958a79dfb26cb0548fa6b48e66b6c826350733a331c77d885ddee2503e2a8ede

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
Size

242KB
MD5

faf4a13294c9eb15a32a66ddff1cd0b8
SHA1

18dc43f42d13880b13d8459c76a0bedee2b86a54
SHA256

958a79dfb26cb0548fa6b48e66b6c826350733a331c77d885ddee2503e2a8ede
SHA512

315f709f7c38ca0e723e7fc8ed0e0292f1262e020a682a9b7d01cd7ef3652259d963c94e8293faada8f2e086fe55c79388f41796e1e9d3f3003556401ae45a1c
SSDEEP

6144:LjuolgBD6TtaqF73V3b9M5r8YWnWiZ8llW:3uoA6TtaqF7tbm5XWnTZCW

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 61 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 61 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation	xKkwQUQE.exe

Executes dropped EXE 2 IoCs

pid	Process
2120	bkwwowkg.exe
3032	xKkwQUQE.exe

Loads dropped DLL 20 IoCs

pid	Process
3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xKkwQUQE.exe = "C:\\ProgramData\\viwMcgAE\\xKkwQUQE.exe"	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\bkwwowkg.exe = "C:\\Users\\Admin\\CWwAIEEc\\bkwwowkg.exe"	bkwwowkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xKkwQUQE.exe = "C:\\ProgramData\\viwMcgAE\\xKkwQUQE.exe"	xKkwQUQE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\bkwwowkg.exe = "C:\\Users\\Admin\\CWwAIEEc\\bkwwowkg.exe"	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2656	reg.exe
1916	reg.exe
2132	reg.exe
1884	reg.exe
824	reg.exe
1244	reg.exe
2524	reg.exe
2616	reg.exe
1696	reg.exe
2592	reg.exe
2176	reg.exe
2552	reg.exe
892	reg.exe
2568	reg.exe
2204	reg.exe
2412	reg.exe
2668	reg.exe
1780	reg.exe
2176	reg.exe
2708	reg.exe
2760	reg.exe
2396	reg.exe
3020	reg.exe
2560	reg.exe
1632	reg.exe
868	reg.exe
3060	reg.exe
1764	reg.exe
2604	reg.exe
2036	reg.exe
1668	reg.exe
2308	reg.exe
624	reg.exe
1616	reg.exe
1932	reg.exe
2492	reg.exe
2956	reg.exe
1804	reg.exe
1044	reg.exe
2776	reg.exe
1788	reg.exe
2512	reg.exe
532	reg.exe
2656	reg.exe
1516	reg.exe
912	reg.exe
1696	reg.exe
2568	reg.exe
2504	reg.exe
2540	reg.exe
2476	reg.exe
2044	reg.exe
1844	reg.exe
1344	reg.exe
3052	reg.exe
1500	reg.exe
1920	reg.exe
2844	reg.exe
2848	reg.exe
668	reg.exe
2364	reg.exe
1864	reg.exe
2172	reg.exe
2040	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
3036	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
3036	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
352	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
352	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2960	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2960	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
688	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
688	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2420	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2420	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2796	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2796	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2536	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2536	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1820	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1820	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1052	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1052	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1612	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1612	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1688	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1688	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2116	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2116	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2632	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2632	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1812	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1812	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
692	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
692	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
352	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
352	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1880	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1880	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2204	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2204	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2904	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2904	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1192	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1192	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2220	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2220	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1996	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
1996	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
888	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
888	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2704	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2704	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2572	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2572	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
908	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
908	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2904	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2904	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2208	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2208	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2652	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
2652	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3032	xKkwQUQE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe
3032	xKkwQUQE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2120	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	28
PID 3048 wrote to memory of 2120	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	28
PID 3048 wrote to memory of 2120	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	28
PID 3048 wrote to memory of 2120	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	28
PID 3048 wrote to memory of 3032	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	29
PID 3048 wrote to memory of 3032	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	29
PID 3048 wrote to memory of 3032	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	29
PID 3048 wrote to memory of 3032	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	29
PID 3048 wrote to memory of 2752	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	30
PID 3048 wrote to memory of 2752	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	30
PID 3048 wrote to memory of 2752	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	30
PID 3048 wrote to memory of 2752	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	30
PID 2752 wrote to memory of 2676	2752	cmd.exe	32
PID 2752 wrote to memory of 2676	2752	cmd.exe	32
PID 2752 wrote to memory of 2676	2752	cmd.exe	32
PID 2752 wrote to memory of 2676	2752	cmd.exe	32
PID 3048 wrote to memory of 2800	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	33
PID 3048 wrote to memory of 2800	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	33
PID 3048 wrote to memory of 2800	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	33
PID 3048 wrote to memory of 2800	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	33
PID 3048 wrote to memory of 2812	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	34
PID 3048 wrote to memory of 2812	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	34
PID 3048 wrote to memory of 2812	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	34
PID 3048 wrote to memory of 2812	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	34
PID 3048 wrote to memory of 2708	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	36
PID 3048 wrote to memory of 2708	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	36
PID 3048 wrote to memory of 2708	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	36
PID 3048 wrote to memory of 2708	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	36
PID 3048 wrote to memory of 2852	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	38
PID 3048 wrote to memory of 2852	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	38
PID 3048 wrote to memory of 2852	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	38
PID 3048 wrote to memory of 2852	3048	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	38
PID 2852 wrote to memory of 2524	2852	cmd.exe	41
PID 2852 wrote to memory of 2524	2852	cmd.exe	41
PID 2852 wrote to memory of 2524	2852	cmd.exe	41
PID 2852 wrote to memory of 2524	2852	cmd.exe	41
PID 2676 wrote to memory of 3020	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	42
PID 2676 wrote to memory of 3020	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	42
PID 2676 wrote to memory of 3020	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	42
PID 2676 wrote to memory of 3020	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	42
PID 3020 wrote to memory of 3036	3020	cmd.exe	44
PID 3020 wrote to memory of 3036	3020	cmd.exe	44
PID 3020 wrote to memory of 3036	3020	cmd.exe	44
PID 3020 wrote to memory of 3036	3020	cmd.exe	44
PID 2676 wrote to memory of 2700	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	45
PID 2676 wrote to memory of 2700	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	45
PID 2676 wrote to memory of 2700	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	45
PID 2676 wrote to memory of 2700	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	45
PID 2676 wrote to memory of 2848	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	46
PID 2676 wrote to memory of 2848	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	46
PID 2676 wrote to memory of 2848	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	46
PID 2676 wrote to memory of 2848	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	46
PID 2676 wrote to memory of 2884	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	48
PID 2676 wrote to memory of 2884	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	48
PID 2676 wrote to memory of 2884	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	48
PID 2676 wrote to memory of 2884	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	48
PID 2676 wrote to memory of 2896	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	51
PID 2676 wrote to memory of 2896	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	51
PID 2676 wrote to memory of 2896	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	51
PID 2676 wrote to memory of 2896	2676	2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe	51
PID 2896 wrote to memory of 2004	2896	cmd.exe	53
PID 2896 wrote to memory of 2004	2896	cmd.exe	53
PID 2896 wrote to memory of 2004	2896	cmd.exe	53
PID 2896 wrote to memory of 2004	2896	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\CWwAIEEc\bkwwowkg.exe
  "C:\Users\Admin\CWwAIEEc\bkwwowkg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2120
- C:\ProgramData\viwMcgAE\xKkwQUQE.exe
  "C:\ProgramData\viwMcgAE\xKkwQUQE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        6⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        8⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        10⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        12⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        14⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        16⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        18⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        20⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        22⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        24⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        26⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        28⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        30⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        32⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        34⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        36⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        38⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        40⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        42⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        44⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        46⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        48⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        50⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        52⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        54⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        56⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        58⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        60⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        62⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        64⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        65⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        66⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        67⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        68⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        69⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        70⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        71⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        72⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        73⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        74⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        75⤵
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        76⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        77⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        78⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        79⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        80⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        81⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        82⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        83⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        84⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        85⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        86⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        87⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        88⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        89⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        90⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        91⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        92⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        93⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        94⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        95⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        96⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        97⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        98⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        99⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        100⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        101⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        102⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        103⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        104⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        105⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        106⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        107⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        108⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        109⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        110⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        111⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        112⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        113⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        114⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        115⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        116⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        117⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        118⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        119⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock"
        120⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock
        121⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MmkUsoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        120⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zuscIEUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        118⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rqEoQYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        116⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMsoUUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        114⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMwUgggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        112⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ayowEMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        110⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yecUUcMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        108⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIsIAIkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        106⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CmQEYoYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        104⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZUkYgAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        102⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWEscsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        100⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xiMkAwgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        98⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KiMkkIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        96⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QuEEMkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        94⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kuMEEYME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        92⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OcowMkEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        90⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGUQwoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        88⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xQEMEoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        86⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmEYkogg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        84⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LcMYwYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        82⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gOAIEscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        80⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYQgQUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        78⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAYAgwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        76⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKswQAkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        74⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUUEcIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        72⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGccUcIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        70⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JYYwsMws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        68⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqcQoUAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        66⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\okUAUEIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        64⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCEQkYIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        62⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Cagsgwsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        60⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cwsAUkss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        58⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\raQocQcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        56⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rAUUQIAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        54⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOYQYYko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        52⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyEokYUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        50⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgUYUsgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        48⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KKAYgYwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        46⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwMwAMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        44⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QQwksMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        42⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eKwUUQgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        40⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZaAEAcAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        38⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngowYcAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        36⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYkkoYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        34⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HOEMgMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        32⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmAAYcUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        30⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AaYcQAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        28⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEsMwocs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        26⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmYYcQYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        24⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGYQUYUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        22⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BmwsMYck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        20⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYEAAwAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        18⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JYkIQIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        16⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JwEIwocE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        14⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IgYAoQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        12⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kCsAMgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        10⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIYEcoAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        8⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1236
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2760
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2512
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2592
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OWYggosQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
        6⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2700
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2848
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\hskEUMkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2004
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2800
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2812
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMMwMwEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1703928754-84604356184406541852118338156092441817396847172015305685-706364367"
1⤵
PID:2208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1051191333-643750843-1703406713-7053293492532271941134207584800537533-1875950736"
1⤵
PID:2644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "386315197-989366783118686754213923441498731367481603779187-770006639573394881"
1⤵
PID:2412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1849716454-1433988103950827643-1656723791-20406714931700442386-20876847991810872697"
1⤵
PID:2572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2315101851380018688-84528532313854110271908072313207320596913609911501424597810"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "304717535-5798891051473610742-211792438517200079502017725868-1002368304482250423"
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-703972147818572724-17611413861403395193167684326-55987821719250234167765932"
1⤵
PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11109608481875395227335739261878444410131017439751646147-889223098672462829"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "428506898489978355209596287716898298809668504457779503601903618945-493782782"
1⤵
PID:1892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4305473186856088-19258222659224701881683398353-386885325-16172929441652027246"
1⤵
PID:564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12881202751703527452-465559624973302616869452442-13368488451603125354-873447166"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1721443719-3892038861343436982-1082262175-1451887272029320755-1074905833508838738"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "113021187-1656978995-87286744317784233334116974361055435482395783157-1480102777"
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

Filesize
163KB

MD5
33a8e79784a576dadae191c9ca11e01a

SHA1
1632e759472f9641bf43d27b8303db14af01d93a

SHA256
e1bc775f5f2076cd0585f469922b38074db3bb75f43440de46da83e66b4c8fa1

SHA512
79fad82026f12b740f51d3be3d066208878cd12ea4dfbcf40f53bf7a2e7650adc2be4dcff2f285e3356b5c30be2aae5c9ede8f0bebd4cdd47cbe0ad77ef4ab1c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
159KB

MD5
aa749004ded2a55947f8d0e020b12271

SHA1
d45fce20d8d017b3476eefbd048923df46b1478f

SHA256
fcc1a87ac209bcc8d789001e22a8846b6e71f502d30755f9621f3623376274ea

SHA512
0af2411c52ec1799c7d80f245c056d7841c01f0877bd3322aea079c2e8a3ef3c2c8b0f499f42db7db0514395aa2229ed2211d13ded7e938b801c81712472dc4c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

Filesize
158KB

MD5
d1e03ab03d2b167b3a046083de316424

SHA1
23f88867426d4ba45815b85d42b8e55ad86792c4

SHA256
d15b216be6086f3475cbae5609bb9deb038bdd3723ed43adb71da215c9dcd2d5

SHA512
574a719d36b03172b56ca8638e8a7c9c9f00fe568ce1eccb6e36ba3a42e545f86613a4e8422aaeec9b74fcfa174cc8de82eb641721a27cb720e441796bddce51

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
158KB

MD5
8796704c046113d379bb872a80b6013d

SHA1
5de148945eb040a3be4725c1eb98e9fa0d84210a

SHA256
dc85f82534788701823f28f97df302dcd5b9dcada8c7d36a6931c25c5d2ca6a1

SHA512
f64462ce0ddc38628785e4d391cc652fdcda3edd19ef07d34ad4db243ec7a53d9b46aaafe6f9bdb6a1191e45aeddf3399a9bb1c3e9211b249df6576eac644811

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

Filesize
157KB

MD5
ed2fbb402efee0c50137f975eea16462

SHA1
4b216df21694352cda280699beaf809e8e0e8680

SHA256
0693f287323abedec22611b732569d330123c6a27272f380515620970b596708

SHA512
e0b45e29943e645aed1bff8b527d93d9230d9acd82018568162fce35a8f9cb09a8f0438171d28b0fe76e2f8c9ac57c9c56f50453237ef2cfb984950f27d843b8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
160KB

MD5
1d8d28d8a5520ebb1c8c7793f8b7764c

SHA1
3ef0a905d09cf60ec9793ff403791ca1793b48bb

SHA256
a6e6aa77a905c512b2542be01e2f68c6869dda518729c249625953f9c0ee7cc8

SHA512
e24507373e94546257e933f80cfb56a487fc9f0e139c459cac86d1f47c75e7dc0880e06ef83d72fd262cf72e62819899f60b7bdded056dae5a4097439125963c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

Filesize
163KB

MD5
82b27720adfe262c8076df558dd1a06e

SHA1
309bae123b2ba1cb954fb9333da392219ce8bdf6

SHA256
4cf4c4e304e206fefdd86acfafa51feeea4b9c3a45b12e43dd34344bffa0d0c9

SHA512
4daab5930e32f2ccc5974e6f370d3ec6d4f316223c554f2737b1875579ebb759d7d72a463350e736c0664fe7771f09c239353763679c9baacc5c70a115a64291

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
158KB

MD5
38e8c49c6750758ce56e24257698c0fb

SHA1
215a1b42a5c4eff6ff8eb487166145a3c1b37b75

SHA256
acf571de1e2ba0800741628a178ff24453fa84256fafcd4252bfe03c2e0f0fb5

SHA512
c80fc97f8397757ccd32867d30f524cda7d69f485b9ae589ce0fabc4afee2a96c2a70c9a75833bc5625881b134890ef9ebf64db746c893df348ee028b299c9cc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
159KB

MD5
f9fe377622f6b4c39d8edd38dcfe8edc

SHA1
423b5f6964fd7da4c4aaa063fdc736722437c324

SHA256
dc6ced396b983c957784c6b8d43862965603c597c5e5501630f635c9125f264c

SHA512
d84d8cceb0de3ef2e383719c097936e72edc65ced6b881bdf39c6035a40aee50b257076699f800dcb7bd6d63894bd304ff7c40d6d7186ef48cc955026e9e3605

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-07-05_faf4a13294c9eb15a32a66ddff1cd0b8_virlock

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEMAQQgo.bat

Filesize
4B

MD5
c8c530dc5d2ddef950257884c0e08d3f

SHA1
229f0ce8514f01d26b9fffe71349b964614e3a51

SHA256
532134b03218de39649a40c0cc87ba11a9f4a85915d66953e4a9f776101c89c4

SHA512
31694d84563500360a452f5c8e7100a0e24f8a6d9b9b128b477077a3691b5c9be1b5169f611ebfa7c3a12788fae7cfa0d88c916b250cb3a3a2b2e663798e1097

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQAI.exe

Filesize
656KB

MD5
aa9ced3551d596ce8618a54c1843b327

SHA1
2390bd941d5894adec5d900ed4ee3bf59fa36c62

SHA256
308653e35bd63206034052a1e3fff913a62c4d7f717cb2f37ff411530d34af8c

SHA512
40d082852d0ded90fac08c5d5308b10483d223a715c87f030d3192e91f84ed0ede8c159f8b443d677a97f44a373e0cea9dc7d93023e99cc27768c29c801a7923

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQsq.exe

Filesize
157KB

MD5
061c0781fe212c287f078df4084ec1f6

SHA1
985fa61e5f64dfdb47a431e8c92285adae189369

SHA256
d15c545a102a2410dfa031ff822a960aad4c27185ee50b000110d7d88e4cb6b8

SHA512
41a07946b940b560fd3d420f1fe22c78c112307aec45f09b2cecfea2ad99f2d969fdf81fc76bf796e9a60f5341c295bf061226e4e8f283c872938e195b95345b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmogAUgk.bat

Filesize
4B

MD5
2b3acd51c65027087aab01c9923f7d05

SHA1
30f79ff7b71553ecac28a55680af7964cb9f63fe

SHA256
37ffe65458d53b767698440e341b00ff52c17ac962a240b072b4abf2ea231c50

SHA512
7d3fc25d44aa5ae25a2328386fa4b8cd9b320933ab01e4f6118a2913b3cffbde8261dc552f267f9f46dcee796593e648ac453be4f045916a8ec6ce42b80253fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aoom.exe

Filesize
159KB

MD5
0a32c05426389d444c539899c759e4e3

SHA1
58c72e219c538fd13220c4dc1391ddcc98f579b6

SHA256
3fa06e1d93ee1768d87e0ae27c8ba5c8a9abfdc173ee6c1b33b753be9d4f4cd1

SHA512
16148ae823635145565fa6ff2908d310836e3715e6477e10a5994b8c373f3f358e1e0962618c884e710c4a694328d950397724b4031ce6423b8bd3e277a34640

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsgA.exe

Filesize
158KB

MD5
62d8a9d199a43e624957c7bbc98f52dd

SHA1
6de21aaedef05ff1988f5a0721e5ade01df4e7db

SHA256
f54c0af8a46ddce9289b66093be4293a553578acef028abafda4b2ba8bf86064

SHA512
8f424bfad44ca17eace52158ab315d3703c8c7525be1e9777b46c791a15da4be7c60d781be516cbe7c0bf3bbb592dff577042a69dc1245ce21ea00f8e9a24e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKYIgIkw.bat

Filesize
4B

MD5
0b80f3728e182a422627d4c59944101a

SHA1
41f624d492dc5df6dbcabf19e2803edc3e837576

SHA256
57d4e3d7da37cee3356fa7e78c00e62ef71458b74956eccde40f0418431d84f3

SHA512
cfe39611dae49dff9f6aad449e4c47ac56a6192ca08ec1d5fe1f4fd1052e832a32a6d6bf137f99a7553dae9c08a1a99a704fe61dd658cf34dd0c5656a0bf5e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMUy.exe

Filesize
158KB

MD5
72966df4d61a917dcc8ec5255cebe64d

SHA1
74b08b0281bb3b20579a0c889858bffa19ae2fed

SHA256
a3cffc30b3df96d4a11069f619450a08291fdd03a6c7480b05c02abea81d8ca8

SHA512
e713e3044c7cd92a0d0141b5fa1d685464e809c5b0cf60d6d6c97820424a1fc1f9a487c769c703b5012ce9df816deda6a776dbb80826b829d0ecdae8acd40539

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQUwAIck.bat

Filesize
4B

MD5
71fd12323e8dca6b276bd44ebe677caf

SHA1
608184331ab114b6a1573329e0dd14cfa8575c60

SHA256
5a35a0a3646f4e927039ee7751bdd2a2bda5fafb0e2f7f7051b68295eaf7ba93

SHA512
3b849137d0938e97a7a6ac2abd148e90f948457214efc435c7320ef45bc3238821f57bd994dc1cdf0938b6266c65cc42cc520c4b4aa9eebf7e988f28e8c11751

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQsG.exe

Filesize
161KB

MD5
dad9d39a8a63bb34597cb51d1899fde2

SHA1
7f3745f59cc175b022ed8fb7a7614823d30b262b

SHA256
9b3641a5d8639c1174bda31aea865a18429038eccef5d623d459d59faa9de0be

SHA512
71ea81e424ac2b2b8cae34af06c417fa89d666404156256115bd1fde032934d4a68cb669d3df44f8c87f9a57dec619e7dc97d1bcd21354d3fa76476e47735e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coci.exe

Filesize
157KB

MD5
9d6fb49f06716c88bbf2f4a72eed6376

SHA1
2082f842a3c4012ea1b7bdc303005ace06d20f1a

SHA256
fa040a579406b2058f603c81605a9517a27ddac52eaa0aa7fa65dd0ac6df1031

SHA512
b8159832c18a8b6c81ce38df304af43b1ecf56924e9b5622cb20c46ab39f46bdf93efd869de62c9bb2f6642528ffca4d4e5abd75540670accc6cd435c0a7c9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAYi.exe

Filesize
159KB

MD5
c0ff55a9ba697c3736f3b21ded80bf2e

SHA1
ae950dba10f0b5649392379c17bb33cb901e6802

SHA256
da06452d3f307b373d40fb5c082997cdea0db53fa59fd9446799bd37fb77c464

SHA512
57b364090034c543b092cf9839534d8e8d4d90f3155ca417850053cb640b14f7ce40006a52c08683a4ed0cf0e8c2775cdaed206d08fa96c28327442b80682334

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIQu.exe

Filesize
157KB

MD5
fd8ec4374546c6349f514cfccc39be22

SHA1
8777a1ff0399db0d1fead47b43091c9f9ed31b87

SHA256
ebff5a02b21a4606afb6c630f2bf93389b43a6152bd99305a6f9868180d4327e

SHA512
b83f78fa2de8ddac8e29d91829a213b2f308544944d6481d453bd452f21c3e99e3196831e9ccf70e7e2bcd29be3bd27accecce09556fb5def53e00cd007e0f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecok.exe

Filesize
158KB

MD5
cb757c2e2e5de4a95696614e7904b5ee

SHA1
b3cdd5c86fd600b336159dc87b013096b3f0c2a0

SHA256
ce2b7c57ccb3016b958ceb687f9493cf41e1990cd09f6ac2f62091e3b63e55c3

SHA512
d535b131e348ecc8f7fb8559e2ad1c5a11572aa0631f32e4a49e37ca201e3d7594350575f631d8268a0d16fada18124c1390a504a43b20c664a9a45390cc4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoUw.exe

Filesize
158KB

MD5
de4baceeffbb154ed3c7c77fad44405e

SHA1
df149fb3b3091134ea00cd8f1643d1278c47eb56

SHA256
a54b8de36e03f765d17912faea4c33517511e2c30adf0a8ffac4df71e8f407c5

SHA512
de0e34344296679500d299044a7c538bc33499ddccb1e756ddaa6dd008aeaddf9331c777698e02e9b6446adb5cbd56f875b9b2e27fa26736fcaac3937716a9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwgG.exe

Filesize
557KB

MD5
4c9e188a5770d868ebcecc81add06dcc

SHA1
7cec54325147b7aeeb836880113757d1b22a26d7

SHA256
2f3ad6c84db6967ac5a0dcbc05aa53011058c3e3052a6f004d9d2ebcde171437

SHA512
a0d4118dd1f5865e0d7cd0da8d38ab432023fbd646a03eabcfe610e0f7d5e64d2b7bcebbb91f6639eaadac45f89dab08574c57f02fed528865978527f3bcda92

Download Submit
C:\Users\Admin\AppData\Local\Temp\FKswkckM.bat

Filesize
4B

MD5
05b22daa248dacafc2ba0610306a36d9

SHA1
cf52018582f595c42627f9ec162b23650b6665d0

SHA256
4297e9ea001ba3fc27bc8fc6c5d2aa13abe6ba1890cbbbf62542464ce83f6f81

SHA512
c6d7fa20b84222973fcb648e07b184c2e0b3540857d988855e5a042c8618f5466285d8d9bffcb8c6c6c955945fc2adf04e5321876254b12f9051089fcfe1b091

Download Submit
C:\Users\Admin\AppData\Local\Temp\FeEcoocA.bat

Filesize
4B

MD5
f60046027f8250d1847b5c71c8da3740

SHA1
9369a51d935f5cff049ceba7bc44f14c877f22e4

SHA256
4ced4677b4c01e1258e5017a253f0d679c264e3620b9e64c95020adebf25441f

SHA512
e7b42822923b453de54ad11041d960bbb4e4cc6403a2af612ee431a898a960212e605fbed8e68745cf5b571c16500a5a1a3e6e84ec9cbe821ee17f01d3639747

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQMY.exe

Filesize
157KB

MD5
462dc569c31764a71bdd71d689abdae6

SHA1
8f66877b91dce0f59b360660c2aab232928dee89

SHA256
5de7979879e035cc5433a3352fd0410015ae80dd479f804f4a752b0e058c3651

SHA512
9f0cab0d6867f832786ad2459b3ad1d9c275c2c3999e327dcfd3b6695692851af2d5520118a72de40d478ef35ac2bddcdc3d6e2a21954de806b8c933b7f46d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkcS.exe

Filesize
159KB

MD5
bef5d2d2e580d4ae9a63a54ab1ca37ef

SHA1
cc5fa206f1489bd06cdf07661f02dc42ce70dd5b

SHA256
3620f0d452ad979a67656ea8efd01e12a915be342ff10cd22d622e9a564b52c4

SHA512
4ebb219e399178f77e4340fb9ec3f61d33a3f1925941213d1792da7f275eb347e208ccd6a760fa9b919996bf56331c462341f2c175dd93c0fdb772a88134acb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoMm.exe

Filesize
157KB

MD5
5e9d4da305bd5bb65f274419d8ef2ae8

SHA1
39e071cab8a968807bef2ebabbef4eee8b814466

SHA256
bf254e94fdb9ff2962f43085b13d97870eafde5e4f0b8baec451b5f8d8946515

SHA512
d0ce3d411e60689237274dd563115f91d386bec49160bc3b2c92b73a714287389776cd5cdbf3278b1ee07f82190328d5e82c70aa34ad4290a19311f3d3d3b5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\GugwUoUU.bat

Filesize
4B

MD5
d40ae2c66a0148d7653685a08ac1be17

SHA1
f696532140a416fff95a77338f679aaec5a0b7f5

SHA256
20eee8dde79b58bb9bb357acf0e440bc750631bb40cd84d5b93401fb6f3bfdcd

SHA512
59feb95989b5ee737162a3b2581e28c2940dc84f73f1d65249329eab8e6581071fa5a32e3e4b18b9d652d346d26752b90628e7ea8dba572d3c3a96c7f86d7985

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAAs.exe

Filesize
158KB

MD5
d08681071f5e282b87f48d1e1c03d122

SHA1
1e03b63e080302b6bc126a80066b571447c621bd

SHA256
f9adbc4ddcd297530e992d3381cf4013cc3d2a11d75d1bddb74425d5601b9e99

SHA512
f29288725e7b0b69c8d8555eada72455d2088aa6b8f4f60c827a0af1512f6ae301793f100cdf4b875c110715a3944192dfbefdd36c7c2aacca182b070298f2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsYw.exe

Filesize
236KB

MD5
91ad650f100f2d703ff739c6626d6a49

SHA1
78b6c76e95247701eaa47011c01b62dcbdc57c0b

SHA256
1398b707732d099e78f08705a93a12376f2cc6237d005374bb865484ed9ca918

SHA512
526b8bef0ae633d21a3a92bdde3882f5a15a4bde83b7dc171565898fdc3f3ebcf5b86d824133648afd01c800d457a728d65d61c591c040e7a5078c9cfaeb9209

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iswc.exe

Filesize
137KB

MD5
29a6746d50e273e54644c0781c21d6d5

SHA1
1294478b7f44f773724930b83f4af42f96b90b5e

SHA256
532140864cfc3d41f99a738f4527c7ce1d0459298f8def14c155a59f8c86d377

SHA512
50bcd660564b8502ec45ab33abf06834c16a07d7dd6081f5ae93c50258d82dc81c03444ec8fea7335df84374156af5979a13e5c42fdbb3fdb2008b95fae5fc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAMs.exe

Filesize
8.1MB

MD5
88cba5b607485a96ad95c3c5aacce4c4

SHA1
6187291e0d2234d241c4cf803e2421ff43aa9be5

SHA256
8ab9ce4988edb0c3950881cbc93b239f9f409587db88686a83aa80ba365dc2ca

SHA512
55fab27c119586fd50d0dbd9a759fe9bf37d332de992b692ba6a397609b4d930f496367f243d1e6c47461138b34344a4a50008424dffffb69b7acbbc59fc3030

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEMw.exe

Filesize
284KB

MD5
dfb0e127f5eb7bc918d7bacfae4fd1e0

SHA1
f6a80351682b6bc69a8457816d65c0dc30337365

SHA256
dd259e275db22461eaa4cd7ef51e2d5e1d1dd54ce77183bcb5e21fb9a76d62d4

SHA512
7ecd14d86e78da015aa2f59aef04d6829d62217373a8e791088c7ae218707557b4a58a3c186b07b395e9bb62fbae3294e6b6c70c51ddbc6e550127ddf6f39f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMIg.exe

Filesize
158KB

MD5
4aaec429993259135acf232de42ed0cd

SHA1
722562e7eb03b05db4aa02ffe6e98e1040727822

SHA256
2e640ea4da6b7aacddc1d78986ccc129cbb90aedef59621c3cfe6f83a28b4413

SHA512
2aa905d939345bd26851b217f2df37860c7bc89c25e48ecf098682a07aec6ff1f856ea72de9bd0d982892228b6cb9153a1ff905fa7bbb82605c8b697c8a5e757

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcAs.exe

Filesize
872KB

MD5
8b031c83ac1272d091bb1776f9508a5f

SHA1
ec5e829400daec8ec9238328ae6d5d7b73a3236d

SHA256
0d56cb8d68eb0c0f854000ee067a46c685c32b445d9a57ec4a86928244d9878a

SHA512
6b15b30c8878cd1b232fdd8da9f1303196faf3305c45f836539b77b7dadc417207a9fc7790e0c0d56ecd4b3a082fcb2815e56f77f780c7a14fe2b7c45569ccfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgkm.exe

Filesize
238KB

MD5
95f4880692435c57f5abe4b0c10f5983

SHA1
337cc7928b6c685aa1f6967e61e163c415df5a8f

SHA256
bff007034836537cfd553b26540649031e9c536a2afd947d2e023f50131e68f7

SHA512
f71a03e49a198761912462182180fa8ca899063a543ed05155832154463ce51148ba46b2fb5f3e99bd46071df3efbc94a4e959a3f13a16cb7699a92986f57507

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGIEYAYA.bat

Filesize
4B

MD5
e5e32d0b9783565dbf6c63ab99c8eaf3

SHA1
c3a770016d75fe941cd344bbe4ca55d5f1583737

SHA256
e7e10b212a4020716eebf9e42da5dcb971b00c46eb6e677cf0cb2a44e5dcebe7

SHA512
55525b13bd20f9e1b6d38f037095b8ce592b3753a8b80cccf01ba1c2ba32d04f9ed8b2a7242aacbe3d2131f2583be8bdbb00432c39407204cc7ec09bcc57d8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQAAsYsM.bat

Filesize
4B

MD5
313657a357db14028bd1f86804187ba2

SHA1
046d10bc176344a7f9bd79fb53b3269622ef8ca3

SHA256
76084588e269b4e8871b6002f4e6810709e9a803250ebfcbf784364abbb77409

SHA512
c62b0ca01b6fab713b7a87d7fc97a09e5b19b48264b427e0f3ac7c1d5da2ff4dc890144038efa23d152d17d0d099d5b575034cb79a795c37aae21faafb4be852

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYkMQEoA.bat

Filesize
4B

MD5
f952cd88f4a6eb1e7894fed4c6648ed1

SHA1
c592e365afbacfd4a63d8e7411966733735c4c4c

SHA256
2b65d5a85ca014d2cf2b3d68f1367c5f5bb2afd67a45f682dfde86c50f311a8b

SHA512
b577c4c762194abb5576779337322dc649dc036993c50f2ee150d536e7354f4c92d3fcfff8b569de9cf77b99237e4a2315f99402f37686dd4ace36580e6dc138

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgEY.exe

Filesize
745KB

MD5
853c7362cdca2e7c82c00ebad436d64f

SHA1
26b26624b21f501e027a2a2d368d1141f529488b

SHA256
4d9b232275155f3686c43c9637f9f84a0d925c6e61c5ee29c07ee9eb7d4af699

SHA512
f56e0341ef42c3c3904f708c983b4b9f0a6dd6b7bb069842a685c40d4c4092ca642f0157353b01e531b79cba53ff5b36c84d53f92afd52f47663703472eb04ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkMAQQAc.bat

Filesize
4B

MD5
6dafa911551a48f406b7902a6140fa83

SHA1
5ce30e624be1d656e28a800f721a9c6b183b38ce

SHA256
02628e58bbd968d60e18e7c7ff39c56d7b42d288ed5a6507e5c0a1339f68715a

SHA512
db6ffd74e849e9e637dd33688389dfeedc94762806dc068035b82d0968268495266bf110af68b263298166d377a2a7215a0d384ccaa761ee21069433dab5877a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoUQMMoE.bat

Filesize
4B

MD5
a17ce712de4bc6b9f6791761750307ce

SHA1
910eda108767ec8dd55b68d4896518bf65acb6e0

SHA256
5cd6b4b384c94b3f8f8d5ebbd6db8eef77d29cfe4ae3f8b0b3954feb694d10f5

SHA512
e0ff51ca3338181c3ab267adbe8bbbfd894c8b7e7058758d7818dbeb4ebd8284324158e819d462581622f003c521259869f4600c20d8ef1af472a30f255b9cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsYc.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIYU.exe

Filesize
158KB

MD5
9be286122aa9aa3e146215be4a379605

SHA1
6bafaf11f9775d05687d823042523e750147341f

SHA256
31df6db5c4b961412ff1df0c808a9becff14e7df5a6d0d8ed8d4e6fec5123a0f

SHA512
f02cbdb6553eb8b0a7bf782350cfc90340d0baae89027fb771a081cf850a694c511cf1d41e612fbeb4a9b3a8ef21e97fd352eac95fc73694ae413797149fc3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQQsQoYs.bat

Filesize
4B

MD5
5c412063686f8fb3242f3ec73c9e4b12

SHA1
6cdcd4a3d487e4d0012bf69c0375d4d4de9699d3

SHA256
71b56d08ac051c8542c54e17e26bf5e420819e3b66e585dbfce24a61ee7e31bc

SHA512
6c73f8d1ee1447c2557449f59d74a265c2babeea1b7b087cca3b83bceb20d9ca264ad1a24b41ba7c5e22b5029b102f81b15ba62c14a580d7dcee60c933045003

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQcS.exe

Filesize
159KB

MD5
b5573fdc640f2d81686ae4fd835fb01a

SHA1
9e0000a4ff4b5ad8c40c3bbfc0fec0d7ebf3d11f

SHA256
ddde31aeb63f1c604126e7aa06f8146b4dcf33c7f143521acb867e9482696c12

SHA512
d9ed5a76627a10d50a69f4d83c31dc1ecc76231545922bbd4a128a680d3edbc2711feb653a2ca51f73bf9e0a3bae55f7490de0219c8b12f822b3c38a49e7bc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QooE.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAgW.exe

Filesize
156KB

MD5
c47485601d80c227940170773d12c247

SHA1
4eb5f337710c4baddf751020ee9f797efb946b32

SHA256
8a8e7efba21f9f9364b94ea0889c23dcbb002a376bde3eba6d6ba083a0e15200

SHA512
0041b4f4ccccde80cf5a2007e5df8aaf7b92efec3b89b5ec6375081094c5f1d4d80aa2643339b8f49748e92e91aa8dc84df314d2a22af9808f08fe3536f0a7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEo.exe

Filesize
157KB

MD5
f0d76582abf6d588c2a20e91fce618ee

SHA1
cdafcc3c840c70743e234fb13ad8757c360f093e

SHA256
fcd0ffd4539c174a503c627f2dde043b6062df619f6f2f651c0f7bd018935dce

SHA512
6533060e61f577fd9f9abfc7dbfa128172322c9a01d133cacd2fc48ee955841483437501f2bb1bd6c484c11911c2b38ae7fa1ef2419537acb17eb4414ad149db

Download Submit
C:\Users\Admin\AppData\Local\Temp\SckE.exe

Filesize
160KB

MD5
1d358f64df08e7000da5c255956b30d7

SHA1
723d1c2a566b4c92e95ea6b2278c699176f5f252

SHA256
dcb29e0fefa1cd33880496225c46d34dda8916af0c0c592a5d2fa8fd39971975

SHA512
c9f01b100cddba3a69553bfa971a3ccd4941145847f80eda660246f5061133949bf1845bf2fe44593aeea7c3ef904240f61549c0d83b6b27f91e975ac42541d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SogA.exe

Filesize
159KB

MD5
316e1aae0e97715d271137c73e26baf4

SHA1
baec5c92bc79569b26cbd49eb3c3e1082737fa84

SHA256
4ab815d9107fa12d7090371d9632af577e4b8b69f00cb0046ef55067b4268f01

SHA512
bad5788db940166fa0c694d21d45d0d4bd6129332999f15c8c65a2f85d2ec8e41bd22d269d8bc8e781b0a408ebf3dde0875093c48431ddede2482c41a82ce9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwIw.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swgu.exe

Filesize
743KB

MD5
af30cfb32b7d49a516a3fe06a650b841

SHA1
18a62df10546d97bc95252a5048863d8c52b03fe

SHA256
2294b62c4e6df2b9269fa87fba75cf471d0538ea0d0c6df7f44b669a3e849107

SHA512
3758950edad81ba9b1a9eb01d050066e94fd6e1667aaa726c885fd2b78340811ab8e95d7657939905211a6ee5eed3d9ac73e74ede844e9c675ec9f512e1e2666

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMAo.exe

Filesize
137KB

MD5
18ff2a43acb28f99ebec198cd1e08854

SHA1
5215d0222638567dc116fb886380255825ef8ecc

SHA256
95d9bfdd704c9dab354890f88f573f7272b60c8cfff7fc0a4f84281270aece29

SHA512
ff8358266a8fa0a4db54754c5d2ee23eadfc74e9a7bc6d029203c072f973efccfbfcfe2bf295b43c156d3729d3734a636604f082a0cb2b80c7409658ce08682d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQgi.exe

Filesize
4.0MB

MD5
2bb133650e8fdda121f0fa2016e1d3f4

SHA1
b9ef836fc3295fad968ee0fe136c48e42a1dbd61

SHA256
01ff924dcc5c36eaaea1fedeaf3bee04c9b7739b292eee62924f6def0c4ed8e9

SHA512
60cc9ed0d22869447fd2325e3e7803fda5c35d53e99aa434d1be45660d48b1290e6948396cce62ef9c01a5d0a7c5b8e6697eade4d6b080b56bf97514f7d55d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYMQ.exe

Filesize
160KB

MD5
b11cc0d418dd9bfba876304002f851d6

SHA1
115789971a793cfd7d0b68088b8bb0990b147143

SHA256
a5c1d7d1e489561bccdd539be7a94dcb369cbf217ce9b9b992064f8f9c7fcf1a

SHA512
041a39f19be991f0b70001f99dd354a8c9ecddd12da2ac0e10c73b2d788d6b6f3103a4abe65c88b5d40dace1f0f613383fb1cba70c83bac38d674d4e93ba142f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkIg.exe

Filesize
158KB

MD5
ce9ce481b462ff6355ec5d700db4001f

SHA1
16910ac69e94243ae491090dc54d4bad36d26711

SHA256
98372f7133c999a0761ae40855158ce1c035eb3ccbe032c65d86efd2c6e8e1fd

SHA512
4624bf660e87fd45c6c4ef6bbe799772470a259d6e9ccf6f4fda70b81d51f774c39dbbfb2bdfaf40256ecac4cb24485af98959a77088d983cdea5f6dcd598775

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWsUsYQE.bat

Filesize
4B

MD5
18a78008f4c29825c79d6a02224e72b9

SHA1
ce06f5c44907019668a895e48b7fcfdd1e1e2f8e

SHA256
2e39e1fd399072cf09ce479ae4449c4fac4fa004e91a664ff6e01db323d11179

SHA512
3e07e80cd47c92e43e50817852c59d6394b3bba6d31a109b74964ad9e5cb2030cdb71f8e02a7c6b7e0a0ece49e1cdfef0a7a237018836f74d716772dc00746bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgAQEYIc.bat

Filesize
4B

MD5
563852eb045cacf77b895d912a0bc1e0

SHA1
be4159641a2c75c4e35492a8c1e0d379b1c86482

SHA256
607a9768743164da22e5394dbc25f4dc286bececaa916134ca1bf35b81070452

SHA512
1630b2481053b930cda9efd4bbe4ad95a10290856be24aa6503ccc41b676f090a1047472e4202eda0124548d607780d4e2a9d142c660cd87fc5b9cf53f866f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYg.exe

Filesize
532KB

MD5
232acc54a24dc3b38df5b89353caa6d7

SHA1
32e2c423cd581809cde11bf84d4b100e887576e0

SHA256
459bac0c41e2b5ad9ea0c1519b4120e8e37dbb41456868c4857e15ef3083f3dd

SHA512
3cda55200887dc19b3d23d869a6083711038c7d9b7587d54188e62beea75b4cf80e9a5e954d485df430e20761c6ac0bb4c510f006a60e39b1bd6a379617fa6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEQI.exe

Filesize
237KB

MD5
94bacd79d5accffb47fa2002954d89e9

SHA1
a7d1348bc7e0e0ce3b287d78f5e5d283536668a7

SHA256
34790c91288efbf6558012d36a4f7990113be744f75072e6ae69b9ca1de7e119

SHA512
0e98dbf0e0f8a7fd6f01c0f65aaa6d703b6a849c27152cc19ef85e9ffdcf24666b3520f94f0bc04d405ecf863188620301a8537a9c49bb9c6c737842795e5cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUQQgoUE.bat

Filesize
4B

MD5
bad6a1107a82754fa6ca4da4b4b371ab

SHA1
17f46c1c01f989e1234bca7d6fe77fc613f3ecfa

SHA256
80eb816f284747070bf16e7ecde0cc81f932b06aa1033693bb18beddb8834b75

SHA512
c6b0e41a09ee4996a3b767f766be865f4360c79f6c7d3920f37462c9e796081f6872364555f41ec48fdd8df9ad46a07fa63c01f115b773ebf230190a199088c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUYsAswE.bat

Filesize
4B

MD5
a27434dd3994f709cc6c4ac4da97bc31

SHA1
b9f9afae6b78e56d6c045e8f47888285d25c430f

SHA256
b9a16546f5435882c1a8335f02b915576c32cf6e2f99538610e9b63314f08428

SHA512
25b2c31a5a6d36f50d6e112b18e223d2b25ef6f5fdc61538f759efd7881a93a28aa9d5d30612c82ec140eb929d60c03a5d7b2bba7998a3111b300151fe2f089f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYAM.exe

Filesize
159KB

MD5
416f719206941d97f33036f930beba4b

SHA1
e1d92d3f3e713fcc18041ce1d0cfceefba8146c4

SHA256
988e6fc0be25a17daff9a5e320a532293eaace72a1363a3620a6a507e103cec1

SHA512
eb35066a80183e4f59732c7f1d9268c4273739c4eb6dc5b3c25f5fa7871cd9d2c7919f3d9fdf5aec8db0517929b1ece00c1cabd8d5db8c477aedf35fbcc8f226

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGAQsIcM.bat

Filesize
4B

MD5
9bdf28cf760f3b2e620001cefd45a0c1

SHA1
7225aa47adb113a3a8efc57269c303d9882d6986

SHA256
af4f85acdc1130cf96431daf1954b86ed85a46b17c13f15de90369ceb26c6ced

SHA512
19e5967fbafbcaf7cab481eeea1de21aa4479ebe9e6acf9e8f3b7f282e0bc5d0f381406ea0f68d319c51632ebb8c3f8efce8023a1433a065a1b23c208398018d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwIwUcYI.bat

Filesize
4B

MD5
9a6c880073f60baf6d7ea22d7ad5e3d6

SHA1
0c12794bb85555943635a9615a0027255ccdd705

SHA256
f269d2e5a18664191a2c9b01d00f9328b56e99ad8cfe978e49684c6f8ad58c35

SHA512
c3f1492a71827fa0f19994b5eacee32633ca146cb56c2ca0b734bbd50748092a52248832f3f7acda4cba9bd164daf2ce356356d2906af09d3d831954b33e1936

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIAkUAcA.bat

Filesize
4B

MD5
a990833b30e686492e63db8d3966fc23

SHA1
2c12e1b7703b1f44cedbea7aaaf3a7f598f46c67

SHA256
8e948ab0322195328eace43584dbe1664d3865138b4d700e0320b2d7bd044840

SHA512
eac78ab5bbd0f312185e9cf77d1ba5272800f8195af0d218c9ccbe2d3c2b58777ed9817073d836b32f128abd6136dbe51b1c2e3f879a5a93346c1b865f8a885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIYY.exe

Filesize
157KB

MD5
d11b02118894fb33ae84b37fdb691bf0

SHA1
8966c604c525deda807bad993e656176375852ab

SHA256
0058fc7a4a7ba9ad47e0be310ae804cb3e22059b26e7e27d59e6bcc1930fee7a

SHA512
fd19f0d4b4730ce98c7da7cb244b28b7bfa24926a80679fda9e8bb60bb9f054c10dd18b1876b443481fb265b406018891017eca1dcd7253da1fa6fa135d2200c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQcC.exe

Filesize
158KB

MD5
fb286176930136a7a88f95ffc728eb2b

SHA1
6a95d61247feabd20de2e31a8e35db03dac3015f

SHA256
49154dcbf3ef6d1f69b806588dc9d3e8fa6a9a394fe4c9580d191f0cf2fda872

SHA512
8ec702438b12e743567c98d8664a2ae37ced1fa753308cb9237c4de03714e245d88419341784b8e1527b6513458f19a0a09cf0abfeea055985ebca9e96da786f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYQA.exe

Filesize
159KB

MD5
64875f793a484c4cf38b2f50647ba7ec

SHA1
88527f47d7f588a692203a3c4c47307c84ca3c76

SHA256
17ce301d6cf0a87a7598d99b696964369c571a2e28d38ff8b10437a761da4541

SHA512
fe6897b7b58a4b2c15a3032b897f802882c3d5ec395ad9bf7cd33b6e04dc1a3ec2aadb5107a4a587ddbcdd4aca1debea189c4b9f17a54ab05981f0f06db04dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkcscMcg.bat

Filesize
4B

MD5
b3aeb533c29a8cb16cd2b374172b6a90

SHA1
33f2c05cfd4d402eac75685cfa8aa626a52f4277

SHA256
634c58d8dc1dd2892e012752f30b59fe3c24266ee9691c807bf0e96a93cab9f1

SHA512
82cbce8c867bdff08939da0d42a73f1e2e0dfc63731a1fc96c762f576b9b3c32cacf9bfd86a087410e5811457e1a180913f4ba2eda73bbb52e5e91c464f67023

Download Submit
C:\Users\Admin\AppData\Local\Temp\YucgEEIg.bat

Filesize
4B

MD5
61630d3aa8d38a9df4b616ba51cff2e8

SHA1
12a294eb254ef0e49d30c8c87e5e70ea2bf7d4a2

SHA256
f4fb1780a39c026e1a07b606c479a4443fdf45d602625e46a6b263b2b9402311

SHA512
42f3b50ecbeac5371552f0871ec03363354c441f98fca8aaa6641212fe55f7d83ecb9ce6c3de979650c6a218bb6ad5c48933fbcdf055d0d19fd108e1d5cfc829

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZKoEgwwo.bat

Filesize
4B

MD5
271e872d8aef13671cb4f64216e33dc8

SHA1
5090eba0a4182d3ef4422369e4250b9d094ace34

SHA256
0c5b35ca0c4f544d476cb326974a295398623618b74dc0ec6790fe7c3d4e7f7a

SHA512
95e3717d40e2df831396c9e52af62e5d268d715e8c28965a18adaee2e4ea268934340b7c69c8ac5014f9b9333ed1ec56e8e6ae9f9b7c963d48b9d8d29ca30335

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMMwMwEs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUQkMAIY.bat

Filesize
4B

MD5
e234556fb3d04e7c9ad6f97a571bd55d

SHA1
39c35a606fa95e298786fc5211b0cba79a9911dc

SHA256
44da7d04b631027b913c1e37ddebb77dec1f0ba6bada26b39cc46e578a38f0aa

SHA512
e615c30b2a23c3d9d25ee8dde5752e895b8083d2856a406cc94c53d347161df0edd700db92a589410d16d13d976fc8f025b7f008b618b7267bc78414005a568d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZeIMwEkw.bat

Filesize
4B

MD5
dac1b0d7c17ca8be6bb0e6247976e512

SHA1
ebf961f31341e163beeaa3b15774bc0628c9831e

SHA256
c8a572134eb21e0a7d6dca1436236331eaf177f6d542c56751e8cb832f668b4c

SHA512
7e71c04159478555a37adb76a782620f0e7065983ceddb6b8ca562cdb3f5a1357ab9e76beb5864e99e67e186155e00324ecb4427286354f8ba8f5b566e0656c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQYq.exe

Filesize
159KB

MD5
aad6e31d612670e7ecd1ed51dae78446

SHA1
942a50ac2b6188e64bac192ffcf93a5b469af727

SHA256
ddfd66580bd28dcacc6c3725ce50960943ed5baa4c01d658e0c12373ae637a2a

SHA512
706553c788a531ebba81102ddaaf0f2cf0cf282f385099466884adb6ac107c698642bc3faa1c9e3531a67313d2f7e0ddc8e138eea283b1be2e443d8220d969de

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQogQskQ.bat

Filesize
4B

MD5
f8cb7103257e8dbde387e3cf59afb60a

SHA1
28d2e50663fb5166ce1c6d521000af5871254f8b

SHA256
0362d25a6222c08474c97226bcf5c65111df2a02703ababd319d53cbf9c5202c

SHA512
db2ebedfcc72dae0dd646a9799a641053897ee0761c8bc7445ab42c493841938a24cc6852ed8a142383f5d2b003d3e86e7717fdc59eda95406d1bc8ff850c781

Download Submit
C:\Users\Admin\AppData\Local\Temp\acgi.exe

Filesize
1.7MB

MD5
bb6cb13e3f8c86df559e27d2c9fd1570

SHA1
7ed5df0c6af8ad68c857b72c4fe450b76e781ae9

SHA256
19d2849eb1427c51ec9545335b50bcc917bfd1a4ac371244ab38ae0fee89d795

SHA512
4f769eb665bc83a37acff8dd8f13c02f06fbd44af5edc9f70c86ab117f92f3af4deefdf0bb74eaae6647dd87871c0cd5991ed4a77c96f7182bcde69e2f215266

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAC.exe

Filesize
158KB

MD5
2bd7fc7dd71b318fe8f4911136ebd556

SHA1
2aaa59ecb7227bc491ec61de0e018a1f4162131b

SHA256
3eb2497a3898e192a2ac8b2508d6ccb3d49db620e7218026219433246d6f9bd3

SHA512
b47af4b9ff7aa65670a923d445aed214bace61616ced19dda5bed0ad81358678e52203b1ce00c875001096f6933b07dfda17e3b13f6238543fef2781c665f6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoYG.exe

Filesize
4.7MB

MD5
522f0a9c814028d8e99b8d839f33305b

SHA1
96eb75281dc0d3f473511979d33dff3ee8291e9c

SHA256
06b011f15e483b61cb9049280d8cad06c7740232dbb4dd9e9eb0b37960a03c72

SHA512
5491f174f5e843c30fd32c37274993a395ff71bc10a10b8809b418a070c1e185b023a0aa27df71dbbf14ae092140b4f505fee0497f2ec3a3025f8e8c111526c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGwMQwQE.bat

Filesize
4B

MD5
a778de4c1e5ffe50ac2436f81855c38d

SHA1
fba7b42d1d0b572b4216e87dd4b8442380822e0d

SHA256
46f2fe678e59fa60b340a6d9a860f4fd571c5f34ceb66b6337b9cfdf87cea91a

SHA512
9f0e7a5a94d6a959740d09fbd49a9177f7b187ca4a768ea20792bc5e253f5cf1a11887b70dce135872ba03c703d2b068f1b7121e4dcaccfa08e639d9ffe0cca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAsa.exe

Filesize
968KB

MD5
b78acd63fe9154144391ae705f21bbf7

SHA1
7764e1806daf36b376ee71f32a5e6b2bcde8e42d

SHA256
c8d0e043a233da9ce4d1f9e89c65bffa89577501c2fa0b08df8109c981058940

SHA512
fa369060da6300b95f9a33d03a6d1fca231c2f1b5b202acf1bd7de8516477a8c641589604be736b8b8ee6020c3d99ba299e2fc9d23057a61f9d56bf7b04ceb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQYEYkwc.bat

Filesize
4B

MD5
7b140fff7060faaea84ddd386e13d9b3

SHA1
068a7458ba540f689a17efaaf4962525d794e81e

SHA256
934738ece1ba66d075e1561c8614a56b64055539289577f86654bc533108ea95

SHA512
1c477dfff0fef68767063d0ba95b1165e0697091becfb0983248a1a7445a57f1ba5f1e9ff090113240356ab12871351f38197632d26e06448a719ea75b4e1a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQwo.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\coUG.exe

Filesize
471KB

MD5
6ec2bf3ec074324fb689e6e2c1aa7b92

SHA1
e54b19eea85cf17b913ee4c31d7349f0bb7e1a79

SHA256
a78534da33f5e51e271d333e5db61fd253fd9189dbfe859caa0f08f6ca04f680

SHA512
059a351015677ae101a1e5ebe88ddca60c85d069683f7d9c568ea28e499b499e677cde3e8e0e9e79c8069b3156151741bf944893d084647aad404c2b93ca8224

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMMAIUQM.bat

Filesize
4B

MD5
827255ccf18ded49e1b2037becaf9ae3

SHA1
733ce67ba46a51b963e4bf6822efc98826c7c814

SHA256
39f6ac983b13bd8b9e6ab0e4879d8a5c79f91d948e99e1acab0f3948f1d0c7e5

SHA512
577816e8361a31c0ffd5f1a06e4f5321cc277b5094275953fbe603f530f721ae36073376ef17737ec981c8592828d4f998450031d97a6353d6449049917d0378

Download Submit
C:\Users\Admin\AppData\Local\Temp\duUMQkYY.bat

Filesize
4B

MD5
3411792e4647ab504f5d74c0603884df

SHA1
d1e755cdd4cc1199823ee17d22a2669e3a0d702b

SHA256
e8d3cbfc6f43699500101abaebc29eb281d367936846bfe6e579db25fab8c5cc

SHA512
9c0bc086a25cfe28a615c5a2cae70d5be3de9e9087f2dc75b30793b0b8acf61b86f0b481b68ef48be22a29dd38e625bbdf6328129f7b35e1a52ec9d741e0ba11

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIcS.exe

Filesize
1.1MB

MD5
40309be28d07d8eb105e4bb42a665c21

SHA1
60b83dbecedb2d82e8fa9edf484bef89403998ab

SHA256
e9ff04609bae8611c94cfec5944939d394f3f0213b379d52bf415e8501d65610

SHA512
037ea985c50b842ae5abecc0d8a6112620c1f336beb55c07d6bb35b29962b2a26f971732a2b54160bf41628dbf614117db2533aa54d2170711bd3ab08178a19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMIE.exe

Filesize
160KB

MD5
244ed6887425b73594c0d345c208857b

SHA1
0b98684163bcfa54032ce2840a99e0c294bda6e7

SHA256
ac7e1a51a07711f08534821e5fc56e305e5d1cf7fa6eafec70f3af29f72adaa6

SHA512
83543b27dc9c67e0d938df55d3e1a9954c4d9c73fdd9646d377ceb6f7baa71e9303576e5997e1afb4979dc77590ad3e4389d28c17d05135c0ff6307171097bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUAMgsws.bat

Filesize
4B

MD5
3290b2fec894c08019081df24eaa3bed

SHA1
09cb4978f777ad4b994b9e982c89c0a984f54cfc

SHA256
6763d2e811ee8fe1f038c2afdc998c5ad528c33a638c85538ca012e599d11469

SHA512
dcedce639cdaebce418fc5c6c2a4d8af75456827c74ba378e5584c105a6cde088d59e88426df9ba896ec7baaacca5f12f464193113316796f0817d38c270529c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUoa.exe

Filesize
157KB

MD5
3a1c851183fe19b3a98fc01372512a63

SHA1
4613234f9bb91538db0ef0d59a1abd4bd7f36d1c

SHA256
75243ba118f1c4116f698274344f4fa1e81083be6d1897aeeb23bb02ea86110d

SHA512
6cc571777ffc75e89380fcb3e722216db91a47fb1aaed56a6a201374534070195952c032211df621848cff5786e7a17e620bd57bf8f612de777931f80d1af284

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYYG.exe

Filesize
160KB

MD5
184c54a8e67c1c44e1c6bfae84f6ab34

SHA1
8e07cf51bda3813021ae0eca61c4368033007376

SHA256
5adbe19b82c8f5e70501f70847f62c1bd13c27d5a2ce8f6e56bb31031e70649d

SHA512
da77ba59e19255acf29fe2767eca15e442d7b1bcd0a15738a2a264b6e9c942303f2337fa8aa1d6cc3e281aa12f445c8b4ce37f416ff869e1c470da79d2f9adfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoMg.exe

Filesize
160KB

MD5
7aa3eeae39207c83a14c6d087b4d2655

SHA1
90527fc6f6d248adb2d9966961689209a4bdec28

SHA256
03fec3adcc5a9528198980f4fed13c74b9372d7b180b1725a8bea21e9c709ec9

SHA512
6812aed114866568a9f7c2901590849aa543536f438296a6314d823132c56e255283a6bd86eb481b933d1bc8a1dcf9eda83dbe76b5b1dbe6b3367ea126d404c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoQG.exe

Filesize
158KB

MD5
0d7a9206a1ea9ad8b3071cae9d6cd6af

SHA1
0a154e4de48ad7b2ce351d2f710e748c1f7f0992

SHA256
74469d7eaf8bc96397e53ce1bc541510a77573e3361f033a30164e12422846e5

SHA512
3790575f74e8e7de725ac7c4f36d58da28c145ce08e609377edd152ead28f7daf4c344cfcafdb3d2261c0a61663e2b169336e4ea11c27eef233c423d387ba222

Download Submit
C:\Users\Admin\AppData\Local\Temp\esEU.exe

Filesize
159KB

MD5
e960b40d14b0b833dfeae2335f92e6f0

SHA1
407aa898cbd37ed690608a5048e4aefbdc8c9c57

SHA256
a3a75ce14c59ff087113a5cd5dcad479cf4534b1380658307eb933c87ffa30fd

SHA512
15f19293c81c36cf48b9bd5883c686e556fdec2378d734cf46ebee1c2d7a916b82784f2bd3dcc6d463b0aa05286921e3fd81b8dfca34f03b8799571132025195

Download Submit
C:\Users\Admin\AppData\Local\Temp\eskC.exe

Filesize
157KB

MD5
e9633af5d17cf78ba048d04527e69445

SHA1
9104a3f80be56720e2767223abf97ee19a9ec15a

SHA256
edea4517c75b4dfb2f5433ecea3619b5a3cf197504cb2c2adb30e0a1ca3acdc7

SHA512
05e7ac244f4c701375431d03ae2663e561f053c89e429af821aef0663aa316940cf2070095fe11a7abea8b3a4ded13d6f5b5dc4683bdfc52604bb634ad7b1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewgC.exe

Filesize
470KB

MD5
4d17998a5fd13c18cddc7265b1349a87

SHA1
12a13e20df76486f4643602f8bc59d0777032e4d

SHA256
0c45ae8ad7cfb6ccfcfb33700d468200242f2bcf1db0660e76a52bcc2826c1a9

SHA512
00f311e846d4ae743b262d1b2bbb2541bb4e449f9b095f635dc205ea1498bdd403c58257752491dfae8b4ed8d70a71cb3d1339e9a7541b9236f9bde9f9f0a127

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewgO.exe

Filesize
159KB

MD5
ec4f82f3c2fd207979f5131008fd70fd

SHA1
0aeaaaa65787438d7ff0fac6b762976998f9a347

SHA256
228c663c5e3d03e9c28b202d5bdbe12e993149797c557a00d7b9e1940ff44742

SHA512
5faaea40d6a5feb5aca649058a8b64cc9d4de78bc62db892f12e7d971391da5d86e2bc87b55be9837589d59b46e77e41e694bd637abe459f4b2e992cea59e575

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewsO.exe

Filesize
417KB

MD5
66e5bf947cc7e80251bf6db21803ee23

SHA1
ac8ead567d06d7e903ced39a595c443c935c0acf

SHA256
b57a811c72c324eedb4bdcc1317ccac015598ff9f81d112e858b093957201cf2

SHA512
c861de72dce05f1c82a7a5ee46079739a1de695decb79252480f4427f7b5272f94ecb9e528f0e8665c6eab62740e1e8f4645d08d3d727992592caba14a5c9559

Download Submit
C:\Users\Admin\AppData\Local\Temp\fScgEEAs.bat

Filesize
4B

MD5
e43eb9655c6b3fc6a0fde4ce7af50206

SHA1
bfb74f4640e2862d8c4896a6502f66bd02aeaf8d

SHA256
fb0921e4ef0517ac83f25b0037661e389bf34d36b45b9539110d291d8c8adfc9

SHA512
e67df6d1944e7f477f563a5f2744ba367c9c03ed26143bcb536c136caff5b875a8bb08a3d743b2eef81719a6d21ead932f779da9f69c313afc62ac586ba0a04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\facgUcwk.bat

Filesize
4B

MD5
0f17733b87fb238a842a802e3452b7e6

SHA1
37bfb48fb6295440953f71b49adc0dbfb4691120

SHA256
0db5e53c7785de111fda49bc616f549b8980e68a86540804451324527c0b4195

SHA512
94494c858d22213d730fb6150e08e6d70048d9c8c30eed6b12a3073c1902bafec336ad0dc7abe83ffea72088ee7b3719669f5e04b805840892c2c247974e5cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcgEQUcQ.bat

Filesize
4B

MD5
22a8f42f1f30cbbeb5c820df9f23dd60

SHA1
0d4813359cd7dd5a49cc7e587db782f78547aeea

SHA256
a930844eb2027975566fccd568d76f9243fa2a4085a84a2554241bdf0439cbf5

SHA512
bb0fbf153cf57dd9693f875ed2dde1099bc0338f2cdf7c9c523760bad95a18f66081186f9f1d3e45fbbf1c2d8aa446fc37ad6d6897872437d654afe88d57780c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcgQ.exe

Filesize
1.2MB

MD5
8d7b82c715800b90a2c3d4d11216e92e

SHA1
e79d22b952d2ba097c7df5198ef1891001039533

SHA256
47c2e78085adc991b871e51aa14f52a803b042d9fe5ce34050fcf1ef726756d7

SHA512
39a7713fa51c41b9009782d78d4f12cdce4a5296c589f828848549709ea99eb75b355f84eaf0389a011f0ea0550fe7245f74e448cf1f75f92b4987a13c1737be

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqkcUwoA.bat

Filesize
4B

MD5
ebd327ea5eff2cc6b53f5aeaddfd71f3

SHA1
2ad5d6664be57643b3ad2d662dfb3f4aa802300f

SHA256
38de3976c8fb5ae0c06ebe91f29fdada05f9c70e8de87a905fba8325d757a024

SHA512
12ad0d37411fb74ea792c9496ffaae64e9c65cf91dad1865ebaac2bfb4802281f3d856f4cb610d4ca09644e459617842ec2f341bfe732f489245f3a71e121158

Download Submit
C:\Users\Admin\AppData\Local\Temp\gscIAocA.bat

Filesize
4B

MD5
98d3f1f1d9a62d06b101f1bbae81ed4a

SHA1
5f17245437ab6b1966d9e91a8d8cffe55d6c0c9d

SHA256
2a3211866f02ef0fbc7be5cebed7a6660ab21d131b58ab4aae7c462aa2ad57d0

SHA512
a1b5e902d46fd5b56ea148c491f5b62a30ffffb09069421dc86f21d2d4908a9352250c0c407cc54f0ec0bf67172f8cd60ef5f20079340347989229d773caeb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hKIQEUQU.bat

Filesize
4B

MD5
ba808f8051419434ffcbe32013013c46

SHA1
7602bb99be3cd88fcec9b831cdcfb15054993316

SHA256
a0cb955688b46a151bca803fe21722355c4a1b7eb9d70a3f507cbb397cc20826

SHA512
638f79012398b4794033f7b911eb7378d051f1051a57452839a4d625eb88898cb4c853bb256050183da086abb5db53e39f9850daab8da60647e0f044134a5c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAEY.exe

Filesize
158KB

MD5
a3a97a7ae0a85363d1bd39827a93d16a

SHA1
6a49411bacf1d383f4e548db49896cbff60e8faf

SHA256
82efdaa393918238019afb05aa3a727e0584446f9a4c510ad8aa1e06ee3c856a

SHA512
f4ce8c1efda41e2da96f9585cc9bf924616f3cc7f9b51eb73502b8e22803bd53f4a98307cbf78fd91e5f7668c2e3e89e915f3bdfdefe2fd321c828033b4018fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAMe.exe

Filesize
158KB

MD5
5000f6c2b428da60e638e2fe4dda37fe

SHA1
c8d0bef690ec2642ee4da4901fe315ddfe58bd3f

SHA256
eebd9d1a130d888bb82b0d1c25becc732c1d42a52db9a7b3f5fd6457d649f176

SHA512
e1bb887f8a389969cdad964faedee98bf7a91622d625189dd4d320a8c3a8e0cf19145be9098c0b88dcecdcae0f7f694b08edb8908698d04ad064592e4102dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAYu.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAoA.exe

Filesize
138KB

MD5
27b2bc3eb7cdd02e079d6bc278786d79

SHA1
a623ea60815fae1d1460cdd6a8c54b2174d56599

SHA256
556faeead20f4380dbe9b804e47a0596fb6d833985e24c89dc48be559f812846

SHA512
69b4478ded703eaf615447acbb7395a6e61206a4c0b59ff036e67e8209ddd297d6f0339877ff0d2614258ea18239182a04835a37b70c926e96aef9ab9fb13ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGEcQYYw.bat

Filesize
4B

MD5
3c0b51ed530ba865dc36434e455797d5

SHA1
7c721cc0f5316799beb1f6eddf61a2f8dfa3e2a3

SHA256
64fb88881c4f814d053e811258ae6229586887f61f315c6d9da963d119abc230

SHA512
bcab0c6714556ad25055be6f23aaa200d2f45a18e281ad3cf71ef62ba7e7f2d1bad184c1a7e48b8daa7fa4aa3fc3f8a1f4bcd30a1a339fa081e4bc43473d5cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIEMcUEc.bat

Filesize
4B

MD5
7858fa933ee495aee6b77296d296ca06

SHA1
de1fd8add1ef58b20ddbc6f45348c93dc9bbe0ae

SHA256
fde8935538c4d1e31b4429942b562513a0343e06a2838ce4704235ef6728145d

SHA512
0248aab2c3be3dbd1d6938abf497aa5e64338b4970879f33ef3184c45f6f203036dcadf09d9232a8d5bd0f82f7dbf23364dc29f68fa306af46b7121e835819e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMEY.exe

Filesize
766KB

MD5
7e3512aa142438f8eab7252a4ec42770

SHA1
0e6dd4bc33b0ab30cb36fb0111dc5740797a5c5c

SHA256
0959b30bdccc3b054a48a3a2cef807e95f378af95e263b3c00060c951db502ae

SHA512
5a9d448d66c53ea402721d50fd1cd204b10f092497e8ca9792462281f49d9dbe2e15e517a0f766b895a56bb3f832d4b2312c8e07099305a5d6b2d135a9645dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUsi.exe

Filesize
159KB

MD5
899687bda07f53922719e9002a35fac0

SHA1
4a1f5eae50a0b5493b90c11bc538c3f5d8012a02

SHA256
7f8edc43aaaf6dd792fecc9569d4c3891d852a328dbf5d757c5604bbd42e0b76

SHA512
5747cb991e1ff3dcc66c6665373bc0e9a12431e0c5220a6046a75e8c2872ec1bbd4b6c11060c2a4faecbf3a6d0bd278d16e220b87ebce1f628feb486de3393cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ickq.exe

Filesize
395KB

MD5
bfe68fbf1c93a109f96d83200da89462

SHA1
1fe5cbd919192a8703eadd148669267b2b7cc40a

SHA256
ef3d1b961f3de65db070047c2c2f5408c75d6ce2886cbe8c516e141f0cc8edb7

SHA512
d6dae814c0c3bb7536f1985ea059d05e0de861694f1f63053e4622c59d40448728d061fd051624e05673cdd5239ca28bbe38ec44fcbd7fbeafd8eda3c2ad9a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikMy.exe

Filesize
157KB

MD5
44912a8c4a6dbe67d6c47c51c19c6325

SHA1
5d309a31b8d1f6c2fed74a7bf04ee3b2b6fd625d

SHA256
39d7a3c85c62178d68fe12278c25a1c8429bc0af14cc7c2c2a299c9a17560969

SHA512
4e52e9c67f26b32934017a42defabc2202af6c39b1652e93b737e49981e7d28f5d88917a17081ad7b0a241270054d067b4c5397ce0716ff7436fd55ff34a6918

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIcY.exe

Filesize
138KB

MD5
72a3b73afd7e7aa35e8b0f39e9d77041

SHA1
6e1a035ea1bf67179501ed6ed65eddc4eb250fcc

SHA256
300fc5d604b470d36ca5e35000d852d9897d465764e874d1889d36ca927dfc0b

SHA512
1cfc14102b01a1870d375eac896c9e75d7d58ddad42f7a29f5a4f4eadc159838f79eadc0fa3bf5b5bb362b540e9c3322e22bd1b6db36ea61cfe33489fd8d78cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYMM.exe

Filesize
565KB

MD5
8d4d9c05babaa23b741d9b1ffc44d305

SHA1
db3ad0da4e1bf9ae426d05c857d7ca322314e4a0

SHA256
58af0314eff5727a96814a4aeeab9ebb088348f5488c84d171b4fc5db5108f78

SHA512
4298fb2a9f7b277dd71f0087a9976a437acc7569916b0a86fc081adabdb8172788081cdcc164a053d6bf71c918af1b2626a1d9455d7e8999d0d49ab0f9a80edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYka.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcUa.exe

Filesize
937KB

MD5
65768c404336b3547680600d6db29327

SHA1
26ccb87c77a4bf717c620765222aa106955189cd

SHA256
8804041c8dacf41b47f98c8b8e0f5d634106fff1e09c4d840ab7389ac3076619

SHA512
663819e49b63ceb21643dd27557570f0ba8610a695742d2f0d0c023efa1ab63fcbf8e295c45349148eb32c5415231b50172b7b29137e6701848c1de3e35f5601

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEgi.exe

Filesize
238KB

MD5
5c3be57c28e2f6b601f8266eb99b8b27

SHA1
71cd9a30c6281623aaa7fdc539233a091eb8b685

SHA256
d7a191970f0cfa8a24655b69378576d5de1bb094c60373938ffbcf3f5997b0c5

SHA512
c885a6861209582ab2a66f92faef72dcd70652682fb5dba68a4a5b25d72479e80ba2b1ef7734f4d3834c4e335479fb1d333dc21522281db68a27a2f0e5f54db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEsM.exe

Filesize
345KB

MD5
f096ecfa1209c92f2ef109c35cd2d701

SHA1
1fe547eb7debb967a93546cd7306c01ffc2ebad4

SHA256
43071c919e789ce227ecad29bdb63cc21be5073cef4f785ae87e1e406764d284

SHA512
68213ba7d4c319a5f855bb619ac6e60d6eff07aab8f01b73427ac61d1dff1870edd0e811c9395c1150abe0e5838bccaa7ba63e410df739e3570fc821ca81f8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEsQ.exe

Filesize
724KB

MD5
b3ac3a7ec92c8c0d858817335a80a0c3

SHA1
726945aed49a3ff763d35c0acc084c3612ffa910

SHA256
d14365b0534a555502f3ade82460c4b8065c1400dc1fe10828b24c41c0c551c5

SHA512
28f6f2da181171959dbe6056a7529f669e532a9ccf59283ece963742ac1263e11caebe46d4bf3329dc3ea3b6633f865a0d0c3a6bc898d630644c0e6e126d9a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMMU.exe

Filesize
159KB

MD5
ec252484bc386ad301492d926c9e6f27

SHA1
9bfe7effcf43b0ea5a4ac9e48a010c987d45dc0c

SHA256
e3fe0677e66dc8c20d4ff23751520cb96d79a430b05afe42fe8b38628c5869b2

SHA512
39a6ac397379f35d874ecafe453d25e6bbbcf7ce2bd27ca36952b2381a4f62888cd36f4767ca6ed6d4885d6c1ea1a916d946e0fa2387c947314f5c00b9e9ea2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYQa.exe

Filesize
160KB

MD5
a6395bc3c9b438b663e2c464b2e2ac55

SHA1
bd213d29b7c610f05af14b15e638999bb4ca281a

SHA256
d7224641a92e97d2b41752db800f223cc23922de486a00e542ed9b245a0c8b28

SHA512
628b95eb8a3fdea49ae29be3fdba6e6affdd53ad35d61a13a1db3480f162d2a7d6845c02bf98c2407e3a0e513c81ecd064fae2cc5882697b03c75bce8a645871

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcwa.exe

Filesize
160KB

MD5
fa24cc06fa018f492966120e9484ca13

SHA1
79f0258a4d8210a5d66fc5969f7c0a304beec8e4

SHA256
a6c0da25697a7ad66602782ce4ee4efc35bbc058f978acdcea0a3dd4fb22eb77

SHA512
a145bffbb0914b419dd70d4a374d6ad0b9fdf4b1f324b11527d6257ca65d5eee58e21f4e52bac0d36bb5a7a599fbcbb50ab21aa405fb530833420cb555def138

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgIa.exe

Filesize
441KB

MD5
2a02d3903f2a5880fade8a4c6ba392a5

SHA1
62e17faf30c02af4b5e3f5dfd7181c146b68fb66

SHA256
2aeb6da836a08f8611658496b2f19c971b63267b7836ef549a2aedf2e1ee5467

SHA512
8851baeedbf541166ceb6c4bfd43159e46b6c14a9b8c0abd4e2e2c1732da9508921f41913ac9dcabe07d7f7dff4c7f96301033ae655d42ab0e526f6aa547a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mksUYgYY.bat

Filesize
4B

MD5
1ec41c2c660ea85fec1fd5181a4058f6

SHA1
82d9a3a2483d7737c50d3edce5fd5ae279d3faa1

SHA256
31a91d5ae6bf0ad604a8523826a7adaf879f9204bf322352136e3adf6fdc701a

SHA512
9640d7e710df1728704cc389ce026e23a4086536e43eaf70189fd7d5fb6933d2ce325e770feca994dc0bb703cc22bd98c5e3192adf3b3df8f63da2bfff0ef5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmgEIEEc.bat

Filesize
4B

MD5
b42e0a755feb03b0fa3cb4d85e4319cc

SHA1
1179a138353a243c56bc6d5687a8280e58f66081

SHA256
d36ac3ab402de3a11e58a40de7bb44cbe26c6aa85cf22caeac04fbf940e82947

SHA512
6e845108090e7891511f65f79e8a990affdb0349341ae850dae76d8d14039661f04a9a9f6e73afecc4aff3ee9592a8b1e3f4fb8d612b5aecc399245d7dba5839

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQgUkIAU.bat

Filesize
4B

MD5
39dfec0eca1da6618ac3b129b07ef4fe

SHA1
611d0d7287ae2811ab04e389d595441957a4700b

SHA256
0e68ca528923c3c408600e88a7b9c66fc69222c309087a7baa931548074d16bd

SHA512
611fd60433719a21c3f8878dd66ee174d57fa4f005c499906984ac682db9d33d46cbf5f0918706c92541a882fe1982590f12ff1c01e063341d922b997aa16185

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUoU.exe

Filesize
149KB

MD5
dfabe89f34eebb91932dfa3264992a0d

SHA1
f5adc6c308a7aa9c1cf929afb2f74b58dd6b685a

SHA256
1683506c73e7ea88ec643259b3b5866ff697bef59822f38146145b79c8ddcb98

SHA512
46b12ca44a11fd55a743ebd53c46b885216b783c1c35a3e6e42904bb64598c4ef45cc68e1e01d0a5d923c8f97d77fb6cb51b06433d8351af22e59cd32c4684f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oocu.exe

Filesize
158KB

MD5
11272b6715b616fe0beda7b7e34d008d

SHA1
90a6114ffc8601b11fe28a99ea4daaf48dc74d9f

SHA256
90fbc7ecce4d018aef06b56f2120bfa83e03f731eaf2e5bf7aee0a6c4e7a74e2

SHA512
0c39a007c39851c30d4d9f3e2e1314c32283590802e07c502f8b616d7277cb485f78efa51641a400ced7848034a9a3dfd1955c2cdfd07a2a060887c9fed2275f

Download Submit
C:\Users\Admin\AppData\Local\Temp\owsEYAYo.bat

Filesize
4B

MD5
6c3bd62a92e5da898fe57fda01522202

SHA1
cc2042c88eae3b7b8bdc28e6c821c304dc32ec4f

SHA256
ddf1adcce114ea34e5a81aa9ca81d8d4fb78c17d6e8f0cc841da0366d6cd9239

SHA512
5cc4f4f3cb6c4f706c301cb4ea5ae866222620a9a270bd5e571b3b16703b00b8cd3bd4a80fb70f93c8dfec23b9b3e129c356b590630609b08fffa04f1c946afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pGkIcYUw.bat

Filesize
4B

MD5
69b25769730992684d4226478ee85842

SHA1
5441a6945c9bd2271016d6279c7a4af63da82115

SHA256
701ce659407ec74528c7710303418d72d66e41b9876631f76633e9dd796705e8

SHA512
e926002664574bad75c5d3d057df798aa90356003e68fa833df31378839bf55a248ce1d0a4cf8a1e61f7e756c9b0309b6642fe1e6c8b372d14d736a39408831a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pOcoYMsg.bat

Filesize
4B

MD5
6a51c35b6c2353277d451fb4aa51d581

SHA1
cd94f673c91da8c9754cce80a10fc621d92505cd

SHA256
3caff7b2250636166e06b3343e086f1bd99ff4fa33ffd7a8eb50279a1eb9ad28

SHA512
192510639487c55af093451972f31fa4b446db22c53e613ff5ffd118fa0dbbbedd1e633914adcf51485afb2aac23e0de6685befad68d31e8e56c753101fd8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQQIgckI.bat

Filesize
4B

MD5
5c506d027513f6e9b53cd92362aee8c8

SHA1
d2cdc033a453a5e0af0de2dc6c6c8ea8f6bb0683

SHA256
1bbb47886e43bbaa9374d91d96ba2123530092b9902c78e299064809bca41bd4

SHA512
8c6e79e478443d5363e772f642854722e5d16fad33c88c17d3705c7210fa05ac746aac734d529e7922fa52bd3da56b337cba2c9c26694ac56cacdbbb7563f95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIEo.exe

Filesize
1.3MB

MD5
293df86e139576eb6e1be86c246ed3f0

SHA1
f630a3a41a467a2af228e3baca7e3aa61a1b48fc

SHA256
cd9cf0dfeb84798048a7088dbf7dc081b1d1259a2d6fea07722b6b8c2e0127b2

SHA512
e24efac2911c9bc1128138e725e425283b6cd2e39329690063e595c435841b177cf601327bcb139ffb25dd1a7fda3957da01b13800a970d26cfd15829ce74be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcUS.exe

Filesize
153KB

MD5
c9b658c67c916b5d1bff21776c5e4a20

SHA1
b09d5e535780303d2434d86b79b1db44589d8aab

SHA256
063b348234bc593fba42df6b9fe5d27dd01ab325a04001e77ae4e8a9794ac4dd

SHA512
5e76a3830bff8d91923c733e3263746973a6f9f11ca02d345852df0cc147fafa8f0923725477ef86c99d173cb8a3a1223acb6d2726de147f1d2a74f54fbadc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcsG.exe

Filesize
469KB

MD5
d8738357cae0584083f257000d6bd3a5

SHA1
70536270663b872b64fa8c1ec207f532bbacd750

SHA256
a841cfc7835372bedd3ceb9bfbd87a311c0f93ad8e4b82ed8f69d2db1c871fab

SHA512
bdb95dc233112efb659ffe34e1de5e7bacd111d767b279bdfe12d6d2119e58cc2f8d098b1cd379c2cc12bb372dabc1e726ee8ea98737e3b6acd4d9a6995509f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgYsMsws.bat

Filesize
4B

MD5
902e8e33ac8e9fd229c58e1fabf6e0bf

SHA1
8f722e8ab9d9622bba47dd44f9103a0d5ad0f41a

SHA256
126665edc8f9779e36c2808f3e3d8d5dd050ec7a4f0bebeb60a33d6ae51610ff

SHA512
22f82468061b99d8c2f1d2d72f8f401f543800ed6738fa1e01fa88f5cb5c87e9c690151f469ad4f081563d15ac1569111d653bb8a1e11738608f6d5f1273a671

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoIC.exe

Filesize
160KB

MD5
57175d2264350ca1818c4e0ea7eb1e58

SHA1
2fb4766f2bf1dbc1bcbd8ea5cd62efb8c6cfb400

SHA256
04d477bf37fcca9a4a497144ac7061dcc5ce001ab71fb5e07e0d50b5612df91e

SHA512
f61368268cf66e7184c97f797bed9d4c27f845e5e611d0db0dda55fbdc4ac9b48dc33d94d10c326757d0938e8ea264bec87c654dabe8120fe49dcf69eef58370

Download Submit
C:\Users\Admin\AppData\Local\Temp\qssS.exe

Filesize
506KB

MD5
4e74b831433c62d4681218c384d6803f

SHA1
bd2e993ee623a39e242fcd2ae18c88a157f5ff48

SHA256
c8cb5d772e40b1363c7a76dee54fa3b193930aaeec077f52e3be3d6fe3b29102

SHA512
62681d105386d0c122ce8e342551796802e7e4597a48b197379226c56ab94c74bd413d51628d8d414943df55f0de3ccd20bfcc452439649c4e4937a471a3f34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruswUMgI.bat

Filesize
4B

MD5
0194ebb37b319540f9ba3a92898b6695

SHA1
c413c4e3e1a94aabf9d29d8bb8a28bbaa3a7bb0c

SHA256
92cfc30a7b5b48d5256ab349465b4d02d98941e3964d0a24fb7b34c357076f22

SHA512
fe351cb8ea369267f983e5e5bda19dfd7350fdbf5cdf4314574ed6bb32aa35c612b3d140128b38fca7e832ba3442448ae01941095d4e8f2289e4f431104e4ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMUQ.exe

Filesize
159KB

MD5
341bc4d3aa82c7dd9228b09f81325acc

SHA1
362b1700c1ef77806d1da06625dc73253363402d

SHA256
8c12286df515457f62fd1e5d163b833ac6c14bf6a291a2207f7c531c568283a7

SHA512
75a6c89999507072c2a02326b0f74bb4e66322afcfb1695a17ae5789d5222403d43275737c6e33d40aa6afcffc5732b77543b0fdd76e3605ed3e360a265dcbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgYQ.exe

Filesize
158KB

MD5
fb004d9e06ffaccce5f143da5cc0b2e6

SHA1
d13c0ee350024085a11e2c2d59357a94bdb1dc9d

SHA256
6b027c159cfc18811bc148d519687419e81a7c1cccfa046eb9fc58b2c5884fac

SHA512
6a4372fc96191171f9b4826beb3ef7de01fe42060f517a6085014f241dda080f57756dd2e3c582580c4d57c048fdd438b573abb0cdffefa6b52d79c7de9858e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\skUo.exe

Filesize
868KB

MD5
8998943c8fbc5db7078cae0b01d971b1

SHA1
e94ffb4bc1d86c6e4c436ae87852fb23b6ca632b

SHA256
7443c70807c2fc33da7b4520eb1122f882971e2466128faca14da0d260c7555b

SHA512
90040757c20ee1e096e9ef2eec5db51d1de1b9542066f0f667dc1a2f4daf123b0945616ea4f1cf6264aa0713c1961681ba5668196001930e9da225758994c169

Download Submit
C:\Users\Admin\AppData\Local\Temp\skYo.exe

Filesize
149KB

MD5
fa37e58f339f281a64c23bcbff36d764

SHA1
71d08295a6a940e2464ea57c911bbb9a4f306d41

SHA256
94ebab7a31253baebfba1d5a6e1884951de1aa1e5b098ae6ab7c5ae048afc12d

SHA512
0ec674d621d2a61e91f0c83f4178e80a3daf952cb79b2b3bcbfb735bed242fcd80b1756b3e629a8da67e800e6d8610f0f6788e99ea517201587276793d3a63ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\sokq.exe

Filesize
293KB

MD5
0ceac13b17c0029771fae7aef8fcdf68

SHA1
2134b6cb604aef8ab3b865c767f76478a3364063

SHA256
c9d81500059d3cf019a1a252bcc2bead1f61dd8219d3b66d3ca11c92d900eb34

SHA512
46e8e85d799ad551a68a22d81d1230af9c975814304f00faf2c8981af5688ead912fa42842e12234e0f9de04e790b1919d016ebd78019e08ab0154e398c56c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sowO.ico

Filesize
4KB

MD5
97ff638c39767356fc81ae9ba75057e8

SHA1
92e201c9a4dc807643402f646cbb7e4433b7d713

SHA256
9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093

SHA512
167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssMM.exe

Filesize
139KB

MD5
82533d0ba225cb7d2eb0883179c14715

SHA1
c46d87cc470aa4406ebe50068e4176b228ce88e1

SHA256
f073d26c1e457d37f95f5cb271d9b21e9f283be33634c375cc05af55bc4915b2

SHA512
ae4d6b73eea0ff34b84fa60568f71ba5820f5abcef1176561bc61ac70a53084dce1e2a29f278088ffc9e60fc43b76ac9559edc5b1efa6f660648a63147da80f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqEcEsAc.bat

Filesize
4B

MD5
fdc78b05fd4076885ded35ad1664e048

SHA1
59229ea2c591091276bce292d77ace54ff26b6e8

SHA256
66fb114f77f1cc77aa5d1c9167dd006cca901dd3c2442c7dff56dbc90dc5442a

SHA512
d5c4681e142ac6830ca8e5fd1aae9e2262dfeb698a6e1da148089348efebe77a42b8f0e506bdd4c6567f0f281430ae2660367654f5334f7782b2d5be6d7377d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAYwUQIo.bat

Filesize
4B

MD5
7b8bed62a5277d29cd5bed9adc2f896b

SHA1
3e2176f422e7328e6dc390538875ffe69397aa1a

SHA256
bfd94c848a79cb913e1290f6f01ec42a5183ff9f8513c41a2917f9b4527bef77

SHA512
c7b1317ad6d2bf3efd62e81c89788f700d284551feac96f5eff426a91abc998ad72ceb983af47aca682577968867987444a4bfcac5fb5f7c214a8398c0964076

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEkG.exe

Filesize
681KB

MD5
8d9ed370068fe88b0ef9a40272252f6c

SHA1
079283684ea93daa5c2a204d46f9381b5df25f6a

SHA256
986fcea586a2417d9649f28c665dc8caded824e060eae2c0b6a7e7efa4cdbe58

SHA512
075e89c22c4e9961c0a08071900f5a5c7a1171fe5b969dfe693073e44ef09247b6026d8a80bd159ffac40e6b045f27c034281fe6ddc25557dcd07881397a3294

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIkw.exe

Filesize
158KB

MD5
dd34a4cac403ced0ffeb16b9a71d917e

SHA1
1e91be0e56c7af6205a91473bb2364146fb100ee

SHA256
3b35e8aadc535d9e6d3ee6f2fec10f7288685fb5c2632f4943a13f0df9efc8d5

SHA512
cb146e2a2b26c03467095a0d1cc769c16902dd5aa2dc349cf7ebff89b93593920514f627231aae0aa496532a3a60600991632470f03d7f83439574dc6cbfc3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYso.exe

Filesize
159KB

MD5
5ba4672d7f7741954a11f476c7a1a89e

SHA1
e163fb2391a3bb691966e7b699c90f12eb6cadf5

SHA256
09c7513c8439286b39bd19b2eb28c9a2ebfe5d9a9219d6f14a883bed993f4407

SHA512
434fb90f018f6ad810cd6f342b9206f5a355c67fcd7e8a96dfc5d23114a8822a87565fed624797cf0cd70f60b1096e6020f5c56c07d5fce0b9e9e3b073633afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugwS.exe

Filesize
157KB

MD5
e295b070295fe764fae40e39ed4c2048

SHA1
9ff3227772f8118769c7079eb7a9e2d192b85704

SHA256
236618b549c53779a5305a040414c339ff36c10ab46e2b24fa2085e4d1a74d8c

SHA512
e5a2d923c9fd5b257de6e9b06029b157a8804f08eacdd08853efc350de0d8dfdb94697668e2f6f25fdb1dbe08231a4ed4564f1b3696435870df97d3003ac7573

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukIW.exe

Filesize
159KB

MD5
bf2c2a2c853586beea33e656368f9dc3

SHA1
50cd65eda05dcbcce080e05e7f9b090ce96b2cad

SHA256
16416b341e73bc45607ab52bdce47318e71d433d9b5ceaf7af0ac6fec26b10bd

SHA512
21637ab86b7fdcabb6245fed6d19224208d596f5f87bfd38bda061abdf6f2068098279e85de1d2071446c9d8e337217234c7b2dae5cb7fce84b2922e58765f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukQo.exe

Filesize
157KB

MD5
d9a072970d3c2d5df43327b617ef261a

SHA1
2096afa3f349d0f477c01bc7f2ba1e1dad356a0a

SHA256
d95bfccbe78508a514cde5798e9f3354f6b7fdeb365a89e3dede189bd22a4a12

SHA512
a6fc79c0a791cd794455cd050c0c8febd684614bc0a75a3268a8bad7b4db9d3988899458881369cbbb95d345a84fbcef3588726ad70353fa54a9cebc6e498604

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukQy.exe

Filesize
158KB

MD5
8ef69dd34361e5b598d5c3e350f5b4bb

SHA1
9464d435864bc681365ce968bb8b638b7ee1562a

SHA256
a95f5353363107416423bc7cfca4e338a48ccd07c940550183fdfa623b0f6b74

SHA512
6aafb337cf9e185334fecc49825f3e624c9f9a83edb58a59570283f568defbf3f932abf33c11f3b2e085fb48d71462a412c2ca3f3521628e5d48284f9c300c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGMEQsUM.bat

Filesize
4B

MD5
00f6542eb279dd134c64c01bdbc94be9

SHA1
7043deef13c08639ef2d31d23b22e78ffc2d6d17

SHA256
e560fd236eb5bb929079d00931356cf2f36a2cc4802c24c2da612e32143136a5

SHA512
00460438a883e3f0ad5be133618197553ce33721e370f88e7b272ca66cd45a07559e1cd9fdaafca30405c336414beaee8f6b95aa1525b4e13d1d98a3537ac2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmIwsEgw.bat

Filesize
4B

MD5
d81de512864e6f90aaae32ecb32af312

SHA1
47e4263a1dfae02a2fb6ed94d03e72fbceebea0d

SHA256
9650b965f848cae72e3b4343b9de982fd40af1e83cdd9fee6b8ed44f109a96aa

SHA512
0338ada621bdfaa9bc870b10faf67ec71b4c2989368e6eee8f9191ac062ad8ae0dbf6e6d5688388d568e8e57fc5e0168b181bcb1dc678cda851ce7dfae8665e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuUYocYQ.bat

Filesize
4B

MD5
acb8ff4c48df3e209813db404140e848

SHA1
3b0b5997b714ffd7fa2d2822451d3b4b8fc0ce58

SHA256
5f07fdc64ae923b4d6f6a8c3e9974e116ef62b076608d32285530969567a5bd6

SHA512
36cb88dcb3d5fdbac78f7a3871dbae8da0fb291853d5341031e6d71f56e1708d01619da2ca33f7ade28e23ae5c6af9666ca2312ecccffddc53adcf78d4a798c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAMW.exe

Filesize
609KB

MD5
eb9a3de8d90406af349ea372e2eeacdd

SHA1
e48bfaaf1b52ce95bae338a5ec722c9e55992497

SHA256
c5b16331ea8a8af8c4e0d535217972520affdfe9648d0575813d5996c0c89065

SHA512
473bccb3ce01a986429662402e2001923fe9aca41b2d6a1c10ec66d2b23eac30c66c080d60edba9b136252a900acce4f3b2063de10822679e3fe81a5e51d9eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAQS.exe

Filesize
157KB

MD5
991df0690cd7a1b750fc6f329954f4a9

SHA1
1887e65e8abbcc3e2f470fd002a44f06892c53c5

SHA256
f247f0a01226ad6420ab6108c4efd6675a2f1a522e052dc2e8d8c64ae1a03762

SHA512
61c134ab97bbd94cf17be42de056cfee180dd177d962d89f0d6b8e6c7a894a4c3b0707f7d49691788fb8e550e4a83543364e872b6b32da00a1c5c871f7ae9b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYo.exe

Filesize
158KB

MD5
06b08145189b8227cd35d446ceeff449

SHA1
5e872906e91753287f1322e750e9db3d8a0c5613

SHA256
536127826c1ce43cfc8a81ed7040fb7054320917df054cefae55c4164d656c8b

SHA512
8beddf772b2e9a2f9d75d52f46eefcdb89dda2a754a51bb87455ace38323e7e55349e39bbecb77792ffe5eb59a6b469f04e5e8a2ca4e73c101288714780fe679

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEAs.exe

Filesize
869KB

MD5
3ef7d3852344f3cad78e0024c4adc209

SHA1
0b4803bfb7a13f6a6410742471df4e4d4d47948a

SHA256
bfa0b15e3c5a4ccffc2a32bba60ee8798fe6b76d2908f52ad246f104456b023e

SHA512
29d8606daef05d12505bc0ed9a538252ff72db956918ff2146e463a194feec10d1d0f18dc87230dfad1ced8e099cf87f10840b080471d01a16db0d3181fadd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIsm.exe

Filesize
565KB

MD5
278d0d66358cf9fbfa9df37b70530591

SHA1
ae71931020ae2d35d7b51909de0fc67cd2deca4c

SHA256
4f39474154d70bdf25f247fe2858035ab85db81efdc64e90fda16be0c38ba623

SHA512
1f17f807744a9dfc8f9eb11e4842f9e719d6f6d374db06d26218f8c651691a451bba6ccaf9df3626d5c426bd22553e7fd7d092b73657900cde481615aa52e5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQUy.exe

Filesize
554KB

MD5
c1ad4ee56fe9ed74f4e1b0a10a3dbdc3

SHA1
567eccb71239d3d54b14943f0b0ab123aa4cbde1

SHA256
9cc1e989047168bb5c764a901bcaf4f40c3d5f8217fd52cd030111dfb91fce4c

SHA512
d0189ce20d785e69067124b2d05f5167ab99da48e0526ff3776f48026d4664997289a27ec46f1f8273bcea3830211b29d4e5c8110aaf569f6bb3c65e27aa2d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcgc.exe

Filesize
158KB

MD5
fb499819cd411a3257984804415758d8

SHA1
72132ffac726ae82bc151a817b55dd2d7f281dc6

SHA256
bdd7c6352bf208f00b7ce337749efe282a282b9cd5d67d5d16ae07277fbb8974

SHA512
d0e8812bfc5637e3b95d03f1d68ca285838c3716d133ab5c8a8ae0789e002d09ea9c5bf4f3ea09322ea30478dffb519f1a3dacfb89e89a9dc5b2e9f9a84ccf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgwE.exe

Filesize
716KB

MD5
0d32feb3f34a32e078477947511442e3

SHA1
df7e266914b161b1423cce23ade092305e3e355f

SHA256
6dd2faa594c6c10e903e726abf4833ef1a44d0534deddbdafccbb43538c140f4

SHA512
88c9377ec63be85f83e087b7f9b3c028486d4253ccc0333ce9aefda8a9bb6978cd567385ab16f51fbc5d0efdd08eaaf8c0b6e70e1d4fc7a7990e0142ded816a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\woQE.exe

Filesize
694KB

MD5
f538abe2bf102bdd54b4dfc2c3a16c09

SHA1
fcab7af0fe268832102b49ccdfd0aa971248fb1a

SHA256
bcb6f2c0a2a1b5fb15d89923171c010fdf6ded2584c62a14cb9a0b5ada9a13dd

SHA512
c308298d167f120dc4b509402baa1b24f46fd1336264fc38eaa872fea07374565b1f24e4a0e8c723fd6b882b5cdbeb7a2f23ed1104a3d01a877352a7a9223f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoogQsws.bat

Filesize
4B

MD5
a92785c2a5fded802d17fdc611d9add0

SHA1
5bf4bff8b7f1ca7c4f74d9c1f3f7a4582ad05d06

SHA256
f8e9ef36e1836053131679d4db270b4236785af11485ad9de469c8d1aba2abf5

SHA512
0cbbfac02277cfcfbb86d6ab92385fd908ac3df2ec0a1a709f37075313113307ad2284bc06d0e1ff067ea7464efa2c13a1d647f73f8bfd2eef3db20d11fdb3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIcu.exe

Filesize
843KB

MD5
1e92dd816a4e0bfb2e460062aa896b0b

SHA1
7159c630d0b95a57325f5e194c7e1aaf83395615

SHA256
2d71795af0cf0d74f3755c38cce0f02bd980943c32330056d486c3baac923a50

SHA512
09cf9303df3842d7dd4562cbce210fe55bcac3c3331afaca5b06e0394bc625044b674b9b6387d07b40e09ac0236a9d130c32b2e9e0616244a8cd8aa0ea440868

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUYq.exe

Filesize
159KB

MD5
8e06d3ea69cc2178a6b70d557cf7f50c

SHA1
7cb5daf65af0c8726b95bde92ecf85de017f0c79

SHA256
dfd27513ba62376930249664593e84b293869d11ba95e6c95b4722d2840af0ff

SHA512
c281c27a40beea1d8fccb56b495b0509fe381153ae4f101f9b36626bdf30e696f9cf88e8d4d8924e3cb847c7012ed33188c33cbe246aac7c92e94cdc3342a000

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUck.exe

Filesize
158KB

MD5
7772144a7f48650609ca5a708a3ae2f8

SHA1
24d80c92f83225ce350fe1c15b69f1cc455110a2

SHA256
88c6ac5d6de5d309d27a4c4f2cffd4163b6e1440b0af763fd0f3626b13fdd976

SHA512
77cbd67d3ce72ee621229c09dc868311901061bcc063a40f3079a9b182d0ae8dba995f917f46adb8ac3a40e64d168222c90e488cfe5eda516466da3c9f73a63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygQQEcAM.bat

Filesize
4B

MD5
42c28e9993551d2a4096390f2c35cee9

SHA1
eae83deb370a387bb0a3db0e0de3c6987d60d311

SHA256
875cede61484fa616caffa68b97ba4ace471759d6f0fbf314d36fe36b3258a7e

SHA512
05d6644932a0f83358af095025b99f9f921845d33446bf5c45b1102d59d4a98633825fa09068e96bd99c287f1c544bedf205fea1906b62390b7580551ab202d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykcs.exe

Filesize
159KB

MD5
1873f0caea90784ed067ff7fe7d97cbd

SHA1
670bb90175c96aebf6199bbcdbd8c0dbcde9809a

SHA256
f62b7dce125ec74c02fe2e5303287b6e2fac34603dd218ad1e4abf2aa639df4b

SHA512
c11c7f2cb069de0a9a40f23f624bb48d185df8ea67f4c74fbd57e64e0b5dfe9a900d5fb665e99c2d7779763d94e68e2a91d2253f3fee274c4fbc26406b18a348

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoIy.exe

Filesize
159KB

MD5
8c9087a08ac7fe2dc70ce6823a392ec2

SHA1
20b3c7f454237e336f63a300b80b8cc89d117d96

SHA256
f9f38428b1ee056283fa83808dc301bdac86bcc83cfb35ff69cedc3e2d8ed830

SHA512
51b81d5c31b8e906ea2dd4de770bd6398446579a49e3b22677a1637302410df1f7876360c40cae1b1f3f6500ba8ccce96f4d36667f14e6e141c44cf524aff9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysIIEgUY.bat

Filesize
4B

MD5
76c98922dff4c972557c3e19af4580eb

SHA1
bcc7c11576c8c198f0c343d38c623a10a9e14820

SHA256
e2a95ecba36a461f3ff1704a5d7a97d958c6e1bc4faa2b058cb35ff636c0525d

SHA512
516a25768097d17952febecc1ff728541078ed957e6ea71ebbdbf19964a1c9168ab0b58f0abc08d1c880dff5254050ccd85bcbcf5d8101dbef9dc6fb88d54e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywAa.exe

Filesize
159KB

MD5
fb9986f0a9bf1018323bc4f0f96be46e

SHA1
5b2592de6208a8a7d22828ce47271d6584f55455

SHA256
4194200ebcd584d5e29e53ccf483d11660270b634a596e0f5d588a510e886676

SHA512
7f181b16116155d58c2673a9bb8299419bba0dfcda6f74a785e3c76c30d53b0aff33794d10b8da797deacf66e0bdc29a242e44d1c423deb542093b24a8b74155

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIMsQEgE.bat

Filesize
4B

MD5
377352b4287f4b330d26d8692cea9b0c

SHA1
42b2249037c5e82e90d92a19c5463054e3d7cb04

SHA256
0409b2a20761dd1ec949c6401dd8e06a2038fa1596db41530fd4a1ed8949457f

SHA512
dc450495776258e6c0b035e1c1fcf7f185800f67ca1edab3c0d49d52e0727d13a1fe8eaa729e2bcbbf2ed17b153e12caa149effc54f6da7644ddd2ad1bda70e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqYYUIUw.bat

Filesize
4B

MD5
34ce171bea35c2ede9bd2f24ad250a64

SHA1
cd4c13daf9edf810c59499648f7b8ba4e0dae48e

SHA256
d6417f794d09002b26c177ed44de751492fb2f333a5bf23db6d0b66765d4e915

SHA512
2628e835830a73db16836f9250c4ec2a65ef035b31bfb0a4673cec5019bd6e4fbc0ad9df56c15271b284a1a150ae089e2762ceb4434fc0ac729ee64f0f333706

Download Submit
C:\Users\Admin\AppData\Local\Temp\zssEEAwo.bat

Filesize
4B

MD5
c4985183c05900135a10d90c609ad18b

SHA1
9154726dfd9a8661acda6349c8d4fa3325859268

SHA256
446b1c10bc8cd77b5e20d3d95fde2b0eb8bd929b3adcde55040ade1cf495ed8b

SHA512
0b75b272ec1195c8c4520a965550a65d17ad0233621951fff2d38bdaeb8df6d05099d8d5bcd66cd93b5c9860e51e05707f2b869e2ea8967a25ddc7014a041208

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\ProgramData\viwMcgAE\xKkwQUQE.exe

Filesize
111KB

MD5
93ce4ca2fb37a3695e0ee3353c7f62df

SHA1
b2c39eeb18c0d7f3b8ddd2f639a85709190ef899

SHA256
bc52a66df4014ea688424aa03e661db073f79b39a6e47bdfa515c70db3264bed

SHA512
d492c763a888dc34cfbf2adeda76621267fe30bd89950631179edf3ff535c4b4987d9d0534624d3c5b9ccfbcf3d993f33e635e0e9e53c8282c395db949f1ac92

Download Submit
\Users\Admin\CWwAIEEc\bkwwowkg.exe

Filesize
110KB

MD5
e6f2ada3c709f2e09a27b4cc3136e207

SHA1
6114b23f61e2d7ac257a36172caba318979ba26f

SHA256
6d2d515bfce831bb0b119f713ca8a9c0f24fa74c59976e48292486ecfe2ff70e

SHA512
47c01ace959f19658a5f73247cfaae6a989dccd873d596ffa746236d6a51de2caa5b82df1e70a245f0d280d4e087c2511f46b42aefdbee8d859b1bd3784e0a88

Download Submit
memory/352-434-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/352-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/352-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/352-113-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/568-239-0x0000000000120000-0x000000000015F000-memory.dmp

Filesize
252KB

Download
memory/688-158-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/688-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/692-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/824-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/872-284-0x0000000000170000-0x00000000001AF000-memory.dmp

Filesize
252KB

Download
memory/872-283-0x0000000000170000-0x00000000001AF000-memory.dmp

Filesize
252KB

Download
memory/888-839-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/888-920-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/908-1229-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/908-1122-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/960-424-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/960-423-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1052-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1124-103-0x0000000000170000-0x00000000001AF000-memory.dmp

Filesize
252KB

Download
memory/1124-102-0x0000000000170000-0x00000000001AF000-memory.dmp

Filesize
252KB

Download
memory/1192-665-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1236-399-0x00000000001F0000-0x000000000022F000-memory.dmp

Filesize
252KB

Download
memory/1236-400-0x00000000001F0000-0x000000000022F000-memory.dmp

Filesize
252KB

Download
memory/1344-1119-0x0000000000130000-0x000000000016F000-memory.dmp

Filesize
252KB

Download
memory/1344-1120-0x0000000000130000-0x000000000016F000-memory.dmp

Filesize
252KB

Download
memory/1344-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1532-837-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/1532-838-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/1612-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1612-294-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1696-1219-0x0000000000160000-0x000000000019F000-memory.dmp

Filesize
252KB

Download
memory/1696-1218-0x0000000000160000-0x000000000019F000-memory.dmp

Filesize
252KB

Download
memory/1812-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1812-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1820-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1880-425-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1880-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-848-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2068-544-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2068-545-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2116-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2116-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-149-0x0000000000160000-0x000000000019F000-memory.dmp

Filesize
252KB

Download
memory/2204-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2204-495-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-639-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-750-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2228-897-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2288-377-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2288-376-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2344-630-0x0000000000170000-0x00000000001AF000-memory.dmp

Filesize
252KB

Download
memory/2408-1008-0x00000000001D0000-0x000000000020F000-memory.dmp

Filesize
252KB

Download
memory/2408-1009-0x00000000001D0000-0x000000000020F000-memory.dmp

Filesize
252KB

Download
memory/2420-181-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2536-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2536-226-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-1131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-1010-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2596-330-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/2624-728-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2624-727-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2632-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-33-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-1220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-447-0x0000000000660000-0x000000000069F000-memory.dmp

Filesize
252KB

Download
memory/2696-448-0x0000000000660000-0x000000000069F000-memory.dmp

Filesize
252KB

Download
memory/2704-1032-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-898-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2752-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2752-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2756-195-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2756-194-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2796-172-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2796-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2900-485-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2904-486-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-554-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2952-171-0x0000000000160000-0x000000000019F000-memory.dmp

Filesize
252KB

Download
memory/2960-105-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-56-0x0000000000160000-0x000000000019F000-memory.dmp

Filesize
252KB

Download
memory/3020-55-0x0000000000160000-0x000000000019F000-memory.dmp

Filesize
252KB

Download
memory/3028-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3032-25-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3036-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3036-57-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-22-0x0000000001C00000-0x0000000001C1D000-memory.dmp

Filesize
116KB

Download
memory/3048-13-0x0000000001C00000-0x0000000001C1D000-memory.dmp

Filesize
116KB

Download
memory/3048-6-0x0000000001C00000-0x0000000001C1D000-memory.dmp

Filesize
116KB

Download
memory/3048-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-42-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download