SHA256
67dee106df4080e812f68cbdd86b5a4351e932c9e00577520f0ff6e9056259ed

SHA512
f8338737ea204736841d502950f4fbebb7d1be5d60f958b99e95a76caae4ed12ba0c39ba7b1364aa30685189e67f2b30993f9574be4d45b55a5970bc4df85ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEEg.exe

Filesize
159KB

MD5
24ed2b958b399066c061f28999473d8d

SHA1
4cee167271488e9e4b735cf3f6d8cc1091c0c8c6

SHA256
2820a426c2947645ff6a5f2fb1817d63a9976c5f274d184f7a8085c845ea0f6c

SHA512
34b8581f16d98006f134d6cc07a000d2da551953cc31140013f0bc0b5ad8965205b404b3aa59ce576b7f3c5b0068596fbde0ee909ad6e5f4e5881156c33862c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQEU.exe

Filesize
159KB

MD5
cab9c14817475d9008ea4c37b12b73b3

SHA1
f21b8784cfb4fa46868603f43fcb7ec4d2a4b440

SHA256
be3c9c2a7e711f461ae7d70a2628f39ae0221dd2975a1d11d55ffc626b3baf27

SHA512
cf2467b0394e028ab47232ca7f93b27cb9a8cbd35d86e51cc5316d9286b106cb6ccbc98387ec2c2dfc62b191c4ba0c24a8971e39d9bb7097cd59c032704df2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQcS.exe

Filesize
1.1MB

MD5
c0cf79a286d206a5661eb9460368b5f9

SHA1
939b2c0b0f760eb35614528ea7cdb3d7b5b6b623

SHA256
ba01c051aa300f494b69ed887137bfbda58c5ca8a4bca9bc38adcefad4fc1f5e

SHA512
8a71463a94a03af7a28c0736546bd81f70c194549bac239f2fbf5ae427f3c6e76ff6e2c2e33e0d8266edcbdd5a29c09332f48261c7448412fc8ae7fcf98c8e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQsU.exe

Filesize
658KB

MD5
0ed26207026d0c9903f3016ebaff2a18

SHA1
83eec94f03d640af33103fb474888d83bea9dbd4

SHA256
a64d503ec88b2fb329bf6d3c7937df9b66cff61e37e77fe716841a320d6f14bf

SHA512
12e31ccb2140f3d01d85876e0db6ec107eddc5d7b97c7f716aa299184cbfaaead67f42e7362346b14d1ead49d70aa00f713b8fe5bfcc9c633ae3eb8ad490320f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSYUUsUM.bat

Filesize
4B

MD5
9d4f4b6c4306e10d244d8c01b89987bc

SHA1
19ca6ca3262f809c87277b4480d42176bd3183b2

SHA256
3a4fb486fe1368a2f8bf701701f64bf268c5f9a2bef5cc981a288b6f56f9a7ab

SHA512
ef939fe6f68f68f7d2c4bba99fe158eddb571160918f7f733b0442acc31a9b27adbd5c2909806bd2b84d869c11b7b8244ed35fcdc61ef7c76147ce03f3886be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYgI.exe

Filesize
159KB

MD5
cfda645cd701acc2a11a4f08fe5e51c8

SHA1
bdad8773135568829a2f68be6bd569330108da3d

SHA256
1df9c81ab1adef029aa36bfcb882dccbe6fd2170887b42168889bde33dd2d159

SHA512
6572301adeb0ca7defd006e566495b774b72751bfc061cca746c0139084868f9e3c3bbe5a7c38d471a635fbbaace48b67e04680b0bc8c67b4d90ae8e00f44d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwAU.exe

Filesize
873KB

MD5
49ac2dc4a36c437eacf0c4d33882ff8b

SHA1
2ca5a0689d4c8e2b524c3daccdd73446648bf99b

SHA256
b9466cb51589de3f6a65c39d5b2abf0e04ebd5ffb0896c60d5bcf1092823fcba

SHA512
2dc68d0ce640ccdf914c9d767e83a14220e5485114efb6810b6f475abeff30b27031813925a8195307ec582d7b764a1692443e103dd36bf4f96e384ef4754daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwEI.exe

Filesize
564KB

MD5
019642e415c9f57dfd2961382a5ac9ac

SHA1
3adec661c5fc8aec8b3afb747f1dc862357adc06

SHA256
36eb244c1a7ef45e115173d01c6ae35d83e501f26e932bfef623e460b5a0bce4

SHA512
68a365f4c76df7e8fad53f285586ce7d6a17391c4282962bc7c85f0f7126b0137885c35eca36b40cd7dd0127ff42f04d194b45581cc7c0277626479e4e5cdaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwIY.exe

Filesize
160KB

MD5
86f9a0eee6d3e7028d1efff4de887eec

SHA1
90e0f1d74372178fca62a9bb31f03c234282b4f2

SHA256
7650c42a645640b3906fb1d97387a384d21667b8f18c7da034b8a00e30d51b49

SHA512
17248c6ede1cd41b9179c2b10a3acb3c7bc0cf962f6d94d7e210dff9a1f093546c1a13b450d2c09d0cf6f456b1a3ca82b92fbbc6c509d6880495b138d84a872c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkgYIMcc.bat

Filesize
4B

MD5
e6cee34443c48522ff4e061eb4f29d1e

SHA1
a321c08c8ca8f1907249109d1d523f877cf5ce79

SHA256
b6214e97f62c4f044c2fe26069197564f95cb5915abe8573989304bcf1d67b02

SHA512
06fe8f911aa6eebee6b4075b0a58749e1322f3f93fedef35a5bb55aa5ee56dd7d656ce9483914f1ece5ae98b94d6c79d3492002a2c23858c7346b8779196a93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwcEsssY.bat

Filesize
4B

MD5
a4f5d93cb9554cc7815d176be3a2caa2

SHA1
b18860d203db51b63d3fc63159e60475fcf7f684

SHA256
e6682d1eb0932628358770899248ac4226755f6a8cb4495db0a86d1bd4ef5302

SHA512
0fd0dc331c08722784468677d1b31e4eb5f8819d8519f19dd4a7f4cd6eeb1ef8f14278d1ae753716653fa5c1cd640ae421fa7c22a93a436af4346fe3ecd11785

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYUgoYMo.bat

Filesize
4B

MD5
5e0f6da9b2205b7259ec9894e5cf93b2

SHA1
12d8f4bf0a8dae67b94e6ceeb4bc05f004e35348

SHA256
04b36d4caa1a6195820ff587f7852be8e1d94691c0e1a1f9f5000c923ff586f9

SHA512
baadce0461cf3357ea5e98acdb6e32d42de14f5925da72059cabd9669c7fb4fb28b5c1bdefaf51e0198ba6f89bc67cda736402406d0f2990234c2a5c9d9abf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoUI.exe

Filesize
408KB

MD5
cd59c8f7536ad6ab2cb483a135b59397

SHA1
f31c00092134bbc80a8fcf68477fd3f7b6f97e7a

SHA256
45865d7493b2cebb6e083b4928097122db57ea0e2412b3612d19e6dd97d1a19b

SHA512
c3bba84a10cdd0716d6aed815ee3e294713ff94b946115dbcabcfe94d07a1e7ed93efba5541024437cd9f71d9b180aaf73ac078aaf3b5677234d98caa057e2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yoce.exe

Filesize
157KB

MD5
c96cf78036c9fa476de439b3ed409a89

SHA1
197aa334feba513878e0bf15d6620cddf06e8725

SHA256
b796aaf5287ad1960770e0353378ca1e65cc68cdaadef2e42a0f6d6a340d34c9

SHA512
86fa28d0e1790778e259e549e60ef08870261c30dc96f01d5a2ce667f7db0e9f89418fb30c60a2c55aec05bcdc1170fcb43ebaf9dde2dd1df794ad38aa186dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQgQAkEw.bat

Filesize
4B

MD5
d5ea35eaf01c912f8654bc2900209493

SHA1
5e9e790aee862685a8b7b73e411a66df37a6778e

SHA256
9fc1a53c71b8a41e9050143192d2f2562b51c3c483addc1224b996dd04a16640

SHA512
f5c258e48f72e95e1f3fcab9284f5db683b576e1f9615459192ae452e81723be46f45796278fbc6cfb7ccf45d114d68255c495fbccc6212e4ff2373fd5aa837e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwcoUMAU.bat

Filesize
4B

MD5
3187cba6d1c6134be0dd8af1ee7eb8c5

SHA1
cbcb2b283d3361f91e6e4c1c68f9633b8d8909b4

SHA256
e47958fb3c2653a21ed3b024350badd0ba6e8446dadd7b2b67613ed47401a602

SHA512
7d07dd7af3bc7966c1744eddae1d8b3fd4af7bb3e68d633f4614d496ecf0a2b430a56483965b95b0557289552f5cf2d536b5b27eb277b2a2510925621b26d916

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMUi.exe

Filesize
249KB

MD5
9d8ac1cecde338484622b9ab1942e869

SHA1
df1cd044cb1f690ac7803eb3d1b1f457056b9676

SHA256
aa6651d4de65a13ea488d6dc2f440da81a2a86d3335d7ebf3eb80339d1dc54a8

SHA512
f378c875b6f4725dac2ce662ee54737b684d4fa1fa9fc4315e15241fdcf30dd53245f6288ea0e17916e778b6cf64bac6449b93d03cdd98863950da3dc32a750b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aiYAEgMQ.bat

Filesize
4B

MD5
8208e33d8a44c0625fab111ed0d7db50

SHA1
853a481990f713c592ffe599565c7c0742a48fa4

SHA256
a9e7044952d60b9240f0bf38f178bc0a3f5710c97536e2ee84a313f667d03b8d

SHA512
236688aab6ccd5a5c53041cbc946a7c77045ed5ae3e4fb917fa6b1900fd9533d802137099895e559513b78b8b4b2508c7d9120890772b5153cde04d1b13c2104

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAwe.exe

Filesize
158KB

MD5
3fa74423fe0e24e55a77b7ba6b73c37e

SHA1
448fe7bc247554559179082d5d6ebc5ecd1d4863

SHA256
f4bc1d6494236beb538167bb4df3feb546889ef9779f7f0ad791e59df14b9e73

SHA512
8b3ce28c9c259ecbfd6c55f6a0563cf4e2701187964c7b8a251a291c852bf32cac1b364a121dd4fa738b67baf317abd2dca1d930a1c43d70086bbb3f5890ab28

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEgsYYYU.bat

Filesize
4B

MD5
d8f10b5a415b02fe90fa1b9ea93addd1

SHA1
2e3d0e5d0d8cdb5e7f90c9a5449774934484c72d

SHA256
efcf655b00f730a9a1b38d5c0c3256cd20fbd32dedf80e691a4cd5ebb32574fa

SHA512
76da1d30436c147d6876a1a1556e4d918371e16181b8190b29fa86edca17b05d523dfd7d226081d86f425aa4216bfcadfe9fdbb66213c91602697220d2b3cc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUsm.exe

Filesize
556KB

MD5
9458919f0fdc225c56637fe5c8d52cb5

SHA1
74b8c0b5da8ec50eabd276c7dc09f44664f165da

SHA256
1f1d554248a28ce56b87e5a9695ea7382de27266839939868da537bdd4545c00

SHA512
49d2c183db474e38090e7d50c95d5761192693ea29fbb51d570d2ce7fc815a27f89e4cb8518b80a9b38b09f04ef47f95e84fa75ad0b2d253aeb25ff15fb33d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwwS.exe

Filesize
4.7MB

MD5
8870cb940cade86a96e3981d07b95613

SHA1
a97b79d9bb21da8eaf501c42766b3758cf47bdb0

SHA256
1178824eff5357e8c9dc607e928a91f20b15ec1fe6db4691bc75d354e550a14f

SHA512
d2d4ab5923ff398ef2d698d681f93ff1269d9bfc7b5fa0f2eb2ecaf218f95bc52b3ddc011c9cbff0312d8f9834a72bc7d206404756b6a6fe845f2985030d62fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEgQgoEU.bat

Filesize
4B

MD5
a59b225f19ae9e39607a77332200cfbd

SHA1
4b38f936094b0a98ff3cd4f2ab7b7aadd21cc30e

SHA256
ab17a4a6699056751a5412ec4c932c3dbde17cd0cd5e9d966fb34a8c387b89e1

SHA512
402cce72dad8e5df31fc73051df9336f14e67ec0116329503632ecc28fc7b3dc63a9e7ad24d5642911bb8cc8e63a60d369ed28e1198911d4592699ab733fc1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAEQ.exe

Filesize
159KB

MD5
f9ff1116ef657f7d25d07844bdd47841

SHA1
bdb875278ca516349e56423d42dc55c31307242f

SHA256
b00ee324fc05d473581cba9f3645b2a874d9b204b84f63d57f54ef7b7517a6e0

SHA512
9b68152a1e6ac98e0748b2ef1929a81f0766656de43dcef797184ecb0a104a3b62ff183f230dc908e870ef50297dbb633fa52d956d5b829564647510ef94d25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAEm.exe

Filesize
157KB

MD5
6bb0c504e516487b037e969f63630eca

SHA1
b03faaae12db957fae90304b5282d4eeb626ee5e

SHA256
6441b10ef22a9f1274039d80484510b6350aff517af8767e136086e4386a4e80

SHA512
5e2c68f782f1e507c423f71187486244f87d0f6ec066c599a7f504ec456574329bd7902a85c6fe564807aaf5ffef70ff5fea96edba04de993c52b968c1cee9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMEy.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\egIYcMgY.bat

Filesize
4B

MD5
dfd56da711204a6002e4a61a26fe6cdf

SHA1
c50f56ea62d8158f76dccbcbe66f38187826a9d2

SHA256
85cd1b8d88fe51dc1e549a8dc9fa79593e1c5832e4d5fc66458b3413721bad54

SHA512
2a333bdc19c82c4d67e692ae9770135464c71470dfaca8ee880306e1042cb8d553f9045b22351a66982cf385452706200527a4e3c8ed472afb864096449cc419

Download Submit
C:\Users\Admin\AppData\Local\Temp\egksosAI.bat

Filesize
4B

MD5
224f4939182c1be807e860c42207d17b

SHA1
e28481af217b7572bc6007cfebc644ca67c9893b

SHA256
2f5895d9c312c466ce2f2b42fce13fef842a6993b7dc4546dc1a06ab71a305f2

SHA512
8ba702ecb48c22e3d66640644f38c196deee5026adc0254f200eec7e71a102b2157ce890888ba19cebf85f278838f581e2a88bab43683f7cbee0deeebc8fdd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\esMu.exe

Filesize
149KB

MD5
f721906ba8f6db6ad10b39e1f11f46ef

SHA1
38267686639da3381860f97bdc733e421a6a915e

SHA256
47c14412f5e44d8259050492275a7b0a8f87f2b702789a04aed1ded30901c047

SHA512
78c10bb9ce6cdf3b0e3b9e64a70c024370f70b210c7530d2f41602bdd4c2eb95cea5ee38d5960da5a31045da2a36109174e33b534b2cbdcb545b1d2c79e9d006

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUoYQQYY.bat

Filesize
4B

MD5
1c561257e366da11280bf628746b7e31

SHA1
4639004237c1607b6baa3b71d2d35569c3f97088

SHA256
8a224669a7e19204f76da07119c27520c9607bb4436d7f9e010d80680c8c8f88

SHA512
4cfe5f2c94a8bb2dd8e73c53d4e3f1e8f73f19ebf9f6057088852e452881e0118cff00af2b95e7c4fc18203e43dd2a251990212d5b31a083435b4d3fb933d166

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIMgYwMs.bat

Filesize
4B

MD5
4c4dda87f8e9056201c59f392be10943

SHA1
cb1c0da3cd4ac65ae0af0b5fd901d2b1304f77bb

SHA256
c049df439c462d78253a0fbf321ffba64bff7750e46cf8eecd2db7773ebbb6d6

SHA512
55ad28e239fcbea413b035f2a84c53021a9e6b0f14e24fbaa8f11adf36a6c51f68fe8bc72bf436458508a0c38962ec249499d6a6135673c3db7a5355e731ea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIUgkYAs.bat

Filesize
4B

MD5
6e982ddf1c93ad4b4047d29bc73426f8

SHA1
f60f81b687c4e8b9c0507abff41198ffe072eaae

SHA256
bd8033cbe92841ebb20316e95bf9155c0544f919c86f79206a1aa7d6747b812b

SHA512
8406b705c37f54ff8ef3bdfc8724c5df9edd46d8b63d7eea1d06875d553d5fe144953aa8d659be5cb0bb65f5427defc5b94df9cbaf3faf06ae7afa690d07edba

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMME.exe

Filesize
969KB

MD5
a7919e1266b10a798b441af44a101245

SHA1
14a063bd3cfaea7aba75c493a57bc978da124169

SHA256
36debf9009d098b7428e58b4e13524d1cf3dc124e462b70a4f254ce398c476c8

SHA512
b0a4b8ba116c0accf29f1ace772f437fda2e3b7d97d0b2641fe8e9801babb419281b314acb01e0af6f6bfc6c047d462009a0e7501ae2089403f3ca31bf9ee4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMQS.exe

Filesize
159KB

MD5
b0ea0dff62a37a07fe240e23a82ea019

SHA1
66aab25939a1d5be9954ac80d9cd48910a96c688

SHA256
5642bd22519d7817264b3fc6721b6f38dfaacaacaffd10d73bc15079c287d6ca

SHA512
4276587549c1d907028e6c6c9bcc17b007a7132ce1e8dc25cbd023517426149fdcef854c754250f1d4b079616c10a296607d6f44893d501f0f2f5c041b8c5a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkYq.exe

Filesize
159KB

MD5
677f7f7130ca5f78ed396f04a4aefe89

SHA1
72bc7ab17404cbd43c0a5d847b10abd9c4c2b16f

SHA256
433020c535f2fabb32389c13d43d028fe9ec4a3a8ec2d52a58d4be4748cea2d2

SHA512
ff8df9b8d40ed157e095edeadd2b3cefbfa01babe852fa67e22b23ea95e125f0d2aabdcf880dca2a0bb8073254fefce2886a2b69cf62f3659be254b2ada9c12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmAkMYQI.bat

Filesize
4B

MD5
21657924cd83560ccd84b1fd4650e6f2

SHA1
ebdb3e8a372b3e5012bcb5af8f9bbdbfced4f8fe

SHA256
4874e4459eee321a1b0046bc1bf35f995da441cf12bf0906dd7c3d773862273c

SHA512
f5811b9c73cfcf1cd90d75a7ba36f352fc76675660e2d1b6bd6388c90f47c8818557bd0527542ef1887384a501f76677b632124291684bff54a5e6685e8512ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\goYoYkEk.bat

Filesize
4B

MD5
5b728b8a26bf587e087215ce96f60554

SHA1
c89f28d0a8b392604969c0956d0f14aa34ddfc29

SHA256
8fb7345187d67c0f2f93c47b8ada44715f3969d7357057bfd8a486e818d569f6

SHA512
da36c471da6ef7e332c22c52533d4f76d819f88a6019463c72ea49028b6a4b0498fe8b6191efe7f89f12693e4bfb8a5b2e0ac88f7ec406b75af3770d62e98d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\gokS.exe

Filesize
158KB

MD5
61f250b577be3d7edf5a2e3fee5f9bd9

SHA1
5c6deb301987a3c99455fb96f541d3083547f255

SHA256
0291bb456648eae9a60f0c47e7fc623e7a5e2b83eac36c21c76cba1002fc8fa8

SHA512
610a409a2ea760224e65a4a188aecc512e947176f1bff6b0614c859367c00f08231297e21d88bf81934d564aa43e151a4bc29bdacc74c8b86df7c8850fb188bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqAQUYAU.bat

Filesize
4B

MD5
b63aafd277ea0e64f8e7fe03249865e8

SHA1
7b221b15dc364cabc9b232d06e4cbb666faf7163

SHA256
8b9098e753924779644b7ec333c19f76251909dd4a580627a69df812fb44ee70

SHA512
3462ef24f8aa5b61908eee7097155053f32d6769bd34d3a06662081b5d850edf12ce30165bdbd94a5ea4aa660568b951b7df755c93b482058188c693e35ce2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hskkkIYA.bat

Filesize
4B

MD5
d470818f2ebe39269eea20c1dbe191db

SHA1
9ef3441f533bbaa229be71febc45b6952cac517b

SHA256
98c63737898fbc661df66e9363f3510140d766f52c3ba2cb05d325ab04bbf10e

SHA512
b28bbe73b36e6cd98e89d4b70746cc0b80700c7e0bb021cec6a03042e1410004eb839a57aa07d0a6cda89ba3a88fd52d5338b30221d56d8c2a5ae23436f76540

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAUgsMUU.bat

Filesize
4B

MD5
3ae1b092bc250c774cc5f9a486e64967

SHA1
9758648d540ec6212d796253d810f782dfc2eef7

SHA256
4dba88554411b3847d5e187e2d33f2f7e75bdd587f3ebeeef6e26eea64279f59

SHA512
d3201762240ae52a6b253756d7a02a45f9d1475cbc8484bff9bacf0048b4534096e29e04faacf46c988ae47c320c869550b5e1376345031eaf5a9f1c94434682

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIUc.exe

Filesize
239KB

MD5
d89ef1dd31dff5e01a7d84b2b8f4c8c2

SHA1
1138e7a1c84b02f945b35810faa7ab5a6fa2df67

SHA256
97661d994140a9e81b11c7b1d2ee2edba37c0cd690208b173b43fcaabe8c9a85

SHA512
54c35ddcc8264d8ba6895bce20bc7978f155e72c38cd8bdc1744006652adc9d023bf89e53a25adce8ae7599637da0653e98f7d1807e24c51131b5d1b027c0d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiQsIwIA.bat

Filesize
4B

MD5
6c4df55486405b36b1b0796266fbe479

SHA1
a78ab743e6df4367c8dc642bf0a9cbf278281f81

SHA256
106ff833860bfc7dbf75b33fe47c9e55dc9afe307ca33f336e07ffbc20030b65

SHA512
64ce2cd57bd314db7171ee55f49cc470176746274b053bc8761026d37e1c6c566b2cdc73471c2824eb7fc128dd0909851e4caf0d6410ae91e00b13fc63c14399

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcAwUIYg.bat

Filesize
4B

MD5
5c5cf4d7d00555f295ab407798a78e21

SHA1
256df0ebe3c91494316e77136297912a03863947

SHA256
d41a0a2a71fe573793bf1e0899d738f5ff8e6b8c7cc122014bfa02be98c33c4f

SHA512
e336b4d9e92e1ee337b216db774e5e8710df7e5f34067d8f6c9abf6d6a554634c3b9cf982ce8834b32e40c795bfd6b494af7c75067192af6fec02ca5c83737f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kSMMskgA.bat

Filesize
4B

MD5
ba0a931a5f58e7b05df80b8a4507c635

SHA1
b0f9f74c21dfbc8ee14f0a3be3c95f6ce3560d0d

SHA256
70a0ff1f00da4e502cbbd381bf93e59d714736d6dae3ab18b78206f56ec4f50c

SHA512
416acb2d79381889600216031be3687fde8de343388b1b54c9f8764695fb8fbae6a08a110ef2a5f7f33bcf88f13c8b1d9c300f0cb7a63e404b71655d64b679e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUAQ.exe

Filesize
158KB

MD5
f0ce41273257f5c0894296b54e0c70e1

SHA1
56cf4c834d50e8d7c375e7733280e8578e6054d0

SHA256
a5d224cf3974539cec9147eb88030b3e8da3288aa2aff5a34598bbcda1f5bc58

SHA512
35b2f066d47e06361c2ac60f61025432fc36c2a84cf4aab8891c7d04870a0d8b7b912d777c925e1fc5f2d7538ab727ea9f4ed5389f7027038ac7137eeb533a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kWMgAwkU.bat

Filesize
4B

MD5
bff990c5220483da0eecf2cc3f96b0b1

SHA1
b2a1a8d02475e0586d0c67aef3c72b1457290a02

SHA256
5fd7e2058df36963358c9d15311a748b9874c99dac60e679fc7dbbd4544265ad

SHA512
39886420d76dc5a053e349e440273fdcc8966fdb818715d8bc7bd111e3120132c241b8156f1313e5698cbad0a00fcb53e7fc88f4b080b323f5b4733721c09af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcIC.exe

Filesize
136KB

MD5
2d7063f6bbb87fadf52a517812ca2595

SHA1
772c41cec9801ffbafe0194513b06b602b48a895

SHA256
5a41f7013e7b432f1280e09ca3ca10710df1d7f9d3895ccab1ae4b13ba0d74ae

SHA512
2b9ed6c7223f04e5117d140997638ef1b55f52f8531f816e410e775e0b3578e6c68e51e1e4f2bf10dc552291773025688cf3c3ff500bda79caeb17039d89cb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkoI.exe

Filesize
158KB

MD5
47dcb04b2f855dba0474328743b42b41

SHA1
2893688996e54911ff257a7e18c51c4038bc9a96

SHA256
805a6ee98ced7e7dd9debe3ee1baeffa04516882e341c9b2706d5b01683656e0

SHA512
3599a9c8c685eafbf32e10fe1b16fae798a4886b9d9401327b1af1ab352af7588de0085e9260469ffd10d433df6acbf2edc7f631cadb96ee3c06975ae1868724

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwIc.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEYc.exe

Filesize
160KB

MD5
76dbff3705a9d18dd7b8c8642a2c6db6

SHA1
c91c5d3d7aeffe612e68920b0dc056e33f7c6bc9

SHA256
cdf55c8a8a3a4b5c65ae5b14f7221bbe016c04407e9f3b134ccd841594552c30

SHA512
47bb4d9290918b835c95244684620a7c9d70872a352e0b00aa3148603527a17afce9c561c36c81ac86fb5e1d1695563c74ac77ad09b04fe633a3d12fcf132b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEcM.exe

Filesize
157KB

MD5
cf054921d756b18830ff0c57a64445eb

SHA1
93b957d71646353b77286b7ba812913a22fd1db2

SHA256
80fae3d0c2bfed8ab529aa7191f295e559ae2cb945a0c8704eb98ecdc23ff7a6

SHA512
35db92bd714f53338be14ac0e62c67a62f6a94edb4609831637ec03177d0c5a9cc1b4371ec82ab2a7e466a88a4572df33f250507211b7ace9aab579c7c001a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEow.exe

Filesize
157KB

MD5
603b6b98538e17b48f344703ece0f0fd

SHA1
20c3c37a61f8d73fb55118aad30d258d7f886448

SHA256
a5daaf2781671a06e3f8b5c6e6937a42e4de5d4f24d4552f13542525bab116a3

SHA512
95234939cbf3499cdeb555baa1ca069e2da28301977f9517ad659e8d35714279eb45b28f3979056163aaa10dc96da12aaf42607f4d90023542a00b946eeebea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMIk.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMUm.exe

Filesize
159KB

MD5
b4a457c1535671f58c7a97c275a874db

SHA1
78e2568dced70c1c619817e086d1ab5b76e16bab

SHA256
f7b79d8041dc3b4e22d273364504e1590fd9c6b4880da8b3ae0434eb651618ab

SHA512
6f50abf6b147fe9019de15419215303f934445293181b9cb90dbb79078cf26490807a9435cf59fbfea5b66f55e81eeab5cd007c795af0d26fd9110a5d6d792bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYQM.exe

Filesize
139KB

MD5
9e0a5da1e6fe322ab40bc6ac0398bd12

SHA1
3f41429e16adea47916a0d7db5499a230cf30da4

SHA256
b0644b01f6b30d02dd7a7d2f3ad136ab9d92717a690520d2f848e6827db984c7

SHA512
8f4b65a7335af1192b6296aa6cd3a0bced70f0890fb4d537148ecb8cd0d029f951bee3e1dac77c50b465fb4214dab291109e12f50e0e47ab817a6ea2db4fbf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcgu.exe

Filesize
159KB

MD5
c95ae446b3be125f24df60d9a84e9efb

SHA1
0b1261776e791362483a173fecb1356641c16288

SHA256
cc4cb6478b293a91ae0a7b3a93d613e7ef10b629cf566f31cfc0df593b5a3cad

SHA512
f92cce2f6e13d9f91814f9edeaa7e7838094e431af37a4cdbb8a2e15d7d7fcfb487aba34f01515077ab48d44654a08871f89a7c2ad21c7d55cf0a4da222b4904

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgIm.exe

Filesize
716KB

MD5
1198e074642315fbe40729632f1ee84b

SHA1
a9d8d9f786fef95873698b6ab5de060c9457c522

SHA256
508f1699c58195ec6134d649f55b848e6db6211884d971e9bd78e9b996b61a43

SHA512
e272afe6e22deb41f2b82ea57c125e07f6b21dca202bc67c947f8a4a8ca74299a066219f640dfc3cb9bcdfc18af1bd01633f0b502d0247c8cf03f38e761d5815

Download Submit
C:\Users\Admin\AppData\Local\Temp\moss.exe

Filesize
139KB

MD5
8d7ced0ee03e2dd39c7bef5c52248a0a

SHA1
4e557b4b4ea46f139490efdcb11fa3e4583dffdf

SHA256
e0718b4d7b4d51503cda425b44e96d14e91108e32474a18e95b11295095c7c8c

SHA512
59c026dfe941baf78538393ae3fe0a3afdb279ece588ffbad931f260005bc57d465995f7b41aa57129158c27c7f69bfb7f4e29d8abd00e481779def29a58af58

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwAc.exe

Filesize
158KB

MD5
41e92c536699e62481e204d289290817

SHA1
f8ddfac853a786ca8077c3d890bb0bb629fda35c

SHA256
c973426d91e421ab3662ddcac163a26ab6528dfec07672035b30e7781904e8ec

SHA512
a3c1940c81ec6b2b29ed5d5c8a46f964d179005d5fa42f3083aa7f85b8cc0f7febd62292fc324d6d145b8125fd687753d9e4d1460b9ba90ec63e20b6366678aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqAoIsAs.bat

Filesize
4B

MD5
41f32de7c73531a2326aad5e58bf0184

SHA1
80940283abafaf95c03dbe4bed0877e2c7e2bfa3

SHA256
e6ddfb8a3f06cff3d5aefdd13664d112c6eed45d525eb5a225a6298427a0f67d

SHA512
7949e50cb68cee90de9f2ce3d19f1bfdb3201e1c72d35e140e0637947a6e463a0cb0cd5d240c8fd81ff579ddb71359608a9125facc0a64b029a6965e98437170

Download Submit
C:\Users\Admin\AppData\Local\Temp\oggE.exe

Filesize
159KB

MD5
9475669ccff37aaa7c0abe246980e25f

SHA1
d1ba96db5538bffb5d48c11e1d4f4e88ccf21330

SHA256
312444b57dffd326aba1ba1a1a5cb343879b2c168445c21e5874bcda40b65b43

SHA512
3c8059ea72617462ac9e39857a50afd06ee7c40c5152342767d1c36a9949d19becf5778eaeab0ccbf9d1a380dd8158b1bc20fe61ce099ca62ccb14bac662d5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUcAIEcM.bat

Filesize
4B

MD5
efa75b9899d5068f464c897cb325f58b

SHA1
42db126c22bcb70db54079cb2c59f6f43c2914d1

SHA256
573ebe14111f6daae1b37ecf97315af1184f65b42221cf08dc185a709ad1c00f

SHA512
0ab699a352a44eed1cb14df14e059a1da59cccb5b6f1c223a7708679271be9001a259e8bee53d2acbf575f061305e376962261aebcc6810cddbf1bb972545548

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIQw.exe

Filesize
159KB

MD5
5425f7b7e6c61bddd4464afdd86e90ce

SHA1
3b8f84f08b30e3ef5e5c5fcc68b2b5593a5921f3

SHA256
684b17737f84265190d60235d9b8e8c4556e27d4a8286a4322999338a477ff0a

SHA512
40913675c0135fbecfb6e920d5e27e76db9f5340d7aac48c2092ac5a3c1325cb56f4e3606f556459d9b3ce0d8c1620a69208503ff99318f0136db6711e05c7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIcQ.exe

Filesize
158KB

MD5
678c0a5151aa91b16ed3024909143bbb

SHA1
7641cdfe08eea0d5fea442f1ff827611841b92fa

SHA256
05c06d49be8ba1be791a0db10ac0e93db154943c68369c8fdb4758f407131eca

SHA512
09a29d9a76cd5cab56d207564861a61340d4a9cfbfa0da73d0165e65af75df597764eb9d361db5878a6ea65e0c138b93306f190de0b1fbe0c0663ba003f1c885

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIcs.exe

Filesize
158KB

MD5
79e6b3e947fc17e85cfbb9e2d92cb395

SHA1
60974828a27af4083d162a1677460c8e621d1edd

SHA256
8e274997d05665260c75e846f9f581027bc96fa0811b7f4bd224a91c8416cfd7

SHA512
72e3a951dd04e7b21e119f9d3c41822d3ad0ba30f06b73dc2eef70894ebfdd3fd29d876b3f4be73a086c31e9c7e3a430f98f7da4a9156d15973f58aea0a858e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQQc.exe

Filesize
159KB

MD5
e8c1cbfab1fe2725f0c8fbfb0bb5cc3d

SHA1
3eb88b881f6bd30e46d17ca6c60494837a66bc56

SHA256
1be2987877fa1051519ea5105be4005c5f22932cce2d33e11b0eb8c3f7f0fca9

SHA512
b58637d61c7eca428e6e63b3761193960446370344f033042f306aeb43d008f5687a7857c8a5627bba60e13cf716fe3131d9781fcfa7b6556d97dc181f9220db

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQcS.exe

Filesize
157KB

MD5
dd66d4d7b91b4b0d540f24f439d3ab8c

SHA1
437a8a7a7fc7874518929b9413d07b78d8cfb5d8

SHA256
b7697226453ece07f78206a359d919a61c69241fe819aa946920dd8cb8a5fef9

SHA512
6bc3f66fa68a2493499194e9b6ff5dc61b7692ed82d58b2be99bc3d404439970c6f251ccebaea74724ad13944be889ca3335b7ba697d696e7876f9e2f0fc5a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgAAIUEM.bat

Filesize
4B

MD5
37f3059c670fd700c6b7f70e31c13fc4

SHA1
0056c590d2816e24b6163535156704583085bde6

SHA256
c96767f7cad1c510319523db8476692068461b2fcb9a0799727ca6b019b51460

SHA512
58aef6abbd049a10d1a9d2b5a4905234f70ee197c76f62df2f4395876bf9c09f519768fe544d1886ec76ca26e1ba1579cde0840de865903714c600de4c349928

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgQW.exe

Filesize
158KB

MD5
4980e3e9576d81dd26618fbee0d6d80c

SHA1
0be773231a079ec6b9d5847f9f08d3ad136eebce

SHA256
b3063dd02d8e5599c6eb61b3da9ce0e3f7ad789dbc697d239495e4681f7d75f7

SHA512
d36dcd143f99244bb93de5b14bc4a6d930725e0b17930b2e5f89a1e35d3a3805c551602ea89570b4cd6fc1b9ee684031cf6590e1a525ac47f091355adeb1043d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qswYwoQU.bat

Filesize
4B

MD5
e590fccec36b773c945bbcfa2b33c2b0

SHA1
409a0909b8836a53d8ffc3c6097f15af22eef9c2

SHA256
1156896061fd090e1ea9f5e62839f39f34ee2a074e02f47dff36e360480a6df9

SHA512
6a69808fa648983e8a89eb7387eedbe5b9e6ffe7c821f25243437be84bfa6e9485d42d7a13a5078853ceb8518e6158e14c6fac6341f113a8189e6abef7709885

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIYYkUUA.bat

Filesize
4B

MD5
0155664373eb753f67d5e051a0aac3a4

SHA1
b737fbfc455e2897b28087129a358535e58025ae

SHA256
396949a27e16531dc7d86e6b5cc3842c88abf972ecb76a753eceb9006347c22a

SHA512
5227ecd3705e371a6de94d89d2928601c3c6b89fae48112cb08da4d7b9b970a404d09ec8278d6349919419255886f44285ef659f9f1faf2aa7799872f61e0a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkMAsIIs.bat

Filesize
4B

MD5
63f6491765e7bea938ea4c76d18eb574

SHA1
1c1735674d592df6fb3cd2daa71c4a0883a99002

SHA256
1ce7080f61627a8570616ed60c8f3ddb3fc93eaa200177bc6e9871a90b748a8c

SHA512
d879214eca75f4be18906a6fe29541175552a5d7e0ec486069e901008773c48dc3101702bbdce1630ac8e2320fa30752bf447319f9b31c61b1072166c33776a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqEwkEkw.bat

Filesize
4B

MD5
7222ef727d537574d2ba24d689e1ac23

SHA1
d29f9085b7b6f0e939158b2b199403155db8fd67

SHA256
5e4149eb2e664fa7b9de71ab59811cc61ca3601024d15f7711066043c3a0a2e0

SHA512
a2464b58932b55e866207c8e9a597f677e2f5ec62647a90d038eb60869b8016f917283e60dec22759fee54ed512f9ec74b9a146479db0c20300466c9d763c1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryQQIoYQ.bat

Filesize
4B

MD5
4f6ab5a2239fe63cc8cc63da1a1fff22

SHA1
274e897092404c080c194cb1e7d6486423e21cb4

SHA256
5cbec55acdf26a235653b1e8074085b0cdcfdb97d2ada5e48453f10090472808

SHA512
a2ddc75a11a8393cb9e12e49b970d84f49f3fc477dee06bc2d1464e1bab1ec629d4a3eb398c77ae66318682ffd7401c4428d985a5468015a53f5298e21bf67ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEgG.exe

Filesize
158KB

MD5
b01b4daa62008ff107f51c2b243fca92

SHA1
442d3fa427aa45bd0615bfbbe77aa2b6a4de867e

SHA256
48b596a354241ae0a846142c1d8d70327b989a9cd803e1fd900e14beb302a929

SHA512
fe23baff6f1b6f9a2031957ff3ca08ca75de87bfc15c73b7ac35165f830bc832c48863f38ad5562eae2b0f3f92e2dcf0fbb09f63808990d343279e73e3b17a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEoq.exe

Filesize
157KB

MD5
bd6b4b810971fd2c965795b508c8aeed

SHA1
87b611a715b7469ba45218ba9fcfbe0ed9634091

SHA256
b70df2db7d4ff45c8db80d93c8a31b465a4720bfb9c41cc8438062c6302972ee

SHA512
de9686c9b81a3ba317bdaf40a82f5324976c4a383b9f42e75ef816e1ff650fa212f3fd5cfd990393cd65ff03c2fbb2083d7ea9af4f7e02910183a517545c07aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIEw.exe

Filesize
563KB

MD5
035b144c8b26a02baa14e499decbf159

SHA1
0184945349d24f2c201977b88d508425d99ef4f8

SHA256
f83e5fb16acca890d669bde1c2bdd196acf28386b2ff296f535df4ca30d145bc

SHA512
5265e047d0a2f1a1af16bd1bf2efc3a4ee7b0ad8affd139d22dfdebca91bb4292bd6e5d528c8b2b0584e9fb7317791d3caf8a8461421370e2403e8e0c9f4ab78

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMIe.exe

Filesize
157KB

MD5
252107cf0736b44f904f93c2293220d5

SHA1
a5293f42223207f71c523dd214d9e8484c064480

SHA256
b3387a6d42e96f55c0c1d3073c8079b37e6c888548f5ddbf40472ed6212c6622

SHA512
d206c3a045e8ba7a5382c2ef18496e0d0f4a4bd5af0b79861c54d61dca80db9acbf761d32ff9d0fe5c5addf06a343ed571dd5b45413284d9c8e5842b430cff1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYQG.exe

Filesize
160KB

MD5
a49d17134545e9fde128ac8341e91304

SHA1
c33094090259155e48fa3e2b898dc8cf5f9961c8

SHA256
e095be803318de0c563998cd828bccd4d6f330a464070dbc61ea066c4421fa8a

SHA512
23d658c48f1efc44813f00bd208b1e761808575ab3ad04feb8211a17180450e9d70c7a83a4afed86612a4e62ccfe77d1bc04d6124aa044994fc096df46eb300b

Download Submit
C:\Users\Admin\AppData\Local\Temp\soMW.exe

Filesize
1.2MB

MD5
346544625cb79ef9acd7c82f26b4b70e

SHA1
767f355a5ce090ac654bb061b05cc04235003bed

SHA256
490c0ba98bcff489a8bc007fbc8de956f1c002456363a5315b8c8acf867ec1e8

SHA512
85ea70b2a45a17fe56abff1313fcf004044c966b963f1dad2839e886116dad89a8db339a0959c506892bc9900fdd3bdd8c1d8de237906c3f731fca4eb4c04419

Download Submit
C:\Users\Admin\AppData\Local\Temp\swEA.exe

Filesize
372KB

MD5
74bfea6ab813aac15c2c9eb35f8b74a6

SHA1
96bb7e01a50b76e421484314cad9b1188db84837

SHA256
31086f1abe909cdaff3445de57b2b20cad83b092f4de1dafbeaa23ea79354f1a

SHA512
5abfd1605aa6fd9117a48a9cbd284e84e03bb0ab53bd75b471222910250a002c0a9a907cfd2efa20edffae83bdc151ea72d68049f11d18d2b6350b921598139f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIMsgQQs.bat

Filesize
4B

MD5
62a24dd2770ade46925de052d780c7f1

SHA1
fbb36a5a8928bc14c7f0b1e7981d6e503e31a01f

SHA256
9f77c69406b6970dd02bd4d83b526ce9dc6061ed5eba13471667c5b7610a20ff

SHA512
92f02a51e08fb500379e640f267540b2c5b93c96957aac28aa1b575f2f780c0b05ce5b31b0e8e1368ac4b5fcaa097aa217475b531b78f507558f3d3dc1659272

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAoe.exe

Filesize
159KB

MD5
288964aa3d72f7ea125cc7f56ecca8f2

SHA1
2a85dd2eef93544f6e2f0ecb63bf4710ab679e71

SHA256
84da751beade06e33bdeab92a4fc290e2ddf7377b2d06078bc4026d3f243d6eb

SHA512
adcea857b39ec1aa51cb19acedde7d06dfc0d7e692cdf313ea8e6c9c7d962b38fe358adae3b98d7dd847cbf9e85372725782deb937904f8ccd3a570c6a356297

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEMS.exe

Filesize
357KB

MD5
e0d4d01f5f84466592339f1c8b40e79a

SHA1
14c4e4c4fd88115784df8fb2552698082d2cf6ae

SHA256
de4896a0352d6343015580206911ee0244e3229e439b5ccdb6a435ccb30c4ac4

SHA512
8688287bdbdef2c726127f8192b9abc4f48fa294815d3ef4b98849e30c997ae9d6156b5350cb5fbb96d4b71a01aa59bc23caadc47471a2f958a46e6f77dc58ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEcu.exe

Filesize
871KB

MD5
be41d12febb9426181dfc809e8bb03f1

SHA1
4bbe4c08bd1c47207f160c11c9c3f9944088a8a9

SHA256
f2b7b6cf17b4cb29e0f31c2b4788a3929d8aad3ddfa93d764c3e2a79f29792aa

SHA512
d1c534d80e5219d9235ecb2b76826305163e045cda84707ee40fe38c49f86cad7e68715e96deab6a02d27caab65b0a2d572747b0e81da7480e2995f86db19268

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUwS.exe

Filesize
158KB

MD5
9f64b293bc6b7adc3f3ac8ac617d44f1

SHA1
719427575330b56ba08dba997d941529e5332143

SHA256
73f49b51c04006568e706c70f18cdcb0f9531bc363a3e2bfd6c52f8c81cd2562

SHA512
6e445143248388b661fc48f453dc016565dbded7c63c9c065ca6b65e6781e517eb78e6bd42a4cfab36534062a31fab7f72aeb96556754f7dba4922ba18391809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugEA.exe

Filesize
158KB

MD5
909fc8e19dcb7b599d3b868491b9720e

SHA1
cfa68974323b6495a6e35545bf02f96e5aba0a1f

SHA256
837b779fdb8be167c916d0f6ca32d2f03bd176f774a9a62466db922f43c1afc9

SHA512
4ec1d171eac7878692634052212d240fc0690ff501adedda3845442281e4323031e0a16a75b7066980f3b7c404baed63c5cb2a9e4b97b9cd84e3822d954636d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAIk.exe

Filesize
494KB

MD5
e64667182611501ca634354628ea9ab6

SHA1
61a71a4923f9cfd31ec6794014b201ad5c3ad0d7

SHA256
954da235dbf2f8a9e2aba361026ca39620140285ba9e26fda1c54e0bb8eb33d1

SHA512
41fcc3e3b35b8baa731e50df7425e5a7cde9cc2c2f6e77dd59f852418e8d4eb53c2553bee2605b07fc2ac0bd15cc8e2565ed83f0586051dcce1f86f4d8318f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKoUcwYI.bat

Filesize
4B

MD5
47f4420b36bfb65a6a8062c710d6df7d

SHA1
153b6ee72ba736ed402bba69d68f7d37ba68b775

SHA256
3d6b2cebb45f150224cb2d66df6130114d9560a5522ca09adb23d6809c9b2724

SHA512
94a75102d8c25656262d3e013db8b9972a4c4e400091ef4982e1b47c291fb76bc1fbda5abd8fc8cc3fbf1012b471009ffaa037c6edbc21903c6306afa5a3feed

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMIO.exe

Filesize
139KB

MD5
d4a25ba7b8480941550decab22c9e645

SHA1
bd79b423fa8c1fc99a13761007c7e1be088b6a44

SHA256
875d18851fa99339d2491b71f76da472d52e951c4a4c0320bf746472932ed78e

SHA512
cc3677cf035442d237b2600b13f0c487274798ffb44a5559454cee39604bf2dcc68e32b1ae93d6f99cf54c5e904295cf5e568962eb86144490d9c169e1b669a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOgIIMoc.bat

Filesize
4B

MD5
1adad4fc5c47f4350c00d0a3063c958e

SHA1
6d5833430ecd44760323d3ad69b53303a0ee399f

SHA256
f294d8a33328f175c1236186e7d0c6686754c0411ffdb2d4a74f8528c1df92b9

SHA512
5c2f340f3853058dfe14b5bb984e93b38f28649abb829c607ab8f692b5a08300aec9fabbe3235caedb5f5541b52282a622b325fcd5ebbda6472e6aeaaab0b9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgIs.exe

Filesize
237KB

MD5
5729102a2ea435b90fb2a6f3b3b4e017

SHA1
13183295a0519b3cfd671151b0d901b65a13fff5

SHA256
adfb5a5f112b43a767f4d237c55cdb400f4f3b5735d9e29b69743d934235993d

SHA512
32fc08895dc12e0abfe333845b6c63eb420de61f0f56a0b92da6b1bce164f8055d243880c9cae39a29f4efd360f9d9434b00e567eaa3c1ceb47819c2c00808c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgYc.exe

Filesize
158KB

MD5
610c90041e360d00f5e7c1271d1f79e0

SHA1
4396fb582c598f28e296b03aad6fb8f711a4bb51

SHA256
8c39121b56800c532ebbb94a3bc0d84180122caeee627f0577b7932b9cb44300

SHA512
1795e6a58bef11cc0dfea673ae6519c12bb9524c30ebdc8724d0cc248921fcf06745d83bf34f025591e6205f3a3624908997ef6b9c0527f3895573a2a381d662

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqgsMksk.bat

Filesize
4B

MD5
736c1720a5797394a88c3726ac72ccbf

SHA1
9953970fee5c969670dd3973799164c196079514

SHA256
773027166cae673c0404a319c89f57fee963c2f04547ccbd5c1af756981fa6e7

SHA512
6ab1a55f5b0a6969b3b2e949a6e2750b37d46922f594e55b8fea53c4735c5d13c0d12c88809e0e85ce3bb4809d7de3e2cca7b0dc0652084b6414e6e559abf5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\wskg.exe

Filesize
935KB

MD5
456a3b35202058d8a4c271f0226d3080

SHA1
8887050e150d14a39da2e440ab8271d3f43cf1a3

SHA256
7f416def78f77ed825aa1bc0af34a28c10e81f5705e06db1bbeea93c3ca9f314

SHA512
a673ac82cf621f7dc3b7abe907f51de761a60eaf2943a7015cdfb9dbc10797b288a3b73a9432cd7d781eddfc26b80bc8965ac02585cc65ef9d4e3f363b606dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAwwwoQc.bat

Filesize
4B

MD5
ae3e7dfe1e9609c5714ac7d0af25386c

SHA1
e849c62e0ddb4817d30265c609c27adedb6c90ed

SHA256
5034b747af29d311900521caa1abbf93de6c0a808a8dbfdf0a8f51146c6c26bb

SHA512
7bd63cf7b26927e675b1652fd67832fa6d44c5235553b2cff83348511df91a63c0d04d9162c578902cef813024db44c9812f8088154224fc51fe5c1e7e57ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAYK.exe

Filesize
237KB

MD5
e6518f1bdf4bc3d822b347b041af4bb7

SHA1
224c8bcf66dcf714e0ccbbe36e07eb462576ed8c

SHA256
111de5c2d91fb12f6fba4899cf81f61f4c5e64e4be5cf170935cad3c778bcb6b

SHA512
d5998f9d3ad18bef0bd142f01acdb3878084ce01adc8f19e2581cbeda0ad369cd8042d0d51e0b0a1dffd39e463bcdf3faed8e7f092c917e1363082daada86fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAcK.exe

Filesize
158KB

MD5
f9cc03d74626448b094957074e30f1be

SHA1
9d67c3c5a0df456e2c60d958b991c5c599a49ecd

SHA256
f078084b9f54ac3f3e00d95e70d339e939c1f2dd18dd177c968db1e259141eb8

SHA512
8b38f6ef098b18c107119939640d13b0696cea48e8a5de582d84d38205d9a5ccdf1e96f84674f7501520c90e7781eb0fd11c2922ca63368315e22232c3217f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\yGMgsQsk.bat

Filesize
4B

MD5
b483a4406742f9f42736474ccbbfc45f

SHA1
7a8d186dad329a19a2ecbebbd7e65030b477bd75

SHA256
904594102ea7426b5ed159d372d30d6e467ac8705c5c2b119e0ee1ef3f61f7f9

SHA512
ba7c67eae3426bf0a05b1a4cbb245d87f4983246044b34605718dd3deb4686f89279ec82febd9e8c4cca99ab2e295d9cd0232dbec12bbb604945aae48387275a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQwK.exe

Filesize
158KB

MD5
5ddf1017d9e7ed14a924b90974640b0b

SHA1
869cc26c540ea0b9d5ae420fa36b2e7049081bf2

SHA256
c356c9c0be0a24863dea699ead26be819461ef958339ddae4cc22611cd3dd249

SHA512
42feb02fdf25b722cbf3094b2884043a5d33f4772a3f7b631e186f8f003cecb90df151ee4bacb0472e2cc7210c30f11ac633be16e1da1529a38f1d537bcae814

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUwm.exe

Filesize
159KB

MD5
7c667401a1918ff38550766a8e885e69

SHA1
5f73a2bff23ca87bcbfe1fbf62d3bc7f2835d21c

SHA256
af07afd65a64a734b4b0b26b2c0a788d45db5b82465ccaea52f75b8ae13ab375

SHA512
7ac1ebe5f7505a973760cf0e0fc7e655196ce3b32384f1909d278851266ce05fe61945787a64ad89fcc49fb52483eb5d2c676047d47a38efdece6c420eef940e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWksAkUA.bat

Filesize
4B

MD5
dd58ff7ce9d9c8f8747d8d30037a3c3f

SHA1
2bb65d5b053e9c4a65da8d4b117cd71e39325349

SHA256
6039d21d8ba318015a839e66bf3fa893b820efcb1e4fa7fecb364fa14aa2cd24

SHA512
4a0f7151f048f11196c06f774c9c42e15478abd58d89d57ff35417b108cc1f7562e77e74a5f2ac00593ed57678fdf8b7f1dead00098fd329c7f6ab3385edcc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYAk.exe

Filesize
157KB

MD5
2d2c98dd89f0fbafdbbb3d4ba23feb91

SHA1
c44f495c52967c8292c85740250a00d2cf79d284

SHA256
140e04dacbb778d3947152cc3e268877c14561cd61db692faeb143636d2910a4

SHA512
979ec41f8e5d1d6ae53a4d4372654d736bac3f819e12d6984dda96a6586b24e391595949480341ca4604d6b4f373d6f63282b48e8484d6c81aa8b57655fae8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYUe.exe

Filesize
159KB

MD5
468d17d8e5aea40a679b194c50c3fb7c

SHA1
3853e1d0c159386cffe8b26780d8ecd95490d20a

SHA256
2ec2f5700624c6ac159cfe05c59dd206906524f327ac6dc978d1154a175e41de

SHA512
20b0416a77e296e5ea02e425c59757c09de9bd7321d7eae0e284525360d8250aa752602bc22bea5e79f4cb7d3499bb68a0b9f8e9f763d9e0e494967eb4c0b605

Download Submit
C:\Users\Admin\AppData\Local\Temp\yckC.exe

Filesize
160KB

MD5
d2676ede2d4d7d76b2f6934dfd8348d5

SHA1
1ee3696f1ab800275435da592fbb77a204f26273

SHA256
96964ee31ae2ffc96e3b436912ba2b60aee8929a24b95ca72ef9758df46c1fad

SHA512
a3254cd9446d02e8c60e2b64af48cab4d928db22542ceb944d18a4fd179dfd6769f762e2760b4474ca1a0bd6180c1999df357c888d8829bfe37ecdb74fb47b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\yksY.exe

Filesize
160KB

MD5
242763e9504f3f872ec465f8d2cf8069

SHA1
99cdb46294f43d65fed5d9b3fc74dc727ab22cad

SHA256
048a285e8b4b7bccea52c4c20f66bb0e1b0f91846d72fd12dee6f16f02cd5963

SHA512
f914b673ddb16afefc3e9274e0f25b307baa6e92229926a8a11cdc2d70a55d1c103385b87300db10eadffaf4729e0ac21a8efd2a8e9633f6c7e7f33b59d8add0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysUe.exe

Filesize
159KB

MD5
c91f8dd92a1af9b4a6ce5bb86543163f

SHA1
6bc0b9a7a39ddec2680822b50136631ba357bea3

SHA256
383b863370dd34ff737cf46b11a949d20c738ea78e18331a3875071c4b1f5288

SHA512
b3e849072c47dc08a50ccf4b9d772b6feeb704edff942ac21250c948923662200d34295488d56a3f4943df2155d326b0b53cbd161eb346bdc16dbe2360df42cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeAsskMc.bat

Filesize
4B

MD5
0c0eae905f6b23194de12d1b12776934

SHA1
c500659bcc7a175b56cd8bb07aa34b67348e9dfc

SHA256
29be6588323d0d08770c8ea915499a3185e4e066e3e096a7cf0563bb088ffc04

SHA512
6f791e687d6eb6aedf1652a6aa9b2729b7ee8b6053006179928f6309e34a223f869bf42816e448eaf62594acf307081910cfa1f584ec68d0b6d28d16644fcd5b

Download Submit
C:\Users\Admin\AppData\Roaming\ResolveGroup.wma.exe

Filesize
573KB

MD5
c6613b7090d65e6dc6754a6a14cc6a11

SHA1
c9141dc3bde67d217e2d710d6174ca17578d7483

SHA256
ac6b4524940e7e97f685411343b8187f6e0edf1957e7ff87e88b43c57524eab1

SHA512
81931009627b27220843fcd0d1720d123a00bd38f6e5ffbc17ef686f6a016386f7ef3238d064a3c6819ccef70c1f5c43a7800f36d2046116e0c31b692eec6fc0

Download Submit
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

Filesize
8.1MB

MD5
ace981848bc68bf0bfc5593a27ba4f29

SHA1
ad172dd6e96067380db4d0ba44adc0cd1148bdb1

SHA256
1a1eb0280c15c8de45dc74ac674135b534d1e005e04652166b61b0c62c27ec75

SHA512
15900652ba5aef764f22a4866e5b3ee4b45b9d94607d2aa10d40f1d7fc7364eeabcbf14249b18066837f12f70c70a9609cc620569fa07037a6b6d3dd1d8fda2c

Download Submit
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

Filesize
4.0MB

MD5
01fa2f3c4eb66c0c65f55f9ec32a5c17

SHA1
c34ea7ba99c223b8c62b74e2c7b4723947e849a3

SHA256
132eb8ba40cad7d7e7116e1944029dee7b3ae75737d778c2719ca6000f616834

SHA512
674339c3f84acf543c39587e60fa0b13df341859ac344850798cf3d919264a7d53c881168fb3805d38f89707afb86b2ea03fdadd0eb6e5a9035c8c07c51b72fe

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\ProgramData\MqEMwoUY\ogUsQUkA.exe

Filesize
110KB

MD5
27838e1a6855f5b4a784852b4f2bc9bd

SHA1
7a4a7f2a3d5a7714b8d6e16d84e5dc513a0bfcfd

SHA256
2dee5dbbe6d93decd6f736547d885de2c634af08698f35616333dd1d8e1a99cf

SHA512
aecb1e2604ddb2a3127212ae99bcfda83e05e70306461e686c28a9b8dd3ec74850b471fdd083424fb8c20b9d1518fda679f62356389b28aa4418b56f40fdb975

Download Submit
\Users\Admin\MEscAkMo\GCwksMAI.exe

Filesize
109KB

MD5
386d0d4b606dbfc41131ca2bb9d12245

SHA1
db05c405c63124baa216735af86aa4be2e3be859

SHA256
a42157b0334f734abae076f7e14a4c2a2b9f21a2548bb03af9c38119c6f24a64

SHA512
7edd4a81621db028787f10c0655a141a865f83f5400356c3cdc42753f9caa8e3837720bbbfc416d3a6748be608b155d07702ca96227003e101ee99c5fac32aef

Download Submit
memory/344-338-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/540-103-0x00000000000F0000-0x0000000000111000-memory.dmp

Filesize
132KB

Download
memory/540-104-0x00000000000F0000-0x0000000000111000-memory.dmp

Filesize
132KB

Download
memory/684-105-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/684-137-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/776-748-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/776-860-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/856-31-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/868-152-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/868-184-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/920-325-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/920-292-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1032-386-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1032-221-0x00000000000B0000-0x00000000000D1000-memory.dmp

Filesize
132KB

Download
memory/1032-385-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1036-55-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/1036-56-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/1060-161-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1084-443-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1084-411-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1224-932-0x0000000000180000-0x00000000001A1000-memory.dmp

Filesize
132KB

Download
memory/1224-931-0x0000000000180000-0x00000000001A1000-memory.dmp

Filesize
132KB

Download
memory/1232-244-0x00000000001D0000-0x00000000001F1000-memory.dmp

Filesize
132KB

Download
memory/1328-746-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1328-628-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1328-268-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1328-267-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1432-387-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1432-419-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1460-128-0x0000000000630000-0x0000000000651000-memory.dmp

Filesize
132KB

Download
memory/1460-127-0x0000000000630000-0x0000000000651000-memory.dmp

Filesize
132KB

Download
memory/1468-174-0x0000000000280000-0x00000000002A1000-memory.dmp

Filesize
132KB

Download
memory/1588-361-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1588-362-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1664-409-0x0000000000260000-0x0000000000281000-memory.dmp

Filesize
132KB

Download
memory/1664-933-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1676-339-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1676-372-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1856-623-0x0000000000260000-0x0000000000281000-memory.dmp

Filesize
132KB

Download
memory/1864-930-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1864-838-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1888-471-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1888-269-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1888-434-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1888-301-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2008-79-0x0000000000180000-0x00000000001A1000-memory.dmp

Filesize
132KB

Download
memory/2008-80-0x0000000000180000-0x00000000001A1000-memory.dmp

Filesize
132KB

Download
memory/2020-497-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2020-583-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2036-198-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/2036-197-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/2036-396-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2036-363-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2040-245-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2040-278-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2056-28-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2104-650-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2104-570-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2152-462-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2152-506-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2264-982-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/2276-42-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2276-27-0x00000000004C0000-0x00000000004DD000-memory.dmp

Filesize
116KB

Download
memory/2276-29-0x00000000004C0000-0x00000000004DD000-memory.dmp

Filesize
116KB

Download
memory/2276-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2276-5-0x00000000004C0000-0x00000000004DD000-memory.dmp

Filesize
116KB

Download
memory/2320-81-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2320-114-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2448-316-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2448-348-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2460-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2460-90-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2488-150-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2488-151-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2516-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2516-199-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2516-231-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2516-33-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2592-66-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2632-495-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2632-496-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2632-837-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2632-836-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2636-458-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/2636-457-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/2644-747-0x0000000000290000-0x00000000002B1000-memory.dmp

Filesize
132KB

Download
memory/2668-208-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2668-175-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2732-314-0x00000000001F0000-0x0000000000211000-memory.dmp

Filesize
132KB

Download
memory/2732-315-0x00000000001F0000-0x0000000000211000-memory.dmp

Filesize
132KB

Download
memory/2752-291-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2796-222-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2796-569-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2796-254-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3040-432-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/3040-433-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download