c4826c9f70993ccd192b0f66c30a1f37f579f88efa3b3c9ff719ddae69b07a10

Analysis

max time kernel
150s
max time network
68s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/09/2024, 20:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Size

194KB
MD5

dec5fb1994d3579b05ee221e5a0d5410
SHA1

a61241d9f6162fd2ab9e2263267c7629d8327865
SHA256

c4826c9f70993ccd192b0f66c30a1f37f579f88efa3b3c9ff719ddae69b07a10
SHA512

b26d406a5eaa60392cf9f6ae6e2a85fbd3333c56a99f45274b221c802f8a7c6a4791d03f3cde6c47d2c34533bb72e713edb69a67d32cf75daa3e596b782236c1
SSDEEP

3072:5W5IeUtoX7UK453E9/hgSlWFwZoK0x55yU5mqwfK:wWtoX7K532J+FwZJUgU5mF

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 60 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 60 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\Geo\Nation	VescwYEM.exe

Deletes itself 1 IoCs

pid	Process
884	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1596	uoYIIQwM.exe
1496	VescwYEM.exe

Loads dropped DLL 20 IoCs

pid	Process
1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\uoYIIQwM.exe = "C:\\Users\\Admin\\oeAYQgsw\\uoYIIQwM.exe"	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VescwYEM.exe = "C:\\ProgramData\\jccAYUoU\\VescwYEM.exe"	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VescwYEM.exe = "C:\\ProgramData\\jccAYUoU\\VescwYEM.exe"	VescwYEM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\uoYIIQwM.exe = "C:\\Users\\Admin\\oeAYQgsw\\uoYIIQwM.exe"	uoYIIQwM.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	VescwYEM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uoYIIQwM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1660	reg.exe
2272	reg.exe
2872	reg.exe
2340	reg.exe
2696	reg.exe
2812	reg.exe
908	reg.exe
2964	reg.exe
2252	reg.exe
2732	reg.exe
2076	reg.exe
2164	reg.exe
2008	reg.exe
2280	reg.exe
600	reg.exe
2516	reg.exe
2772	reg.exe
2988	reg.exe
2924	reg.exe
756	reg.exe
2060	reg.exe
2744	reg.exe
2220	reg.exe
792	reg.exe
2856	reg.exe
2856	reg.exe
2012	reg.exe
568	reg.exe
1688	reg.exe
2072	reg.exe
2568	reg.exe
2544	reg.exe
2668	reg.exe
2760	reg.exe
472	reg.exe
952	reg.exe
1748	reg.exe
2032	reg.exe
1872	reg.exe
2748	reg.exe
792	reg.exe
1668	reg.exe
2780	reg.exe
1760	reg.exe
2280	reg.exe
2164	reg.exe
1936	reg.exe
1564	reg.exe
1912	reg.exe
2852	reg.exe
1348	reg.exe
1356	reg.exe
1560	reg.exe
2196	reg.exe
2656	reg.exe
568	reg.exe
2920	reg.exe
872	reg.exe
2796	reg.exe
1860	reg.exe
484	reg.exe
1812	reg.exe
2892	reg.exe
1468	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2616	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2616	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1684	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1684	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1748	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1748	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2504	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2504	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2300	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2300	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2364	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2364	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2176	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2176	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2164	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2164	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1676	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1676	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2060	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2060	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2916	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2916	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1932	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1932	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2884	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2884	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1816	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1816	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
824	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
824	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1720	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1720	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1568	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1568	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1324	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1324	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1088	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1088	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2376	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2376	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2140	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2140	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1292	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1292	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1236	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1236	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2532	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2532	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1356	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1356	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2164	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2164	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1008	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1008	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2748	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2748	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1064	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1064	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2988	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2988	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1496	VescwYEM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe
1496	VescwYEM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1596	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	30
PID 1620 wrote to memory of 1596	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	30
PID 1620 wrote to memory of 1596	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	30
PID 1620 wrote to memory of 1596	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	30
PID 1620 wrote to memory of 1496	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	31
PID 1620 wrote to memory of 1496	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	31
PID 1620 wrote to memory of 1496	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	31
PID 1620 wrote to memory of 1496	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	31
PID 1620 wrote to memory of 2776	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	117
PID 1620 wrote to memory of 2776	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	117
PID 1620 wrote to memory of 2776	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	117
PID 1620 wrote to memory of 2776	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	117
PID 1620 wrote to memory of 2924	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	34
PID 1620 wrote to memory of 2924	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	34
PID 1620 wrote to memory of 2924	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	34
PID 1620 wrote to memory of 2924	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	34
PID 1620 wrote to memory of 2872	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	35
PID 1620 wrote to memory of 2872	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	35
PID 1620 wrote to memory of 2872	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	35
PID 1620 wrote to memory of 2872	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	35
PID 1620 wrote to memory of 2920	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	36
PID 1620 wrote to memory of 2920	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	36
PID 1620 wrote to memory of 2920	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	36
PID 1620 wrote to memory of 2920	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	36
PID 1620 wrote to memory of 2692	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	37
PID 1620 wrote to memory of 2692	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	37
PID 1620 wrote to memory of 2692	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	37
PID 1620 wrote to memory of 2692	1620	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	37
PID 2776 wrote to memory of 2856	2776	cmd.exe	116
PID 2776 wrote to memory of 2856	2776	cmd.exe	116
PID 2776 wrote to memory of 2856	2776	cmd.exe	116
PID 2776 wrote to memory of 2856	2776	cmd.exe	116
PID 2692 wrote to memory of 1656	2692	cmd.exe	113
PID 2692 wrote to memory of 1656	2692	cmd.exe	113
PID 2692 wrote to memory of 1656	2692	cmd.exe	113
PID 2692 wrote to memory of 1656	2692	cmd.exe	113
PID 2856 wrote to memory of 1668	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	44
PID 2856 wrote to memory of 1668	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	44
PID 2856 wrote to memory of 1668	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	44
PID 2856 wrote to memory of 1668	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	44
PID 1668 wrote to memory of 2616	1668	cmd.exe	46
PID 1668 wrote to memory of 2616	1668	cmd.exe	46
PID 1668 wrote to memory of 2616	1668	cmd.exe	46
PID 1668 wrote to memory of 2616	1668	cmd.exe	46
PID 2856 wrote to memory of 2988	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	47
PID 2856 wrote to memory of 2988	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	47
PID 2856 wrote to memory of 2988	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	47
PID 2856 wrote to memory of 2988	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	47
PID 2856 wrote to memory of 3036	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	120
PID 2856 wrote to memory of 3036	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	120
PID 2856 wrote to memory of 3036	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	120
PID 2856 wrote to memory of 3036	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	120
PID 2856 wrote to memory of 2272	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	50
PID 2856 wrote to memory of 2272	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	50
PID 2856 wrote to memory of 2272	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	50
PID 2856 wrote to memory of 2272	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	50
PID 2856 wrote to memory of 3040	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	53
PID 2856 wrote to memory of 3040	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	53
PID 2856 wrote to memory of 3040	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	53
PID 2856 wrote to memory of 3040	2856	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	53
PID 3040 wrote to memory of 3048	3040	cmd.exe	199
PID 3040 wrote to memory of 3048	3040	cmd.exe	199
PID 3040 wrote to memory of 3048	3040	cmd.exe	199
PID 3040 wrote to memory of 3048	3040	cmd.exe	199

C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\oeAYQgsw\uoYIIQwM.exe
  "C:\Users\Admin\oeAYQgsw\uoYIIQwM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1596
- C:\ProgramData\jccAYUoU\VescwYEM.exe
  "C:\ProgramData\jccAYUoU\VescwYEM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        6⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        12⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        14⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        16⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        20⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        22⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        26⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        28⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        30⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        35⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        36⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        38⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        40⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        42⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        44⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        46⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        47⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        48⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        54⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        55⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        56⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        58⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        60⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        62⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        63⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        65⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        66⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        67⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        68⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        69⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        71⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        72⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        73⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        74⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        75⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        76⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        77⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        78⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        80⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        83⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        84⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        86⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        87⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        90⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        91⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        92⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        94⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        95⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        96⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        97⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        98⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        99⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        100⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        101⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        102⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        104⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        105⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        107⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        108⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        109⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        110⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        112⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        113⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        114⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        115⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        116⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        117⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        118⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        119⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        120⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eYIEsEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        120⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NaUQMAEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        118⤵
        Deletes itself
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tKgwsEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        116⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NgMkggYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        114⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BMEswYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        112⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xeoEcwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        110⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngIIgkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        108⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cywIYAEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        106⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eggIMMsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        104⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQkIgwgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        102⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IaQooEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        100⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wwUAcMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FOwAggEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        96⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HmsgAYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        94⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkIwAEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        92⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XiYkkEoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        90⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vaoAEYAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        88⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eIQsQscE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        86⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCgQscQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        84⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAwUIYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        82⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QaEMoIYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        80⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eoQAUIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        78⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RUEAQcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        76⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LeowwYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        74⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FqMwQEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        72⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JmoQoYwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        70⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqsIQAQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        68⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DscYwsQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        66⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQoMkQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAEkQosA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        62⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\McYIgogM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        60⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iMAcoYQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        58⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yowQYIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        56⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mSYEsIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        54⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYAEIsgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAocosoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        50⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKgoocYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        48⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tagcMokI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        46⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgwkEMkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        44⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgMoUoQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        42⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSMAcEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        40⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIoMckYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        38⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qAIAwAEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        36⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YKEIYMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        34⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cWogoEkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        32⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGcwEoAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        30⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZoEIEoQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        28⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BYUowIUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        26⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcoQsMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        24⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TqAgAQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JsIAowYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        20⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RkMIAQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        18⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UMoQQogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        16⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcsMIUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uukwcwoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        12⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KegAMYcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        10⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\goEgIggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        8⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2340
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2164
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2044
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2180
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CmkIUcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2396
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:2988
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\WwAsksEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3048
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2924
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2872
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\HQEoAwQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "746830089-2029027689773997748-6064700381576955094550199888-1366473476-1936998692"
1⤵
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17250992645293741318303318001101434573-100112313115141221-15490591951570088244"
1⤵
PID:2776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-222000250-646094382-1881389961-1062663404850922187-1977569597-1875290727396806449"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-452705025292664299154757685315324194731785626606-1514937872-2108454217985080605"
1⤵
PID:436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13804050535464610521500177110236734183-205209731770330328-1795064108165700845"
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "731549933199714612320126652741845069646-1963951455-17081277641399406046249706473"
1⤵
PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "148769201593279907-314348192-519804816-1692569255-9391938514348384672012895960"
1⤵
PID:2384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "71692789315468420971089178237-1668417251-1087548740-256749484-20181432641628939587"
1⤵
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1249049984-21006296081333634897-1379867117-5850881981344932472-9772935-212189283"
1⤵
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-418744731121879367-19101549451440486898-193882069-20243142041597619574-978328124"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2007829992094365032-1147743375-22829097076365757-1912429484441135147273239288"
1⤵
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1139472789185451902510372050-437270177-792306589-159600742-1782162060-6799700"
1⤵
PID:2828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "127524074-966426183-1985884712120048525-6229539971152706686-17011888481072757783"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-45102621-1420441520-613977863-16131928781180062087207875176-25987344-1269507157"
1⤵
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11196082691201615966-18451443924790638991668470650-2099345541-676256216804464639"
1⤵
PID:2252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1675120537-13464349751627216122-309310863-20887051961169362572-3966124762129524286"
1⤵
PID:2276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1306776896-17020293921211158841170048151-1598862315-1192540990808276414734128314"
1⤵
PID:824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-201513523121397909781688181929-1291142945-1071239744-894955262-19999480101453520226"
1⤵
PID:2004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20537201322083663374-1754745460-777642951328403946-475037248-574195692-260121552"
1⤵
PID:1288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-587134787-14161044991091421842-338863014-721693737-751879497-608974590-739671173"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "870808955-1842715700-1161598208634310042733603698951392994678558585-481617797"
1⤵
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-282826965-67087356617449169651175326-121224488511373971315205633981154003758"
1⤵
PID:2136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1769816128-111681709-1817328547761009039-1648060061782861327-1683742519490401024"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2032501230-1955089651-1656734345-166988212-1865109794-1721134642-2032525444-2074946436"
1⤵
PID:1148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-145884856-1049215472-96765047-1643843796-16124689471617990716-6409737491752803918"
1⤵
PID:564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1844582006121166717410709569002023989814-134492956146527752-457283870-803083365"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15138445841193569412-242788034-1764376287-1001264722311255094698444439-812941826"
1⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1872909384-12369321631852318372-1339434234-1074564800-1978384861-16146802961572250895"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-935107883-986094308962088241380445973176338856851968733410349174351428266660"
1⤵
PID:1564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "335788696-2063079985-48026328-5821884693117449001197713863-1740229671372057172"
1⤵
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2024486108-1928939957-1990714536321138691258838522-892915343668129059-1428083832"
1⤵
PID:1324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "279256314-1443067061-1509550375-819299321-1724669910-933793108-2004098484-2113182168"
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12015345631348180422106077591081755277-9376103170226811-1134753266404028970"
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1448606617-1725894023124038601911833668417612486761653534017-445152252655931458"
1⤵
PID:2120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "320659234-1771022514263590732204432917-15662879571816829360-2128006744-2091731239"
1⤵
PID:1812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1096408049-1448041560-1215774763790184262-1335414169065469381859547531-1306148593"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1766605484-645634807-1816802058-1786843193115204810-952541291-652397404-1045405854"
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1997890441108655418619246182731821829318620238598439043699473982331802508264"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "48256266-13915804699523401381888165054-381301571786825916981209769-853286572"
1⤵
PID:2892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1591350312-7488643756625618792016888515764711036-285833710125665346560103685"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "41425170173370172123003026-18971544281767978698-1764087264-120238100-1196107042"
1⤵
PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "274302144552099845-198265692019450937051645008459-768144270-1164986921860919062"
1⤵
PID:2704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-291486029-2142611119-16624481221116702621-17166246381048581811-794797939-1713998212"
1⤵
PID:1368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "334981489269032439-984237767671452592-2074971938-1859664368877783609391186003"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11802251451861179245450914715158009710-759116674151687836176638292-946338682"
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13416651543717889072129002607-8472126681755689614409546387-1572217989-1800051174"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10237242601776490038-2015194206-1223895218-540699540991440114-14542872841469968000"
1⤵
PID:1376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2052636747-17706481170955362511623375621402481619-1335210688-366033840-977626811"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1025500774-898434113-135764686316577869612006919690-804011484783792915-1881061667"
1⤵
PID:2700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1998630946-1954523289-473155032-108878395219104401351558502152428900764-372478653"
1⤵
PID:1712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12024469691586212562284498055389006549933893312-701515866132932670-114478078"
1⤵
PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1109475962-1229361319645668444-515124712251207634-3968802001531933366-1055670717"
1⤵
PID:2616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1857430761-1938622288-385666312-419372010-1372116980-1514419796-1556536879596732962"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1097512273507957233-929111877561045545-12559339791110968049-598620636-531717068"
1⤵
PID:928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13602206991912335110-159701196411444942808614409271336888630-1597227322-418526736"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1615591006911545475912113229-9877723981609339909-1937311491-2652001501729928236"
1⤵
PID:2516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4244328762125905662-17162687261550584100-277656750-15269120878735038261549565431"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11102337401139604326-564334604-11442143091677094753-1921217529-536992368-1417044386"
1⤵
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-174121248845124831715026974815200641741961763302-11948400281100818688-1698282086"
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-357580441470937485-1556404284-2022040664756906946-168902291813091864171200850699"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-137483291860623878-17573091332014843978-146644401-1327446266-11086518671638532193"
1⤵
PID:2960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "130881452316222387731171120675-78367866-288414267170835696-2127244699745286630"
1⤵
PID:568

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
239KB

MD5
53edfba77e03f6d2792309423a346e61

SHA1
d61bf2dce6a15f1adaa904f6b43cde8537751bcb

SHA256
c72189b0364d4f9735b3ff23e07507eeca6245f6a9076401fd34ad125dee988b

SHA512
42b9360fc067360e9a5b3e24916497cf870a816d9663576063891c9200748f7ed5bc704e56d8ce5570189e95f02684e76f39e8a32f8e542d702f92686fc03ea2

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
237KB

MD5
3be2075522612eafee67b5986c174000

SHA1
a83442c40e721c7e9b6075cf529063063bd76ea7

SHA256
b6f082cd99c446189b910ec5bfa10672bcea6e9853b89e4fecfada9796b76c8a

SHA512
4b51a4dfbc4d6ab61967133dd6f913739b76111620fd6a0bc5fc0abbbb768c1e21dc27ac76241cfe14a333d1c59d2742d942611c1c3ea603e8f3a6a2c0f8c185

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

Filesize
238KB

MD5
a8ed3a30d7c7f1cd83e9e560d369a518

SHA1
b0c1c27655c5b2707db6520eb922b74e59aebe9a

SHA256
38f66eb482d930889b0f26eb4f52e9f97cebf857e1fcf6a88eb835b983b45606

SHA512
32681a5347118673900851739700dd34417792ef9174f85d0d3df5dd5a6be104a04ba2ca3ae55dba9ff9251a580b2e7963668931218f07d20a71516fad64deed

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
243KB

MD5
73d2e277b64be581fced4243eda02e6b

SHA1
25e8d85e9963354eac04d0636e9c10099fdbc651

SHA256
93d28a9be7d3f1f89aad92697c4e3a67d4690fe28a953b36a24f49c7aed058ba

SHA512
064c4d939ebcef7dbd75110d1bcdaca0d3d3f1f3b071e3e545b2d2574283a3be5bd756519264d39f1883971ad6e41e0b13db6d6bac5d99635acd67b95bb278a2

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

Filesize
235KB

MD5
02ee37f653a562b08190fd449bc2e299

SHA1
238c548a0c0324b9059225a6544942de0a184c3b

SHA256
d03354bda239230f6ae546a42e154547934fb4dbad9d8078ac3806d0babd5bf1

SHA512
c90dfcbd73b176080a1cc9b33c4105faa86c87b19a96351a84d47557ae952b654ace92637eef621f3497fb9e49b56cf6d28440bb54290046b668b1c99b9dab95

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

Filesize
246KB

MD5
2b5e1fece77b6da9d185c2c4f2a550ff

SHA1
73b4599ffd6fe82ff44b47e30b98406334285aa0

SHA256
df6a37c1468de7636a47c283fb985b6e65f2b46092782376bc164e1145605af3

SHA512
f312aff21ba5fd44437af7b2f36834a7c017643f78e96f3701f5c70bdd05559050c6a646dd8db92bb61855d82de23c3d5df00b4d8166d9888eb33ac1be40a1fe

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

Filesize
235KB

MD5
382a832831da8a9031e2e12ad49b9f41

SHA1
862405ffc07e24f3a49443084e6a51f06459d091

SHA256
2f159719ccc1be818a04d3455990d5f23ade05b920985149f09801aaa5043a1c

SHA512
384afd1838fc6e9e9dbad7c37101bb55d6e229b3ee358dea26b01858d2bfc496875d9fe35ed447e3ee8dfa442f4a4b2049bd7c8b47613176b85521abaf95d0dc

Download Submit
C:\ProgramData\jccAYUoU\VescwYEM.exe

Filesize
198KB

MD5
eead03770e3c17653928778644ff759b

SHA1
11a7b74430a8ccc5232cf63a730cfb4dab017caa

SHA256
7d33c6c95415c41a76ae3baeef08db34322abf9d8148910cd01db0f79a99045e

SHA512
9916734e4772877ddb16858debbf630570225de787b88f2c244e6f5f91cba40783c5d92e0ec1a1740118cffea8db92436dbd510d63e37242c406b3f5d2b8160d

Download Submit
C:\ProgramData\jccAYUoU\VescwYEM.inf

Filesize
4B

MD5
cd6078ad8e063fa3016a925f8050abfd

SHA1
c2532a3bde89846fff56a5b7b3bcd58ee823f604

SHA256
f5839a4805b37caa0bdabfd16de0c9f36a30db59a1f25a37e2a52a0f5b7c8d3f

SHA512
151467d21217e6fa18875f906242450461bb8491dca927ae95f967c0271563544b5d0c5d050a145c90febf9ae50b00212a0b5d1b141e0851b40781fb3203ad0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock

Filesize
7KB

MD5
3ed2012c1c8e57798e077855d8e8ebc6

SHA1
db4b84afb91f8fb3759c97dad938b01bd8bb9059

SHA256
e637ba906569d2393bfa7db260611cb966b149431eef1137da488aa3764a3ca0

SHA512
185f834ad9bffa42f7c3fd5bdb43f3b861d77e0ada4faea2d51e3d5a1441928e441e007fb60f8b53813f508794cb1c43b9e675ce326b80cf44f9ee13620e4692

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkwS.exe

Filesize
239KB

MD5
9868db76cf549494a2801d38d63bfbb9

SHA1
ffad1ebd8a5bb7cc1f6258aacf845a01442dd9b7

SHA256
bb1dab31f849bf4d46188b4ed8770448dc25763a04d577e8ccb1efe0296e01de

SHA512
a9db9ae9c4f71d4f6b8e9116bc51ad99655f22187522f1eab9914f525ca7bcb9b28bed51bd05ee8260f840bc59bbfa63e333b6675db92ef363e232ec4f63c707

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsMe.exe

Filesize
425KB

MD5
2b8c07e928f358f5c9fb5c7623b731d1

SHA1
695ebb9a2d27cba28c7f9c1d02e54ec2a868ee0c

SHA256
9a96d923124e4d58906ef9119c0eab365f133e73609ebaaa7a7dcd3203c2d29f

SHA512
9dc5187d67749597d909c1e203062fd700058b1d2a6c4202ef97d69324f5d56da3257c07accadf2e0d1cfe81c84da45e57b62537b77b1b48e12332abb5908221

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMwUEgMQ.bat

Filesize
4B

MD5
eaef6a7b1aedb7288ec07cf3e398d7d4

SHA1
e4702f91b2fd84e83ed188060019efa2c078453c

SHA256
4c30f79138e13e74c2a6e1f54343357dc3037f1e480fd7ff9a291a671c6ad4a0

SHA512
a3a9734db169662a0a7b763a79668c181edd88b2ebef08a36779a450ffa40c0f74e0f2c70ed26afb8d9ff9a1ffb32183278942a6ecdb5a9e5b0db7625775f86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUcu.exe

Filesize
252KB

MD5
198c4dde77651ab473b2f5073f63b262

SHA1
cc528efabd91fa54a0709948ea82b308b4afb9a1

SHA256
33acfa12c34f1a2da85ce9e8a542352e14240054ff1a469ecfa17a85ba54d85d

SHA512
038df4dc9944dcc49b264fd3b63be4b222d26bd00a675c1bf8233085480bdd986f9687e4c97e3498275c854f4db31b7ef2c0b0274d4007cf573ee6f336222090

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwYO.exe

Filesize
222KB

MD5
b8e64a59ddf9c8bdf687f346ac7cf5fa

SHA1
59a20095c2dd5378c8a59f6d09ba9ae40659a54d

SHA256
70366288dc494caf3eec4cc9d17d0f3b07178eb344ba4075b16778a33f1ec307

SHA512
b4db8fcfbb4ad95d47d6b2fd61a3f971cb711db655b1f0e6c8d27afa393bb7a97f2aeea49c8134b6d4d1219364cd2030b3348356e39dd9abc32f0bd0176eb60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQYs.exe

Filesize
245KB

MD5
8c19256d7a4d7798711826acc4752d7f

SHA1
a70660c436e15ecd489a5850ff1e43862d3856b8

SHA256
005cb7a8c95cb666f648397662279ad719d64d5016a6dfe5a0b37f9552cddc6e

SHA512
666cfcf72093af9d42f572ccda1d3f81b461c2b6e5730e5e1fe0773154e4f9aa7ab6661310a6c9c093627c79d46d923f325477e386436e42c99c42350dfd9cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMgMIIcM.bat

Filesize
4B

MD5
05294e2a9fa2e1ff6e337deacaac0154

SHA1
870d559fda831c93cc717395b39c8f499bd2d43a

SHA256
4259f1db5aed6b9910b16dd6164b96b5a71c9d0b7e8543e4dcc4c2968df01693

SHA512
9c4558c558a4069b2e88d01575d5cfa728e092926266e23e464443a329ba1db436abd28baed3e667a80e9919e6f1c81cd3993a201ef4304f2dc11dbd7f1d152f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FqAMYkMo.bat

Filesize
4B

MD5
d1f23638695668ebb9d2477fae2113c7

SHA1
4c8731599188d06b248b008e9e5f359063adbc03

SHA256
10cdd5c80c625865d4983917a9166997d8bdc8e6726da7a2e4a6eda844394b5b

SHA512
6091726a50afc4afdcc0975451065aeea1c2878daa2e4478b43a6f842f9e8cf51bbebfa25221138a47bc99440a95d1940d779bb21729b465c978c696702d9423

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMIo.exe

Filesize
718KB

MD5
504db13f75f8c818fd6665c76f3c7844

SHA1
0ab53c53d33d527d573426ca6182f53407011449

SHA256
1451e806cd3aad0a6113261bd1ed93e955c6c15c7b90409be70b20f65d73f139

SHA512
9139d34c015ba0c12cf6193c60e73a55ef937f89642e565c36ca45ea3c6e229f596378f5f1ee6108ab3927766e3a7f08c62711f9058c088555659cf6b0415bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQUW.exe

Filesize
235KB

MD5
9b458819e151f8c23cc5e01008dc1134

SHA1
c695fed99d34cd5f5bd650ed0d564536f368e85f

SHA256
f85736d9eeaa0af35c64c95f56a6f16214158b8b87b3db48bd42a57513a3203f

SHA512
0375f538ac28f7f77830c19958b43e61d6959b9ea2b934d4919ee97428427ed95abfbb2d8089f065dcaca3c44a4070a1a64b00fe82ea41b8277b31d4d6a2f79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUwQ.exe

Filesize
410KB

MD5
364e33f251cea5d2a19cd99ac44c806d

SHA1
d5efb90e1cbac07da86f3d563e4e56bc32a625e3

SHA256
f3eac67379c155ff02f752d66062a148ea2396145369ecef0d4e8e7a730ab7b5

SHA512
490615218b8d7061696281a3d65e023a1f9e6521c84b954a6ffa247bdd4ea4bbcfa6c30cb6b5af97a8bb68ab61e58c3d527bd44d0fa56ea034053166291cf09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GooE.exe

Filesize
347KB

MD5
42a39b7e566405823aeaf27f295f29cd

SHA1
d397ad34b68b0099130b0650eddea93a32e94ce5

SHA256
e5d36cfbc48c7289b58809806ba16111edd4229e7a8474f9d08391892929675b

SHA512
9ddece23e0c3b562fd98f780b01c2495e7e899359c43b78a46d9ccc2ba62c5c7fda8a71200664ea3b171cc7e894ab5df6cb197ba899f236f73e4cad27d8b3b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Goos.exe

Filesize
251KB

MD5
30563d523ab91d3ed33d3b0019097e14

SHA1
a888d74abc8f0f077ccbbd69d1b5d03f1fca946a

SHA256
4adaea0a714452ad52eeb738beadfcf59394143e99b8c607611428bfd56a464d

SHA512
4c9ed671076d605607fe92a536fdcdaa7af7de4d26f35c575568e59985b739dc0256fed55191cbed013e1abafe14b481f0846cfd98764357916b4c35725160ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsYW.exe

Filesize
240KB

MD5
33dd0b4bea1e90dd4f0b5edb1cae8bbe

SHA1
2148d64998bd68da9eb49018ee40afeb75a89f0d

SHA256
457bbc46c8cd3cf0e759853196ae92ff28ed1cde6e7c179aa254de3721ccadca

SHA512
67752cf3a9dd6a7de0dc1c90e96ffe021f28e2f1550dbaab661ba7709b9687613b5ff8dd109b4422609d8d34b91fafddf09305c7f5a9479e767366c64c540fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gsgq.exe

Filesize
740KB

MD5
0493c267cb8028941319397032e499d1

SHA1
ac9d77a8456ab91b9a0d2773affe251443c955fd

SHA256
bb14c1a01d00e94bc618f1cffc9b8f4443f30fe01f4c982b1338ed7425eb0a67

SHA512
fa4a34c68e4ee7648bf7b13e23d9bd33c74b0c385c649636297667c1791f3d2f53116908028713621f312f4eadb0c8659f01f83f0f09400b581c1d131a855de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQEoAwQc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgYEAwco.bat

Filesize
4B

MD5
45cbb702f058d5337f8a3835a392759d

SHA1
ea90eb31eddc68aabeb6dbf994d7b0b0951cf8a0

SHA256
14ec59b5ba9838c5825cd8bc8c6f0c9e74ae0c4b4a81523f4f1d90ff43f90a75

SHA512
a510b13054d2e65a219b4b6efa94bd82dce5ae6fbfae517a8559713a5f24e7fe308bb78e89bbc744569ad5cb860d4fa981ea809d890224d194f3678d1302d3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmQIgMgk.bat

Filesize
4B

MD5
e07c73587073dc77b9981dc0f18ee955

SHA1
69d105e63385fff280bac7e41798f9c96f63e71f

SHA256
1d9d065fe701d86897f4ac633643701ffef379187c26199485cee08aca3616a5

SHA512
69dad124a2a9eeb75371cca820e9495ffffb94c9c51498c9b4576e70bd391e980259447552c4268077f5aa01401200c5edbb4c1bda4c6afdb5c36496e80bfd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAcy.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAkS.exe

Filesize
525KB

MD5
5ebcabf3fe54d266d3325ffba3882299

SHA1
be22e8383789548480d3b3e9504283afb5b24108

SHA256
4542abddad050db671a76d146fc267c868ed16cd44dab2ad07d60b372c2ceab1

SHA512
db5ceffc20cb2b8be82dfa9b790d997424f1e4bad6118d38fb93f1a66a1dd44c641c0b483e034d8051c595aba251c6048d2e5191620ec07f748baf11d5eb902c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEUa.exe

Filesize
777KB

MD5
8249d468744f4196a370e79276d4b2a5

SHA1
13a78f420082c1ad738de672bab34f749a143e5a

SHA256
8bb41ab736dc347d55b681dce1a004524c530fc4573eb8165a5e3c3fae5c906e

SHA512
d8d0efc698b89d093fee4aa1306b058033da25dff2e53dfb51fedf85413ac7370c144ea95d8b4529ea87d0b429964fbf438d56cad2b003f3cd804338e25fcb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIwy.exe

Filesize
241KB

MD5
2ba48cc2f512c024142ebf224aeabd1a

SHA1
1a44175c801d90858aaa248108008e95a2fe7229

SHA256
6934467b890cb1f7eeb9f7b249c887fa5604e061ec21209be6eeeb349b101587

SHA512
aa0750e693285462274ed0630361ae114e7c4ccc8e0ecc0ad8ecc27c011d8ebfd28a255ca187eb55f2c418d74680f6e6982b5724c9b98c4a17c674c0c7febdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwMe.exe

Filesize
248KB

MD5
6a95bfb3ee50973bfe53b6fc076b02a7

SHA1
0d9ce0dea1f7b0b06df402926970939f68c99ccd

SHA256
2818c650d7fce625383c8413a6517b0c5c828b32d82802068e43554a6a738ca0

SHA512
8ceef9cfaed6fb2ee7879fde86ac3355b048d73c7d35c582b1db4b4ff257ea1940e31837ffcf861d67c5902100591a61d8954d930ad648d0109160addfbf6276

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAAI.exe

Filesize
1.3MB

MD5
c34eb5540f6ccddcc4e1b005b6a56262

SHA1
7b62957ff493b20768e512f774e939f7e1421ef6

SHA256
46c75fb1cf92c6a5b684212e38a20249dbf594cd06b11f418a2af6101fff8e8c

SHA512
74101a7a7076cbb3dfc6f38897006025847fddef5c1a3122180539c17012a4d643ddbf36a0676cf0916953d8ada6d81a0ae4ce64471fc56a597dedb212d60df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAsy.exe

Filesize
242KB

MD5
d98069854692f6422cfa03fc646af482

SHA1
552a5c39a8dba2322cdbb4ee9a94abf16abbaa26

SHA256
62ac8da4fbe976b1a85f81a09e92d798976ec35d68b94da5be154e08484f520a

SHA512
1f40bbedd0df3e88f0f4f3a37c9796428176194b12cf2882b77695886a57038cc24e360b3a71af7c73b61c1bcd51912aec9ef6760ed5ed14c17b6fa1d31741cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEkA.exe

Filesize
244KB

MD5
5e9de814823334dbae8067ba3dfd5253

SHA1
a207d35a2fbec5f3f0d64a01eb55bb8690f7be21

SHA256
0087cc0d66a820e113e6a1e8856852ccf9700b2e40b1a0600a273060d174e1ca

SHA512
429d0b51eb70574b820a02e6fb2e4d0126aa4fb90a8d82e407617291fe469e0459e43bbbde9da7faa905fede939dacd42d1960f3ed2c0f4920776fd72a38b7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMUi.exe

Filesize
231KB

MD5
62f2eda85f776be81de464d94ffe96ca

SHA1
6fd2065e5fc684db3bf3781bffca13ed72c6823b

SHA256
896b1c21461720dda803c961e3f591a8862018e6b4aebabd59c2819792f4243a

SHA512
913250f7532dda20c203204a9070e63b4b7df0b3885f0349c3276bf81815d9b2fc27ddff33c066e682d173ea61fd24feeb22ca0f3bad004d425459392614bb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQkW.exe

Filesize
231KB

MD5
f4e851b318f6874805b534c8587bd5ba

SHA1
94d4b2f85811c2d80b7671b8dd3d0b46d9f259a4

SHA256
92d6b66431e8645ccc908a9233cc9b35c8c571452ca8f69f4d4aab9a4ec81ce6

SHA512
dc2beb5d65518ad250271eb6e26a1b413dbf26befe9b8e31cb5ac9d31e741a7a9a357e9b8df3d19f1bbdc63acf4e5700f78107cb9f98aaafdfa1542284ad7627

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYAi.exe

Filesize
225KB

MD5
9c848708ef23ed0d1a8ca68854b337a5

SHA1
16265312b442d86e1a3ad70093396b16b21490ab

SHA256
595de71d08130614ae856021996398ee4aa77081fbe1cfe914ac29d3ba1a97e5

SHA512
0eb3cba2f387196f803a64ba740cd380331f931e93e530d10cb92f856116677d8e7c811d80ec6f02588c13ae06fb2be360cb042d6b4150858eb97cd146169f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQIi.exe

Filesize
939KB

MD5
831a182e75b679206da232675f9e244d

SHA1
9402fc6846577912cc38a9a572aa520519f7e651

SHA256
ff345e4028bf1ca426d029ccd9c04035dcce2996fa6d097156b59aebc4fb45e1

SHA512
fc3c24293d2ae30dbf11729e161c33edfc63ac9a8883b0be9944bf4f5b469408c6c769482440386004ba28df56dc93bed621556a78f4502cdc8d908099f3eab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUoY.exe

Filesize
235KB

MD5
e13a28a6f0bd822b8fdbee64d2103090

SHA1
7e8e3fcf476ad1600c7d4848239a5c81cf1c1adc

SHA256
4a9dd2c69daf9479b0364f4ee6388cb86f586c134ae771a2aab01e059a3b6618

SHA512
2f9a761ff51df65d57fa11ce9ac9fe84bc7e595d26853e1e3ff4db3fadfc3329836fb64801ad56d2b6cfb0e8aba6835a79ab0cd344de6173b528ca962577ce8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mwoq.exe

Filesize
229KB

MD5
1a900485c774d44faa0d407b0cbbd092

SHA1
2985888cb5f5596da2d9714ba4b900d82d8bec84

SHA256
ddb21e706f4ab193fca4df2e0bca9b328df55538748b13573d83bc88c7c39b5e

SHA512
a7ef3e8eeb1fe5fc001085da2a58377113f6521ab02972184bf22e5776b121c70eacb2b590b4d80e764596dc1ce623988a771ca44a24a2086af61248e0f65ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEgo.exe

Filesize
240KB

MD5
dd3ec29fa572a5d5da4ab725445d4179

SHA1
bb9bb0678694b55cdc91c02799a0e3c1389718c6

SHA256
3b4529aec730072bd8691239a66e2857251fbe77a36057a4a23311be399ace83

SHA512
68f4622fa19bc3d37a414e952e051b4b90e84b3456de182a81fad8930b1fddb78bda5a0e6c850a9497f6736c72dc40c6691e35c73db9275fec4a0941dddfacbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWEgggMU.bat

Filesize
4B

MD5
37662558a86f7ce59ec69cfd095bcb8e

SHA1
5cbd6c5a5a479c61ffdc1497681eb00c7422fc1e

SHA256
54c99543c6771289c000afc38f94d79c75d7bf10dc483024f40223f196dc55e5

SHA512
59ceeaee6e26a3328a1c289e1ca2d0bc1b4c5a57b30db3adf311599ed695720f65064f2132f5137d86c566991dc1af8a290ad23c01c0e92a78c443f4f10f88fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OssEQccw.bat

Filesize
4B

MD5
cce353162b9c45aef9b062ef81c42194

SHA1
e2c284c8e0dc52b0083edb9a13debbed2c44aa34

SHA256
64129a07da194bf9f04934e9fed740c8aecd19e48b44d6a6807b71f4dfcb7593

SHA512
ac63ca2018d9a5fb86458e43508f921306e9de40f8f2c10a5c1dd3ade98dd6dc963eb59236a4b23350b0d6362e8f4a2aed3339f96b67db75a539bebb5c983840

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAIAAIAE.bat

Filesize
4B

MD5
6b46c3d6face4a6d730429019aeb8c5f

SHA1
ea128497fb26364ed229b01e6f0a12fdb3018cb0

SHA256
2b2048c6132f4352ed72f584db58594fd74daa343c038b751e6b28bb69c12655

SHA512
d3e3771d90d09644a2c3ffaafecfc274d4fc26e76786046f415858087882b59c5ae3d2cd0542f62931ff8bae7a75f54e3e95b65b0963bc983842b804998ee4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaAMcowg.bat

Filesize
4B

MD5
39715cddf38dde5ab0f06df6b0917a89

SHA1
a65651668bd8f77cba1f6f3de515a49ce09e92e9

SHA256
3786b7be7b1158871129fb26aeaf6b433e77a98a3cdb3089ea042bd2fa15a4b8

SHA512
71ea2042cc407a87af7c99e92d659bb53c8537573da7b7ae8dd06357fd37fffdf9bf038a65cf51951507a40f3a879664dd7b50ff0464ab9985f437e8654006f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QCwoggoM.bat

Filesize
4B

MD5
22f3608af6195f348f0b30a3e676971e

SHA1
e51feaa0f73ce163ffa0128452b43030db024c6c

SHA256
7af6b1a6170431c1fd6fb5d4d9bb8e5ee203937c33809b5f5d1de7c775823a65

SHA512
d5a0aa95b3d232a43538a8bf456fe839c4f3d69fbb2dcded7fb3f0773685e2776a3251acd34e68b32df4b5655358f938e2f488bf91f4a0c6e8b58ccb6713a5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIgoYQEU.bat

Filesize
4B

MD5
f4693a2ba6120dd24b81c33bc5ecef23

SHA1
7b0fa416c6b8593d9f175c3a3165436a927f8f88

SHA256
8c28b87cdd68b49e3963ae8cd52237d12c715650c8d3e355afb1c22ca1bede84

SHA512
7960a526c68b88eab7a9440efb402e0335cc3ba2a95a1d1e43aa027ec481632a5aebb3e7712cc221b97682ade4d7f0267a90e42f0f81e7109e70e1df45f0b13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMEs.exe

Filesize
233KB

MD5
3e7c15e28c5c069ffd5b372cc385d31a

SHA1
305f263e162b5bcee417dbfbc7bc03d9a82edff5

SHA256
fb9fcb2b61b023023b0744c869569e77fa98234bc1b5722c5e9f1a52c473c639

SHA512
fb560d5266dcb677bb3584886aec5834456232ade1e9e9b32ac9e8ca49eb5e19ff4049cc5e2ee52fbfdbe651c9b9737289a247dc7293305c98dd512404b57b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMsC.exe

Filesize
645KB

MD5
0adc6fc16ee0b9b4bf13bfa09c081f69

SHA1
885e4ce9029bf66bfcc9b8de5560b21c333ae246

SHA256
85fbc48035ffc01b9a3a58d268e14b0fac515b23b59edbf618cd66da9f76299c

SHA512
a8445b66aadef15d6b2e33deec40cec8e5a62a19b37b09303bc4177ad0de995c8426d742516f09c5c2e174ee828d289c1048ab18cc22336a186956b9d6708ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQcs.exe

Filesize
502KB

MD5
c080195f6efdf30085370ec05e5e8541

SHA1
76642e21821abcf8c5860d5a195aedaaf7d0aa45

SHA256
c355c027eeb348eb9588c6f7b79f43941ee677d1445501dbbb018c5f3fe54209

SHA512
2406a3b75d3721543a4b873c893df6bfd3d42c32a63146b37c52ec61ccc781e4e93f6ba539d1b27f3bd97c763a65ef7fc07246eb29a536b5c048e9a94c9dbdaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUMS.exe

Filesize
236KB

MD5
441234ef20067c426abfbc34c4ced5ba

SHA1
09b4d7e3c12f7446b655119e538c268c42d1de4f

SHA256
15c9edd3c6abc99444dc02622a386441d3ae71de28388ac3a9648b75557ddcd8

SHA512
59d0374427361b0d2940e3eb87c3b988710781e8b6e27e62cc64ae76c6d144fac3f771fcdb2c8e22c0e27a7ab7af1481328d8a93fcb4e470ac32fcd2bfbb4a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkEUgkYo.bat

Filesize
4B

MD5
9252487e85f7b2fb516b0e27853888a6

SHA1
53f130367122f52cb5070157d87af2992bd45806

SHA256
2e082b83b6e46d11561aaa6ebf022c53689d11f07fa742915d79d2d6b0b9c5c4

SHA512
bdf7e36a4f81ba094c3001c83458f81de91dc3fe5c39259f93a699440d6bc9d86c8ec1b362ed750850178d6d60779a1cda208e6626995148853d4b2226278c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkMO.exe

Filesize
1.0MB

MD5
aa6430169d1c29665844f8627aac0120

SHA1
e7ae6c1f489a11aa7851a614e3c23176f62b908e

SHA256
944c2f96282d0f5d41e5d4f1d6cf70f312ba7ad8075f95e6e8229c84b671ed72

SHA512
795495b1b038120255b60c8121c3d8d456bc9fcedaab18c61734e4e03eb3358243b5e8cd63946bfb13cfb694fe039214a516d9741e7104f13adc750f34c32434

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkow.exe

Filesize
631KB

MD5
3a423f42e4c582b2e56007374aa4bb50

SHA1
530a0715aabfbafe2e298abe3c5369cc5719a6aa

SHA256
046ea089293e0ee409bdd8bab61f0074295f4b91b6bf2eec7f967955bb239610

SHA512
addb17734aea91acd78c06e9602d229c4d9e08ae98e1b189ea4bdad674e4b0d093591bef49689efb0d51e63f05668713105da580b2409b28bed6abfb62362a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEgG.exe

Filesize
240KB

MD5
dfcbcec7288f4ff4e6a8dc803ec310c3

SHA1
42474e5fc514c512585d61a1c9ed19407f3c5cae

SHA256
8286e2c2de31b3940c746048aa6d96207d1682a2cc2d7db616f8e57041daa841

SHA512
3e88f37d1877f79adac996a41aa450e7ceb17627926ba9321de1f0a9f8234c0674478e014b9f7294fcbdda81209e5efb4b05f1a4c3f7576bb79445f7503ad648

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGMcAAAc.bat

Filesize
4B

MD5
343fbe54fb515e367f7966ac31b5c701

SHA1
b82a93db08135a6813283feba1134a3a48a97272

SHA256
fc551f2c070f185a9d0720cbb1b4176e8c65188049f60cd0bee5a15d5859ed1e

SHA512
33ca694251cb5db9d4096ae5ac3a94f4e801fd9556fd3f3b89f2a28b86f09a5c4b82201b01953f3d21e3ffc59da122a97d2861bb8f89d27b31343d117013af0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIUQ.exe

Filesize
240KB

MD5
f239424ce6d66d48312a4fba0c7669bf

SHA1
e6337f70ed7703f17e66476036bcb212434a4541

SHA256
1f4a4727e367fb4c7fc35188e970844982aef0fa8d5041d05e528388c008ea61

SHA512
2cb3f34895c253f381af6634574a002a27be34d3433d409651b8ceffcfb2a082e4a3a7aa48f3e859222bb8f5ee1981f478a825eaa543141d9dae3e5c0499de61

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQUO.exe

Filesize
237KB

MD5
bc772f20deee48f8db305b730860c0ea

SHA1
e6416433a8a359bb26273d7e75f286fe15de0b93

SHA256
5b4a2723b83d97930576f4956281952b2ed6a22211ce4d617b84e24dd5be46fb

SHA512
5f240657e46416604bfba258883568a3599412b08a83718f76a133a955cea549af86c0f51023b23c3023f4683599bebab44e7deb3488cc776ccf68af49e78786

Download Submit
C:\Users\Admin\AppData\Local\Temp\SWQUUUQQ.bat

Filesize
4B

MD5
8276f46449c6e21c35a926f82d7a9a2b

SHA1
667af1c1052a5d78c2b155d6d211b283cf7c7d56

SHA256
653c80ccdc634146d42197f72d5aec5a424616876ad7f1e47aaa9a3b2a7397fb

SHA512
bfa65bcd1b68042ca8d046cb3fa493809f08a8bad67d6da4bfcf205cb54711b5778b070dab9c4b14afbf50b6ea920b6f026b052c3953e09aaafee7965a4aa5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgwK.exe

Filesize
237KB

MD5
3f2df04667a4b3028ad07b53ec86163a

SHA1
f4379934076c2658c7e2b3ae90f98bfbfb0283cf

SHA256
a7575870e8294c67c9b05d0098d1dcf807f1d16d57ec8f75079581ed812866ae

SHA512
ba3e6b87a814aaed32c76a44b5ed9d18a193246f7fd22a56d1e83b9811dd0e2f03e4d27c043f942655a6b21aa9fa325eb00803577e249bd7ba2a1ce9f176059e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sksg.exe

Filesize
249KB

MD5
9d18ee4f7f807d546df34aabad8c6f53

SHA1
5b5d8265320f7dd919bfef2d183d727348db469b

SHA256
d351823f72c61b73dc58cf37d4d6caa063eb30cc2f8b49f4fbc56628494bb551

SHA512
90ac25ecbea9ce4da1f424c4a24159911b5b989f72e7888ace8b3acab92bf90d7570dab24ab77f9e483a193b57066a6ed474c1c13e975a6d1d452ebef575d512

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swcu.exe

Filesize
222KB

MD5
ab11c6c4e23605337a2cb80e6adf5f9a

SHA1
8a40bd12ea743426888ef0b99d800c58c8f14410

SHA256
1282e09961f7050387df980267cbd35d0b7ba359e057a8579715416b8a13214b

SHA512
74bf0b95c018b7e4850d47a1cf0015d31906c9c33b71087cc49aed0e312177da0162ed358a7e1ffb8c1940e7ca17a7ab825629088d23ea234077978b88b8fda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMckoAYk.bat

Filesize
4B

MD5
b6afcd1524ed88caa0d252ca9faf7a9c

SHA1
593f8b2ba5f586d6707989f54ede888b3cbf7a66

SHA256
b1303abd41f9f6b59fc114bbfad88d516f630c48a02d23064ddec0f2255748a2

SHA512
af50c5736593730f0d9b58d21095f7b8a87349bd420820187efe394b46ee03d961bd433e80d2c1937bb0a947e07435f2eeacb98d3ae6cfad1417273286a3a730

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYok.exe

Filesize
243KB

MD5
52d31109b2b426d6e69e6a3d01058735

SHA1
558906f4d4eaab43075a75da58d8a737cd22badd

SHA256
377b7b4baa997b868f965a47a4ee659d03aed45567a7de0548f8c7708bf51418

SHA512
2cdf6b766a4b6a94a6647a750e36672fcf9498a3a645fe7a45e66e4a897c5c54712bb596fa345018b5e80a665b77714c8508716fe4fb0a5556803fa2ae6fdba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwMy.exe

Filesize
639KB

MD5
8f927988c57da6c3e8bba86df2fff407

SHA1
74392e47ae74e31c94c400dd423bfbd356914fe6

SHA256
e8b3f34f555f6cfa13abfe92ccac5caa284be4f92dc90ffb7266f7ceadc182d2

SHA512
405816eeec4d43c4f6e68177d2bff7ea4afa67db5f6163b018d99e35067c55c6244e3cea951155feffd36969926a5d65c9753d45b32ee678673ac65b87d82d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIEe.exe

Filesize
231KB

MD5
617468ae1ab05cec75b27f2d4feeb832

SHA1
df208c12773aeeb826a3689d2dc72936baadc3e3

SHA256
88b8e31f4ee37cd0d36711e3064631ae02d431bae336ca92d81674bd361fcbec

SHA512
03c759887761a284a456ab905cf43fee0d9a5e26f7509eac3d1d7e8ce46c4ee60d8623b6b94317589ab6890e41e51dccd06a817ae20cf4f07e5ff642197192c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQIu.exe

Filesize
235KB

MD5
b6fcbf2176d7e4566344aee73d93181a

SHA1
6e23f4bcf318c278a9c37d79198ecdfcdf9c2a47

SHA256
611b64734e6fc993649b8697aef161a75763cf4d8fa899fc9b5d2bcaddc8a29e

SHA512
54f7421dd1f69d733fcfb6c8a57bb0eea64dd83bd59c647ed6b6d06fcaed7ed821fa3d91cbab9743093cdbc4c2a3c840be37b78e08bb5d314a8be5fd8b671a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wccw.exe

Filesize
808KB

MD5
83c37ea6fe05fc3b23e8f91ab1d3568f

SHA1
0db2ed98246af2a7e3509404fd035205dd7c1965

SHA256
c6ae1ef22b2861f2a1a22a1fafcaa8978a842d17e635e1662de9876dfbd58f36

SHA512
a55041ede1e12fcb1d2fb1510488650547812f1e9b655efc53d8e43912dacda18f7a00ec4cf3737b99b0d9d024ff162af75308218ff1ef775df20905103882cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAMIUEME.bat

Filesize
4B

MD5
19eeaf89cde8232e3f4690539d4c750a

SHA1
8045026f955cc9baa94577237571ff6c2f781977

SHA256
e48d20ad5aac939306b8478bd66225d7f4bb4832ebba22896a3fa792271ac078

SHA512
16eb3676531348a8fabdfb307a042a0f6187302c25928b60b036cb837660b0de88f217d8de5243f7af7d14885124f98701dcb4791b3a3d804c73ca4c72e24460

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKUAgogA.bat

Filesize
4B

MD5
a16168bac9343b51989982c181f1897c

SHA1
773a80bac00dcadd9f40e0c453ef711925feabf1

SHA256
eeba065092d6266feb4db58f59c6d57b7daca264445f4d90c5b96f5da95a6ecd

SHA512
a51616bc23d2cbce55ea24670e94f2d874265042c758680cafeddc052a699ccc633caccddb7ab9c5ee99b113df80352d546d52819807ad3ae2702a133cc6176e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcUoUQkM.bat

Filesize
4B

MD5
bdd561155635b18a867418cee6a528ed

SHA1
b7b4817a1adf3f218267feb7f69eb747938abfa3

SHA256
b697e7071e58c6738c252bc68818c84a74ae3b6b49df1a08c38fb4a6e02b9cbc

SHA512
15611701995515017dd6ae931a29173044bd0e42221daa34ab67938f49dec7395a2a895bb2f37afa3f17b3d50c5494d3d6b86bd1242f745b4b6af0c5e488c63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XqQgYYQM.bat

Filesize
4B

MD5
5704969c87e768dfe272c2b2f0d9a61c

SHA1
21448ee5274c40dd6710ba59a01c25b125be745d

SHA256
850d8d3016cf6901fdc455a108af5bb9752d680e0ec35a1bb444040ad74634c7

SHA512
af184066a1127bd550884babdb779c20595e033a60fe4137d03051a68f016cf279795e4805b5e8078e60ea4872b0b7f03845816954b6af36779a3ba32614509b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XycEsIMI.bat

Filesize
4B

MD5
8986e0d42cc0039d18ee4f88c5c63274

SHA1
b4ce4bf4e2205fe971e8876595c6e53a6b7ec113

SHA256
00d402512000f17a0aa98bad1ecdf035b8122119f5308b571237f6b31186e45b

SHA512
71c6d902c4c2627cb39e81715179af1dea28043e5cf57384575697b1a072ba10306965fb77f1a74ac8a8ed3b680d34557c42c1e241cdf56368f066ab704996d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAoO.exe

Filesize
230KB

MD5
585debb1af81ba61b68000d3b13dcded

SHA1
bbc30b968d81fef9ef2bfa0c6e631c6e81c039fa

SHA256
7ea6314ba987f42041c640c9654d2129d515a8284222c7c6bdf148e5fb16d7e3

SHA512
73deec20040e656529a85918eb9809810f1bf32b7eb5e14751f9c4e9337b73c1387664348a70981c81139e421e00d156c8313acd8041412e0d16d66e3837a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YqsUkAYg.bat

Filesize
4B

MD5
4703f5f98bdb78b6fa1659ef662078b8

SHA1
ad091f2f7e515d68caa2c12125dba18eea7418a3

SHA256
aec01ad81db33dae9e2cc7f29e87b3b97b1e112cc42e76352d01ad3f5b1d722a

SHA512
6c7744a3bc6b7514d4193a92def49de4e85e5a14a2a87e03c2db08f0bb753e2ef8c7b9dc325f464af095506b4c3ba091b328f20681e1fb9978859d55c1f0f926

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZekQsEEY.bat

Filesize
4B

MD5
3a5a4938b72ae2daac8991e37fdbecbf

SHA1
6cc5baf8c291a2bed9cbba600b4a684f76ae079d

SHA256
8d2c7f45d7337ecc1ea75de3f19b3b84296d7cc4b1eb4447e382caa09170ade7

SHA512
eefca84d87bc6e8f986f4f5324ee737d1f20588f3ffdfe152b3d479dee275107cf3983a6601329f473a841bd2603c8d4691c2c9f1ee509a0981c8376f618ff92

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEgq.exe

Filesize
228KB

MD5
38672eeb5ce345bc645264cad4102cb7

SHA1
b927f8a7f294d799ccc0413f32005470d1fee5df

SHA256
9b2e3b1979fee71e7008658b632c42805364abbbe77c53792f904ef58f66db81

SHA512
4cc7496af317e80f2c687b7ad5d7607498df9b947e793451bf1b6e5be92ddeee373fab9ea28e9ccfdb55d4a4893aebfd3dc06a56beda6749ca31a421f9ee0d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMMq.exe

Filesize
228KB

MD5
26ceae6c51d99c970da326562e5f6060

SHA1
16e0157e965d0b71208dd7dd2098e41981e868c1

SHA256
2b70b71313cf9614dd27f27cede6ff396e2d9f9ef4af541c13c6321796038273

SHA512
41f8f451991a50a7794f09c5c4a8a5e87f36629fa246cfb90cc2735d7f86d608741cde901ef17760409823c594981ce04841b6ac7fbe22e18579a48b55d72727

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQAm.exe

Filesize
827KB

MD5
1be6df98498d3cc73f7ea22239145c30

SHA1
f61717c37d8356e1749e5ef0fbf8cdf09b6ac15b

SHA256
ebf8d23668b4e6ffab092896db81210f4727a8bc5794f5e6f7833e0e484848a6

SHA512
f4b23ea2e5ce45adaba34f8db13d09dd75068b2c5be2ef3d3f332b0c0d1d466c079e5b6b50636eb81916926db6e19cd899ebc746cbd1cbd27885f23317a08ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQcA.exe

Filesize
1.0MB

MD5
68e3beb0b6810766b85afdb7db1a53bc

SHA1
780999e6251035a5ada15f1581188486a5d87dcd

SHA256
4952782e86f67029103d8674a05b6a018f0d9f7888849432bd0a99660b47f268

SHA512
2b3aa51295c554811b77c070e4af0d4386d2e8c165928668002203a79c61ee0a47e56be5dcd3677efa5cf87ac364d733e0e6d9477d6c94de3594b97321cbc098

Download Submit
C:\Users\Admin\AppData\Local\Temp\ackM.ico

Filesize
4KB

MD5
0e6408f4ba9fb33f0506d55e083428c7

SHA1
48f17bb29dcd3b6855bf37e946ffad862ee39053

SHA256
fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67

SHA512
e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914

Download Submit
C:\Users\Admin\AppData\Local\Temp\agUi.ico

Filesize
4KB

MD5
68eff758b02205fd81fa05edd176d441

SHA1
f17593c1cdd859301cea25274ebf8e97adf310e2

SHA256
37f472ca606725b24912ab009c20ce5e4d7521fca58c6353a80f4f816ffa17d5

SHA512
d2cbf62540845614cdc2168b9c11637e8ab6eb77e969f8f48735467668af77bc113b8ac08a06d6772081dde342358f7879429f3acc6984554a9b1341f596e03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\akkQ.exe

Filesize
248KB

MD5
869b5b7bd1383520e39f75fdc1ba592e

SHA1
16415ee6cdb08345c97bf52b52997561f099794b

SHA256
0bcd0e37a44f977b8c4548e705ddf93801edaddc4da411eb33ea1f3d3c477331

SHA512
dedd8f35b1022ae0894c499b94499a1b2413f97f188709f521e753e8bf06ee083b0995806995a19533ad0e5e455665ae3873d0134c25666706e62525a4a639f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoEW.exe

Filesize
238KB

MD5
a6deb43c0ff4aabadd08bfab7aabc404

SHA1
2f2cb799691e919a3341040c9c68eaf3f0773eb7

SHA256
ddf1c90bb79dea6e9747b05ba6d31cbd36b9cd5b598427874ce688f85536f9b4

SHA512
e6073c502612cf9d04e92a1382fba0244fce035660707fe06ff350dfebe0a52e7391fe5fecd841ffa9abbbc8fc91173aaefe68726429fc2b2c97e671efc87045

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoke.exe

Filesize
247KB

MD5
4bc89355c21020ee2ccee39266797758

SHA1
6f09b6906e898a1a424dd20026c36d2a1f2772d0

SHA256
76748ec6a317fb023698ca545bd5b60a6023a4824615caad032d557cb6bb14be

SHA512
d6c5b043293daf610eeb6e47169ad8ebe98c8a15260caced5dc167106b21e94c1b397a4f73401e99accc43570d14431a65fd861b1d80f5794c8ed3af306bd0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\awoq.exe

Filesize
944KB

MD5
47d685b2752dcd3dffa18a37dde1be1a

SHA1
5017afbe7ce7ec7a763821b0ed04330fed67f490

SHA256
0f2da565d489be89935465a3390ade62f5d144a11d5a5e7d6b79d488cf0655ae

SHA512
3d7542675a4688645afcd407293699af3980d7cffd6f9f49e02a4114f9c51e4f925c1342e77321b5fdf14aeab380d9091d4d75a9665220b07b52d37c5bbb04b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\awwg.exe

Filesize
230KB

MD5
619ced428114ccbd77bbb733d49ceff8

SHA1
502591c4228199e4cbcaedc717b390b0738fbc10

SHA256
7363345f2dd4792fef24d106589b85d94031e23fe056477f74f82ef3f9659d05

SHA512
895660e22ad71591ccb7348d6952c7c6165dbb6ba504d961195a793cbf8b1fed8ed73068ddf6ea887c05d5d07d5e9b55ab3af9a075e8c3e516141fee78985518

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAIUUscs.bat

Filesize
4B

MD5
00ca78c5ded5f8f8c2ae3f8812b2ae94

SHA1
361280f07d49affdd83bb6ffe9a8d5d952136b95

SHA256
d51bda20c9cb2b37e219b2ed63eedcd1cf1408b9ec248c253f20dc6ee9e192a3

SHA512
2c47341cc82d9498704d2709adbffddeee39823c0d6f8efa22ed6ca9ac442164092ee303338bca02748f4c86f0043a9dff6b89b253b926112bee31ec1067ec3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMgM.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOAYwkgY.bat

Filesize
4B

MD5
1b2891849e17a67e027832bd80dd0b6e

SHA1
c6ea2a9afdcffee157286c54bca959a0eae42511

SHA256
aaaf917a20ebae9e0959dadaafe02b5337066dbab467dadca364dcac2c058411

SHA512
19886e8cd1f99f04449829f0f9af16a9dd12c97fcc326d22e42546a70a03a1bb0b8e2f0b83b1cad11cfe89f78db1f0501aa2da927196e90bb63c1a0d5b81e24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAkcAAEo.bat

Filesize
4B

MD5
df5d8be477c37677c185c8dae900fa12

SHA1
fa8981b51b440e0762378c90473c1ad01019846d

SHA256
7f2d2ef91a44ebdc50ec8ab229d04946db421dc4eed55d0314a1ec9c506f2605

SHA512
f9c9bcf6ced8136011010cb2b99952925c90724ed03ea104062ac9aeb0071c91119dd7a3b9b178b7a299c66e9ef4490a6c1ac8762fe10aec4995526134bf4693

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMUUIwwA.bat

Filesize
4B

MD5
0bd434e8fab9715d92b3107b5bab110a

SHA1
c7575ba7dc2b2034306ecb3f6781bd8e28c00026

SHA256
6e561d95c1af20307e1fbd72d1a52789b39ab904a34b410958ee8470709769ea

SHA512
9224f936f8c0bfb0297d8b4f8a26ec9d83bc0ad77ed7249c941914b50ad42324e0bbee1f2eed64244f31771906ba26aae09bafac029cfc344db001146d776a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\dOYcIwEY.bat

Filesize
4B

MD5
226a70de34272ae34f719efba59c8c70

SHA1
c9af277a9305897f1ee7e6db103fd63170b3200c

SHA256
813aeace122b84438342cf4b904c8b9310f30ee3933138678bdc9f5ee3666852

SHA512
8c1fd5be5903824b3b1cd37263a54a7443a7e547bf51d5e19d0791fc21798415506696851673dbb6e2ae41fa8421c2847b764710acc11bd43108528b5c8a18b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\duMkAYQk.bat

Filesize
4B

MD5
3d0d58fb1a527cb90e060801f2ec5d4c

SHA1
9f5fb88c2dea4e68f5db926f71160680a9923e7d

SHA256
cdda8e4db36d72e067217c0fec59e58cd26fff5c20f3b279d43637f363e3f07d

SHA512
48f98a784e7e23ab9aabc9ce654688063a3571945bb01330e917885134022cb9782688b7361da0f70b14b2d60f54f6df395be83eb900ad8e49176d9568931cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAQo.exe

Filesize
247KB

MD5
98467866ac78261a4e990d150600e9f3

SHA1
eff160f49ed8a76f541d20f52f2e32e39dd9ebb3

SHA256
dc5605c203d0a9b1dff57f837d97b641cfa8915509dcc957d0a6d8d365231e64

SHA512
72e2630db1f103636f2884ed32c8318a122c95ea442fa79f7a77309c1e0275f58b446a7a953b9e18198afaceddd183e798da2b75c21f9d79d02c0ee9a48a45d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEMU.exe

Filesize
246KB

MD5
1c33d0824868b5fd63d21bb2fe03494c

SHA1
cb1af0d9de8e856da9c622f3b849eadef6dee5c6

SHA256
c7088c335afb9e47d47d5e44a3afea29b7f4e9929270fd99db3c0075de27d858

SHA512
da24088a80730e79d5d9dbfc014fcb600d858eaad89d252612fb34bdc5a7a9b0092048e98c4e7c3acdc43f39105164efdf91166272b3ba7fb4586b7656a76272

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEMa.exe

Filesize
246KB

MD5
35c87fd91c1a4a2f4937402caf47bcfa

SHA1
78b1dc7b23bce2ebdd88ebaff7e2b1d71edffade

SHA256
2352e21c30277c0087a8cc11df9c142b43975c4e090e58c7478b3795de505790

SHA512
d3bef1902cecae8b1d44ba4ff7fdbee4a7de435b2c78666bc37f146b3f76f9475e9bd17498e1236f1955411a6ac13ed484100fa35cabdd39b15791a53852ea00

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUga.exe

Filesize
926KB

MD5
48124c7f5182ec3cd13b21634ba9ac5c

SHA1
822bf22b562798a68a5f21d9fe0da8bcd4a60b1d

SHA256
d835d4288726742eee2b3cfdfc88cc9daa9c7807a8f37e8d7c265bab661a7aaa

SHA512
d4104f3ed821adb95ea0f412fdc9eb63ffd07ababe3e37f61531f796d263419fed65cfe0a6cd7022811bcbeaa870585dedbad369a892403ec09df974990050a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecEU.exe

Filesize
240KB

MD5
43b686fb5b64718bf4b262dff2bf6c0b

SHA1
f72a2af0a7df76990b970dc4a4ea3bff29ae1952

SHA256
0f1269a2ec917f4694cb8b3de69c132e5beb853ec08b80a1a6911358264f82b6

SHA512
9501741b443ea0c4c2f9d8cacc1237ded6e085a0492e9ca12fac9810e596dcf60dd9878b068049fa1452e1795330fc378136ace3c53d1656f13b3d4a7572f055

Download Submit
C:\Users\Admin\AppData\Local\Temp\egQS.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\egYu.exe

Filesize
241KB

MD5
15c68fd3140d6c437b87cda2e1be7db2

SHA1
e4668e45e8afd13944ce375c0317aa1860b341b4

SHA256
b02854ee6e75f5d089354b2777ce857aa56020279c84574526e34b7f7308226a

SHA512
47fad6b40cf7b0f5c2fcee7a9bb830e86d913d2303c6978ab2c8b8d070fb3d7ebdda371ba91994792b683ddc04d74d801f927737bcb9baa1098474dd2a62fa18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekQG.exe

Filesize
239KB

MD5
ae9acc7f6027e8af852e11b2b3733ce0

SHA1
37b33cae1716248c963c9636efef320c02695469

SHA256
515d36c7d890d20af5de0441a44c5a69ab86443f920e88cbe16e8384e08cb45e

SHA512
d41101a0dcb01dcf9477606b7bce817a82850297effb1f1b0d0c021fa726bfe374cc283fbc2b63e7858a2e635db421ef5bad3f537096e0bfd62a6913a6b3bdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekYU.exe

Filesize
244KB

MD5
652f0ea4dc06deab59c8b982e192405b

SHA1
6e1621eeb0798ed6ed33d6a7b5ca9dd14ccfed0b

SHA256
d227713207111540b247386cc2f2a34019af88a617cff37dd0c3b52b90bfe7ec

SHA512
7b190c3374fb33db7469fbf077b67c2257a8bd48e9d21c82bb82268c64d41cf32d4433958bce6070d9c47dd76a3a44c57ab83d4a7cf87d6a9a92c32e5e7d527b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAUYUUUk.bat

Filesize
4B

MD5
2edfbc3762de0f5bc25894c0d59fb97f

SHA1
f11d76b4b82a365c72deedfba1f6427265113da5

SHA256
e4b4a42b86fbe6d92fc7a8066b130b565e61f1ef2c2ba2041123c93ce759dbb2

SHA512
0a604247d0b9eda33504293f5e0c30d14e62631a3fee7857b1466c04d4a32306521e01284390456348480e96d0056962ec99fbe3d377dcaa39797a42c3865ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAYK.exe

Filesize
4.8MB

MD5
e34e163ccebc9fb9812fd644869d3a06

SHA1
b11de9377ed00213d63a0458c89f30dc5fbb1b00

SHA256
52c3a0fb606f05ab409810ec9a88f56ae4d433d80b793f64a06b5ca3860cb1d1

SHA512
4e392be5c48d5dc5ed8d23deb847f7adaa4caaab87f7d1c55c5c5d58422def8076dce44c404bb899974f6e5d6f072c79f9bc837c265b9e7f5c13439d34b94373

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMEw.exe

Filesize
238KB

MD5
4fc2af7434d5a2c16ce62e66ce05c0a3

SHA1
9bc90feaeec5cfdb058bf8a87f5de6d24a85035d

SHA256
83122485350aeac7b25f4a3f4410607f5151f195abab53403c1ecb306459e850

SHA512
78484249e6f2ea0e587d997248692a616ac6fdb606995242e616dd7b7740fb0411154a0a56d6a37582330c4934fde8045ff281910ab15da21a0dec756de5beba

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYkk.exe

Filesize
239KB

MD5
71d9ef1a16bca97fa4ebff89009b362f

SHA1
ab3629ea3dc22b57d791d427f8b8d95a634f0e3a

SHA256
53bff2305fcdd485635a239cd1df38bea7e1165eb63681f46cbcd5d1bafaf74d

SHA512
86a7a84732ddf9b70dfd5c6e624e559da90c37abcb1f4e0a59498436f97ba3a65b4d66732c9bded4256a17a035cb4eb0fa37d5830dd420236ffeb24460dc951b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkAg.exe

Filesize
224KB

MD5
b97d50de1560703c950e5c271bc7e887

SHA1
03ef1731eb27bd001b849b62efe2b9ed86349cc1

SHA256
a6102649252878161935ee0b543be723e652d8f73479daf0224c879815cb835d

SHA512
e5718c844c73bbfb1ecf402bd8989209d3570f0fb3a10d9d60b00411e6797faa2b68612521590741b9083e56f06d7b0abb996c0a4de84f4f6db0a751c0489feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gooQ.exe

Filesize
641KB

MD5
5e3e838fca815209cdb2ed02359694dd

SHA1
b3efa990873659a1fb4450c83381223cfe270169

SHA256
67d6be3de30c315977f44c330e63f1e41b25cd2c1c856a6430e8d8640d9b633c

SHA512
0a06cc8dc88a6bcc7b9bc1224c1dffffaf2c6eeb04a5a4943ed6368da7473e34d5add22b02480b32582e0fa59c1d457465e89ba1c8fc7747003db2048497566f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwIm.exe

Filesize
242KB

MD5
8baa90754674108dbef787dffca3abaf

SHA1
040c6bfe6406910de0ab85c5feec4ef4d4f35b83

SHA256
ac3c798071f56762dfa7e90061f073ecc2a5741c066a253c9c4abf13491ed2f9

SHA512
7b7a844481f8cfaa94bd9bb8e963abd9c0507f9e9602784e830019629492e0e8ba30b7c7e98e46f3d2e4bf57347280154a998c7298a108aa44df6fdb9c539e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwYo.exe

Filesize
238KB

MD5
c9c5a347973de7141a75bc144facdea6

SHA1
d98bd3583e0df887b2a9d3c9804952591839a8b6

SHA256
6f71816a0285560f7641c31c9d171e603296f6acf726a67abc49c807010b6775

SHA512
373a9baf068c76dc1602501cba31bd75f22083124c7ac981b564c97999d48ae173ea271702dadcfc90c96c739b818108a36cfe2e386c8ad623cbfe4de86f0e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMYIAYsI.bat

Filesize
4B

MD5
6c9dc4681924907f0cdf7edfa16974d7

SHA1
977d9d7f7ab532a13fa97846b43a87642aee966e

SHA256
d4c68d2174bf24abf939470951c89d5da45c9ca005f3646f895feb2aa4538dae

SHA512
e6fe4519edb4d120c98790659b6d6c1cea48d4629cf843acd026cbcd09f2ef6db8778405c1c553085e4aef42e682d7dce745edbfa550d8334562f86fd6a3f8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIIi.exe

Filesize
1.2MB

MD5
0fb6d3da9d101bccf641db2310f48f18

SHA1
fe5f6e33ac26df46a31fd2148d59d9f197827f70

SHA256
2b00c064c91983936a75484ea4a17e805de9f73b3137998ec55a28f96c098e81

SHA512
63e8ef017b7123febab6d69d14a71fcac39f552089ddb66bbb3d859fafebff97ec5a0914fd531d4069d5a7691d9be0d36d607fbed44329164eaea04be6ec5ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMAc.exe

Filesize
330KB

MD5
e74f7b92c67a218b3deed1bc23777134

SHA1
9f515ec6f37461d6d160d3135c578e846652e112

SHA256
5cf832f630ee04bdc46db20d982ba275b8d47ba5e280d5fa72d291bb1d1d82e0

SHA512
b1c13cd437caf57d79ffcc44b6e8bee9a2be14b1bcd1709506f9ce8195381973d995072f3ff0d2ae9ccc87ee127545c00c2e656d9729b022d843145ecc20b84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOEcUccY.bat

Filesize
4B

MD5
564b781f92099154208bd1b0f5fd8f5d

SHA1
e4d1012891fc49cba0b77b61bc0a6108398ab10c

SHA256
5fa784f704bcd2051e06f5b8e1422245208c721a79f1a353a2c464ecee0ea2b3

SHA512
96195c419169c11fe6f6527fa6275fb21682ea4e6053ccb0a27fe8ea974a0429d6a9528ef7841aa9e43d512260315c5f08065b43f348c8593dc83724e7379797

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUYM.exe

Filesize
4.1MB

MD5
f3b81a2f8fc42615c5cb5cc26e542f48

SHA1
18c997412ebc84603d54b70bb0d23d5e21f6f7ac

SHA256
0eb05ef57274254d198f173c43e7540ab056ca0cf97f69b50e9e401482ba638b

SHA512
70eb3caebfd205bfacd128e60e89f021ffd4bbd2e5d9418e0c07e85866d5e6520a47f847a55e89e79f7df99a9ef8d729bfafcf19c35b96e6f27bb68757a0b46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iWooUgAQ.bat

Filesize
4B

MD5
0ccbd042cec5e9a73a40dfa5e1eddcbc

SHA1
627308a5d102ee5aea5e4bf764a547c1d285109d

SHA256
5714dee47d0618fa53b4560f26566963a5c34a9f6b3cc8f1b53b85e55e2a3641

SHA512
23070082d3fd4a889f996ffa47445b23a04c903bdaf2f11159ae6083c97a95ea969c782b0e723fee6e479db723df075cea96ae18b274eed8746a5e773366c25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikke.exe

Filesize
250KB

MD5
ff358bf77a1bd0e8bbe199c162df4cf1

SHA1
8d527865410337e5c156dce45504a908d643f848

SHA256
e0eb8ed73fcf7e439f586dd3bac51166413c41c58b9bda6300703167ca430833

SHA512
1375be0ceb6b941be7bac49dc0c336c77dfc68485e62d6f50bbc759d9ff92490bc5ac56a9d83450002af4c8c5996082a389ef5571154b0cb5c9e7f530390f5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioAq.exe

Filesize
324KB

MD5
c3f77f5a87187968173a5f8df5b0ff62

SHA1
eb7cb32db752b1e057908a88493402f5c929877b

SHA256
c265ac099907766fd2ded3f4d60e2d96d2ed956570fb286de058fd08ac44b68d

SHA512
53c521e50ca08726580dffc68a3a042f8ef0dd3f196d85772c74a987164760a2eddfcd594ef4d3f33302b1aa3f8c38d61b83b77a0e6333eba44042e6c21991bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwwE.exe

Filesize
230KB

MD5
f666e7dc89ce721b0c972c157459b33d

SHA1
c72b1a99039bb6ae39486e500bc50141b6c389a2

SHA256
f2bd1b3b94a796f31e42ce920bb5e42f78e272c24f13a8ffddb75adfe3ae3725

SHA512
baad237f6da063f31a20e5423eade3e5421ddb2aac0de5b743799259d8f999694051204b042f4849168a9340847cd054e3ccff46bcd83312945fd873804aa582

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcYIUYEw.bat

Filesize
4B

MD5
e81ebc2813abed2c32dda36e8722d13b

SHA1
88456314eae7ad668400bdec57d2888967790db8

SHA256
ee07a97e29c26569aec280a8f21bf269ce2f02d8c552bf4e314e6e07b252a6e3

SHA512
66377d609f263bc0c9ccc0fb82db308a810162d8e260a19ae41442b0700faaa302a6c9a01870c5f00fe74e3b310ff85f80e94138da4c298c36fee28265406f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIkg.exe

Filesize
228KB

MD5
85a840d868feee4b50b545aefb1861bd

SHA1
a57d9397ccddc193969d0d87fe7dd5639f98ce06

SHA256
73f04e438e90fdeed5690a918595eba447458f2f48b5cb3b08325c1fa3d17f5c

SHA512
dda0a475ab8331d4c07790c118f12658eaaa22aa95547e71560859a685903495682c3cfd84de78e0f0ffc6ab182c0c0a0fb9a5594c265774537b23838035f2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIoM.exe

Filesize
230KB

MD5
6168e73d6766dd991e55ae0e68fe960b

SHA1
c616920fc7bdb235893a85e17c139bca4271fb08

SHA256
7a74b41006f1b5fcd1ea2a2deab8df85a2153d032147cd6ce277713add87ef64

SHA512
5837a8ff5c90f43b0ab978283c276128aebc2a9a5597604acc197a2c00f02b85ec93d480003f1a0717251d761ec7afaa90ec63241163677675f0f414551a1d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMQAwQAE.bat

Filesize
4B

MD5
7b717d4de5c990dba6ebb8a8c9cd4671

SHA1
cf4eb5fb2f52cb876c1b5411659869b580a36a50

SHA256
8509183c8c6991a801032f1cf9341d5f778317018bcea363d3c0a8757bfa30b5

SHA512
0a4c70c31fb12504b9f304671f77a30b0e467c3f54dc4a9ab36ea05399b5a9dc70a6562d44bc0202e955329fcb26fe23628a53afc6bf9e2aaa7716702a346423

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgUE.exe

Filesize
706KB

MD5
33cfc99af7816b5734fcbece29bb2123

SHA1
59773af28114180c5af99e011d7f7f80e897587c

SHA256
106b1796beb33d5d805781d2612278bf30f1df2700f959440507b25cc9030296

SHA512
ea00871c1b8969643393632366ce9d5846b6062e49944ef22abf29000681398f71fc536214da2f4df67c583c4233f1a5f1b09e52c718f38958c1a03558450744

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiAsQMgY.bat

Filesize
4B

MD5
ca74df6ee1f045b66b104c604b3417a1

SHA1
4f1ef754c623ce77c220b2d2b4a79e0c87829eda

SHA256
684d4e27236ee559ba3ede45b94f5efe06209f81a0e09a38158eeef5fa8875c8

SHA512
a38846db9ae1076931324ea1f311d79da62566c47a66fe2664362664ef724826236f5dba99dfc4e5a42ccc5f1e733fac8787be416aa9f79399e47f674aac14b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkQg.exe

Filesize
824KB

MD5
7fa36b97bd6d9f7c45e4360524697179

SHA1
d338b0c89a664d35c95a7adbd1c3a5dd39611763

SHA256
4f82d723d1862a65a4476cc2b6f025f4231ff4937fff365cd0c88d73b0ca533f

SHA512
c35660f66be1af780846825d6fe81db7aec179878d7550ddfdf2b7eea0844aa4edf9ec0664aa9d2d5bb3d54f534b9a84a6c7ec15d0e90b65d3c0cbb49ab138dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksYQUkAQ.bat

Filesize
4B

MD5
2be5416f7f97ce381b11fb35cdf4edbf

SHA1
d899e17b26542f33a95861fae843b37f8432bd5d

SHA256
61fb4d3e8f17790e147efc48e0a30cd6a00b995984ddcb3fe2020e95d280607f

SHA512
030d0e1458b02781cf85baa66de26cc40148e2aa04ff7b20e3edf0d28f68f9071fae120c701e48ec862c000cd68d0ac75257cd0b941958c18293ad54b15c0c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kskYQgEs.bat

Filesize
4B

MD5
93bc3efc5019d70eb5341e5c5635abb7

SHA1
e38eed9b3356dab1dea61a9c19b6d18a8ffd391c

SHA256
099b05bd347964a64782d5e4455ea5a695c1f6a4f6ad78d5daf4ca6545227f66

SHA512
63ba63c0601dd6b7e3e05bc2aa31415a30f7f09c4fb94defd5230716f937da04e17643a5c17bba1df0c046729d87df540752a5fca20378488b02f3a508cb8369

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsYcEUkg.bat

Filesize
4B

MD5
59357d7c86375e3fb440d466c94ca51f

SHA1
a51f624321f95baff968e7d6f3687319ffe93859

SHA256
253117cb1e23e7a75943dd5b481e172f055a66fa4337aa681a81121ddce4383c

SHA512
264c9658ea71758d5c753f00ac64fe17005ee2b1888aa9e716e40f84d059c7b09a7aabb821eb959eacbc7208d528b160de7b8d57d78d4c81c02558ddb8aa37a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIIm.exe

Filesize
247KB

MD5
bf826ea84ac71aff655b8053e2387c21

SHA1
2fa8b9fe145d128321c415b99eb19259177bc587

SHA256
52f4feba37ee79ac27b1551cc32d7551a8bc75dc052845b4f7d76556475f4487

SHA512
249aeac1ec13fca17dc33094376bd1a5fa3363dcc77ac53775c029e8b52040127c49bee03210c6bc0709eaa11a5deb0a00cc661e5bf538ff533371277398cae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIcM.exe

Filesize
209KB

MD5
0fe0d0fe7581465af034e1c827aa1765

SHA1
224c79aa2ad0116f47c05e20fed5713bd68fe2d7

SHA256
76db782e2867dfd44d9510b2d3dea241154cca8650c0b2a65f80dd2b6bb69f36

SHA512
c9b90793fb773491f7eb830b66fc9297edc9a3d630cd0d540f925b5991f5aa102dc4ffb5a295bc9d79f74d2ebf8d822aa5907e276556311175a089a2e2766c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIkc.exe

Filesize
227KB

MD5
0719da8f710342a6ba3a6f96f1205686

SHA1
fa4e64987f1d68d8a8246f9d3b05161e0cd94705

SHA256
731af9b2aff56733b23589700c9f9eb0cf162611f85d86ef253a4445c7a72db9

SHA512
ac30fd330b8d8a8478214637047c5890b3de7fe2afd9cebd19156da47c7826d1ad74d1bbfafa599d8618015600d7d0912958a39fb532a3079de5d729eb4081a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMAy.exe

Filesize
233KB

MD5
b6ecb8154d7f8161330e1a23111a355b

SHA1
82f849c55274d4e5cc1a3530d59e4bb4491a5e63

SHA256
447b56f6ae13ca448b179ccbe756434c5dbf51a50bed733105514d211ab5026e

SHA512
436735901fa262e2bbe849be2c7a1645e68e6b62001bf22f755c64f08a359f013271a8891fcc9d10ffbd52e39f8c08df9a80e73167231b7c902dccdae6e8aabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMIk.exe

Filesize
246KB

MD5
96317699ba24f119c2559f2a805fde06

SHA1
dcccc44877fe0880bbe430bb5c87284aa19014a1

SHA256
593f68749a4cb81eeaad6a55ac01d537a8b79148abb9e6e17901c5a405779ccf

SHA512
2b04bd7871ce58c1c22b5c65227e39a4c575754a0c359e7596e62a3f1820da28ab646e42dc19c141eeeca65a32dd86fccd62853b5f2aff623b30dde86ffcf683

Download Submit
C:\Users\Admin\AppData\Local\Temp\meUcwAsA.bat

Filesize
4B

MD5
70d094b2b075561d7861be335cea3bb2

SHA1
d8baa516f0c237b267f133b1efdae58ed4ac1660

SHA256
243038485f99a736aaff4460cc289d2043cbb7628e6883b1eb0a5431ba54a541

SHA512
17e5cadd3eecfce41733b4d77aafdda2f4b671035a6c6685f59a4b362da34f6c04604b97f6821abfcc8aec074d90b62a2138470cbd0405fae9bbf58c1e38b358

Download Submit
C:\Users\Admin\AppData\Local\Temp\muMIQAYQ.bat

Filesize
4B

MD5
e17d166d1d314dead02394a8c18fdab7

SHA1
2d23afb5947d76d7a635afd6878de454e920dbf6

SHA256
22e5298638a1899896b8367601c5ba142d2212ea2c4b78b7f474f067cb56a381

SHA512
e5249e75f94f1e958f8321c73dc4f08cc4d57842bdacd1b7a780ca93b847d1885b9ec2407c82d754172dc792f5160fafbadd565b3e7d4b345b9d63f6eff3a104

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAUo.exe

Filesize
827KB

MD5
70cf3ab6174a07987f6335ae18860e04

SHA1
5b85a2cf3786cef49155c126d3508c5809a09a42

SHA256
d47cd235d6fa66bf8bc7826547d5ec9bb56737bf09250227e3e4367c410624f2

SHA512
be8971de921a662b81c7a2e2464f099cb614e325c35b208cbd7d3e30214cef13558b07e43dcfd1ba05a1bfc437ec7aabb6de516506961e98d7b3b9cb8ead308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEwY.exe

Filesize
8.2MB

MD5
8b89798a4b1a1fb0f2ffd9a87b3443fa

SHA1
37e958cad2494784bd4c08ab04e82aa672ac45a0

SHA256
c7b1957456b0ba04cdfd8eb00b55944a0ff481bdebe19d28ce0b29da0b6c56ff

SHA512
3dbfa241b2c3abae021e40becfbf957f986c88af0c678fc0b509a8826974b10b688bf38ff4c222ecd15a6d548785c540fd6b1541a3d7301e1fd7adfb8e01a68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYIy.exe

Filesize
939KB

MD5
e43c5e14076d2c8902cc0559e416ea12

SHA1
611575328995c822f8e5096b750bfb8000d64c56

SHA256
eb80deda5da2f112434b68d9bbd36b339318f8cc0becb89dbb5b4aa874927a74

SHA512
8a037ced6eb14ae0700d12bfde87844064697850abad5051d3631b937a5d755b82b71ac20a33da0c7f35a94c01d2fa56db8ac2b78e97a31c0300f89f77710153

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaUgkUMI.bat

Filesize
4B

MD5
a725e60bf2ee36f90ab9f7c47e8a2a40

SHA1
05253828ed28f3edd08661a0f263fe79fa31b3c9

SHA256
75a27e1ee25c23f2023290e5e3062106be77a13a4d46e0487c7b2c7315fbc694

SHA512
a4ee31128d2832f72878ce2c53f304cdf8fd8035539bcf463291854f47ebda2724945fd918de8f989bc17f8455131909b5fe1f451ae05b50bc030f42bc81fb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocAg.exe

Filesize
247KB

MD5
78e90fb8261ae480c81dcae15596c28c

SHA1
60431bfb288ba6b094def34dcef5a58f73a61d26

SHA256
9723f619682bbb5fcfa6fbdba72b574a7e9c6e64702e8f12c88812f44db0a6ff

SHA512
8aaa8fcadc4b37be9baa816cc7206296b3b0cad515f23f65f4bed746c4512f4c3c235d466fadcc8d979e40871a87048122236545a081deb9ba9730057cedc297

Download Submit
C:\Users\Admin\AppData\Local\Temp\ossMogkU.bat

Filesize
4B

MD5
826254607b258d0270cb20b7568d3129

SHA1
8d633c51de5f9dfdb8a0c09eb99b57b18d1b2a74

SHA256
e887319fe6ed34f23390411e919c810cfa1c3864ea4cddefd6477c2bdd1fa310

SHA512
1eed742d0b81190fa1cc0903b77b8e484c0b7874a8424ab39e64225fa8780791dd8c0f6a2fa238e4602da20b012a5bb753cba5e0b5f64546e883a35fdcab9e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\pWoEwMgw.bat

Filesize
4B

MD5
a00fe5ebe7760cd965a9d4e017eaa4ca

SHA1
374671d17f904a79f21a1201ab40a7a7d51da349

SHA256
a7ea3eda2c9129e0a03873f2f9d7ca455e05beacd49b36f19a9c62561c84b26f

SHA512
1f16ee7d82fc64afec2663c6db01ba92e20371f3fbe0a7816ab0400869876c86e3ce676ab987d004bd0413a14564034c558388fbf846d8a4d47afd699dd3e23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAMsswkA.bat

Filesize
4B

MD5
a256554c82cf2d12d53789008e399bcd

SHA1
2e0015ab9c31d4a3a1689ce268180eb3f5526363

SHA256
73bb5ff3ceb0122314f4c4bf8753db3c085a2e6351f2d0f81d3f0163319a7871

SHA512
b802cc3ce3eeee810f8a33db95c6904568c56f57c7d0c53d0e8982ea3de59093684f105d9e277be40600149e191ae01932c95b75c21a52a785d9280301b84fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQkK.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUMC.exe

Filesize
235KB

MD5
7114cf4195f87b6fcf4ec2469d21047a

SHA1
8f7810b5ded658ac7e4b8a466a56e18f82d61f15

SHA256
009bc9030f329c8478a6b716395ae4df5cfa443d7f02461d02dc2bc50ea323a0

SHA512
54d87a93f68dbe87d6cbba6bf9abc4fa04af2ce6cda3bf9576ca5155943272823994a9fd5c399e8766f377758ca15e7fe5374e39ce20ce042b43eae0ef357995

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYsW.exe

Filesize
474KB

MD5
07381120a2bb8c0eda1e879f96332654

SHA1
bd9e97798b245a3a918b3a7fbd23341c5155b35e

SHA256
001e0a05090bbe53fe12c80f5961f74bd70063a60e192c9cd5bab40f32ba2324

SHA512
62ec672ec29839c92630d81ba60d880ad3cb73d184302a866aafff33983e438fdddacdd274cc0401abb37065b7da812595963c2ed828c8a74f351593b5a62db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgoa.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsIg.exe

Filesize
419KB

MD5
e9473cf5d67605dd55038030895e6a2e

SHA1
58ff820ff0ce87bdf0cc240396c0ccad7e46c0fd

SHA256
e9e36bba401a6d23fb8b07332b314e78b43a39c7a2072c83b3193252bad3c294

SHA512
b8b4af2adfd30c72f1a0eaf49c339bf325e039c2f8bfdc7f550c2b7c23fb7268e47eddd32b70425facf090309b924b5ae218f64d632b5f1dc435c6ecdf9579e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qskY.exe

Filesize
1005KB

MD5
07de465279cbaf8dedba2d552a550d19

SHA1
cfa73aa3967e529b295ceddae8875291e498f676

SHA256
0ecf7cea922293fd84798c362449146b86801e2d63dd41f8887b2e360a21c9ba

SHA512
92c00675d59d79607e24b4806bb0b8a69dbea329aafa750f88d816019f7b5ee1d8a60dd2ef1638d96ebd023e3ce655375f1319532a45f5a3d3a6d7e172b764b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\quscoMgs.bat

Filesize
4B

MD5
77ccc4565d3c96800d1caeb4aaa0184b

SHA1
161aed3eef305dbd2e5a61c2f9e3352ccf723fa5

SHA256
36fd58513dc87cc2689cd2a6c2986175c4d2b80fcbcf2c810e2fa67fc2d8abb9

SHA512
9319bb030e3c60ecd90cec3d40853632c9710260c5d671f7176797abfc82a7040a872e3896af8255df7cb0181f46cf7e587e21091c029071503af0b76f6a4589

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIsocgYU.bat

Filesize
4B

MD5
ffbb14141cc097693fe5cf75bf410838

SHA1
7e48b74d791fc35c20ea3d190a927ad2e6e66661

SHA256
2e833034bd37346c3cba4375d6aa33b60599b0c0baee30fcfb01c179b692090e

SHA512
436250b52926f2f5ec9d8787456c613c95e5f12ba1ff917a851c9eceb12d282180d98063dda2bf5d35cae5e809903a2d12afd297be853f6b4a1adf5e67914f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rWkwUYgw.bat

Filesize
4B

MD5
228377bb068c70e84184ae2b7f97cbd7

SHA1
9a02d2962133676f6ce9ae869914891588af173c

SHA256
0f411f14d3b2b0642472387e1da33a922e7ebe01820749817365c769e12e1674

SHA512
2c3db1c05b9031842b2e12ba79c3db2793e0222767576ca866c14ea7b196d239287af54a168008ed754273383d7571a0d3d1e15d11679b80f8a887eb02135371

Download Submit
C:\Users\Admin\AppData\Local\Temp\racEQsMw.bat

Filesize
4B

MD5
483af4c6ebd0aefaff31e4752fd7ff17

SHA1
222eff23098582cb0aadaff51d5a6b23eae11994

SHA256
15e9933c62043259fde0c162320829d1988032c4e84f73d026321033553dd59c

SHA512
470f719aeafb03f1928dceccb3cb0e783d7fb0d450e9abb0029336810305cadb9e49f5adfb68339d36878c3ec25dfbc598338f7386a4043da48f4152a66ccc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\riEEQQEs.bat

Filesize
4B

MD5
d492b398b5af3f58ea81dffb74a0ea9f

SHA1
828d6224e026a9631da3d7d2b98de703827ded64

SHA256
f5ae86ece6dee41ec0176cd8fa67753e236bf0b87b349682818b81b0ede0fb9f

SHA512
41361d712fcc9d27d4ede87d9c406b74dec02345ed4e1febecc8e78e672e728dbb2c452eb89a1311bba4dc35aa9415c1608ac267005fe526490cfc56c195dd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkIoIsQQ.bat

Filesize
4B

MD5
ca68b7cbd8b5e95ba675453218d1800a

SHA1
8287cb8ba5d4baa42dbc0ac0a75d6cfd1066133c

SHA256
e690af332b38145b50d5305e090f826b7d1ae0e601e06a0310d6770f6dd91de1

SHA512
c910f10fd31a41fcbde073c2b92b31301075b2bf6ad5e2ec2bfd385f8873598fc34ddb3d055ef639b892ef9e4fa218dcdd8556a8e51d03b4ac9beb193ba34916

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMUG.exe

Filesize
231KB

MD5
9cc50a375e8b54e35003b8f4b6ef86cb

SHA1
3ff4e7f4df328b704f644633fc3ce7b8b5f48954

SHA256
3c73f3e820c7ea0f22377a299e7c6ec9328b6f5c894602d6dd44ad614f277441

SHA512
fe95e9a1a7008d8042d1288cee5b4a35a2772d2567ecfa95514a593bd1824a15afe4b77467f29b497b40eda55ddc2cc8f3ba1b3f059ba48385cfc46d3cba7ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQAe.exe

Filesize
636KB

MD5
2f80d883d5bc6ede33699883b9df32a3

SHA1
2356a4064a6fec218e5f462f08690c74f36c7d58

SHA256
f8d55a9b06019bf860bde47a5dab56e73ff79a8903ffa1fc8bc781c297559d3c

SHA512
8d771f6c66241d3abae2ceb89f0cd94823c59b738e44f30a76285073b07b28b532f369b064657dfb96164a5e2894241e81b787027f941b9b149d78d5e56393f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQIQIkYI.bat

Filesize
4B

MD5
4c57e4337487ec49e7d7b4148214d118

SHA1
fef6fd56550288e6a7faa83a69d36a3c9a2ef359

SHA256
76fb46198b69fc64050a552ccc18cfe28de11d5e8497d61090642e5a2b57b5ff

SHA512
2fd6c78056f9fa176759e9ea3c6ff41d1fe26e2912cdc4598ab62811b3fd184f9865d9b9537b8d0a9ea31723fe3c36c3761b1cdaec74ce3bccf0f764b240ff44

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUMk.exe

Filesize
222KB

MD5
8ba631bbd2f4fb26a7b53a078a12a86d

SHA1
99ebff79203df30c33a6c34219937ed8e8d8ff56

SHA256
23a5786cfdec043d0ef1ab7615f23a2b7d2a885b71fbeeee5b21fbb495acff4c

SHA512
c6f5319a2ce91974ffe5e49b4b995eeb48237b77ec6305ec27b726369a8f39677cb10fff961eccc0024a24488fbfd2fc73b007b68500b215fa9028b5c439aecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgkq.exe

Filesize
227KB

MD5
10e79d56e4fbe47c75417bc2128d0ccb

SHA1
ecfd190dfa6672784b9be008ab1fbe9cacfaa288

SHA256
4a68c2d7c941ee258cad819b1dea78a92df533e82d42e6fae0c4c80b278ace11

SHA512
39b298370f83fbfbc2cd79b12e05f99d96e81ac8eef29d987a9db7b1c573b03841731823ddc51935073cfaa841f3aa8976fc59f867d77066c2de3cf1363c5229

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssUU.exe

Filesize
244KB

MD5
1e0132aa03dc6c065dda0bb9eeccd21b

SHA1
12d30057cd76f35eee9453624632dd091f41a2a9

SHA256
3252fd6548953c14e0dbd9c6ef3b921678c862f384a19c264e659e706e1fc9b3

SHA512
1d154e6390c2e2786d067c48e9a5b137c94996995af32cb0734fd6d186c8a9ff1ea81382c6e801790ec4039dcdf7266db568acfec9f5fbcd7a524a63df375e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\swokIsUs.bat

Filesize
4B

MD5
6f2e766c7c40e7b67dfdac6f2516906d

SHA1
eada0d456d9e5165f3fd3edf2df3fd6a5ad2ff97

SHA256
9a4f43bfb59a19e693495c784e42cfc90318a71972dcffc91cd6bc7d3f8bb1ba

SHA512
3082b3b1263e26c00a311bdd517ceddec102337db936998ec992ed2ca2dbf8e17607870d03a86721cdf2ea4370939469bd87c55f3200dbc241ccf07d2515d973

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEQQ.exe

Filesize
241KB

MD5
650b86ce47d0a9ba45307e4be117ed46

SHA1
285cc745641f5fe53a7afb899de354d8fcd17a3b

SHA256
806ab88d17f98fe4f6b32bae2a323139807ce903806330145b1e6e9cc4861fc0

SHA512
73185d0629ee752173beb1688eae7222a200d8386233a83eebf33305b5b056df37cba44835c5746ae32ceda11e1bffa7ed8ff4723004511935f2d41283fbcd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQkG.exe

Filesize
243KB

MD5
7ff016d7f1e9725d6796617fe24bc3fd

SHA1
167e975b2cd607b749004a301efe61d6fe847b1b

SHA256
cf2e4594af9862983ec753f619f78aac991e4abd413a23158e1fafae8b629c1c

SHA512
0248e9049f126540638af5277a6f117baa8c4c551b94ed54425c2433c1d39c8deb0568f99ef81d5f95a1d0f8a0d2fbc886c3180700c67c00d8ca0e323c886a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUUY.exe

Filesize
230KB

MD5
33e1bbe2c620a7eb19e9a95acfae19f4

SHA1
57a144694e0d0a0ba23a5615ae7d0854bf5eaf06

SHA256
8fb962a024a89f4ba71e69527b3e1b0eae20ed1403c0a20aa9e71d049a7607b9

SHA512
64ab99ad2acc595970a411caf94fe718324b73c3e36655e99075e9870edf1a60b2bac57c2418c592abb0a1d338f8283c6faf53ae86422f298029f2bd97b04e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucoY.exe

Filesize
237KB

MD5
6e419a47142470bcc2b8f5bc177eff45

SHA1
29ed868468d728138a15a63bf3ec7b1762f68447

SHA256
e55785a1a2abf3d561fb65ee5c81c2dced5750637e4d01f1dfcaa5e91f3250be

SHA512
6b541678536d38aa008b9f21c7d36cbf14465a72b8f28639337999ceacf887b864eba8cb326d767f7d010e292bff38366804a683b33bcc2bcd3b95a434da3ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukAC.exe

Filesize
246KB

MD5
c269caa9b684aff3f8ddc029328d231e

SHA1
a4d8773165e98e3b75794e3da30350c6404f9269

SHA256
5c796ef38844dbc6ce082b71bf03661a88ddb1b92a0e21949cedab21fa668fdf

SHA512
8a957e5aa9be305bf7b777d48550e225f4eda8910328c4ec2e14741b1c4628340483ea8114c4327cb16b723fcd72171627baf1fd277db10d1832b3bdd8b1bd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\uooE.exe

Filesize
823KB

MD5
977e8f0a522b69802b6e56d73d488a67

SHA1
4a43a023efd83e76294584956fac5754255f00cf

SHA256
8ea3dfa49d952e1fbea0eae29bcdcdbda9afdc8c13ec143c948e25668da9ff69

SHA512
98483e112e0175ec3f6a153125406f0125010143ae2254fbfb1cffb024005a6ce236d0a47a17e85ee571a4b6b4aa7edf525752fffc575a30edaa977a8b941fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuAgsAYY.bat

Filesize
4B

MD5
ab628f8708b73c3a32e0a2e7a1f0fadf

SHA1
80744aefb1bf64bed46669b0380934b3bcf0dad6

SHA256
6f43840c111d13b9c0e41f8096db4128a7db8f9eeb6ad14e52530b8c1c5bf465

SHA512
51d0d7286aeb5512cfd6eb7f342c7a25c27016cabf9053e6621951b37619359ecc33ee4b652f130e88c820d8a35b50c5f2304211121b64d77b036835a6a28684

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAwI.exe

Filesize
236KB

MD5
9be4fc57462d0e8946e7cbd71dcc81cb

SHA1
a1da67aae50b031a738f184b87039aa275b2bc83

SHA256
f9ab37fc84b607b21ee72dc995fd117915073e4e12295a71639d2a25aea69616

SHA512
f8ed8d90685f0d6af8362fe325c9bcca0942930ed81701314f1b0e9ba7236878fe2ddd5f533d0b11dcb9091d092c55a5f200a848def61f762a4e7f28ea7afe7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEYE.exe

Filesize
241KB

MD5
6e37505aff0ef78d4c77357c4be188d8

SHA1
05ddd9e51d5fa43afbb54f3b82cdd9db50f5034b

SHA256
ac46eeade3f01d6175d4a51fd17b72b5170f807689023b2f57a0cb61b6524b07

SHA512
dcde1e1adfab3113a3170cf457e94dce125d77aba8ef11947c40bd8da5a5af9d7a54bd9c0afef1fedd3698422c814c6b95f416b84b05985ef39c8a26dd74d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKYYgsMk.bat

Filesize
4B

MD5
f6d24dba258e0c2b435155b188170d87

SHA1
50614484f83e265686a6ed34892380328fea7109

SHA256
e17ec77badbc5e704a9096169282970c5e4fb4893584f55ef197fd8039243227

SHA512
ccc635890014b367893ca5c7e6e20199f780cd11904a7f9996cd779ddbd56a4ae78080c67574d89e8ebcd19f441462ec7d483a2d8618ee05fa5a3fb2b0f56b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMQW.exe

Filesize
234KB

MD5
da1db4fc8ec01afa31b83edd36962fa5

SHA1
d358166650874b49b27fe624cc92b56f3438ac29

SHA256
26ad810aeeb93fa56b91ec343ec90dc39c4436ded3ac5250d8a6b908e7304e2e

SHA512
f7749c466d6a3c5aa11e9eead2fcbcdc0ff804c2a42a3329f175d4e56d4112773a815acf19dd91d55847ba3c5ef55960cf12f4615cf1b21ac004cae0089d6df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYgIkQQU.bat

Filesize
4B

MD5
ce44d21314ae777d932033458870a0c4

SHA1
0c8ebba2c74a96590ba16f7a4a6896c00ed8638e

SHA256
601123ce1563e36788298e4c624c09d4d51a26683085abee69934faf67a81b82

SHA512
af19abbf02bc2208fc50343a92837006d682de11948eba8e796c0cc6e6d591f1616c34e1dddd3b546402517f23a9d6813f369385d7e8fda83dea63b2fc3adda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsAQgQoM.bat

Filesize
4B

MD5
c16409e9ca440b9984f94f1ccd1db1df

SHA1
2ccfdbb4c63c3b89899adecf85598967b044d186

SHA256
ce4e93f4cb3aae818bc60343cd1437de989d67bcaaf93b0cbab552ad17e3b077

SHA512
f20380a3bc470b3ca48cc3d7d1f90040005fdce7cf685c1d0fb4ab1991a998ad6159589d1eeb27044246b1b0650e3b9bb7b4ea0e3766f5cf15aee60ae8976882

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsIS.exe

Filesize
244KB

MD5
d16236079370b2ace705a3073da113ea

SHA1
d5b425c04ed8f4863335c98a94b163bdf525e239

SHA256
8bfada89db1bbbfe661a8380f682fc59f438a8b70281cd4f504509f301c3e306

SHA512
d5f858de503cbfada06b57237e3cc7894eedb2da63d6d31f69c63f4b381c60fc4cf7e891d4033381b1e14c86027466d4365b237ae59579a29c33a6dff5358805

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYEokwwQ.bat

Filesize
4B

MD5
14139321ad42a324b9c21727a0248a40

SHA1
4447f392c642615113e660845a7393a184d6c956

SHA256
0376664c420a7538975edcda6dea4c85a5db38e43660cfcbbe441e112b64fecf

SHA512
5f662d84d4884aa071821f28ab5c08f1c7d3573f52ad6000137fd4a30115b728de8eddea162b4f61fba683d97c4b5ad1f61d9c65749be99f8ec90dacd2dd373b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAIssUcg.bat

Filesize
4B

MD5
4875d417215382f2972a6710219eee38

SHA1
dbc8298ab655566dce444e23fe0a3fae84879f7c

SHA256
e75d05bd44b39624e91ea87785cbca870a850cd474477851e308135e7cf876d9

SHA512
23880d420f7e87abd3275822b9f1318baa530ffd6efcbc783f56e84cadaede7323384191bcfdfa941961710f770072f863af120a67183c6f1cc3b311ce854cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWogsgEE.bat

Filesize
4B

MD5
f47c818e86c4d6bae03b488e6fb9bda7

SHA1
8a376b43b25504d1d24eb0972380cd1688bf63e2

SHA256
7d22acd2f24d14a92c5286982f949e84e1f49f50297e4c97a88f020237f5336f

SHA512
7d1b090ad73ded1005f3a1a3088857413d2ce7c2b49e833be8347d7d95928d30c192ff0c99993d991313dc1853720543b27f01a3bd60daf7d5f4887c19514cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yowM.exe

Filesize
826KB

MD5
0bf8578ab6b046c6139ed3728c054d7b

SHA1
a2fa7eb7b20a52ae70a811b1f06c7ca46b533f71

SHA256
d374996b7ccce95716693af397d9aebea067d803949b9fbdfe77bdab60662ab8

SHA512
435924d8cc0c3178f1ce167e027cd02de74f19f8ed19138759e76a0c36be4521e665e51810149edd72e9055aaca88ca717d5d8a2b5cb2509903949936e2215d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysUK.exe

Filesize
322KB

MD5
1f4bca59a0727f6378f62cc5b53fef8b

SHA1
086183da3ffd2f431025e88cd60e45cb8c70d719

SHA256
676a663832b9a4ba7ff4ba913a165cddd177a870d47477f6e88398ee1ffb2a7b

SHA512
bc28a94dc4f96c2c1f3a611e4d90c63eeb36bfa5771356fcf0786d382592ebf9556ea9c9818e410d849361e76e881bbc198dbd912228922069a63935dba72f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysos.exe

Filesize
311KB

MD5
fec5736290a91da3d5c418cd96903d6b

SHA1
369708ea8b7f84729a1c4ee7d387d502e1878c97

SHA256
b2393f085dfbe3b9677942a7710fbfe6cf9c016a371494da3ad2d7ece5f6a72c

SHA512
d16731924e38657ae54419583936242ea4d56e5da77e5002d200ae318094f0f6c64a578674cd3545ed051a8de3293803668386d10247bd01a0dffd76c671f6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywMe.exe

Filesize
571KB

MD5
27dcf8a3f4f87c142112717aacf52861

SHA1
7873b3c48e4113566bee6041b643cc23499509b7

SHA256
c3ab5dcdea7e08e107789debe6dde83c06fd003dfeb5c1094cebdd30063bfda9

SHA512
5a14099e04a75efbbeae8e88fc8f07dfe4666621097881125ba42213acf90d77e1204cf11864cbb9aa63b97423a57676fc193331e2b45b22c5012af68b314af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKQMsYsI.bat

Filesize
4B

MD5
5e8ca8fbac5d19fbbc2e1bd4f4e626b8

SHA1
0a710aa22b46cc9b6332b7a74aef3596e84f80ba

SHA256
b3b9f2bf4de388fd99faf1bc01f085ac347f09fc2474b8f2a7bc8b109279ad84

SHA512
1b8a44e1b499e1c22b3e11ac0f4e5c0851e0998ddb7dced6edd55bee8cd42824a18bfe6db00b21d2124d0d9536831c27bbac863a92a7e0d3389474a035946251

Download Submit
C:\Users\Admin\Pictures\InitializeStep.gif.exe

Filesize
355KB

MD5
f9366824ec9dcc13c693501d6436156c

SHA1
393d91a998d815ec4333d826c06922265f0139ca

SHA256
9ed5f4cbfd7742316d8c2ce065d604755c071700d4427b701a7623ac136bfa1d

SHA512
1b8f358d20a2e5050a01a45d37db14744f9b9dd6ad271e5ea0775a0599e91546657e9809e58a52c1771e1da5dad8fa355ba1be80282faabed9bbb382af09b5a6

Download Submit
C:\Users\Admin\oeAYQgsw\uoYIIQwM.inf

Filesize
4B

MD5
e129cf97910b51dd56c2ce0f2d831cc0

SHA1
848d7e913908b26cd6f071ae00c9d144ac6e4385

SHA256
df9b8d598a8d577f87e8b91df9129d39ac6e261aca60dd3fc278a517acbe4376

SHA512
8ba54397dcd02aff006799376b284b407953a588776aabf9f671dc37262571ffbbeaeeea8e62cbdcac1f22b8988e7958519534f08f11fa0adaf4096b9c972e07

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

Filesize
742KB

MD5
193f45b39c7f985bd1219f3ee97271a6

SHA1
ba8b9338ea5d876559db45aaea7691c9b48696ca

SHA256
d3fcdaee9ffb934c338c795c19ce5c129ee38df2d99801b747df830b6cf26618

SHA512
2e4faaf26208511f056a14033944de53c3924f4de2fe3c8d333df2fc06604ef7cd5ae052fada5fa25292b05460ea3f2c4493df5557ccf3616926382e1260e5a7

Download Submit
\Users\Admin\oeAYQgsw\uoYIIQwM.exe

Filesize
185KB

MD5
6b0b718f9e9bb19e7284fa31e85a2978

SHA1
7dd5687eb09dcb78bb5c1125dc6de62e8b606e78

SHA256
a656a6bd86dd616d38b5a263c0ad8f357bb880ad8ec4be5698d44058620d13ed

SHA512
8efd313c83b95531f5fc5c0b931b31ebf5a056248742526f3b31ce165e00c6a59b0451196f8239b2a933e0eaa35ee9d1bf7e6dbc75ad960d024fddf94847f501

Download Submit
memory/824-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-107-0x0000000000170000-0x00000000001A3000-memory.dmp

Filesize
204KB

Download
memory/1008-685-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-667-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-709-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-731-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-644-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-617-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-686-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1376-525-0x0000000000410000-0x0000000000443000-memory.dmp

Filesize
204KB

Download
memory/1496-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-688-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-700-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1596-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1620-31-0x00000000004A0000-0x00000000004D3000-memory.dmp

Filesize
204KB

Download
memory/1620-30-0x00000000004A0000-0x00000000004D3000-memory.dmp

Filesize
204KB

Download
memory/1620-12-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download
memory/1620-11-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download
memory/1620-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-60-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/1668-59-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/1676-85-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/1676-84-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/1676-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-539-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/2060-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-664-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-635-0x0000000000450000-0x0000000000483000-memory.dmp

Filesize
204KB

Download
memory/2176-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-699-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2236-175-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/2252-129-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2300-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-153-0x0000000000410000-0x0000000000443000-memory.dmp

Filesize
204KB

Download
memory/2364-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-285-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2372-286-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2376-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-666-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/2376-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-665-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/2484-403-0x0000000000180000-0x00000000001B3000-memory.dmp

Filesize
204KB

Download
memory/2484-404-0x0000000000180000-0x00000000001B3000-memory.dmp

Filesize
204KB

Download
memory/2504-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-625-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-687-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-708-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-43-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2776-42-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2792-452-0x0000000000130000-0x0000000000163000-memory.dmp

Filesize
204KB

Download
memory/2792-451-0x0000000000130000-0x0000000000163000-memory.dmp

Filesize
204KB

Download
memory/2804-722-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2852-559-0x0000000000170000-0x00000000001A3000-memory.dmp

Filesize
204KB

Download
memory/2852-560-0x0000000000170000-0x00000000001A3000-memory.dmp

Filesize
204KB

Download
memory/2856-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-505-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/2916-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-485-0x0000000000530000-0x0000000000563000-memory.dmp

Filesize
204KB

Download
memory/2980-332-0x0000000001F20000-0x0000000001F53000-memory.dmp

Filesize
204KB

Download
memory/2984-589-0x0000000001F10000-0x0000000001F43000-memory.dmp

Filesize
204KB

Download
memory/2984-590-0x0000000001F10000-0x0000000001F43000-memory.dmp

Filesize
204KB

Download
memory/2988-723-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download