3d0c82dfdbc63d66fbcbfbd7c130637473b293d7ff30bcf2b3304f9c19113395

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06-07-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
Size

121KB
MD5

4c7959b55961a3859db47073ccbbbfb6
SHA1

c54a1acc69b9df04a6c53c1d930bdd7408bf0018
SHA256

3d0c82dfdbc63d66fbcbfbd7c130637473b293d7ff30bcf2b3304f9c19113395
SHA512

1301826bdcea85fe4ca2a65a800d159a4842dca29633c659ce65f39e3363a5368160ff665253aba11bc8ac885030d797bc6c40b6f57a5d471cc91689f90d946a
SSDEEP

1536:E6pvgqzlgqLub80E8RQhANXdGyUtS5S9Ej46p4NgnkOE1YCeJ1nHaYBxrz+Rm0R8:E5JKKPNXB50PNgkg6YHrsm044EKRJa

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 61 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 61 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\International\Geo\Nation	aUMcoQIo.exe

Deletes itself 1 IoCs

pid	Process
2864	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1792	aUMcoQIo.exe
1972	CsQQQIsU.exe

Loads dropped DLL 20 IoCs

pid	Process
600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\aUMcoQIo.exe = "C:\\Users\\Admin\\tIQssYkA\\aUMcoQIo.exe"	aUMcoQIo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\goMcgEEI.exe = "C:\\Users\\Admin\\luowsAco\\goMcgEEI.exe"	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WqgAQMQY.exe = "C:\\ProgramData\\tssUwkow\\WqgAQMQY.exe"	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\aUMcoQIo.exe = "C:\\Users\\Admin\\tIQssYkA\\aUMcoQIo.exe"	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CsQQQIsU.exe = "C:\\ProgramData\\FwMAMIEI\\CsQQQIsU.exe"	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CsQQQIsU.exe = "C:\\ProgramData\\FwMAMIEI\\CsQQQIsU.exe"	CsQQQIsU.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	aUMcoQIo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
772	1508	WerFault.exe	730
952	1592	WerFault.exe	731

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1808	reg.exe
1856	reg.exe
2348	reg.exe
2456	reg.exe
1496	reg.exe
356	reg.exe
1240	reg.exe
2068	reg.exe
2072	reg.exe
2704	reg.exe
2852	reg.exe
548	reg.exe
1976	reg.exe
1920	reg.exe
2456	reg.exe
2712	reg.exe
1776	reg.exe
1276	reg.exe
1768	reg.exe
876	reg.exe
1636	reg.exe
2820	reg.exe
2580	reg.exe
2320	reg.exe
1588	reg.exe
2172	reg.exe
2596	reg.exe
1364	reg.exe
484	reg.exe
3004	reg.exe
2104	reg.exe
2356	reg.exe
2112	reg.exe
2348	reg.exe
2288	reg.exe
2712	reg.exe
2536	reg.exe
3060	reg.exe
1700	reg.exe
1664	reg.exe
2116	reg.exe
2616	reg.exe
2636	reg.exe
1856	reg.exe
1360	reg.exe
2912	reg.exe
3000	reg.exe
2872	reg.exe
1344	reg.exe
2380	reg.exe
1668	reg.exe
1588	reg.exe
2588	reg.exe
2932	reg.exe
2056	reg.exe
1588	reg.exe
1920	reg.exe
2584	reg.exe
2248	reg.exe
1948	reg.exe
2848	reg.exe
1384	reg.exe
1940	reg.exe
1680	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2672	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2672	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2864	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2864	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
448	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
448	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1096	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1096	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1048	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1048	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2892	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2892	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1376	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1376	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2348	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2348	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1728	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1728	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1744	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1744	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
964	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
964	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2836	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2836	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2700	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2700	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1316	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1316	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
544	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
544	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1620	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1620	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1372	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1372	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2744	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2744	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3000	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3000	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2756	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2756	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1992	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1992	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2776	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2776	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2352	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2352	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2804	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2804	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2024	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2024	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1628	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1628	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2100	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2100	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
776	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
776	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1792	aUMcoQIo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe
1792	aUMcoQIo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 600 wrote to memory of 1792	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	30
PID 600 wrote to memory of 1792	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	30
PID 600 wrote to memory of 1792	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	30
PID 600 wrote to memory of 1792	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	30
PID 600 wrote to memory of 1972	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	31
PID 600 wrote to memory of 1972	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	31
PID 600 wrote to memory of 1972	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	31
PID 600 wrote to memory of 1972	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	31
PID 600 wrote to memory of 872	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	32
PID 600 wrote to memory of 872	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	32
PID 600 wrote to memory of 872	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	32
PID 600 wrote to memory of 872	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	32
PID 600 wrote to memory of 2116	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	34
PID 600 wrote to memory of 2116	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	34
PID 600 wrote to memory of 2116	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	34
PID 600 wrote to memory of 2116	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	34
PID 600 wrote to memory of 484	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	35
PID 600 wrote to memory of 484	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	35
PID 600 wrote to memory of 484	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	35
PID 600 wrote to memory of 484	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	35
PID 872 wrote to memory of 2724	872	cmd.exe	36
PID 872 wrote to memory of 2724	872	cmd.exe	36
PID 872 wrote to memory of 2724	872	cmd.exe	36
PID 872 wrote to memory of 2724	872	cmd.exe	36
PID 600 wrote to memory of 2812	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	37
PID 600 wrote to memory of 2812	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	37
PID 600 wrote to memory of 2812	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	37
PID 600 wrote to memory of 2812	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	37
PID 600 wrote to memory of 3036	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	38
PID 600 wrote to memory of 3036	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	38
PID 600 wrote to memory of 3036	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	38
PID 600 wrote to memory of 3036	600	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	38
PID 3036 wrote to memory of 2636	3036	cmd.exe	43
PID 3036 wrote to memory of 2636	3036	cmd.exe	43
PID 3036 wrote to memory of 2636	3036	cmd.exe	43
PID 3036 wrote to memory of 2636	3036	cmd.exe	43
PID 2724 wrote to memory of 2632	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	44
PID 2724 wrote to memory of 2632	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	44
PID 2724 wrote to memory of 2632	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	44
PID 2724 wrote to memory of 2632	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	44
PID 2632 wrote to memory of 2672	2632	cmd.exe	46
PID 2632 wrote to memory of 2672	2632	cmd.exe	46
PID 2632 wrote to memory of 2672	2632	cmd.exe	46
PID 2632 wrote to memory of 2672	2632	cmd.exe	46
PID 2724 wrote to memory of 1376	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	47
PID 2724 wrote to memory of 1376	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	47
PID 2724 wrote to memory of 1376	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	47
PID 2724 wrote to memory of 1376	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	47
PID 2724 wrote to memory of 2888	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	48
PID 2724 wrote to memory of 2888	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	48
PID 2724 wrote to memory of 2888	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	48
PID 2724 wrote to memory of 2888	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	48
PID 2724 wrote to memory of 2284	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	50
PID 2724 wrote to memory of 2284	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	50
PID 2724 wrote to memory of 2284	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	50
PID 2724 wrote to memory of 2284	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	50
PID 2724 wrote to memory of 2920	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	52
PID 2724 wrote to memory of 2920	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	52
PID 2724 wrote to memory of 2920	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	52
PID 2724 wrote to memory of 2920	2724	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	52
PID 2920 wrote to memory of 540	2920	cmd.exe	55
PID 2920 wrote to memory of 540	2920	cmd.exe	55
PID 2920 wrote to memory of 540	2920	cmd.exe	55
PID 2920 wrote to memory of 540	2920	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:600
- C:\Users\Admin\tIQssYkA\aUMcoQIo.exe
  "C:\Users\Admin\tIQssYkA\aUMcoQIo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1792
- C:\ProgramData\FwMAMIEI\CsQQQIsU.exe
  "C:\ProgramData\FwMAMIEI\CsQQQIsU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        6⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        8⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        10⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        12⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        14⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        16⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        18⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        20⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        22⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        24⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        26⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        28⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        30⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        32⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        34⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        36⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        38⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        40⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        42⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        44⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        46⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        48⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        50⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        52⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        54⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        56⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        58⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        60⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        62⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        64⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        65⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        66⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        67⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        68⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        69⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        70⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        71⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        72⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        73⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        74⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        75⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        76⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        77⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        78⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        79⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        80⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        81⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        82⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        83⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        84⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        85⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        86⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        87⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        88⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        89⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        90⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        91⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        92⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        93⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        94⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        95⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        96⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        97⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        98⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        99⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        100⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        101⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        102⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        103⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        104⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        105⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        106⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        107⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        108⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        109⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        110⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        111⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        112⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        113⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        114⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        115⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        116⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        117⤵
        Adds Run key to start application
        
        PID:992
        
        C:\Users\Admin\luowsAco\goMcgEEI.exe
        
        "C:\Users\Admin\luowsAco\goMcgEEI.exe"
        118⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 36
        119⤵
        Program crash
        
        PID:772
        
        C:\ProgramData\tssUwkow\WqgAQMQY.exe
        
        "C:\ProgramData\tssUwkow\WqgAQMQY.exe"
        118⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 36
        119⤵
        Program crash
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        118⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        119⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        120⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        121⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCMwMMcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        120⤵
        Deletes itself
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\usUIckYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        118⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GokccQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        116⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqcEYUEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        114⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MqwQUcYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        112⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JKoUIUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        110⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dekEMwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        108⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xQAYcAgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        106⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwEoEwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        104⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqUUcIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        102⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQMoIMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        100⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywcEwEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        98⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqMEEUco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        96⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fQkwQYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        94⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKIYEMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        92⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FkYAkskA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        90⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUAUokYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        88⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGcIEIco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        86⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIcksIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        84⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SGsAAAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        82⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kuYUsIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        80⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwcgYgEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        78⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bysQIwgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        76⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FuMMcAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        74⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEMMYwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        72⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GCEkMcIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        70⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGQsYooM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        68⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iMQcUYog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        66⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IEwAYUow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        64⤵
        
        PID:356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HeoUYogw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        62⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NUcgkEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        60⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQsIkooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        58⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TsAAAAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        56⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UQcQYwgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        54⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KGUQgsso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        52⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MkgUIMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        50⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sEQwEIsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        48⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMUogwws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        46⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEAAEgos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        44⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEoQQcwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        42⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCQUkEMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        40⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOgUwgAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        38⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oiwYwksQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        36⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKcsMgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        34⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oYgYMMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        32⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWUAgwMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        30⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMgQwsAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        28⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tMoYwsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        26⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dmIAsYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        24⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ROYoEkYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        22⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QMcYYgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        20⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\igsgYosw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        18⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSosUgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        16⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWMUMwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        14⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCcksUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        12⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMEcUgEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        10⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DukYQgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        8⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1496
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:356
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2368
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:1240
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nGkksIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        6⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2244
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1376
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2284
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQAAAgYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:484
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\oQUUgoMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
236KB

MD5
791e597feb647f7f7f08274577e89310

SHA1
99cae08f1feb0509d482c4f0af105e5cb9f547b1

SHA256
9a373003b0d84e465e49758561f9f09f83c2961008970a46684a081c2e2ee58c

SHA512
80da63cea5eb3415dd31bcc938fb5aa4df164bae50238d55379d3e101414f885e7ab99d98a9b911242a1a3b6d6631cd2416807e32e365724f4b8328c9809d2c7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

Filesize
157KB

MD5
0f33353be32eb15251d2ba0397a521eb

SHA1
e723e74db629e3344c7dbb3b529615d06414d9f1

SHA256
da101adb304263cc24002a834dd88f592c70ade101a746323eac3890db93eaa1

SHA512
c02f207c438968f9a31e96bfda1486829c61308726c35f456673def4a97f9a9e17ee15ecca717a6381519fba161d87bffa7dc7e7664577180669369304bf086a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

Filesize
159KB

MD5
6410ad470d1b32bca360126a8b12f199

SHA1
11d6cfd21c540cd6a29a60b95bfb2a5c6ee273c7

SHA256
52d9f845213aa18f431f4e737fe5c84e8d9945b728dcb7963763478d2af4edac

SHA512
a4bbbf82b31b46f6f6932f87352c98105706f58853216d434d2000a9f0f4bad4b2049129d0c0cf1e06e3df297f59ea3502807b030191abb394019ff624e1f611

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

Filesize
160KB

MD5
251a6b90e83e3057c711526fd024d4f3

SHA1
8e85c2892d3b47bd5e0603d40634644070237895

SHA256
62496da9aca4d60afe33820cae1509a8cfb85b261b0c33f3a153fc19a8a12b35

SHA512
7c3d802dac3dbcfd496e0fa1e0e21853da10778d95d728ceac1f8b7b1eec764cf4827096e70b4190894213b63c89afe7d624450f66649db08897948fcee865bc

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
748KB

MD5
302fe0fa21ff2fefdd1883161bf62399

SHA1
c020d9e393d4fd498d77af5a9890329c831a5796

SHA256
8284c12a737a86cc5b4db725cebbad8a6be7d1fa3a1b5d94caaa05d495f23708

SHA512
6fa2a1745d39283e7c3751296a4034c9cbb89ad90e07f37bf19f303e826a06a75fd11f82989a0017ba91278281f796d9a421ab670f73ec4da4f3ba0a8f31bfcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock

Filesize
4KB

MD5
9b1114047709d50a558f2ea4f6dbe9ca

SHA1
03459f960b76feacc4642131bd65028b4226fe8f

SHA256
d752cf16a0f3cfc9d796fc8c53c83087ede2d5b5e28fa0591517870b212d5eb6

SHA512
47f122831e229d869c40131e5e4968e97838a6c99898e8b179e60047711a58b27231736a788cfdd852657e2edd38c7d9d6ece93c7de63f6f45b6f3163c2fa3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIswQEsQ.bat

Filesize
4B

MD5
d93346193e05f0a94b633f16bb648bab

SHA1
77e1052b06d8930d5887148dca0cc52c4b108284

SHA256
1edf92580adc17233b6fa197b2305696d72ce6fbf873691e917ce434dc0fef59

SHA512
ec9b0fa05eaa859097058e4cfc0e3ae18fbeb276552f8e528901bcf14b4f32b8711eae7792da86f62c62e39f2b3c8bdd17a8b3233f33e522e530d4eba2240092

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgME.exe

Filesize
160KB

MD5
a3b165633092b866caedb01b3c0b3526

SHA1
1fcf1d69d0ca077f140a7ac3a22cd8d8a8510be8

SHA256
f40c63b622bf2e387ae1d1d732a677226bcc4a1cd4efe237146b78051dd69e8b

SHA512
ec1eedde59f2bd47cc173ca171e48d34ee2d5927882ffcf4e90b6c4b9ec24a9c66e5ee3435fcb0a50a049131a7af25622301ea626660d8defe3de99a4360ba8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgMk.exe

Filesize
157KB

MD5
6539ceeefaa774144bd0ff7f81f6648b

SHA1
763bd54db014213d290ab63d5056a082c7021001

SHA256
433083b2df881e9ee204c004678c84873e428bfa1eca205136c83ab113fcaefe

SHA512
0c0afe3beaaf2a2b35a6b99d03c79015a435bb8b09f2aa9c1382cf7d5f6e7633407acde8575ea84996d48d393094dad83996717f28eb1a76cb7ef40afdfaf216

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agok.exe

Filesize
523KB

MD5
877ccde3c50e735a7d8c126d4fbb0224

SHA1
b4e333d6c72be14be8bf26dcfa1e81acb5d49b1f

SHA256
2b7f5ebddaaaa37cbf21db9b72fd97f6f9b4bdef1f98e244deef130d94bbaf0d

SHA512
9605f902bff4ed7f7bac0dfa157df86c859c8adf13c6b71fbdfe4eda5a1d4dc817cbcb2691bba9efd61b33b36bd4c805b84fab2b07fe39f6049b45ada6daa020

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkEa.exe

Filesize
160KB

MD5
5d65c9cc2133bfd5919a507f3f952884

SHA1
873db353829edd68d63082b79e337951973c4358

SHA256
9284950e37aee262575a9458b25592f417afe979ed40af975d34e7b391a99237

SHA512
4bb073175b5077c2253e28b5b8ae6d942230dd7bf59aba06dc748a165dc17920e6e01c73b2dfef519af1962957c4713b46f83030240d0f5bfc58f584afbae7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkQa.exe

Filesize
158KB

MD5
653d8d7503ee47d783a6413b869431fe

SHA1
c47c71bf66b63347d7da1959636107e371592951

SHA256
85651147c6f46c1c1b8582f5fa036e5908eb1111bc779048520caf6cacd2d5a6

SHA512
5713d53ed03a6ac178c7e466e6e8c35fcac3bcb6d2539c55eed3f654f7a9a1c945ec937bbe0e0d51d0375443cb473586d94c92d107b94ef0fdb3113c1c619c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\AokY.exe

Filesize
154KB

MD5
ac9c55aa80c9f06b12654b86cf37e35a

SHA1
9a005b7bef124ab46c2dee78851ade2f6afa575a

SHA256
6fe26490c1201cc10103a800224b784f375393b002e6ceaab05be4fd26b0ea73

SHA512
322337e933490423955780fc6da7b826ece24c6097b10127f82b05862255a6418b5dda52a311137b2e0c38a34fe3fe545a0db180585c54b81e20bfe59df33302

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awgk.exe

Filesize
159KB

MD5
f2d57b417654af5fac1e250187478d17

SHA1
90eb65130e56d27ee24e88dc51796a14285d3cdd

SHA256
bf5d01fb3b3e65e9e1458e6f1940e8617946b63e4b069f991967fec7d40ef9ef

SHA512
f61bef738626ff32c1e9d306723d8cbe2c617f5360431ab497dccd4ae3556f0aca0dc0c0deb4316f183a0a531dc9b8764e7273eab09b31e1851f51fa49d18704

Download Submit
C:\Users\Admin\AppData\Local\Temp\COkgscUg.bat

Filesize
4B

MD5
464237bfbc30a71cb073fdeb9fb23134

SHA1
2462c36d75a70864f423ffcc299a9a6b2b7eac3e

SHA256
9396281d61c93e234d66496ea3c6971448ed290f457492d1162d868a135b6ce1

SHA512
c197d6b8615dfb782ab6e2e56d85d0eb09c80ccec6294775580a8fe11d5a64b6a8e5a331fe6d796f9dd29f47709c6e71ffa13fd8ba05581528ee8dba647ca4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQcg.exe

Filesize
157KB

MD5
77e8c02c1f03b9813369cb0adfd527b9

SHA1
02fb8880101c263aeaef29a0fe323258b2c1ec1b

SHA256
285d32a807b47ee2dff475fabe76cfd1e4cbc1c50954be825c9ccb972bc8f19a

SHA512
0659f7478f8045c6f021ede79cb82429840aebba2381a92220794cc6f4af94ae18b6aa6a3125591d4878b51a8348f07557341418c568987b8094963cf1208cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsEU.exe

Filesize
157KB

MD5
43c0decf90942dca52938bbde179bf83

SHA1
7e91a61f6508c5ea660bdf0e59429499339ff83f

SHA256
185fc90d29aef541b78c508aac95b93ba96cd4ab53ab4db624c6e5bcc430f792

SHA512
048309e83e90e5de17fb94a879015f5e2b621679d31e46e5c0b1f2b78e6f1ce18e0eabc4bba63ae60bb9c29d4986fbd977c7d96cb79cb42bf69130358eeef0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwQI.exe

Filesize
161KB

MD5
fdf20bb957082989369aab587a850a06

SHA1
426039bad11a6d1b48dac84f912df0aa4accd250

SHA256
83b626eb8e58748276c99beb089ba682c09b8f1343e9e0607f9c19d5d6613a7c

SHA512
324f23b32497f1ec97487ecc09cd5c7e3d79ef5e8ca13bc400ee7351dbcf82cbc3c3d93ea3b731ab6eaac5d2d729dc11e91fb2b16698520fbd8fe3d7ff4fc7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DGAYwsQw.bat

Filesize
4B

MD5
b9f1090a1eeded079db41c4bb27d96b4

SHA1
fda516cd740425e93fd659d45c1a8e71d7763637

SHA256
f454dd72cd11d35fa736ea2bd4ecddd83405c4fecdf5dac4e174ebb1086c560d

SHA512
bd038e87acdc0749cfdc1fc9e98842fd5b86b09a527edbf7ea6802f7f3683802fdcd8589fd1de4e4da74eba50a594caf13fec4f49535a030aa14f898bedf5a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIES.exe

Filesize
159KB

MD5
a5b7d7ebf38bd42563d601e57c8d1e93

SHA1
73715eb27279bac862cafdba6198a45c485102c5

SHA256
d3487656f265f0e3163b5135cc16105cdefe13411c56302c8be7fa02be430d2e

SHA512
e65858825ccc51d3087c97468b23652efa438304e90b18ceab420719c8df3f7c617fc479caaac14227115314c5f96ea66d3ba38acdbcc056126c8cfb2e077996

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMAW.exe

Filesize
158KB

MD5
d6225ecb8f6bdf72ca1d5ef2968582a1

SHA1
0aa39ae2f7024afbd932ab74f30cd61e3a16c123

SHA256
57e6d2b6c8a97db1efb8fe3ec3a7ce12cdcabf1b11fc631d833473d620a8fcd7

SHA512
a299d7289c01d702f35b02d15abf56e083830a959946dc59f3f2cc7bc69c8c035d30068390942c38dd597cbd5f809eb0642e089613ea18fb800692720c45e507

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMAgIUEY.bat

Filesize
4B

MD5
85dcfc8feb4be67877e16390d1bfd4b6

SHA1
c7b2c737d7d278beed41ffd5218b27f2d1422c5d

SHA256
6827af178f7b68fede9cd3dac0f0a9ac1728aa2d6568e63d02039ff6c5730c69

SHA512
528cf009d9db21b65cb450a9acde299cb517d57fafb74372fdb718a6347acc9e5ff6b49c098863b7b6746d3bc6cd4668640babdd8fcb88ebb19c42ace62ba893

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUIq.exe

Filesize
158KB

MD5
d4a76a3e2918b164a90f991cfca3d6e7

SHA1
a7005f3bd06489eb6996094cbe51c7cf47e98304

SHA256
02d6867cbe7185a3ca7ea18889db56620a87b47f204abba52cc4dd5922c70d2f

SHA512
c83fa9fda61fd8030ae6475d344140f262dcd945358f8257a4b65e80d8c393edd9d2f9c61989fe89551c75d3e524d7e4de1a2d21aff731d79cc3402a8d2587c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcoAEgog.bat

Filesize
4B

MD5
428f3bcbec355b789ca0839624f86f3a

SHA1
7aa1757f23b813e73d077a675e70abfc2cc9a909

SHA256
fc6cde34a8c5369f344ea91e429ae75b3c4d76edf799f587ac91ed9c5893a39a

SHA512
2378e794c94e3776e85493ef721e6fbd83905bdec97b32dcef30803b467af40c5ac486e7e0f6c26a16f7c3f1b23ac63d653b3a8d32321f587c99b43616a714f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EikssIYk.bat

Filesize
4B

MD5
023bd6550f8932edb274b7bfaca3f923

SHA1
284a9cf39a8598ab99f472ea6f5472df0ca7f6c9

SHA256
0f404e7d69e61eb64347a36b36fe4526cb2cd636a4bbab3588486d7768bdb83e

SHA512
2e072c1a5f921aaaed657e1eec2a3ec0d371b8cf621d503ae73de91e98d7f9169cab3b2b60ae3c9f0b4b488e5a69ab3b933b7f1785b8244842bcbe54283e345b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FocoQMEQ.bat

Filesize
4B

MD5
ccc5a85447badb48360e0fd6689d1ade

SHA1
fbf753ed0cdba219aafd54e80715b50f3253f70f

SHA256
45003b765e54400682558dd3b5007447055535a81e608bc815a359f776c4641f

SHA512
7bc9ac38ef7ef5de04792ec2e4a011fdf14add25f999f9e47f08c9c3cb6c3e5c2d5a25b0ab1678c4da9e0f8db3f9013fa0bad5aaa2e5cb6a69d466f42fd45625

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEMO.exe

Filesize
159KB

MD5
1a7a9264a2312488cc970e3f6aae612e

SHA1
06e3fdb0e9b897a25c41e8595dfa751b646ecc4b

SHA256
3ecfb55deafefad61b0a34d98dbd6f30edcd3e2830b4e6d51a317e03e3fedae8

SHA512
799789b2b827b327cd542fd9565960126e4c658e0a7b8df963d367a86780b51e4e3049e0fffd7d1d97e476fbac098df7be61b499882788f3734805da5dcc5840

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQgK.exe

Filesize
4.7MB

MD5
d1508fa87024328498615ee802939767

SHA1
d541b9c9c678f5c7edf2d0fb588c5a54e904afc7

SHA256
6c6e25e3329b7bd659264025e2715f492fd3ebc2b84b5d159b30b156a15cc1aa

SHA512
3631017d04e8f4501770672422454bf1f4859771eaef04fe7755545bb7adcc112d7d1f1b4806ac26f6d8e57e0e940c029078dce57c75603855c28fbd4b27ce83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gkco.exe

Filesize
157KB

MD5
71e6e04837628071541f40940b3b124e

SHA1
a50d43e0acd283cc2a621c88d261aa8d964d497f

SHA256
d9ccff5dcca89f81a8689cdbc6d3f04d5c78dc968118f96e1a8d639403ca20cd

SHA512
5eb0c92905fa60b730503f89cfef9e68b96754445ab85441d199d510024154a31f388a95c0d046c24e0d6855c692b6663b1c129fea03eb36b2de449221d95ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GugokYEo.bat

Filesize
4B

MD5
7689af7e9430c382db87740802045397

SHA1
17650726ec1cef656b129b9fdef27c8a0eeef71e

SHA256
4dfef9a8ea4bd7ead61d64c6d64c5135fa15cf63b35a85ae5b9f19c2d13e6372

SHA512
91f21b1b814663310288eda08af1aa686d675dec1625f5999bd7dcb14b1430d7c8044b8d555057b1e96627e5fc35de4931a3596568e6347afe3fd70a7417a2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkokUEwk.bat

Filesize
4B

MD5
f88f51fd65f56bde9770c61e5d4e7863

SHA1
b50c2d12d310a83458bb6d7e4940418832bc40c9

SHA256
a2b92fa1239782ab9d3bd97029107df486fc5b073dffea22f3db2ec5f9b6fdfc

SHA512
0c23195e575df99bfec47edd89a6bd9881835dee324caf563d2828016db9ad60cc47d5fcb3d883b9676c3473a8226aa957b6ed1c82efbbf0863fc6d1110a526e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAww.exe

Filesize
139KB

MD5
a7b4fb22122e3208e9b86133abfab1c4

SHA1
1e5ef7dda35beb35f3ef620165dd446eea3f578a

SHA256
01b3e741c1511d3925f372eb549257559cc81949b8345b3514cff937ad4c73e6

SHA512
22b994715622b664736a0e51c1362ec9ea5e538cbc00fcdfccdd05d46a76684cadafc83d7f5eea07fc2a3043b331427b138bb35a2aff8ad39a8517e11c9df61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMEsogsk.bat

Filesize
4B

MD5
42baba5dbcfad608e3c4601d892b5e99

SHA1
5a948ceee5bae0998307239c6ce97c8e900d54ca

SHA256
0af94f06ab4a3dbde3e9e00ca52e5be613d23629b9ece011501aebbec98a0d8d

SHA512
a6c1b6d20ea6d5a3975d0e8e215c46db48a1a43aeb1711e9287d9812ab806081557c841049c3eaba94838635db0975b8d954eff8e86b41c94b36ecd8946d4539

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgQa.exe

Filesize
691KB

MD5
cae533cea6f7eaeaea243220898fd05d

SHA1
5579035dbf502ed823d477f6bb45c44ec3fa080b

SHA256
52e5fc87c820e5485fc9b83ac30cba7241dc8e39c0ed3da7584da86916933d0c

SHA512
cb993c02fcfe05db07deccc3724d2b9fc83928a8a5159f8cee5d926681980f0abb3917c03b516b0bf77b44b51e748f79a471ded0ccd893bac1637f4d64850e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwIM.exe

Filesize
159KB

MD5
76b6a9009e15a9204e98e159e553eea7

SHA1
18eb0c0b49b83d8e35e61ce541e61c0a9627acb4

SHA256
740483368be041ee68f39f18bf055b330c56a4106a4e738c85b3fb325073a025

SHA512
d07c05d2aee5d62b22da1e77ed4becd0b796f27a8104b9d9cbb1164e6a95212755d918d5eb8b7ed5daf1139909a4aa6ccbf8415bbe2297363fc8ed24df028a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCwYQggQ.bat

Filesize
4B

MD5
ad8b7433b7353df4f96df81e195794e0

SHA1
01e0b516af4e6f2189613ec336c56c872ea6efb3

SHA256
5d5c1f412fb275b1021a2ca11b205814908ca0777d281936b012480444a55606

SHA512
361376dd030a3cbb92b4d346e850556eec8b00d80c8008177633d4bfe4fbe5cd4e65180891e640c126aa7f134b1fc6d2f44823dfd89228c73b2c1e32a799a5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMsMgEMM.bat

Filesize
4B

MD5
3a8187a9f8ad441b4ea4bc6c6100755a

SHA1
a22d8d35a8a769a649c9c37524cf7e17ef329a21

SHA256
287230d0c83fa9730d39e07d50ef506e483cfd52c1a222dc91c0891709a04cf1

SHA512
0343ebade0a380e04e35fff7e0b0d615527c946d83cc2950a651e8a18e3b1fe4064131ffadb4e0f48fb22e72a4f4d7ae26ae97aba52d8977a642423fc5b1d49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEIY.exe

Filesize
159KB

MD5
eb97872f14aa0bdd3bb684e305ce0b67

SHA1
947422201208dcf3dd9853c089043ef95e53b48f

SHA256
c655c8f75456ece71de3046245508800e0c83638ce7e630ed467bc884a05952b

SHA512
f48e6429f344af0d5644041309cc55058338c9bb1cc85faba0b41554f791b96616c082f9f83d44fcb7695bd25ee64450c4affee31f410dec64f195c9b2cca9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQcW.exe

Filesize
158KB

MD5
483c57b8f6c15ccbb9f66c09f9b9bd20

SHA1
dac8752c0be9eba9d30e285e26db989c17e327b4

SHA256
8c0e2c7aed77400bb364715371b6a731113360c064bb3aafc314d01bab2da837

SHA512
767d1c6d02eb4c4c53a01e40942c2b4d4c16a298c2f43bd0802bd3b611f87d4fa54086df6b5b39809b71b04f7bab7dd09a3a606cabe0aa6c749f98e860cc7bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUIi.exe

Filesize
159KB

MD5
8a87eceb9a3ecb109483e17f130c1285

SHA1
1e0ee9eb569cb46aebae7635c78dbd28e63223ed

SHA256
2ae9cae0ee2ef542ba7005400d73d9c74380c960a16c847294e2ea360d5ce653

SHA512
38934604c03b15afa1f8719612c35348d44bffedbca2b114f28ab5b1e57c55cc474dff9c1edbbaabc5ddc0b45ac2d5d79a7b15dc2a1d01d618f92ea01aa427c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkso.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoIEsIIM.bat

Filesize
4B

MD5
c9f8b087b9fb596c3763354425adaede

SHA1
c2d46a6db0d185f3264aaf9036a0146419064963

SHA256
616c4d1da941a72ef696fae936d1b8a471f486ebb91d1152a657056ec12c7b59

SHA512
3361ad8fc704cd506afcfcbf8c771746fa013afdb4a4181843e364180b8594c57489c1576c04974ebd09d42c7fc3bba2dc13299f87c22f905a93310b9783580c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwcq.exe

Filesize
238KB

MD5
e5351e1e36efdbf4a4956cc3ddc05b67

SHA1
cd7244ffc4b83556e2f28d52be316d9e5be3e8e2

SHA256
34a865b16456a7cf0618e0ddaa4bd7a877b68d059712a04e027920799817f7de

SHA512
c1a50ce728a4a44046abccb4fbee0e6b9eb8e4c6c1c0e9072a1b29d44c8af08c189e9ab4657bab7b21159c933b12634e5f839a838c9c8168ce2e463911a848d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGMoEswo.bat

Filesize
4B

MD5
a91d30e3a67fb5bad0c4e12d9b057548

SHA1
2020714e9ffeb4257af50f5ced941c8e2ab5f520

SHA256
924242fc16846b483ad06ede16bbf7c7075d8823c05a7dc19d1542bb1e8079b9

SHA512
399e31ff328a20309b6c1032eb7ba0dc697f11cf1cffe294cd94e806b133176603f56415fb5d5d30d1ec8b51b4d82796d5b94fb311e8aa020e96fa25a37d7add

Download Submit
C:\Users\Admin\AppData\Local\Temp\LickwUUc.bat

Filesize
4B

MD5
2c740350afc58e5923686671f7076c85

SHA1
0f1390212af101552a6a1fae1c810d46c365a298

SHA256
8cb23b14b50c1ec59194c6dad31b586397d074f5ecbd94eb66dab68964d1e985

SHA512
04d0bff0188dc36d3c9d530c7fe06dc943078d5361c85ceb5f0265a5b2403def1cf68f63680f663f5514e1b3b495cd774243181ff844cfa6d4142092153af175

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwUEUcMg.bat

Filesize
4B

MD5
0e202452f838b68e5d8a5abfff48dac3

SHA1
5b82c3a9b83f391ea78e36e251a7beedf454b293

SHA256
03d6ebd79e2790b04a1fc5f2c5409ad2148b0ddf59af4869e5e282fbaf300855

SHA512
356415215146c1f93f6335e3d6b0b35e86a6903ddf7d3c5a7175c29cbfe044008631c3250abc2b153ab9b7df998adc816e5d3fcd6ec284e0b796e333d441141d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LyYAcAAY.bat

Filesize
4B

MD5
442bc3129bc6298a4e23cc72e99b1848

SHA1
a49ea13e6d5c5ab9b5c47f2b3bad04ea2ecede41

SHA256
3171c74c086f2b41fbc1ee1dd00ae4ea1d17951d487e7c92c906c059b580255d

SHA512
92e5f98c6e3476ae963ac4558a23a4261bcbcde0c2c7772e7e413b407c11ce6a3f651aef3c1ddd845fe44cf02b7a264d57074d46b8291c9b787da328a4cfca55

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAYc.exe

Filesize
159KB

MD5
6f1df7f13f60c6f94398283a49df39ef

SHA1
bf1a2a95275d60c6bde73a80dcfb790422f977a5

SHA256
8260077618f88678715d58b69382a82280ddc69f56410cc715c22653f2da89a9

SHA512
557c7060a3525823cc68b40a4a026a597a4654a74be737028a92d2d3a8738ec981aeacbf0eefcc8762e78d7c92c4160cc3fa14ce74a7796b9452d8fdfada2831

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIYC.exe

Filesize
156KB

MD5
a5abf5bcf60f7e57a9decd44c0907e33

SHA1
f32b0d9a1c282a83e82c61bfbef8b7e689169877

SHA256
569dc75c53c117bbc1126ebad0a59ec42d49b72e0722616238a019bc860360a8

SHA512
b017b9b4cd2bf5bb915a19edcf790cd3d95ff61ebdac88e55bdefeb00178131eab4c3970c4ef32cbbc0bc215ff07f5bdc159b0f87002044f5eb461f22018fa63

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIYQ.exe

Filesize
158KB

MD5
2bb244ef15fa8ae8fba9973cb226b363

SHA1
5b0066cf752ca6de4a08cf632fb6dea994460deb

SHA256
e9b9eaac259916a455e46c3aa1c2b147148198bd9052a7a89033e9e4f75d2fdf

SHA512
e026521cc1508940e4bc1061e7902068f0d403d7c1022d307d181d8827b769e4d7e9bbad217ac137bdc474721421565bcbfced67200650c8ac467d6206f455c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMMI.exe

Filesize
827KB

MD5
b28767acbf8123c1e79d60d4b96a002e

SHA1
c7cfbbed6e6953e53992f53c93cba2345ae4913c

SHA256
bf2b22ac38260bf6b8ffec443d3c442c280431f331519a49be02d54bcf610470

SHA512
55aca7fbc04b1aea75ef2259d0e307e73290bf66c7e0b531af7f56d3741263def64a85979c3d49ae8739b24bfb70500117c78a571e1eef5b69c271424c16f966

Download Submit
C:\Users\Admin\AppData\Local\Temp\NCsIAUcY.bat

Filesize
4B

MD5
31c93130dacf9a9cdfe4ac85942b8cd8

SHA1
6f8998093b38c0a069ceda1b44e48c88e14e9e77

SHA256
463c88c36ce694148de40784b91e191b018b97e7c447051d88938e7b00283fd8

SHA512
059e127a1b6e94624e0abe561e292d84f102d4d0e4a8ce84142d2c0eab0c09b6c28528993ba6f7ddc43551996b163170aa7f6c5f09895d70fde545156c98bbe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUoUoQgo.bat

Filesize
4B

MD5
c8cc1afa570d55925a073def87d515f7

SHA1
46d6500b019f66c1733575beac051cdeb9ae30eb

SHA256
a0343bc11b55411ac146d6f7cd884fcc3fa62379ff011781cab90d293fffacaa

SHA512
ecb3a0ef360b95951caa086a258d83ddd5e523e01ecb376b673334dad0bd7f3dee1af17ab5db9916f349c2904013ad41cd070fa68f5cecba97218ca2ea18ea4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuMQQwEo.bat

Filesize
4B

MD5
2d65e4b2df5fd87d670cfe95c9b8134d

SHA1
9b0eb4727aa12771b2e9f0806618ee30089deec9

SHA256
6668b31aace9d45cce9c7790cabdf96e266ce8ae6a0cdb81125a590fafe8887e

SHA512
bc99245b5f3f45c2a4466a564bdeb38b629f86ba3a12bb071187d281a08d1131e2942a6049f15f8da8b22f3e992c1a3aadaf45a16d392cd0c88c02b4e1d6d80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIUQ.exe

Filesize
158KB

MD5
551ee6a3f066c82a4e741d1e058feba3

SHA1
69d0146818acfc5e56df2a8131f0ba56cc690310

SHA256
16dd20caaf7535b9ffc98237ec08e58ddcc0601fdc3eb5e0653c16c84dbe084f

SHA512
e9398669bc062572ed5cf5c966f617a86e22756c4128dc96c3d37d72991f8da9d44e8908e5a784b37fd2adeb58cf18ab53c84ab83e5f2b7bd4f2dfa0a16db97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMMO.exe

Filesize
8.1MB

MD5
5adf718858514aa95eee4fae0bfbb0f5

SHA1
4021745c4f22dea5e8c86d4b96551dc0abca4cb8

SHA256
13f22860372076b97a77a9be406ae706014c0e7a50e15488df0c2ca81716e0fb

SHA512
5519528410418d3255a9f3a35563b3d6e01a27985557339eeb89d48a8f5957a5287f2952737efcf9e4f716fabdc92759b904f5c1d60f393206d614d78fbd2159

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUMm.exe

Filesize
159KB

MD5
98570c636d76545e29b01806b94f1cde

SHA1
47429a2fb66ab552382940eb25401444672807cb

SHA256
c83e415a8772a5a72c7014d8b9f213df95a49690b4c5d8c75eac23d5cedf0a18

SHA512
c151ac1b258c75ca05fb205face5ef9542a43c840550d87640def442ef33f113d746c5aae229307d2d719a84d0c5feb1630eb57e21d6a8ca8861adc5b9a1a4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUMs.exe

Filesize
157KB

MD5
982738ff8c1191ab2fd4ed2a3bd50873

SHA1
4a3fa05580216b59c03dcced29beb26c2214bddd

SHA256
f15f50c8b4a1b9e03413511e8e2adeaae00dd25c2e1894b96cdce844d620159a

SHA512
a6ee535b68bba83d9b7500c4e852450c8f8724ef35f9df9564e441c71ec269055d7ccdbda8ad0c8a4f51a19bd3835c30f60a9e28d5385f6957e12b7a4d79cc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYsy.exe

Filesize
969KB

MD5
c45a9c9871be4a62917c8de9254e93e3

SHA1
4f54abec5ae7712c180a5ef2c4a8590fac346ab3

SHA256
1e385e565fb37b00db447e97c558abf90dd4328dddcded10c0548c4c0ce134b7

SHA512
dc33e95dc454b6c33bf65e5040ef7c99e4d85cf337149816a0412f696f8738a92f075ed83b1bde7012d8b89c884f5a5b7f6bde0f84c579d7316790b589a65542

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGUIggIc.bat

Filesize
4B

MD5
f76864e833c02c62a1bfe6e0409b4588

SHA1
3eb09793177472f142d057e48f791e53636a50ae

SHA256
ddfee9aa7791cb4894b452938d068047729b95d32723bcc4aeca856e0b55cf75

SHA512
71ba3302ecb07ea096c99458cb63fee52f3f2dd565f74d8bfed3e4ceb6111b5cd0f79ca910f0fe3eb27748a5de37e728228e839871eabd55736fdd3b081e5312

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIQEckMY.bat

Filesize
4B

MD5
bddce3aae2d7bd2d55ab2c755350e06a

SHA1
51cf2b083ef9674cd94c7df36a0ef18853055ed6

SHA256
2e3753baf95f05b087bebe42695e6570a33038d30fca15efd484da9421152c53

SHA512
7a7be5799d435882eef64715f6b4cbdff840a7b5730df6be0adaeec33f1746212dbc9d30c1dbde79401691622bd858e333601003e27b7ac58fb4bbc64c046940

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAke.exe

Filesize
154KB

MD5
84fef8b38c0b0430ee597eeb1974f369

SHA1
719150d5461ca7d56ec716fc6969d38b0f2523bb

SHA256
d0516aa88f960c2e1810210b3d511bee3fb6f1ef3fe97857d622b8f639f0e090

SHA512
e44e960399db18aeeb3246f7da1e2b3533b89f17c935bcbf722ed51ce3c9671a12fef831f67a0cbf2ae192fc6e9d329f79b57838caca74ac43f03388ede935b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEoe.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcAW.exe

Filesize
161KB

MD5
1a4a636b20608b729e6223f003d20e3b

SHA1
40fb97af1d4c11538400dc8976b430f81f4f1bf5

SHA256
ef01daa1e357ce7c82e959b0c2957aa5b2c84c2fdf8f86453d2c3485a0d39b7f

SHA512
87c0f46a85276d6a9d51b5e8c9c0c77cb190c35360d274b779749e0c300b0281b6886ff1acdeaad5724711f41301b773db487ebd303e328ff56fa4a29b484b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcIy.exe

Filesize
159KB

MD5
e431c33d90721a911a468392b44c2b78

SHA1
ba283b70b07fce8faafcfa39d9afec9ad77c8798

SHA256
91bf62912f1705370c15758b57d073fe469fcdfece5ce5f6bcc9e8486bf0cf7f

SHA512
839f3704044db5baef68fd9f480b6a191270f6927d2c8bd37ac92fd588de82597133db834831bdb2ac194b9d389df6cc0f78289a818a5980f244c205dcb40219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcss.exe

Filesize
557KB

MD5
a3d6ae3fe9ff81bd999132e37058acb6

SHA1
a589fce3baed2cdf723fa7ac48f07d1c74ab8813

SHA256
2b5231d5a9e1d1a4d0eb1eaf702c6a07928533080e48fdf8afcabdee6f083107

SHA512
4d49b501a5d01b1118ad1e34721e637eb20b5674ae3d50012424b1f987f345caf38ecbac691f7837817fa4953f0e56194c2f7f83a4cdaf78015bd474981b2201

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwII.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYoMwQUU.bat

Filesize
4B

MD5
93b00055fc10d26ed0faf75124f31c7b

SHA1
08a8b92c1df62447f63011f54f127655965a99b2

SHA256
86dd3213ed41e696b975d0953d8bc31deb9cfcf762e88c8dcf888f2b813dea79

SHA512
698bd8db2da5248f91659183a0647660f0d019b2d89650838888e685e6f0d728251c23866195c5e0b8eda2c7a8aa49d9c98a659adfc3b16b29e30041d572b497

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuMAgsgg.bat

Filesize
4B

MD5
0c9b20a86ebfca664c7a69f5e4b9c38c

SHA1
8790bb4ab80e6a03161eea3bcb9175ad6c8536e2

SHA256
cca987c263a661a04e32bc127f10cc7e8de6e8af4947eb6e35538615c7e296e1

SHA512
5de48e0791666d2144631418e4dee679ced78a24e5096c6e0300bf8b40a45fa13f94adbe3034100c676aa7f24809207aabf6785c8f911440275131b06dc8e49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwsUsgog.bat

Filesize
4B

MD5
e3e2598ccc9c0652a2c44430b9ce993b

SHA1
f20ca81499e8623d0108b58996543cf6471ed608

SHA256
239defc2a0cd1de720ad73b4740535b145abbdb45a9c4d91b09608749d3c0596

SHA512
1e71c0c20d2a950d35a53962acc804df891c90a409c1280f940250a8f254c4dccd8a1a441c271bcfdbf23be751991c2754617414c1c8513c7238852f45b45cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEou.exe

Filesize
160KB

MD5
e4f2cce70eeff6d37e731d2159e12482

SHA1
9882c446e287c3d33cba7ed18aee143887eea151

SHA256
103417401a0ff82cf6ef755e3f3639b803e51ce1a1e93e958211f88113cf78d8

SHA512
af4828ab7006724e45b274a8c661d453fdee6ab284df27ec40ced73efa15330d530576d538ee018e2ab37af5a99631453110458a645dafa47a9cf327c3a140a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMwsYQAs.bat

Filesize
4B

MD5
4141025726dda70e555ce50ec38c2ee0

SHA1
20adeee3234186c798b2bad643022ee7504f2cb1

SHA256
4e49eb2f9a9101c32fb13eb8b7dd7bdd044ca7ff93104b9db8542db074038deb

SHA512
744f34a85855e210ef636cc8583be5114b17391bdc257da01410faaf52ddd024dc962f4d7e48c4839f0aa6aa08216f054aac2ba2cff63f3e3741d1fd96d877a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYwc.exe

Filesize
158KB

MD5
66de2e9423d0b6ad806ba61e338ecc67

SHA1
6877a4a55a05b8530b948cf044805e3862be0d56

SHA256
6e4b22fb649ed1809e785a0712218c026a3f54d85022c35a6a2ee0c42e775fe0

SHA512
c51b86c3a963f26b3d2ea9ab5c55552757a632edb4123f23fa41fe1fbc2471022e8152083cf6e1f17821418b501dba49b20d7a7ef2b3e2da1dd7116469bd59e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scgi.exe

Filesize
157KB

MD5
37948b484b06c92eabfe08d9d285e3b2

SHA1
bcc052a22b6ea57a6a1a63e2dec841e122bf0296

SHA256
2eca2b2b6d034bdd756492c899dde676db1d731da9f3b5966e3cddb2c9ce8089

SHA512
c80ae89a1d37b0c7f93169a903fc73cb91eec0d7c9c48b059a46052fd598fc41d326e495861a30c7de3f509819cafa00aac009c977b79c84417fe526388dcdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SikAAAsk.bat

Filesize
4B

MD5
b6359aa57a59d79c5be3a41d6ab38b16

SHA1
c0dcd000314b0946d2a247de9ae816bac27791b2

SHA256
52756ca310d17604fd4451c0f92c3749cb9aeb51128ef661d0d7f06462615eea

SHA512
c686b866996c515857845868a4209b537ef507e80343235be66d7bf60be9f2faa1a2b96294bbbfb89f575bcd03675a74262deda40b61548a27df40885ee668bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkwE.exe

Filesize
565KB

MD5
3f508913f1a61a0211e832de979ebbd2

SHA1
0b1b82b679eda4c1cec782716d0df94a831e76f1

SHA256
0b001ad4b19e6160532bef6bac43cb62c0f1adcca80411fe84811c445dae1925

SHA512
1a5222a8301430c66c7295c4ed5c44c3f6463e2b0180199cd3432b2008bc5962968be05d7f508d1368ec89736cf05d017e0ac725ac4931e3c1526f1a121b0be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwQg.exe

Filesize
134KB

MD5
a5ece546af45d6f3a45f570db3942893

SHA1
cfc3101cfff08a74a2a2deee772b3237d0e2afcb

SHA256
b70e25fab0c5f175c1b096c13c1c5668ddda04ac02c5af27bc7297aa6be9932b

SHA512
04f440d27393a21741ed980dc731bc5ac83654a1f023fd8c4972184b88cf018a9b2a7dc724aaa44746072c0084e773d653bc7559db003f81d64974b159249ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwoW.exe

Filesize
138KB

MD5
2f82a717c3d190e2a1dedf7b43586390

SHA1
e6ac468ac26e0e6259b9b1eab7acf521b0790450

SHA256
7c75557757a03cb5796467f2bfc9f4db3a1324b8a7749bee591b87293c179350

SHA512
db088bc467283177f3d986bfd9ac364d6b0b238afb87a3c0fc1fd288ce95627d2601891b53363a1cf4b77723da558df125f91936443c3f154d00a3d01b964d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TossMkgM.bat

Filesize
4B

MD5
99c5c0df2457915dba54015f757bfd70

SHA1
94a4ce7d0128661a0778a14daf4ab64b962692b8

SHA256
f76396fbb2f7b85b3bb4a3f9420fbd9a7b5f9bdda17b3ee33fe98b201f395465

SHA512
e8ed99c345b146dce06405662a45f0daeb69057096b2213b60564d07a7e3d13156eef05767bf2ac91de419a2ed1f61b795f86f2ee82494dbb8455f7642c53f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYEU.exe

Filesize
236KB

MD5
ea4f0e8df52a7b3cf7163ede9741a15c

SHA1
91ac6b4c04443c20aac06d641458cae49aaefc77

SHA256
2b8b36c308694e44d0bbc2883e236b79d34c6921c71cd0b05c25d7020327e379

SHA512
d9d656880df0556bc516c6349c035ef38926849e196b92535e5f2e623d6b8c2fac4a8ab4da2f437aa5d50897617134466324faabc935d9b681ef1231ccc1cbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwUW.exe

Filesize
511KB

MD5
7cea76abb0c40242b7816baf77cb7165

SHA1
a3b72648299371037b73b09d1be5dd1f4bf83fff

SHA256
74ff9c9b99fc542c715a8584620bda19293524736051d8e2327b839ca673fa16

SHA512
0a58aaf26aa139b63d6406fd5c08281904e37e34bdb0c877d3a61976b6e7b4ca20ec97cc7e1f0858988bc4f4c4f6b46ee439f5b51530620f4ffe32991a4361cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwcI.exe

Filesize
158KB

MD5
09347d8a34210f756535120dc4a926b2

SHA1
461e96fa055bd04ce5bb74376e35b56e3f3f50e0

SHA256
ee7e3e698a04977f1ba040369f7de222e7c7f1a280ebdde606e1d7304a2ac922

SHA512
d1c6e7bc2f9d6c72ad775743bbaf22838e51434fe9b46b5ca63c9f26006f074c8b2fd119a1a38378a7b8c0cc1cd806e6938c8a3b102406d6e6b88b1fbf501724

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWQEIsMY.bat

Filesize
4B

MD5
60e63274e5f3c1840546104f5fabd842

SHA1
7936eb06d1dc67d18bf741a74d270825dc1a8578

SHA256
e48b2a0cdfa7a8b2b5f76718ef79ec7b1ab54855f259c0497121b86afeba5aca

SHA512
9d1c085478eb0d3b2949228aacc13a397311fc7125c6627f116dcaa384c736f44cbbbcbce6efdac4a188f34fe2e3e5d8994577806176b48c529fd42dca540133

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEAQ.exe

Filesize
403KB

MD5
6afe1d6f2fd0525c5edc72a2919532b3

SHA1
04fe085162218eb5d604f2706186158c1752daa9

SHA256
cd0dfbfa02f4910a0ba2b507325621323f1b0b58d125e4dfe2fa4218fe9cefe3

SHA512
f1f2f6566e6e0552b36459aca78f8edea3e7067c5f39232785eab1961394aef65f96718c0e251ee8b16e6e1063c91adeaf8a44835239a094c97c1c0ba9ee2233

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcUQoYQw.bat

Filesize
4B

MD5
9998b58affc50db7f09cc839b21c530c

SHA1
9be8e9eeab5d48dba6feab8fca7259f66a708034

SHA256
a0c4cfe466589be8fb013d435c9d72aafc3786401b0fe0467e1aa9ef80762afa

SHA512
1ab777e818503d63aee17ec96425e29d51f5f5b1f583604b00184ae30e3fd192eafbdb7588307a222cdf81c398c691927f06369a2764e787965f546fba792a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkIq.exe

Filesize
158KB

MD5
5887cdddc6b7a760f9207137ac210a2f

SHA1
0700d968727151de82a805e21953d261d24e156f

SHA256
f8c32a52981097c44fd298e2d5efeb57fc36c3cfc8e091e26b1d6116e92c2388

SHA512
7e7d15578bb7e7b18b25d72e4c845669d815341593ac5e0a3c1e05c5e214e2dda90495f89a14ad9ac07ede7491edf8e3da152efbbf2741ab7b815e98f717d4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYUskcQA.bat

Filesize
4B

MD5
8814753edf5b173282baebe2ab3dcbf1

SHA1
934496c6c2e7c570c796bc6e4b382e8cb502df80

SHA256
924d4320ec420282d7646da87c33ed68d9205ff203d22a702bd856964eff2a07

SHA512
8e3ce08204de9d841927c50e72f6a8309670c6e63a215fa2d2943b411c82ae93ab5775eaaeb9daf2c021462b7817543cc4bb064a20225fd30e2181825d30bec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcYq.exe

Filesize
158KB

MD5
86da16ebbb662522aeb81ab9428bac09

SHA1
7191e2b0e5fb655b1771365ab7d66aaf0befef53

SHA256
d316490973141826cef8508d656ca4642658f01b587e35a3ef946962dc03ca5e

SHA512
fe4c3a326e05940a6b0f260d209d8be7184df7e59211865e1df8a08dbd8b03c86b375e5b80751aef06842f08cd67f1ea5be1c7ef70a388dc07402b3bba162481

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoAS.exe

Filesize
157KB

MD5
006a508cc98a62c3c46ed944134ea628

SHA1
2713ea971ca36b5a51a3f44903dc09b9af1a305d

SHA256
c8a4d5aad8c54889ecda0a5fbb13e99015ce22341c6b79c872ae62627e6d7bc3

SHA512
f2cf2d6f423588ca5958d8fcd44fcb55a6775a41c7f29227efa309aa2d6f15f905784be804dc2919f895c16e0ece9a390094d3a776a5bb6171b1e48f6bdf0317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZSwoEosc.bat

Filesize
4B

MD5
f1ff199def714d1dc5590e0c71f777bb

SHA1
b165c00ba7f10dbef490657c4fc1258e5bd1b5fc

SHA256
8ec196954296a4610b36734359a264b3558a0e0927f613b53c402f545d9e3e3a

SHA512
478f5efa32780addeb0e0629bca062c70928b315de54891ab50263487d4712d2899f2f7c0859b4a7e534dfe5491be5f7b3960286b97896560105902156c89987

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwQskIIQ.bat

Filesize
4B

MD5
451d30e4096a7c2a3c4c5d0f87cb340a

SHA1
838656a53e906f5e39382828416d8d5feb334813

SHA256
2962e77440abae7f7a479259d66dd7f922ac33cb6997a6cf77a366dacb6aac30

SHA512
6fc7d4a12853b6ede1e8fc16664ac57d3f2425e63733e79c3ee6bef2fd55070211c7d23531a98563093955105713930545bf7213b66e44621d4c1bd4b8f8a87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAwK.exe

Filesize
156KB

MD5
edfbd0747fafb4ed9aea28c4a4a510f3

SHA1
e209a947fcb9e9c7155180c9e02342df62034583

SHA256
c6513122da982fff1903023fb7076b1e25408612027760fa8e85181dacbfe5fe

SHA512
fe4405a31e4336c24df71d4758c59916a46e447d6e1258d1f605cd6e156e6228c54abb8db2847d378b672ce5f9f4036a697f09d7ffa29963c2897899e1e7f11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEgs.exe

Filesize
157KB

MD5
82ef4ec9dc866ba59a02521d0c6033fa

SHA1
d6efb1c8e393c64fc47c757c2ae7bbb4252f5c05

SHA256
9e56e4704e08ce507ec9e9189d2e5bfbc34ccc15ec276e10e15c2fcdbf2e0e33

SHA512
501b753e8d11a925c44d9fc02112ce519f1003717ced7efa8ee8346b1a7eed2ace5627708f18edb75b2490953781b7b0493f88e8d0dfa57b9b7f91e769f212e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMMO.exe

Filesize
576KB

MD5
0a132764e863c963402033f5a859157c

SHA1
9ee05595654986ce7c5f4ae1a7e9970366e498fd

SHA256
6315271e040670143d0aaafbd3d0bde6ad4fea6d3c9033e253f9c82f7a689048

SHA512
25bd9a5d5cbd420522dc82712e2b068e128d01a1d445f8318039c95a7da5645314a40143f589e34b2fc70bbcf47f2173f97f25888aedf6f89876fcf2e6428e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\agAe.exe

Filesize
157KB

MD5
d669e31b2f9818f553207ce296bbaed1

SHA1
3930433fdceebd71ea1dd29c6cda45e6c58246a5

SHA256
fad16b223046c25ce8ae946c69804250fb889ee83c3b2021bf875b5c43087a58

SHA512
562230711c8e2ee9d9c7b8d0a6ab1258d764d0a2a1c38b8b17732cb0be2844ac18ffd9bb4e23bb995b58aba931f975607ab9ae855d8fcc6070bf9ed0ccaed075

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoIy.exe

Filesize
159KB

MD5
d5b9da5129235b777236e16b5c27d6bb

SHA1
2d196c9530302b87a1b30b92906e9b8afb4f7112

SHA256
dda443f0aa4e698f0e9c3919c9d09eed0a4e749c6ab83967c5f316a499898797

SHA512
f58263c4f6820d99ee33be5d44b9ac0c31af9ae58bd9818f922a0bfc0ec01b5a449a7185345a64b8e017e7d0592ec7aaeb70eafdad8cb3be9140741e17722103

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEQi.exe

Filesize
157KB

MD5
cc8c6df61f5f2597b5a6a6ce792877f0

SHA1
2f5bcc4d1d73f2e645b8a2a9ec4f873428adbcd9

SHA256
64ebc1fe2260729daa15d9ccf152835676896f84ab932a253b120cef932bc928

SHA512
460413150d5493004da3275a8574fa9b673eaf70a659d0333245bcc4080e842309fd221752e675ac22819795d00c969fb03b35ce21aad4a7c733b9e81d9f4237

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIIO.exe

Filesize
158KB

MD5
f50a26d226a73ff35fba7247b224432b

SHA1
4b1553c58e92ed781d285a0cc4550a762ad0c297

SHA256
857ac9229b32c97261ab443b4a7d0cef07e74363ee3d1ccd74b409c9f0575b17

SHA512
707ebff490af78e95ce4283f7a2c5593eab165c9d0c4c83484363d4bbf404ad73c538b0e17337b84cae9462f4cfc4631345c024b9725b55270f021d1bfee3b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMQM.exe

Filesize
993KB

MD5
4bf0b37655fead6353efd43960422d00

SHA1
deadf1f67518d43c0a1d6a939e2b543b6763dbf9

SHA256
ffeac602cbb229891a77cbd34dd38221b1b5be53575f9e0a938bb3a4c4292a67

SHA512
4ff6d7ee6b9950694644dc9a9b3386ac8fa40409cc6defe8e25686fb90dee86c9af8079e765f0c6b6acfbe5165b3633fc7146d0de03e859d96abea02b2001bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckwQ.exe

Filesize
868KB

MD5
e534e3749c5f79b5bd1b7cce8256e387

SHA1
6a54d1126eaf00ba3d00f52cc8d1d53e427b60b9

SHA256
f9413b801742dce2e3c54165ef697b73f377251ff7dcca99c3ff1ed8e8c1e6ac

SHA512
18e6b180b154cfd16bf2eaaa9ff331406c2fb851a11f0e9f811e4e1cece07c29e0ff87d85c9306892495d7c81e7700cd720866ca4fd8928397ee732906af67a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIsi.exe

Filesize
715KB

MD5
1f8d572220c0233403043c99c4c9be07

SHA1
f090b4b082de3daf095cbe1bc2072e9c375133bb

SHA256
13f8f74967c4d0a56a4d3c35582914718ce5777de6c5a6dd6622e3103f0363b8

SHA512
31ab885ae6e99ce5fc049849be6432187bc05d38ec871c4b913e42e3c477f1768bc397cd6e1cfd558c3a26a8980ae58b3fd9297308389ef4f47a73b6c77908d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKYgQocU.bat

Filesize
4B

MD5
429776ac4bc6cfd8336ede1bab567106

SHA1
e4920e943377c5831c1b97a0ba8986bbe1a237a6

SHA256
21c74a71f7b261237c70319be921c3df0196c091c7a21e7320cb7d5334be4101

SHA512
8cc8c5a6c5e5db11840b46230dc11ab5779306330aa81f87a68aa95fb4368b4642eb818eca67442c2738033a28d3d0dd8446313748c0b95c0a3840437a2f9524

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMYa.exe

Filesize
746KB

MD5
c773d2910fed7bf7bbf037d2651c6c00

SHA1
c9e3c0b9e51ccaee2ae2891e37c5403c31d3869f

SHA256
e322361085d7e9653f33cede3c556bb5dd403a957545a7502d6df4260bdc6d8b

SHA512
1f94667b6f243d6c296696fa275c63397c8bd98d72d53db985c4f1e2f274ab8f27e1d6cb220febd34859e103cf492389ce8c5057e18be160e32872a947fffff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMwI.exe

Filesize
158KB

MD5
ca5dac2f9ed85c5e87c27fe07e7c4523

SHA1
11f1ef0078ee5d8c1e8ab47dad6644a964ab264b

SHA256
e65b3b5e1cd3a60ed9c08ba164b4a7608a6508b95f4fe9b017814829c0ad77f2

SHA512
9eda1882865bb868ddfa161463d954264dd1829197ca44f8cf3c04e64f7f2009d2c91f6daacb9f7ebd6b7f20984f7c11e962c60bbe52223fdc3ab3d205ea33a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekMe.exe

Filesize
159KB

MD5
a590ee10933ff0b0c8cc1b7e8d244b95

SHA1
0bae09d86b1c44c035f60d0c5c306279746ecf08

SHA256
410633f3c01c2f48fcadb301ee3a8455986db568c78665e617d849736f9fdb8c

SHA512
a954041ee162c5789f243c014da24256ac4cd81dda9d6c04db8cb8f545507562711e140d2d7a6ab648c412a61173cc425b1c0064f6a34a252fa61b31ea925ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekkc.exe

Filesize
660KB

MD5
379adbd77e0a3415dc60f2a03595547c

SHA1
0c908a79e8cad5b6031a0e8413b8620b6a851bf1

SHA256
c74c9d295c320557a3459d5ca49de0b530acf22ae016efa98a0995c727ef40b0

SHA512
d30ba219af92836e2f5fc2ad0b0bcbd0a0ddac834d9fe08a53d5979f7752350a84aa8ecd880c103866023750fec6c0634bb2cb15ceb3dd68389d9c3a8a03081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekokUYsg.bat

Filesize
4B

MD5
e38def3d65094501463b574371597900

SHA1
57d3977ce2131214c65d5ac1331fdac86a506cf3

SHA256
496353583f9d96fc0cc296e508848d18f559f2a6ae71269656ba052ada8b3063

SHA512
56d54a3e93a594a819346dc20cfac702327e48c90361efe7fcf69cfc357edd4f95420c7b01b88f46c68caea39c856c98ba66f5eef587e43382c2f4c4cdbc46cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\essC.exe

Filesize
160KB

MD5
b56a736c7c68bb2dabd1d88bab003389

SHA1
bc3dcbb0336acd57648343c5a81243d08eb2be76

SHA256
b29cf859c8860dbbfb3b68f5e399683df25eb7080c9caf73dd3c6277fb92dcdd

SHA512
3e85f2ed96a02ad1858b846458edc0bd23b529be20c93cbdbf49cdcae40dcddddc7d68763a799bc43760aed2fd3adeae9103eb9fadfee42ca5f6fbbe1bdd3525

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUIYoAQY.bat

Filesize
4B

MD5
d04cf099642a555c1c221599c7bd3613

SHA1
9fc2094a581096fc76180ee5785f1fa21518db45

SHA256
96898ae25c4f42a476df60732f95c82f654b749c708503197e9fc574b2239009

SHA512
06277879174bc9637676e91137364fc71f38c8c16f03e0ec4f27b479af61c2ef76a21443d3c1ce4e42488681d9310ca2696e222d658e8468af695d5489a3f126

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIkW.exe

Filesize
556KB

MD5
1ff2bd9302a4d1197f2c2699a83b27f3

SHA1
aa3b29f7343d61eb046cf5f18a6d8eca82ed8c56

SHA256
ef3f3da16009eb9f1859cca2f27d12a0a23a9f6a4e2201d390438d78f7ce0148

SHA512
5199ea3df3e46d5f72fe229a36f4738f37eb90d6f2fb7ccfdf3222a8a96074acc3f7e1ee9fae108d4518e878ac7d542fa90cca4fcb5f605f2abab77675d8f782

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMUM.exe

Filesize
159KB

MD5
3b234678aa66bb925a6333bc9381910f

SHA1
c33c843e87f5a0c58ba71f217cd55987e3df47c0

SHA256
ad7d4e8447b84d62209b043012debbd5877289dd337e9d63d9817f138b48cf74

SHA512
715a401e728247c69882234114bc9a51cedc27e666d8e4f043d32ef77b1809da69c1ecc76e0830e1f7f2773c760c022b2fabbdb6e1e1d87eaac49d07dd320a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYYm.exe

Filesize
137KB

MD5
17a02efe5c7a7c242c8353e441794ad4

SHA1
2a9d4061aa400b88da70b53ab83bf65b452b68a8

SHA256
55734310f3d32185c459aaab34b91747fbeee80f88fc1bbcca64960b9fc31978

SHA512
284878e44b593e7b0ff7e04dee63ac9809b8b2eb255a3b7903a3da23273670680bac04d41288c101fb186ef2c33ebe212852af4ff015cfc64915413606b90fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwAA.exe

Filesize
158KB

MD5
1f39f1aaecf5136a9d9a507f7a815f94

SHA1
375ef15ee69de9652fd5a6e37872d71caa787367

SHA256
ffd69017b126df6824a09f8b38965506f03ec5d6cfb464aa0b9947f673d7ae31

SHA512
d6a21a3cb0ba0c32bf02675a45111a2e46e1f6671f430b095973dfa18d28d3ebef0469e1bceb810ff30f4244a7715be603532be80fd6d2a2404a4901aeaf1637

Download Submit
C:\Users\Admin\AppData\Local\Temp\hucsoIYg.bat

Filesize
4B

MD5
34dacc9a4afc05c7f5271a23b25895a6

SHA1
8d7e48ccd5f56a58171ee2a5339cc9379421e758

SHA256
7b141c340b7dffae454fb6f07799e74626bda7d04105e17453eb9f7e8d493782

SHA512
e123317f7af4005c4382d62e7bbb99ec2ebafe6215c11e19971e418bc0a792c05cd755cecd368e7bf80c89225e1466bfa004e997bc269be97ffc3cf40c8b9e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIYO.exe

Filesize
158KB

MD5
4afbcff9f3bbfd4edc54d3458691fc66

SHA1
ba1441ac20f3c18f4e48b9f19a0bc81c1537a6f3

SHA256
8a751de9471e65e1c74a37ea3e72ab1eebfec6f06d7750937750058269bf5dfd

SHA512
079761f3cbd412813bdbb32697b8756e9749c1738a885e86e43caeaf8c05dda937b1c79c0fc825c4061981142076808830ef2b46ccde798e685a8f20156722a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUgI.exe

Filesize
157KB

MD5
524ae84cbd6e678c455a21e9ef2cd03e

SHA1
6082c105e6d3dab8f9e36bbbd4bf371e31c32846

SHA256
3fd2dee8f7515dec42f5e405fe9024e572b91a81e95646ed85c128ba276e43ec

SHA512
abd4e8e545f2e9e56967d38a1ba5785917348cc261cb8d22a1c9804a2f608dab767ab5551c800e962a9cb3c93e325232cab7c8491a47036b45388a831b3c6698

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYME.exe

Filesize
159KB

MD5
0f8433a17a81d52db88c6c6af310b956

SHA1
63010b353885886bcde40c290d0c3773f8c86c22

SHA256
915c0d74c271d6c333d22fb82806fcc666de2dcf3c9e80a30dfca68dc5145426

SHA512
3eb64b9fa9c39e5d036607c073d769bd0a2e769753018559f5c820f3b745d2163f98b67ed7331a47350e4e04f749680ef9f720d2ce4d89264a5bd4bab6d9af89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikUc.exe

Filesize
937KB

MD5
f610e12f4ee2bafcdc803289c4256070

SHA1
7a1dbd62325656a803bf242660b91d23147eec7e

SHA256
b3708a505b424fb51a085028d9f85bc857eafcdf738f893b77dbc10088d27e6d

SHA512
9e86722528e9a4b36d16c1a3721240ed6af638f615f44b0a959230eda91795fb177bc8dcb973d768746981c0319a6e7a5a262a14efb083205026224d3c53b17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEowgcAU.bat

Filesize
4B

MD5
315bc94255abf9cdf054ab64d52283fd

SHA1
37cb4f898bc41cdc22e50644f41f6d3f99df4353

SHA256
5c134fd07b10c28d9f388d30a9a36145766be495d00aa7bd3e2afeed3032050f

SHA512
4148c55e61b09aebe87c332d02c7cd720940a6b6af0badc93af9b0f73094d6bdde74823a9c7364e678657769063d5474390c895d58f09ae191af88fbc0340d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMkgowos.bat

Filesize
4B

MD5
cca2500d695cda2b7fd802105dc55c36

SHA1
0c33bdbc98a61944297dc08d8df1952200ed0df1

SHA256
f13486ee1377307a1cf1426f29463b2c325dce0fd380b2cc7f4c7a093bc2bd6c

SHA512
042565dd29ef94a0c1e824d73f567beb632c923026529b2cf1414e2cbfa1459bb6f868551cfa883924b27a142a71b923433d171cbf085155e484a30476307032

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAIs.exe

Filesize
159KB

MD5
dedaa62b3e4940a3cae7279b27257515

SHA1
cb4b0c4d31ffe4f99d1ec39e9babf98e88e3da01

SHA256
69888ba94ea8950a7084ac82bf73aa2b22eaa67e52ccedb06a22ebb1acca4964

SHA512
2eead77d823a70bcd734b1c6510c4b08aa40f7fcca04d800037f36fdf610fbbb7339294f79c5cfd4b0112db9663e76625d7dd1d0f5b45233ea696df88c38ea88

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEYkIAYw.bat

Filesize
4B

MD5
add2fd66029ab1984ab81d7c0deca776

SHA1
2834cdd012788ca9752f73bb16ce5330d317a324

SHA256
d48a76709fb16ba5501a2cb7e30b172d5d6d584d23cffac98b2708460efd8bba

SHA512
6e87b112fe9ca94cb0ac4cd6ecaf63af8f3efdd6a9a5e9630f4467a26ad443cdb31ff246739685377e2e96b9c72e8ed0ea7acd3f1ea17e84dedb42d729a482cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kWQooogs.bat

Filesize
4B

MD5
f003c6871e1505e993cefe24531e3f96

SHA1
d6473d71413eb9c9e570248f7b58a65ee3da6331

SHA256
390398e5335446a07d6cf16799bbb85b490be9c7fea12d94c63a5873be58ef89

SHA512
7f060d30219c756e2bb68d82c4f359227fd635c6efbb5bb99f40856feb0a25adcf0f1fbe10f05636bdfbabeb9b20acea22a84713162ea5f61fbbfc9668cf4f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcwo.exe

Filesize
157KB

MD5
073fbd13c47dfd590c21ab758f135f72

SHA1
88758e58370ed714af269c16771e6ad4c0222279

SHA256
b29961d573df3ce64246e8abcd47672fd9a48a3e245d29f3c9d5511f6d831b5d

SHA512
468a7fa58350c3643e6cff0297b00d005430fb966819add986acf752c303fe14a4394251ba562a528573627a02d3ccf8baf2c63a11c69e271ed0c2d69677ebfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgAsMMEM.bat

Filesize
4B

MD5
e39b6cb0763a8e82ddcf45ccb64045bc

SHA1
34488036bba7b12531574d6f11fab01f22dd5d32

SHA256
c1b869c5437247f946a04c946fb7a7ec308f104805502d6c59c56d8b1d9e77e4

SHA512
2a633d58ca2fed20682269f1f809ddab1fc4d8089371197536e2d3995c9a79b0d558894cb67628ca4b775e0b007822e5399eae468de8898c28a272160f90ddf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgwk.exe

Filesize
159KB

MD5
e547d137fd02e77cfa20a7918ddd47e0

SHA1
7d175e34f429e0a21028831a34a40aad0e671b71

SHA256
a06693744234f02a465c8bc1274ce9f6d3a59b11f5a4c15877e26f48a731c160

SHA512
344ae9b62833974fb2335b55696177c58c853eebc7b02c0d8de3fcf0319ba796409bc9164595512d91fd9ef5739182e7fc671b1e1e4a9e1447c2928fa46afdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\koMi.exe

Filesize
160KB

MD5
59ef8110af24d767ecab160a142d319e

SHA1
268dd9b4bef73766380e35079164b386b2a79acc

SHA256
90b7929fb1b03875277d350838f3e0d62950ac918bcb66a8d8c80d6263a23927

SHA512
cd2b1a6e321adfa83c80044e225dc447ce96a22cd33546f1921fb092015c2c138dc6c0159e0f5fdd2d1e3f83abdbe998836745ff2312b780957417393239ac58

Download Submit
C:\Users\Admin\AppData\Local\Temp\kosM.exe

Filesize
236KB

MD5
925ddbbfc7169c36d2e04e7c5b707776

SHA1
913afe232eecbd9be73a60b91483f5b8cf701acf

SHA256
8da4e7f8eef08722e0c81d6f3324417fb1bb8483f00d39eccde6f0293f2e3fb8

SHA512
f29463b20dce38c153473c5de5c0a3c60381f73f02e3ea7a45eda5a414286661db20b002e675b8be078787d004f7b48401cc056cf0f2540450df3abd3966ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksEQ.exe

Filesize
343KB

MD5
2d93839c5332fd0705a27267cb0c5d4e

SHA1
81094fbdacde67e18a5896f3cbd66feacb61f978

SHA256
4b0b3d74c4ba5ad95877bee37ecfdc554ba606d217e39bdfc8cf538c43666acc

SHA512
381ebfdbd461fe06fe09f1ad1fca681066955222fb98863caa8facdc9ef6f56203c783089a6ce3ef67fca9491c2bcfbc5de9519dea770abc1fc0395fbc268f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mCcowMwk.bat

Filesize
4B

MD5
dd5dab8f6a24282a748c5016b57a2ef5

SHA1
525430cc3ccf40f73c580c2a6b09d64ed197f754

SHA256
ca2d5bfaffe389f164471cfda0bef2a6161ab3eff82819f5092996abbd19b297

SHA512
67f82ca2fc5fdf39689ee8a6608cc0ca7e930fc5a31790763e39b3f6512769e9e035beac17608eddd59865c989c654a3c8bfa1d0e4143a61a4d31e0ef22ee937

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIUm.exe

Filesize
159KB

MD5
b6187c2e454264aa49578a516f70c293

SHA1
ed706be811a3c40b41c797ebd1c7ed8e842331fc

SHA256
b7b5aab53ce2530786d4d11e92f14d401afb8e45b976ade6c7b6ab0ce0a32302

SHA512
3a679c26df4a875149efc4b78962bdd47f6e0556a862e879861e89bdde7894ca40a5b91ed3a07e650f2d4a22b4fe906000b1875ddda92e806c1c868470ac3d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIkO.exe

Filesize
151KB

MD5
cbe013ab14635c56ef887b6ebe4605a1

SHA1
fcdd0ee3a42c0a4304698e336c68580c46dbb9b1

SHA256
5159d56ec8302ddeae6722be1e403d97da0fc5404a677a8fc5224d2a48333c69

SHA512
1d356db7df4fc4b56e3a5a0d89f2d9dd1c447be54bd88403908a961fb7037f3dab952054e785d7deeadf395d30de7c468449fdf6ecf8c81bd4aa238e2e9dcfa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMQU.exe

Filesize
157KB

MD5
b91b77bd66f20b5855804fce8614a7c0

SHA1
bae3d5485ce87e21da40769bb25d1ffa2dd5d282

SHA256
d0a2d84bc65709d40d96dac145ddd9ac477c40a7f4149ffaa6d5b4f6905333be

SHA512
dd3f328f9278f2db2c9d83c6decf2ca223930b97c5af8c9b3e1b65df4bbd0d22605f34af86194962f61ca664ffff2e3fba0b89788b446fa0cf6464d2bca18193

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUIu.exe

Filesize
157KB

MD5
b5305699ae439b4a2f7c99f50e843b92

SHA1
ff7f7107058c804a9985a110414ee001160cdf07

SHA256
aa6efa03f53cdf9426b07a3e9db8acab0f1678e35b03187876441b50cfc1b02a

SHA512
303096c6dced28a1975034f366c43c36ae56d4bfe6a87a0671b23ff5ecd32dbffef74b5d47fe60691ae09c44f8d5623b8c8add4fb869c44027a125fc860d96fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUYC.exe

Filesize
158KB

MD5
958270f8387bc1334d75a49ff4171773

SHA1
89dc254570f588a658be4d1d555679302786504d

SHA256
0a989cfd142746cc978a67854ae705d7853b601a751eff881e49e2f5d5424aa4

SHA512
f06acc7c7b2aea05df9117286f43da423d2468d30b6fde1fd81344a1cd6467ff21b82dca01554ff1b818c4e54d15617771b9ce97e0d1cc5846ea4491a449d5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUoEUMYw.bat

Filesize
4B

MD5
d5e7fa32182c352db387433a9668109d

SHA1
cfd5fe25c0a27d5f6c768ced1d2b62e8f58d718e

SHA256
1c4e25c37cb37aedd22553f3a6fab6aeb1dc7767b642cf9fa8d3e104df4db56a

SHA512
2e79ddace18f3b180a8728bec18147fa508204d14571681140c13e7dd469eecc9cef0127ac0565d8c547cf095f55de78d39386cab2e00010637dac271b0a292e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYUU.exe

Filesize
867KB

MD5
d37549157e0e0ba5f184adbb272bc688

SHA1
0be6a6bea736dc37d9dd35d6be2ec2fa038fc71c

SHA256
8490a481c52d1725e659aa1c576e5abae51e806a528ce2d1f10dafce7d45d090

SHA512
9076935ad7a2e3c39c3de9c45b477c291fa396edb6a93bd53c923e73408e129ee922f1c72c1beddf0e635aa210e6570c99c18121fc0c5b434b388e4ffffcc7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\moIU.exe

Filesize
566KB

MD5
1c945d7f3344af3bfe66e6126fc10d3b

SHA1
0c12b853595b97ea696f9d242fb8599767e7b94c

SHA256
b84a30967132f2ba6a92f24c8a8cb6168832856ae311258b5d4f5c83a73295ed

SHA512
b90ea2f5dbab06a1d7b4f5630120b34da02799fe172ffe28970689b907627805e5b1cd54a50a3e0cc852e84187c439bb08110866a66dd3d0ef5b585764aba20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msYM.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEcA.exe

Filesize
236KB

MD5
3682405b6d44083e85ad23cf4efff435

SHA1
638de95a370434a683ad1df16b8ab4ddf0bd2e56

SHA256
e4d1bc78711d8483a31ce29216f064148ed100d65dfdcc187548eefeaec28e26

SHA512
b95e17eb703ff7b79e785fbe59cb6c01c07d491d5dc2da82d971a62d44f449b8f4d344f2323aadd69d77109e514d12ea4bc04aeffc3203d79c2db9a92065f0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEwm.exe

Filesize
158KB

MD5
39524c50e1579bcb40247ac7249400c6

SHA1
5ffc9a7b5aa421128c73fb6c088c66eb10a82a95

SHA256
77cccabdaca2acec971429f7e3786aa8aad394ca7a545df649ff1b4cfe7d00d1

SHA512
38cfdd2f84e47fe934305f0dac1e0182bc1e60395bad3e957a26ba9e08fc0e0585dac550de9f0632dd550e074f2924918cb34b96582802b66798471448be6eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQUUgoMs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQYq.exe

Filesize
157KB

MD5
3be2a32c8e2b81730de1fdbf44baf0cb

SHA1
2145d7eeedbfd4f8b2527148df544a3f57ad4d43

SHA256
6152770ab052b8725e649f84f6f17cb6135e67a83534072444ba420ff2cb1810

SHA512
b6377e98eea4ae84afd7425fb7cdc8fd113520d0e79fa12828df8481c98eb1be971ca1e1c08b21a68defae5fc8fce7d11059bcb04c7b5f79f9b64b8741220926

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYMQ.exe

Filesize
160KB

MD5
3299187bc913bc85ec48177f045d2c2c

SHA1
83900e553b25e90c94ce18e0f86968d9df2e7c70

SHA256
d5818f0283da522d2de7754c0c366bcbbd939d3f7e4111c6215f369fb546a3d6

SHA512
fe81ec4b074cd051a28ff8cf1cb6447b1973faf142e5aa7330e1e23cef9cacfdb374f8c31aead3ef7f337d04335c388789ea709b436da52c3cd889fce569824c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oicsUYQo.bat

Filesize
4B

MD5
2d3fb773ec3b487f05c5c9da68458d37

SHA1
fa6a743f326e654c7098d24b6acc774831f3be04

SHA256
328947c57aedc537274439286d1f69036e1abad922db2d657010110cbb4fee1d

SHA512
8b244cc06092266ba40a06d9a389bbe8515f5633040011ad141370c1a1fc0df75a6587d95ce47a25ad11fd32df7e684c1d288996dd2d75013cfa3d9f34f52efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooUk.exe

Filesize
159KB

MD5
5443e9be82b1d568969fb4a059ddde3b

SHA1
d14e90ccd57fe9a2e3f3589ecb81c2013d81deda

SHA256
a8c8b937950f58ab4452971ece283d12f20a62b625946b0ffdb14a2a87fe9e81

SHA512
9f89e2a144389f5417796b73d25f25431f82c9cf4459251ea108b42d958b1c37fe2a9f18ac7dbefa89e05b6e19fa0629ba4823e783865566ea432178fb6c054f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooYK.exe

Filesize
157KB

MD5
e0b939867967ce27b8caddfd8563f8ec

SHA1
92aa8806c9ac1b5eb80e591eed7a9760d23cc8f5

SHA256
3af40d27134590989304df6ea931db10badeba7a2f4eef034198b80f5a67ec79

SHA512
7ad9fd2cefb8025d63fd1d4c005aac7552edf7a7aa271b68b65089918a0243d014ee0cd79740fb1755a3925bc56b13fd3613d15e0af2419313579bd6a86c9cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\oogy.exe

Filesize
4.0MB

MD5
ca7956d21e542e58c86b136c16baf3da

SHA1
d05ccef5c2111314cd3c52e0066c623744562840

SHA256
2e984f1e62da9be8f0f9652f2f4104b04c67ac9a2b376cffde478cff8bfb3c0a

SHA512
35f00880e1078a3b539786bb3ec5bfcf2e924d9f4b6043ec5f6affcd215c83c9f307ac54b9c3118031b38d8c4d44bcfb0f4ade403cf929eb1797f70739067315

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQoQ.exe

Filesize
415KB

MD5
e61e1b4572fa110830dbf1d63b61ffdf

SHA1
cc5a073ee27fd1927c9e14a763e7b0f08e557f12

SHA256
b645037419d05c726195b2a6fad4b2039a8393348f6da3413a7d9530d7ba296a

SHA512
a565e79df69cb8e7505f3d5f9c1321352fce338e324a0ad27f9a201eb38a095e7625251f912e9167ada86507013da10976e7c7c249722c029de703de8f755492

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYQkYEMY.bat

Filesize
4B

MD5
09e5c1dbb0141f2d3cd2306e66955a9a

SHA1
670887cd0b6267716e40f6d957a42ca3b9375156

SHA256
b2e7bbf9dc7ef40428c6660d196b519eff26e9ef663699f47f7e8f718777cce1

SHA512
0cc3cd3bb5cad7d5bf90e8b16095b90ff8fffd839f71227ebada6e911fb85e6022738fd592a2da60c11780251fec21852fd19de6952fa19e87052297989e3eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgkW.exe

Filesize
159KB

MD5
05cafe275f63a2433cfd19cdceb16669

SHA1
caf633e8826e5c6caadd2c78616053cfaa1430ac

SHA256
f5dff0b230132a7c90af228583c4d34229b6e92fd054a30bd4badc35213b3d0c

SHA512
4412a85946f1c6b27a881694e1bc66df10e4c96ccae523edd77d3cb171e816798ab7da0b59903b61474f01b08a1a47cdb1aa2c312c148f6cd973eb9395aecc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsss.exe

Filesize
873KB

MD5
6fa8fd79c9d52bd8170eb550925ce65c

SHA1
165f93c1ce8bdcdece92f96b9aaeaf31dd276bc6

SHA256
fd7ef82bc254eadd02d4d7d7e5af287917d6957bc98723b78f7664e0c4f5b250

SHA512
5dd344304c0e190c1a7e3ad2bc0fe1c751e8bf5816c17ce4d8a4e166229222f8b0d059b7e684dfe3f4015245d1516aa6bbd5c999f81e3471a92306ef97c62fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIMW.exe

Filesize
160KB

MD5
bb051df38500684fbafdc3b54ecc3560

SHA1
6564ff08d18dcfcd8ea424a99ca6fbb3e7c3a388

SHA256
05c6caa583b9ca0ba98be06e96505bb33973a09569820ca94f5813715860d3dd

SHA512
c7b051102711fa6a0316e6ee814f35b73e123696d1789701530cc6124b36b743d7e6e08a2e51068dff86b3f55c084c00b6b8d58a15a75a6270ce10d6ff8e866d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQok.exe

Filesize
158KB

MD5
ccf36bde449a7cbb7188340833e7525c

SHA1
9e76468fbc44b1e8a2acacc8a7241c840820da5e

SHA256
2dde4084406983c3e913b4246f63e87dd0450c25e591a5400a34f34ae556c4e2

SHA512
1732103b4bfede294ec2b3ec26b8f1375781ad317b1beb20a6b9e0cb55bafd10dde958c1c2372f42da4876245b504755ea48b975f9a6c4eafaead56220fd879a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUMQ.exe

Filesize
158KB

MD5
7f6f710e45c7b7428502154a8f536de3

SHA1
2ba059c3aa2048baba5d09d9f6f04d2525d20363

SHA256
4f7b822f6a495a6dde683d12517fd36ef61aa3d7ce7fe8672b2bca0d1c79899e

SHA512
cd2b723735f1ce388145703f96269105deb09dd2b50709cc4191b2621b18fd2773e1b48e216e9a1f69a3bf3e5c482710ecd55af8440e1e7144c141d373805a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tKYQAEgM.bat

Filesize
4B

MD5
fddfb382cd5bd30f6946d65ce5a1e965

SHA1
80ae5319f92a58a9043d4682c1972cbafaade0d7

SHA256
04f09a5ce2c52ed53c0e66dc2f759a7e3f493f2c5c7d9cdededdf03280af3079

SHA512
dc8ade40d689aae2ac64c36db00bfafe9f522760fbb1a60c0db66f6fa88e9f7407347c1bc2394e28417176e244d6456fb729ff8924fe05e3f1537140610c9e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMIogoIk.bat

Filesize
4B

MD5
3b1a5c6f96652786ec14e1fbbd2b9f25

SHA1
49115a9a1c5dc1802b9587b007cda4f02142267f

SHA256
e6ba7bbc8e055a2af204e1fdecdc5b7167a395a9a8945da809403a12b25dbccf

SHA512
a7b7d3923b5a0ac29d1b25766b390eb038dc3a6b24d0f149cb8df7b2ebda00e7be284bc3058fde68278103995dc277035a320e4c7f29fa6f34065b6f355ef902

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEEgIMQI.bat

Filesize
4B

MD5
ba52a1373b094ff65ec31e14e39e92ba

SHA1
e3316b4ce9d1843ed92c638a952b0a2424211865

SHA256
ec3b80b12a9e2b2038a7598233480d7fc94a269f0dd38f5991eb902e8bbd493c

SHA512
3f2ae44d0b4e0252467dc89397ed8cb3db387994f4c84d08d5ab5d15ca83bf90e343b730b3a369b3a82c5a2c8b99c8ae835d8762763213723818d17131009b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIQe.exe

Filesize
140KB

MD5
a63ee42de4025cee14c4aed2d909f250

SHA1
210eb06fa8b16488d8e2f51a78afe9e3b2a589db

SHA256
e212db87113d123e577a6e018c19e241d3a7c2e80dc149af15f9374a5a0bad66

SHA512
95b314488dbb730d1e084147b47cad712812ab0d37714a1bfc9f4a600ba0d30cc29d061569bd2a01eb91171dc61a47f87b6083aa7a7cf984ff395eb95c81c95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIUI.exe

Filesize
159KB

MD5
08dd8f0cc3dece7c9da54d123e012787

SHA1
28b645a0aca0717af4f3830f54bb2bc24de481b5

SHA256
d4ad9c12ed04bb2d5627e371682747eef08bc1b084ff8b2dc2369db72fb830be

SHA512
f2e3e4ca6cee5bd6bc7a7e54cb58ddbe00334d1c3b5379d87928a9f857c8f4b1957a80edfe567c88c2bc8949e456bf32d880003051426b5c108f898193bfb2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIka.exe

Filesize
160KB

MD5
0cee3faeb8cc6a327a2be5d0161420fd

SHA1
8825c8a9228b424632fb8e1d46ea9f970d3df028

SHA256
031f1d6e036649da65e1f99cb8c5142efb96d3d0a98b7bf251c9dcd14af31a19

SHA512
5c63c4f7e874c21b3c8a097d41434a7ff57d1413583572396a144b532848419a26efa1b1491c1925a0836f24d1846343bc6bac14999043e26482ddb0ec37a44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugoQ.exe

Filesize
159KB

MD5
9ef61b4c268ad47a9639f21f804edd90

SHA1
05cfed9aee64538d4316f5320861766523ea9c47

SHA256
292ead22bb13f1f3f1d5cefd43aa5204c333b18cb597ee074da199e4c957a949

SHA512
540b39c0b8078bfd6fe603637de6031f61f24b1ccc30e66d740826635bd8a479ccfc9d7353cd81cb845c512c1750d810b04fe2714db38966ee1da3690858e219

Download Submit
C:\Users\Admin\AppData\Local\Temp\vykwQQwc.bat

Filesize
4B

MD5
a9b39fc275c63c86d28c5f97dfd16ec4

SHA1
630ecbd724a67baa3cf3cfafd5cffb1e0683fe88

SHA256
a40e73b9cb4a9fb9ec8e0874ab962e3c9c67e81bfb1b7aac82e756eaf902bdbc

SHA512
d063ca49c4feee09101087562a1470001563a9bd76846283fd8c51276cfea241a0df55664477a1b338df7b66c905d227cd33f565476279501f9cc60556711c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKgwoIUI.bat

Filesize
4B

MD5
570e6ebab654732da8080d3c8ba7046a

SHA1
b2bd91ffb355c332c5e0af95378fe4c7438374a7

SHA256
2610f6a46e6879b8fb43d83adeadb2659d4f7ac6ac0917c4afccbbeea73f763e

SHA512
e2481f622725180cf005f88bfa1e92400996f48280c6bb1dcafde69d59bb7497e2100de03c8cccd05df0b4735f8ed96304f42c132b9c90298f5dd42d875e9b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQkY.exe

Filesize
158KB

MD5
f76ae8924def4d5d732f3f3c7bf6f3ed

SHA1
3d8cdc65293ea280c7aee928a32e586d18021fdc

SHA256
df7913b99c61621b47bdb90b0ee6a6f9d0c679690c72a24803c944cad3773572

SHA512
dae30cd1859d3ad274a1391b882d636b4d5f18ee4f4bf567d786740b4bc66396b66f2f6a7685861a94ccb5bc473c5bb6c5289d74a9dd6b125da2819ce454f2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkMC.exe

Filesize
452KB

MD5
c59ce42a545497fd2ac0e1620f242189

SHA1
7c0414855e413941dba10cefb1bc8c55f99e09fa

SHA256
d1ed3116a371762f8e17a6d4785f5964ffacd6e2740ffe434ae6e2d00f899f54

SHA512
2e62d23404abbe321a47da9349f6f66dea60a7b9053e306510487a90273844f41f206e8dcfd59d0e35d83af03987e375499ac7f95c7a703ce762e403a88f4ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkUS.exe

Filesize
157KB

MD5
f110056b9bc554768877462c87415155

SHA1
1bae34c20c73b9104746d13b95cf06bbe4ebc9c4

SHA256
037b7ca8b6043dd2906afd6b872163899e816ec43d4695f94a31605a798e6fee

SHA512
55a3adfc7ff472db377f5dd89564b1ef7619cfe7d3d698e6d4932bf3f1852a6f368d7b7beba1ac84483876b5ae410eb624cdacf6d462e0f70da1f67829b94efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsIO.exe

Filesize
148KB

MD5
cecd8f856ef90663a3ba5d3d733b46df

SHA1
ef208a78a09381f0240237396ea95782e567bd6b

SHA256
bfe9c7022fa0ace94ea33d4158f8dda15d0e25d5f6dacf2845dc6631b397c7d4

SHA512
dc836fb94a934de588406e58b36b18e3c3ff9d4834bba708a034729ed52ab682db29a607b451ab8b64fd80485705b6e4b1dcc2561dc021a11f67146f63da4415

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKIsggcQ.bat

Filesize
4B

MD5
0f8836d7bfc7e2ff8ea90a2833ce0c79

SHA1
c327db5968f2b1aa8265c708081bb07a189d6051

SHA256
04e12759082447f2e9b7a63efa96756b281014a83405f3f9df8103701cde09cb

SHA512
ed069d8dd3ef86ba74c269105735aec10cbd2a0b0c162303aaae7717f48d3d53157a3f597ab1903beffef88166bc99050561fed696db495f379035f15b28ae77

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKQEgAIE.bat

Filesize
4B

MD5
05f23a0b2b14ef1e4ad4139a09b2ce80

SHA1
0aca89f5a3c1a502c5ef2806a1af2be6fce505bf

SHA256
4888450265256c0ea1e48a04da46c06c91579073625254a875f11ae3128ca066

SHA512
fac3e018bbabc423095172b266991b24ec2f0bd75125af3e193487e4e7c53b3fb0cee84418866ab172a97ac30ef0af9b60b61df46f79f48ef799e182f1e274bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yOYkAYkI.bat

Filesize
4B

MD5
f76c1302d5e5c9eee7f742711b1c0fdf

SHA1
c54a9f27a1a946f9168416d97828d33cc5037822

SHA256
ca9206f7fba34716d7372c8b570f655759940e24559f68e48033ac20ef5398ee

SHA512
bb527003d541b9bd80f8b71ce55710f579b1b1b4fb2c28c7040acdbcb9351eba19d20561897103d83f478f54713bb94f5ed125a313593145a2ab373c5f7fa7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUIU.exe

Filesize
158KB

MD5
eab920dd6c927e67c7fb650abb6cb038

SHA1
dbf06f3f72c83612d4deb9346ea38094453920ed

SHA256
c212c65bc83ec579b3c8c581b106142429ed282aeffc60c6e0014a43c851d012

SHA512
f32752bca2a19a978db792d885a55e9114648b604255741664f0db4032f7e7ccd7d386852c5073de5e882be97da5302337ef5002905400a254c37cab38a5bcbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUMO.exe

Filesize
1.2MB

MD5
a3dae5e33734f92b7842a60956c372ef

SHA1
a4823ccd22f5cf586b3897ef241c96507f70c188

SHA256
20fe4f813efc320ab5a6e58020b4c3a4bc95b07157a8e8e9b56368b1330cf52d

SHA512
0ae985894f512dcab32ecf4477a6b31a075378cb3f9664590e62c9ee57f59d731978c9692385971a0a123e46f448d32b696b8fb5016d6aecff46d091e4e4960c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWIcAAMs.bat

Filesize
4B

MD5
3ccd05a6af056d2b47391f79640a66c2

SHA1
ab89aa49f10106836d94d3a13bec500d3b781cc8

SHA256
ebca917b50c1cb49ee0836c48535d19cfeae077712b1afa131abb9db04fe2be5

SHA512
ccbcdb20f86f44c789c89e04a307f5132fde36282e5bfe1a6afed3717cba947a2ba0a328fe43854f727b3fe41dde1c4892141d49cd94a16071eb396f69e9cc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqwIggwI.bat

Filesize
4B

MD5
74dc91e9660cd4cf49eaff22499ff6ab

SHA1
7a76d68dca193686aa1791adf9d7713f2c9aa4a7

SHA256
d332822d62be34eeed2dc964594ab86a6f24579aba95d4e94796aa6e00dd79d0

SHA512
c12171a842b20413a1583be154fbf4195c7095af0c6b00ed5eaeb11740fc928837896952c922cbdf72f0813df154963071eb9ed10732b51b154e456d5a3cc8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywUsQIQc.bat

Filesize
4B

MD5
667af0d082c2f005905e3a8a5fb40129

SHA1
3f80d1b876fb35e24b99f064415e26f51766e7ba

SHA256
985f32211d660da657fa56f7d9bb0bf0add8d732f7d3f5753c7d14e426450678

SHA512
16d0762bb44071f2fd53ca4f5a461dfdf191427aba0a0fdb3e3f76020787ee4d41210c7afea4e0be5f9609f1f88744f7bb2f04d6eb149024ca2fe11bca72e98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEQogcUk.bat

Filesize
4B

MD5
d863c7221342d691eb0cb9a38d594848

SHA1
1148027f7b7be04bbc18dee3031c6aede2f344e3

SHA256
0f3994c9756f1bc9eff4979e34edc5ec60fcd380e205ac2a12799e90773ec948

SHA512
688997e802419810f117d5503b6bcc579be6d21f8c30f7b17539706ac3c384be301a750b7db08e245b37ab7da4a427cd1698cd7b6f89d487e9a603526b488567

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKsowsAE.bat

Filesize
4B

MD5
44cf1c623bbf7e198e68e85219c4e681

SHA1
3e718c8ba8f2fd874af73e062a27547114dc1e34

SHA256
2b6dc976a69ced91794834cbae2037738079300eef6ec8ed07458593fffe3d9c

SHA512
fd528f955a2cd98810e689312653ddf8dbf56a4fe3e95412276a3f0795622a8d9568985930a0965ee58181b0bff1c37b77158fbe3cb91e165635b9833a21c6ca

Download Submit
C:\Users\Admin\Music\MeasureSend.png.exe

Filesize
271KB

MD5
f4ae3f8b8e0263111f58ee8e919ee1b3

SHA1
3657be862f38f5296cf5320e16bafd0b81947931

SHA256
14736401578aa3bf56c358a3c4c4e6cc4811a7b167767d44c3d8405e40172edd

SHA512
9198f4fbd4f35a46aa70a5f98e6c01e7896edef7767ef272132ed3afb325ecce57bdb4404445e062bb1a2be6398d9bac671f7b624639eee8312dd7a1436905e9

Download Submit
C:\Users\Admin\tIQssYkA\aUMcoQIo.exe

Filesize
109KB

MD5
96f7438177e788b9705c54dde2ebf333

SHA1
823adc302a3414e2141044b835b817a00ff6cf10

SHA256
afaaa028032ac9945c9604413aeae7104a3b88e69eca02d84af099d2744d190b

SHA512
18ba12e12dee9148305455999f0ebbef676a8d55e5676906f84d35d9147fa261797d9174b8e42dba25d7f2976482ce51c471e3a8d06a7695bd14c1a135fbb797

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\FwMAMIEI\CsQQQIsU.exe

Filesize
112KB

MD5
cd75f6e823edc56cf9120a00b289fde6

SHA1
6d8aae4b4424d6b7c019c27c0eb6375491da48fd

SHA256
bc32f7b852e4e23e9a8195f3081594c1d92b269ecfaa86baf8bf08077e1b75a2

SHA512
15ba8fc96947659ceed203462d6a0a2e536d1e84934a7d283a488a81d2edf12263ac012f4c97ac010a932125b9997bbcda5efb73d477e4a260fd36e2b21c2c2e

Download Submit
memory/448-103-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/448-135-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/544-414-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/544-382-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/564-974-0x00000000002E0000-0x0000000000301000-memory.dmp

Filesize
132KB

Download
memory/564-975-0x00000000002E0000-0x0000000000301000-memory.dmp

Filesize
132KB

Download
memory/584-195-0x00000000001A0000-0x00000000001C1000-memory.dmp

Filesize
132KB

Download
memory/584-196-0x00000000001A0000-0x00000000001C1000-memory.dmp

Filesize
132KB

Download
memory/600-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/600-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/600-27-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/812-219-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/872-41-0x0000000000170000-0x0000000000191000-memory.dmp

Filesize
132KB

Download
memory/872-40-0x0000000000170000-0x0000000000191000-memory.dmp

Filesize
132KB

Download
memory/908-877-0x0000000000390000-0x00000000003B1000-memory.dmp

Filesize
132KB

Download
memory/964-289-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/964-321-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/964-125-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/968-242-0x00000000001F0000-0x0000000000211000-memory.dmp

Filesize
132KB

Download
memory/992-2901-0x00000000003E0000-0x00000000003FD000-memory.dmp

Filesize
116KB

Download
memory/992-2899-0x0000000077240000-0x000000007735F000-memory.dmp

Filesize
1.1MB

Download
memory/992-2903-0x0000000000450000-0x00000000004A2000-memory.dmp

Filesize
328KB

Download
memory/992-2902-0x00000000003E0000-0x00000000003FD000-memory.dmp

Filesize
116KB

Download
memory/992-2900-0x0000000077140000-0x000000007723A000-memory.dmp

Filesize
1000KB

Download
memory/1048-150-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1048-182-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1096-126-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1096-159-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1276-1270-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1316-391-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1316-359-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1344-404-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/1372-428-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1372-479-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1376-229-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1376-197-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1620-437-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1620-405-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1720-1108-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/1720-1113-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/1728-243-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1728-274-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1744-427-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1744-265-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1744-298-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1792-28-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1876-381-0x00000000002E0000-0x0000000000301000-memory.dmp

Filesize
132KB

Download
memory/1972-29-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1992-998-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1992-886-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2024-1271-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2100-288-0x0000000000170000-0x0000000000191000-memory.dmp

Filesize
132KB

Download
memory/2100-287-0x0000000000170000-0x0000000000191000-memory.dmp

Filesize
132KB

Download
memory/2176-1172-0x0000000000260000-0x0000000000281000-memory.dmp

Filesize
132KB

Download
memory/2176-1173-0x0000000000260000-0x0000000000281000-memory.dmp

Filesize
132KB

Download
memory/2252-640-0x0000000000580000-0x00000000005A1000-memory.dmp

Filesize
132KB

Download
memory/2252-639-0x0000000000580000-0x00000000005A1000-memory.dmp

Filesize
132KB

Download
memory/2348-252-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2348-220-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2352-1208-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2352-101-0x0000000000370000-0x0000000000391000-memory.dmp

Filesize
132KB

Download
memory/2352-102-0x0000000000370000-0x0000000000391000-memory.dmp

Filesize
132KB

Download
memory/2352-1114-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2384-149-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2384-148-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2416-358-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/2520-775-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2520-641-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2632-54-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2672-88-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2672-528-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2672-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2672-529-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2700-368-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2700-336-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2700-172-0x0000000000170000-0x0000000000191000-memory.dmp

Filesize
132KB

Download
memory/2724-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2724-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2744-551-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2744-471-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2756-885-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2756-773-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2776-1123-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2776-976-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2804-1174-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2836-312-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2836-345-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-112-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-79-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2884-469-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/2884-470-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/2888-766-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2888-772-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2892-173-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2892-206-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2940-78-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2940-77-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3000-335-0x0000000000260000-0x0000000000281000-memory.dmp

Filesize
132KB

Download
memory/3000-334-0x0000000000260000-0x0000000000281000-memory.dmp

Filesize
132KB

Download
memory/3000-663-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3064-311-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download