36a8ed42def4507a81b435292ad20bb61c6a2d54374747b18599df5a7a76b696

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 18:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Size

116KB
MD5

ed70fb782a4e3b26dd15b305ab4bc759
SHA1

05dc573207379f0fbe568d882fb1bd5d2d0f7300
SHA256

36a8ed42def4507a81b435292ad20bb61c6a2d54374747b18599df5a7a76b696
SHA512

e7d0801c9f6a87e29b4569114a4d1b1fd70b016922c778223633772d6f07964ebdebfb12b9cfc4f1d8a148d15d9d32b0d1d80b0d4ba378d053e49897f1db9df3
SSDEEP

3072:CbpAVdYIYQA2CKkJli8pBVWBb9u55OdjH:CICKGrpUk550

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	FYUkwUMc.exe

Executes dropped EXE 2 IoCs

pid	Process
2380	FYUkwUMc.exe
2792	BCkUMsAw.exe

Loads dropped DLL 20 IoCs

pid	Process
1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FYUkwUMc.exe = "C:\\Users\\Admin\\aUcAYAwA\\FYUkwUMc.exe"	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCkUMsAw.exe = "C:\\ProgramData\\CEUwYkMQ\\BCkUMsAw.exe"	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FYUkwUMc.exe = "C:\\Users\\Admin\\aUcAYAwA\\FYUkwUMc.exe"	FYUkwUMc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCkUMsAw.exe = "C:\\ProgramData\\CEUwYkMQ\\BCkUMsAw.exe"	BCkUMsAw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
556	reg.exe
1828	reg.exe
704	reg.exe
2016	reg.exe
2996	reg.exe
2348	reg.exe
1172	reg.exe
2912	reg.exe
2500	reg.exe
556	reg.exe
2916	reg.exe
2184	reg.exe
2436	reg.exe
1860	reg.exe
2988	reg.exe
476	reg.exe
1660	reg.exe
616	reg.exe
2808	reg.exe
2004	reg.exe
576	reg.exe
2716	reg.exe
2600	reg.exe
2388	reg.exe
2988	reg.exe
700	reg.exe
2100	reg.exe
1948	reg.exe
2676	reg.exe
804	reg.exe
1684	reg.exe
1520	reg.exe
1228	reg.exe
3032	reg.exe
1608	reg.exe
1996	reg.exe
2656	reg.exe
316	reg.exe
2656	reg.exe
1256	reg.exe
2340	reg.exe
1780	reg.exe
1808	reg.exe
2580	reg.exe
2100	reg.exe
2244	reg.exe
1416	reg.exe
1048	reg.exe
1776	reg.exe
2468	reg.exe
1532	reg.exe
2928	reg.exe
1448	reg.exe
2968	reg.exe
1828	reg.exe
1476	reg.exe
2076	reg.exe
1596	reg.exe
1644	reg.exe
956	reg.exe
2888	reg.exe
2288	reg.exe
1960	reg.exe
3000	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2240	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2240	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1292	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1292	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1752	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1752	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1544	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1544	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
572	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
572	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2920	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2920	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2840	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2840	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1168	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1168	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2368	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2368	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
616	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
616	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2516	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2516	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2216	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2216	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1680	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1680	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
372	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
372	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2012	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2012	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1568	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1568	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
308	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
308	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2104	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2104	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2480	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2480	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1484	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1484	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
3012	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
3012	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1376	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1376	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2824	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2824	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1612	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1612	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1756	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1756	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2748	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2748	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2340	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2340	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2404	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2404	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
764	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
764	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2724	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2724	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2380	FYUkwUMc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe
2380	FYUkwUMc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2380	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	30
PID 1992 wrote to memory of 2380	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	30
PID 1992 wrote to memory of 2380	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	30
PID 1992 wrote to memory of 2380	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	30
PID 1992 wrote to memory of 2792	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	31
PID 1992 wrote to memory of 2792	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	31
PID 1992 wrote to memory of 2792	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	31
PID 1992 wrote to memory of 2792	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	31
PID 1992 wrote to memory of 2736	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	32
PID 1992 wrote to memory of 2736	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	32
PID 1992 wrote to memory of 2736	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	32
PID 1992 wrote to memory of 2736	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	32
PID 2736 wrote to memory of 3032	2736	cmd.exe	34
PID 2736 wrote to memory of 3032	2736	cmd.exe	34
PID 2736 wrote to memory of 3032	2736	cmd.exe	34
PID 2736 wrote to memory of 3032	2736	cmd.exe	34
PID 1992 wrote to memory of 2912	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	35
PID 1992 wrote to memory of 2912	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	35
PID 1992 wrote to memory of 2912	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	35
PID 1992 wrote to memory of 2912	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	35
PID 1992 wrote to memory of 2168	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	36
PID 1992 wrote to memory of 2168	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	36
PID 1992 wrote to memory of 2168	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	36
PID 1992 wrote to memory of 2168	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	36
PID 1992 wrote to memory of 2860	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	38
PID 1992 wrote to memory of 2860	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	38
PID 1992 wrote to memory of 2860	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	38
PID 1992 wrote to memory of 2860	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	38
PID 1992 wrote to memory of 2716	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	41
PID 1992 wrote to memory of 2716	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	41
PID 1992 wrote to memory of 2716	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	41
PID 1992 wrote to memory of 2716	1992	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	41
PID 2716 wrote to memory of 2724	2716	cmd.exe	43
PID 2716 wrote to memory of 2724	2716	cmd.exe	43
PID 2716 wrote to memory of 2724	2716	cmd.exe	43
PID 2716 wrote to memory of 2724	2716	cmd.exe	43
PID 3032 wrote to memory of 1496	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	44
PID 3032 wrote to memory of 1496	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	44
PID 3032 wrote to memory of 1496	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	44
PID 3032 wrote to memory of 1496	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	44
PID 1496 wrote to memory of 2240	1496	cmd.exe	46
PID 1496 wrote to memory of 2240	1496	cmd.exe	46
PID 1496 wrote to memory of 2240	1496	cmd.exe	46
PID 1496 wrote to memory of 2240	1496	cmd.exe	46
PID 3032 wrote to memory of 1624	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	47
PID 3032 wrote to memory of 1624	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	47
PID 3032 wrote to memory of 1624	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	47
PID 3032 wrote to memory of 1624	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	47
PID 3032 wrote to memory of 2996	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	48
PID 3032 wrote to memory of 2996	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	48
PID 3032 wrote to memory of 2996	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	48
PID 3032 wrote to memory of 2996	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	48
PID 3032 wrote to memory of 1032	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	50
PID 3032 wrote to memory of 1032	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	50
PID 3032 wrote to memory of 1032	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	50
PID 3032 wrote to memory of 1032	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	50
PID 3032 wrote to memory of 2876	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	52
PID 3032 wrote to memory of 2876	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	52
PID 3032 wrote to memory of 2876	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	52
PID 3032 wrote to memory of 2876	3032	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	52
PID 2876 wrote to memory of 2960	2876	cmd.exe	55
PID 2876 wrote to memory of 2960	2876	cmd.exe	55
PID 2876 wrote to memory of 2960	2876	cmd.exe	55
PID 2876 wrote to memory of 2960	2876	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
"C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\aUcAYAwA\FYUkwUMc.exe
  "C:\Users\Admin\aUcAYAwA\FYUkwUMc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2380
- C:\ProgramData\CEUwYkMQ\BCkUMsAw.exe
  "C:\ProgramData\CEUwYkMQ\BCkUMsAw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
    C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        6⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        12⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        14⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        16⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        18⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        20⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        22⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        24⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        28⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        30⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        32⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        34⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        36⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        38⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        40⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        42⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        43⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        44⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        48⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        50⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        52⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        54⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        57⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        58⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        60⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        64⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        65⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        66⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        67⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        68⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        69⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        70⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        71⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        72⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        73⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        74⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        75⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        76⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        77⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        78⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        79⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        80⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        81⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        82⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        83⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        84⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        85⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        86⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        87⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        89⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        92⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        93⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        94⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        95⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        96⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        97⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        99⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        100⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        101⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        102⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        103⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        104⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        105⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        106⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        107⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        108⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        110⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        111⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        112⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        113⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        114⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        115⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        116⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        117⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        121⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        123⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        124⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        125⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        126⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        127⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nQMgkIUw.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        126⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WEgUkIks.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        124⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YcMQEEgc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECMMwcgM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        120⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ycUIQoIA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        118⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUcccAQw.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        116⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NyMoAgAg.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        114⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BsgMAokE.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        112⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XikoIoYY.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        110⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uUgEYIEc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        108⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KokUEEMc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        106⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OcYUYQMA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        104⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\okYgQIcI.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        102⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JaMIgcMU.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        100⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DGocsMUw.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        98⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XokMQMYk.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYoMEIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        94⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgIIwgsk.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        92⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wygosgwg.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        90⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wwcQkkgA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        88⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vqsgAooM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        86⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dYIYcMsg.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        84⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nuYsEwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        82⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEQUMIMw.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        80⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiUIEMsk.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        78⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\COwMEksk.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        76⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSgMEogQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        74⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGQgAUEY.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        72⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lqYcMwUs.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\POoYsYIM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BqkUIowM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        66⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OiQEcwsY.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        64⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UWAQEMEY.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        62⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mGwwgcYE.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        60⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIIEowgQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        58⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AcAIkoUM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        56⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HiIgcgsU.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWYAgwEc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        52⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HucgEoYs.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        50⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RwEkwMoU.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        48⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AcowkMkc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        46⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mqUIUEIo.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        44⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwgowwsM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        42⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEAMMMkA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        40⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EwMMkIQM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        38⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RmQowIwc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        36⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vKYUwEwg.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ByckwYwc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        32⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NygMYMMo.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        30⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWcYQoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        28⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wOEocUYE.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        26⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MSIkIEYY.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        24⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OgUgwIAk.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        22⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NmYIMYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        20⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEckUwMc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        18⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkowAoIw.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        16⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bAgQUgwM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        14⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\acgEUYok.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        12⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EYskgoQg.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        10⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IyUcsksw.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        8⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1740
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2100
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ucQwwkIA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        6⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1624
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2996
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMYIQgQY.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2960
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2912
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2168
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgMcUcIg.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-504042162609233817-14458613931228163747-988416418-16884174421520130273-728059606"
1⤵
PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1321935762-2144683346-493530153-346244922-80372685987347077817962730161279185032"
1⤵
PID:764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2633578623865949481549058547752300097526133741842383612-1552546446848631327"
1⤵
PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "627881352-92464043755394951812931827263243286551691561774-70781213-93197587"
1⤵
PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21043988831049053424-530023983-2082011775-1185194871508796507-400079622989587489"
1⤵
PID:2076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1703520187-31032090911724683455709216265448065891251094070-209248673-2047015197"
1⤵
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "729156119-57142453454324911-1963847247-1891556324-863000437-8040023271388804157"
1⤵
PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-112286051997595012-896707724-19355255601011456392-142312582668138607389031071"
1⤵
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "145956593921000082181337813003319893107-1677359223163147905212739751561677782596"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1466914319-1078595107-1917487335-82289870-5447404761654346792-462971525-1301149304"
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

Filesize
163KB

MD5
cf183f3e74c41f88a8a9bb47b2f6592a

SHA1
0966942a6ced54a7fb2109a6998999af097e7772

SHA256
2b5dcf03bd0a11070b54e9de36ddab6c2f24201028d63d22338d33584c792b4b

SHA512
4a6748557b3c66b0609e58723a87240f8c93f69a9246ee56a68514019946c116ce40a1124dd87e5d9a1530189fe35ab3b1bedc9f23afb6fd2c3aa7fcc4093525

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
159KB

MD5
18a6b671f460f709ce12ee46fea78d06

SHA1
8c29cf8a3fd037d965a6f5fa84c17c0675ddf23f

SHA256
02143589b6c28fc1516b1f642f640e24684f110408aa7120fda5d5406f436ea3

SHA512
f8f94730a2b0a61bdccd8a4cc1e16485167018b7888135471c0914391df0d9b535c46bff4c2eaab6995008f48aa251094592fedd1ec51566c3f746e5e8060935

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
159KB

MD5
c3de5812be55d92cdae9d461141e752a

SHA1
ad2a5f9bee77688c40b4f8f6d6e7aa48c008e195

SHA256
d611e882978e147e7bcddc0d3f9cc6988816bff6c9e9cddd4f55f6aa7248a72e

SHA512
540354bab7ddfb728f589ab38a9c901b005d9a30770f57fc5b0d169b8c2d8f546bfcee37e113f8ce77246c9b1d322726887237f586d8dfebaad4b5156d03960b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

Filesize
158KB

MD5
b018e45653c83597cb858be8ae75303b

SHA1
6b6ff4bf225e53174fe03513276650025d92c72f

SHA256
863fa4bda8b29370a22546f7676c3181ccaab93b2da5100e04ed92d50794125e

SHA512
5ab748e3d447fb4e7808d6a4d9243ff7fd2e4daa1f52e277370374f7d76e5a97bcc02b1e4f4b27a9d2fc94f6fd64f5a63b8cfb0562d20cffc7898a30b524d773

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
157KB

MD5
84639fb16c296b55c43804d03ce414f7

SHA1
94040e9d54bb5781a071b517886fad9c97278f13

SHA256
9cbec76b6297876c9f97d52b1f29cdc6ec4d5515b7c305fb953f36093b2bd541

SHA512
6a7f6b92914cc43026841610ca52b9d62f1a55b26d6655eec755652fd22a6eded59dd9f8065320414fca34d3283706ad91e187180254286f7210232f33f76610

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
160KB

MD5
e8403ab29c23fedec8dd28c38720fbd5

SHA1
2b8fd4d3aaf6a34f2ab1abcf6658b9186de51958

SHA256
067b7e3fc87ff538be7bc3bae22b4010893f7634a97dd7ff33deb7b8ba25fe53

SHA512
e8f1742fe9fcbbe1b9549db9033a32a10288422cbf26e6c894eab2e1d0cb975256366799391f18b08fb02ddbf7a4db8cffc1bd3e6530f673592f511cb4f68359

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

Filesize
157KB

MD5
9b727152de7a4a6a708d3d04e4a61136

SHA1
c72c3ce559d99a3dc7a442cd9cee8493e1e56e00

SHA256
b251ba3a20401a247bbb9b6226be44557fa1103a400d1d3a50ab1ee45652e9ad

SHA512
e3a2ae650c1d35c8266178ddb9ef79b9ecb91897f6a576cc43d42df0bf3b0d3ad353293d00e91b0f2c16cc1f769a91c0720d92dea810dc6ce672a731065591ab

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
556KB

MD5
167fdd0a06707b926425ced8b920d04a

SHA1
d183799deae770e0642158b6e3f23ccf713f7136

SHA256
2ad0ce6bfd6dd1a4c8e224114ea52abbe5a3909424d9f44dae2e9d91d986a5bb

SHA512
8f3bbd3cd332a4716d0e7ea305e36b22738b1a2363e9fee5b2f1d8d02909171c35713f5b05a6cddb064ff5559e0db16e92187ce134798d0cf749ac8202620fcb

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
567KB

MD5
1747c7cd40f1d3629275bce1297cf5b4

SHA1
23a767b593adf4e4b7fcf3493878560bc84a096f

SHA256
5597d0908a63509ac1a788d3d470865e708b77f373189d49f361f3a94bb8d678

SHA512
8496351be26260538dfed900a35cf10f048fb44d76d258546303a029966e3bb4a4c847ebc3855cea3dc1847b44578caccfb1dc2070c34210cca702a5a0d9b8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock

Filesize
2KB

MD5
068c52eb2659fb8a987eaea13dcb6d49

SHA1
4472f4c6de4c8816f1e39dc2bad6db205827400a

SHA256
4a404d5bcb1109a33329f0e099fa8c07a8b02401da4e531bbc6de733a90e45aa

SHA512
e1abb20a45614ade94037ef0a2f1236a32e47adc7d3674c89e345cbfe3b04438fa103515f602b446d9e0deeddd997e02da1f42ca157efb253ace7f39cba17a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIsa.exe

Filesize
158KB

MD5
b9dc8c89a08a4bc93d91aa77dc0ae6fe

SHA1
b2ca9755e540ea7b17dae77cf7a41faa5e42812f

SHA256
2ffd8f3d487462dcb334b6587af67c13884f610eb40c367eff92547c5a26ba7c

SHA512
19bede4c9a5c30b0247599681037e2004122f9c9442c16f5a8bf02720592b22b9a2e3d6c68019bc7bb6ac7ac5260454317c064ca0815251c1a50f74e6d98cc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKIoIYAE.bat

Filesize
4B

MD5
74b6fad3dac5c9afc54a18e5e7609b6f

SHA1
add00b197a49c04c1fd096fb46085a1e3b35283d

SHA256
84246cad7cd37a0d6749fa889ea1b11640e35cc28776c1cffb416e5865e6d7ee

SHA512
a3f696b4b579a1df6438139bd2604cfbecaf237bc0e106729829a72c56e7eec6a84b92e2d3e42343b87bde8beedf5c98360fdc777a65c95c122be9ac02ef74ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOEIUEIw.bat

Filesize
4B

MD5
5ddeb07ac4ac568b625daa9566fd17bc

SHA1
711d7fbe2b1a285a0870bb3438f403851eebbc4a

SHA256
da0968d3fe287babccae62d7c3800b323d3b1c2eabb52ad8ba073ea6569c3161

SHA512
a904dda6923d65776c4f9b5a4b9cf73e252efa3adb885f2328382f9a12a66054c26be4d18a03b0184f83b4a41155ec76283f82fcc30c611309a12acd54169c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQcm.exe

Filesize
159KB

MD5
2ee8d1ac140eec6244f918a0e3f301bd

SHA1
469583c882bdf9b4ffe53e71cde1237cd2a3cfb4

SHA256
bce6f7f18be0e0e39842da3038949afc67ae4a874f6d07f82f99874c378f99d8

SHA512
8e982e0a183d90cd7de14f91e5386e63e3f054d67a63624252a4da17c77a8159634f041f2148302b71e70fb396274e2d3e30d609b4bbda0ae9a0d1851d024c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcUA.exe

Filesize
158KB

MD5
e61c0dd78e232e160136a63475bbaca5

SHA1
3e4333d6919af411749c1bae04992d40688613f2

SHA256
fcb3a66a099c16f3d5dac49bb19ba54477a3a858cb4e3f12b20f3e80e2822dc9

SHA512
1fd064633366d852fc0f5d3934c4e7b4c68de7fd1bdaaa810dc54d17792e9230cea8c814a8ca5544c565c32cf1f073eeb0e90c6a4d6642c8b0860f621bca89cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIo.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aoki.exe

Filesize
137KB

MD5
f606c4b96ab8b936c7a4c26d7ad8d7e1

SHA1
45277347e7ca9369f68976c68647726dc58b197e

SHA256
86553cdea2878f26e9f683cb8dd4168bd5e9e93370ea3306915d90a26a2b6a10

SHA512
ff58e122e9306102350c796a279e728834c900a652f089c270d4659a5ab32833de17e038d0ade97fcd40224c2c35dbb8dac57579fb5c6776ddc1d8aeb37bf63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsAy.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIEgsYgU.bat

Filesize
4B

MD5
1414e9183d2075f9d29c14a734bd2f88

SHA1
c4b5ffecaf81a101e34333e4ce19c153db9ac601

SHA256
188a9cb107e4ac581cc5639837189de0eb94822a7b4a5b25b5086eb4888b723c

SHA512
d1312c70ab50d908a6dd8e2fa3ce5348ff4def189bae5a523d74366c79efd3180f6189ee3f98cb06470785bd45362a521dc87112bfc7fc7be876b924af2605cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByEEUAks.bat

Filesize
4B

MD5
c607c696ead526f15f0573da8acac54f

SHA1
c28afcd540d665c29f4cbbae4847be6493444794

SHA256
cb30e7353706d522c5fd5e25719596ce65a1d9dfaa4d6befb02470a1f143bab0

SHA512
1e91fc5c30d24eeae45999509e8765b8d92bb8ace4690f9870def11fe0f4a690ffbb63e9fae08caa584a1603dcbd40dc99c68b25cca59cdcb64e9bbfb388a0ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIIg.exe

Filesize
235KB

MD5
481ceaaa106953d352d2a28f56de9eea

SHA1
f54462ad0e4e8da3faa7d1bbf2d43856688598c0

SHA256
5b9283a41187d4716d24e04010f27360169a744f85ac7e8d416e69be4e088110

SHA512
2870c8952a1144ecd56589a66c3ae660a2b1a493148476d26ca59b65db5a9d8f38ed7378569f29ded8ebc4c6374209f3f51efeed01a48dc4324db635e4ba7db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKccYwsc.bat

Filesize
4B

MD5
9c0f88990617c3a699493dfcdff8cfc0

SHA1
3c2821f6050a662e838d3b5205e53868a72c10c0

SHA256
24a194eeab16bfa23824a00e9bea9131f52b21b6d44d5526e48f33dc8db5b676

SHA512
bd3e5623640e53274ebb5ea21355d8ef1d7b3c968d470298cd11946b46f61a39e92dc3a5879ce0043cee20259ef6aefcddcb84eaa9a94679d1f24cd07182b4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\COwQoQUw.bat

Filesize
4B

MD5
c4aa4fbb88e2629a0306217223a768cb

SHA1
312b84dac735ee7a65fd05dfca4396cc2f4955a6

SHA256
e53ef0555021ce3b3c9c5f078954eb359bcf941c2946ed4c0299430982976b84

SHA512
6fe9e5d9fbfa66dcd6071ced3ebb28ac81dd32e0e8324a5c5ed77ffe567b5d566253646b3896b42d2735f7351b60c5717d0841c5a0e37cfbd3f11cb9da9bf1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUwAgkUE.bat

Filesize
4B

MD5
962b20b0672106f2139036ebfbeae476

SHA1
f510294ad448bb84f1c32238a999f207c5a763b1

SHA256
fbd6324faa814a8828ad0142156acfef2521fa68133e239a36afa2abfbc22602

SHA512
3a8614b4afb0255865071f3bce16eaf17fddc64dfdb574c2aa8b89072c78107808d88e63151c179bef43240d7bebc645cd0bdde045dc9c470370bf8e24b1d12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWcEIwMg.bat

Filesize
4B

MD5
c4e3bc87da3729bd7f871676b902e59d

SHA1
677edaf6e8c544d9ed7ab59d299a449a1d8a1644

SHA256
3f50915beaf483a1d97c37ea053cceff4b5dcac70a97d7c7aacc73c95be8667e

SHA512
4519b9c765f3f76402b85d6da013bb205d9406123f8e3a94e4612c342fcd9b94fabe73dc369dc6e6e22b43a31b0c792bfdcfed905e032aefa19b3fc1935939dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcEc.exe

Filesize
871KB

MD5
c1ae19715125ebf6a0a9764a4391c34d

SHA1
d1d86723237db4901bab87fcb42b34b9ff0b0620

SHA256
e33b7a7a26080290e640ee1fc6dde3fb59f2a1d84aa64e0d8906214b4b261fda

SHA512
f48d6630e91eab304834cc187a613a1007ae215a13ef593ae5b8c8f696e6463708d66858a76249ce2f8257e6d0f777139973fc3a2dc57542dcaedae057c87ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkMO.exe

Filesize
158KB

MD5
7d7f53c58b8b234d4c4a70a292a38273

SHA1
97f14739017a6975bfa462ddefa46c9824dd0f71

SHA256
6b72c15882720659527cf4a3c1ee8d5ca4894bfb7256ef1ae52016c6c7a1311d

SHA512
0d4105b0bb109925a936e260f544e2d7d3cdd420b19facfef23fef075929e552b669c890747cacd110434798ce8a6f96c32df4542740ace57f5faa1fc5654f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwQc.exe

Filesize
398KB

MD5
d52a19410bf062b3e26832a782f5260d

SHA1
33b7146ff8caee7fca512942f48d7d9f8d6c0473

SHA256
ebfe45a91e779259d137c9ee821f3cd991acd983ae3d89935c9db55b58826513

SHA512
90c315e9ad89383912417f589bdfa885974ce4124cc610c905f1ba20d08751387dbf7c8bf3194e7e35ec410ba2ea739a432145bf7dc0482702dee54662eb437f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAQi.exe

Filesize
157KB

MD5
bbba507ca62cce08e38479b71f8c5323

SHA1
49920fc75988265c5054be1dc15e70f368e1a9d2

SHA256
e60f56fa6a12c935ed0abf7c73c04191fea78a968f189762536b814e6ae5810b

SHA512
6c35e5cd7e7dd445aa1cd54b4b20cb67889e0490467bc0f8aa6c9e417b24066b2d8c3b652844429858d089bd9956ada1e99a62d9e188c7dac638f324a3649712

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIoY.exe

Filesize
157KB

MD5
c4fb96c21d34f40f208129036aa44cd7

SHA1
d57fa9aed8d16127dde289be3183294fa0a3029a

SHA256
9676ec5e21ecd592528f407d76a6a9383d9d6dd589e5b8cece8f5798fe77f040

SHA512
4443a65b7613938ecedd3d4fb9a73279412813c299ccc1b63dc332a99a6558c2a48c33d319871191fa8e2ff635eaa96375c6517c5a83dd2840007e349948a08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUwW.exe

Filesize
690KB

MD5
a43e102a6dc6eeeeebfb4b0ef473c0a8

SHA1
02b0cbed96ee22bc2f82bb323e73e830248a4da4

SHA256
90d6c6c08578c1e25ea2577db72e6827bcf06c06529b1e2f04f52fbfa336605a

SHA512
82a9d521cd97b14297aa87b4f0d4241608ce1b9ef8cd4223954e074f529000921866bd3d5dfb3a5b90713048b970a4e05960f865689d2dbc396a15aca9588cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkMU.exe

Filesize
565KB

MD5
3d3c847041e047d9b260a4ae44490009

SHA1
b2483b2d5964380b72e9789816c853352d28654e

SHA256
fb8f50a1c5662aaece9a40eeb7670df11e708da1a801bf82f21883e693a15939

SHA512
1af8db9bb2fff8547e1c89c09933ca1cc0323f56034614586e5485bf32a40dc498d7f2ea4cf876ff6dc3b322d456abb117ee6e7bcc3b57e753b345d0885974e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOQokEAM.bat

Filesize
4B

MD5
e842c7db8b73a0c9165e2047ebe70d11

SHA1
0263f256319fdd7c62059bb199a4089d92052e25

SHA256
1cbd09cf8950db8b09cc76649466515b7657652c93197e6a782238ba3015affd

SHA512
268f540f87e299272635331b784aca9e93fa4135724f09d319705b8ee9f35eb71a2336532ec62e447a93b6d5f3d0e1103fe88bf9274202832fc5f7959aa1f8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOkAogAE.bat

Filesize
4B

MD5
ff0991b2d2c52cd3223f7c558ff80c7a

SHA1
4762e9f77dc1c88ec794e66a74853f0019f2fd2d

SHA256
d6bdc45119087b11ce46e3b96a4eee66306f04de4b3ee6ea31dafc0138de9604

SHA512
c7ce42408b65962902bcf2a085581897d65d7130cd7aa6f4ab6e12aac3604a51a8f0d3a791868986021f62c69a723ef0386747bdb5d980fd9c76beee4373319b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAEa.exe

Filesize
236KB

MD5
69fbf1974d26c76767345cfeab43d269

SHA1
029a225b57639201ace456c289a3b65e8474938e

SHA256
f51e3cce46658bc7b59ab70a85f3f08810e8b032696b82baaeb92187642e8504

SHA512
45ae3fe780f827b503892d9d41b9cf8e0e281607d85fbeb6a435e60d601ea1417b649b9e2375ab0bd0570fa2ef5b49f32f9ea984f7d0c325009e057486f38b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAUg.exe

Filesize
157KB

MD5
610de8e82210f622a1ab6e149188bdd9

SHA1
2275636b971cb35e44a5354560a902b6b0c05e29

SHA256
5ed50c1aabbacba7ed8910d61dd8a13789b723c4bb0cf959d52f8a4918aa79d3

SHA512
30984222cb4424ebefc182de8bfa32b2aa1a600c7105fece903edf356a58efbfd4fc739944cbbfe0827bc8db7ba53ae8d92d5811953452c74a16819d37f29496

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcsk.exe

Filesize
148KB

MD5
e8dab11dd877f6bf262c54ab32bf1db8

SHA1
11a6b743219ad3b48c2616c8ae4b1b787c5182b0

SHA256
a2a31d99920d89ac1db1f4fb5747dcb4b9f935cf3bd7b43ffbc26bb7210c1d17

SHA512
bfdd729174756f9b509c3b5f6e1e4611612dcecd3d4ef7e03053b9695ec99a1e4a8f25ddbdca9eec72fbf938cd4811e355968e595e8f8977ff8837c1a32e2894

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgMi.exe

Filesize
159KB

MD5
d82302bbe0d1fca58eac07f7532cb7af

SHA1
f928402f98e14046a9fa5b5dbad7d4c507c943d9

SHA256
9e02c869eff1208cd147207e860c53140a3d6b8fefcba807c008e59fc5d82878

SHA512
78bd0f0b0cfb8e842f37219a339718d81e7d4ddc4533ea7beca96e49dcce748bbb0ce46402f610085e7416e7b2970753e0cc6d4d4251d7713179ab8072842f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoYI.ico

Filesize
4KB

MD5
0e6408f4ba9fb33f0506d55e083428c7

SHA1
48f17bb29dcd3b6855bf37e946ffad862ee39053

SHA256
fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67

SHA512
e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914

Download Submit
C:\Users\Admin\AppData\Local\Temp\GskckIwc.bat

Filesize
4B

MD5
b2499f4b803f73c779718b5eb4bc6923

SHA1
dea0472bab79ccb2ffd9ac07ab907b423050075e

SHA256
4c34a49e829252097e6e083e17f26262e1673ba53e7614245269674f391a0f79

SHA512
56f924f1b5145757194964b519ad37e61dd76bdb5a7753366954c8018cc391b497b5489a1e2d296c331b9e380170e22117788ba4eb367a2909ae445700a25df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HaYEMwoc.bat

Filesize
4B

MD5
0e236fabcaf0e2c7066d45f23a205016

SHA1
c09267a9bf48361e695ff1f75b1f6b0ab8f2d7f4

SHA256
17f249b0aacabbd6ce93987d6070fb861aac536f80fc45bf5f75bc6b98d213f1

SHA512
598fc23dbb170d22be19f150ea323013dfb49b78658099772a10ccadfaa918ef5c2cea0442cb3a5c4c87f1464ed736e4cfda2895b686d007e86ce7ca9113c3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IOcoQEcI.bat

Filesize
4B

MD5
c77eb950d0c7bc02df105e395e398798

SHA1
a18a9499de53032043ff324f3475dc03eaafa9a4

SHA256
118b89e1d40d5cf1d8f1ce7c4ecdaec36c680c2bab9e802e1cd08baf4e2465ff

SHA512
69e7107cc8feb2adb9735d7712f30fc029e79881348e313da7282cb7b4d084972f8aea9657544a27d1138a14f0b381f043bfb1dfe9c356cf0cabded93f331cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYoU.exe

Filesize
158KB

MD5
17bcbce1c0adcad11d5b3b60be732f56

SHA1
5890e1ab9263b93ae8268b8bb9b64a291cb14772

SHA256
d90d05442c2c287d7f09ee04b9d34a4097bd80d10847aaddff9af92b9e68ad3f

SHA512
d3da968fd4ce92a3e3edaf7f9b49a57d06e2626e9322f62aa05bd073d4e4d1550248223020f7e9d21fe4145a7b2707e5fd5df09635260dff0ac2d62aedebe3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImIEQsUE.bat

Filesize
4B

MD5
e5f2b25e5c197161ce738a7895fc7531

SHA1
f34f65a96abba994d28372870ae8eb14d09db329

SHA256
390a66201b203232e26e691687ecf0ed8a6a42e139a6eb7848b1d08bd95bfe27

SHA512
52a18e927fe7253ec7b8f35c1dc84fcd428689f99e1d05645b8a00adf933456314c946ba4a4b6e650e985b2b7f63e83cd148daf9eea1eeb34043945ffa811b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOwQsgYk.bat

Filesize
4B

MD5
31b877abad16e6e1dccfed917ef8a794

SHA1
076c549fbf5f0c8202c198b2bbf36ed60e25e306

SHA256
6754d35ed8aad7bc305e066c6a8f84df01a2514182ca4f8f3121fabaeea58cdd

SHA512
8b6ba7fa7104470b4ef494b13a5a620fe973cb3f812f124fb6f6ce7adc63116a7e21644ee186b23e14dfee77d7ea8a076679de3c53743e0eb0259043893c87a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKAwcoYE.bat

Filesize
4B

MD5
1736855fea198cbd08ea949183e147ca

SHA1
654d25b25324a644ea056234c68c7fb77629c24d

SHA256
c2c45896a6b212e895ca95e24ca51c795da8daefa2d0a32a03442c34f3394507

SHA512
78c7fd3f31b01f95358bd2b2a39bdf94ee456a304925aa34716e89a647b705e5953141d2b7dd7e4ad59ba71b378ce25d107962f2c6b2c70a58e30037eb66edbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUUg.exe

Filesize
159KB

MD5
91227242c94aade40e90c1394deaab8d

SHA1
036a6152011aa56490bb46397277b42d30014c2a

SHA256
771edfb45c9f8ebb5b7d7b5d5b0717eb97c0e8e9754816955a7ccd12c3c82cfe

SHA512
b6c5a360ea53772287db1e1afcaddbbbee810517f7dbfc67e1bd8b2348fea2a626933c588661ee4ff4cda973761b0cb9b24c85e5599d2bdfa9794f8fd261ddea

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcUA.exe

Filesize
158KB

MD5
3115b111291340abe6d3abff3a188364

SHA1
767424d1b86cb15f1298c4b14f7422a90599d208

SHA256
7dd7fae2ef22f0f01f01d4ccb49bb9236f8b7f9eaba410f47eae9e73f1922ff2

SHA512
2d9bf9e31d2f4b9ec2fa22318e7ebc4dcda278a5f7e08b8c62ac174f332b7eee27bb6507d93d85ac0b5bf2727bb2298f925e265dabab683ad2a1210a93e67ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmkEgcMA.bat

Filesize
4B

MD5
f526c5eea1217ea1f92ae6ecdf5f3ddd

SHA1
df342b6767cacc14ad8beb338bc651f20c890c9b

SHA256
11b7e0e675c16702d43ad9279d3bf038376cf84a8f448ea4e479de7811309219

SHA512
54bc75f6120899cf4243e657a696a22ff78e49381318ce4d7e6d6325c18457e83d6fa6cbf83ef567d3d06d2f17984f098a6200b977b9bf195bab7b1236007f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwsa.exe

Filesize
606KB

MD5
74d81146ea22d6bcf6e863714fd22104

SHA1
2c96c29a6214d6eaffabd97dbc07f0b19ef7bb67

SHA256
e5842d2c5f29060cf1b513d798a953f38f29517ce24242b27d1d1fe9a0f1a75a

SHA512
4ab597f08067e6a99fb8746382a4ac5ad4449f571d493a06d4714a0401fe2b6b9521f185c6859ad6bc565203dc1f0209c8b6982c2821eb91d8ba001e53f5c06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAcw.exe

Filesize
235KB

MD5
fb8d826b45b56a92df1e3b302f06e256

SHA1
4602a027f479fb27e2610a96fa50828152b2ae63

SHA256
80fee53527ba0e357e5e1e0ed182c1f945acd56455a170d8b2cce56aeabce63b

SHA512
7e6c8987e743180b08d42471fd19d8e0edfba8f442ce3fec0d067245bea021c9fc8860881b07ec886d5d795c4f9d3d4470e24cec1682962697842b1ade46fc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMQW.exe

Filesize
497KB

MD5
71e0f8b8e1a49ece76fad29c8f4ef02c

SHA1
e972951fe2de60ce10a4e4139cc80d53ba607117

SHA256
c702ece6dae714e1fa44066f674d60304f8f04c43232795be7c93804ce1a5e4d

SHA512
147530560f44961990b739efeb21eb486f672b9a9663a7cbcbd05511ef9c9966bccebd32d9962805a4d18ec4cd45f5e89e8fc0b11a2c33a22d8e7f07032b3f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYUwEEYo.bat

Filesize
4B

MD5
3aefb3563d9d5559625038a6aff65219

SHA1
33291c871c65f1f45ca9b2a061477d8c062df8aa

SHA256
14fb50e1a535f2d6869379ba33d17916b556fef0444f95dfdc9bb1e6b8a46329

SHA512
886ae24d433f0c717d3b695c9704910d29166c0817550085aa02bdd01bda1ff2358c4b89e99646011d833ca6f54b7984c1503efcf50b585f2e687731f287cc24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYoA.exe

Filesize
158KB

MD5
946c7cede220c47963ae66b3dbbd124a

SHA1
196a27164d4bb69831004ed3b941833d1cd81ffb

SHA256
b2d73bc2361f583c78550a9427e64f879b05dd4b1d09ee306a071a7180bbd371

SHA512
89b614673bae9bd6c3d2423b004c9bdeb0082ff09124af21c8ec0fe74a5317d4919d18dd6dbbec7b08faca759ac6a8942b9c29ad4cc161702d67ef19a579ca9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYoa.exe

Filesize
969KB

MD5
7c54bf155c67b679f538501bb976a81e

SHA1
2ba2aae63398279b106f673137d2f583d2877ec3

SHA256
11b9f8c479eb94e5475f6980df30297e1c4db9e60af34137d5199dfdc1647c4a

SHA512
3ffba5128af18d77230446f0bb97841eebfb342dbdb7252bc9e0407aba238a9a01f34f9b134213e3bdc739b2b9c0496b84cdbe8059734eb80ebaab05f8ab363f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MckQ.exe

Filesize
157KB

MD5
cbe99540546ca5362d02f42b835f47e9

SHA1
c47931e19cf87627ea63f834a186f7ab9da003d7

SHA256
efac4a2152faefcfa6a17168a08fa1b2f119d48a5fa131f95c2d794b6ed89e2a

SHA512
ae10196613693be9076844d87063b3b4e1d58187d762c26183e11f81c1eb380338d7b33ec0c7af30eecc0b98ad67e4a40cc4aa21d4ff983f133834b9a2a4bbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkAc.exe

Filesize
868KB

MD5
5056e6d9b4d382d02fd0a53ba6e716a6

SHA1
d263cd87b1747659cbd1df35f643b8b3ea7fa3ec

SHA256
9e8df24ef97049cd9bc973386a9d7b85e4bf50990ec06341e38722608a24e1b3

SHA512
854bd460bef596e9981c202db441ff3d18b89ed8803bb8e90898405bc2df1870bf25f5080eec288ac7f357c96086d693b74333dec84d56d38591d0e92684c3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoEK.exe

Filesize
641KB

MD5
bb7162ccd1fc0eb3cad4465c41a4fc83

SHA1
a554e43526617122e94843a60e00132f65aab204

SHA256
030048f90bf1bf20a0219119e095fe74962fb9ebf594b1d145d4ba337937010a

SHA512
84c2eb60eaa66649656b64ba7469532d7566216b86bd075e0f299970fc954f4e95c3816713c10ef394b91e3ceead5e7f98c66514a7f1f33bbfe1b6d840714b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoMU.exe

Filesize
160KB

MD5
67f8a7ff68f854075ff1a4237ece30a6

SHA1
bd0eda3f5400d903725182efb73031f4112801f9

SHA256
64b06f2784f017a120070c8830d13a4c5c9de530ffcc4685a5e212357d1c1d63

SHA512
419c370a6d5e4213b76d96c33ab56c84d2792f721f678ef5415e05c9ddc10d3ebc2a987273ac4b39b16ad9198d24367468dab2eca9580c61f318b1326842398f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mwko.exe

Filesize
159KB

MD5
d9fc94c3fdc904550e0e6bd879cd102e

SHA1
d8de810fedb0b4ce638be8adb8708dd69f6af662

SHA256
c9323dae8ad87203cc94dd63596cf43636220dfe74308a72e068b4ade79677f1

SHA512
f5704a2753457296dff44a2a45b62658c2815266b7538cff1b9d8d61435d815abcc2dcb082f1d9c4fd1fce0c76ea61dc5a31ad6891ac50674e144b74588c38e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWsgcMQk.bat

Filesize
4B

MD5
5bb0e0dd67df0ce0b71eec281056e48b

SHA1
3041a7120b3a87afb5aee251cd2816de143ea770

SHA256
9f3981dfa638026b1f4a670a0d35b2f10bb6b705ce68a37eaa0ee9361804b2bd

SHA512
23151207533e1519139f4f9f8c38dbecc66be65d41d39585a73b6e6701c60c6a3731ac207fb595d921b34228b754610390714850e5c9dfb6bdf5e8b07636b080

Download Submit
C:\Users\Admin\AppData\Local\Temp\NasEYcQU.bat

Filesize
4B

MD5
c4a8843b991169bce24a24fdb16df9eb

SHA1
8328a5ee99d90395fcce4c9f8eadbc6ffde19204

SHA256
ca1bcb219975ed5f762aca514ea2c4316b33a37394b2a363bb230906ac9dc39f

SHA512
d8be60352e1d2ff50f82db25e25e101ff20478277d74c2af866c7960bff898189d918556cafb29bdbf6e74667f050b907f00a538b83511ceeb1bf32e6e54a35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAIg.exe

Filesize
158KB

MD5
e8a87ee226edd1261ecd44d0944852cf

SHA1
1cf178577d8e60731f09196cf7856aedd2db1067

SHA256
7f48c9083fdc771a16f56e13bd4a638e48022ba24cd1c5a4be7adbef8213f637

SHA512
8a881cfa019282603d27b8a33b0948dafdf51ca7ea89ad9eb6d6df9ed27d538e3c741a8920f80f8e71b4298238f82d64c4e070c71ca6b456a5a43c8a24225127

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAYswAgY.bat

Filesize
4B

MD5
fb2d67b63b9a81a831bda17f2afad1ed

SHA1
2e34c70883daad432d94d08cdf62e3cac17aaef2

SHA256
88c247de92b1cf4dc1393c673b6dedb979ee599920645d59b7e7aec4c9b9ffa3

SHA512
73ce181b3a98d43dcc41537289baa448b35917d0a58fe949394b0181dfe76b555975accd3fc7dbdb7c591211145f015ab71407393b6e1babf6714b725cceec46

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEoy.exe

Filesize
141KB

MD5
85250ca9304a50f1d6bfcec6ea21124e

SHA1
c9aced67ff52bf266280add35f7b09df6b529302

SHA256
2e6a3ee9f14dd08ffdc8c0ebea53f335480c567ccf3d3cff469e11635f67afe5

SHA512
44a00274a1b09d7367b18ca893f2ea05c63f37e18253dbf56b48e614d512d786af5678a8d5d5315779f860d8fd0c1bf459e82af83d0edee1415a6e31dc0b3369

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIEs.exe

Filesize
139KB

MD5
7e6e687b6a22915aa3f05ac0ee8f3633

SHA1
07090531b3dd4884e0d5351a34aeaf3c0ac89df3

SHA256
c1a4aa9ce877883c682b672d74135bf39be6a424c1cdbd6221616ded7a3fe0b0

SHA512
8d973277e6e8c1d52bd2e8ac1c4927a640d0027702ec300f0c9a5aad9a9424a27cb50d286644bda3c3abfbb6b3ac4acef007b926a1c1fb6bb7e4d393b501c0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUoQ.exe

Filesize
156KB

MD5
91d209eac64cc6980781ec05df009507

SHA1
e155c8905dd9411efad6546ff5479763396412d3

SHA256
36221053fd582c8e1f48571957250dc77f02751a8ae7cae8a1e7d6a6394feb8c

SHA512
0bb49b9d5a31fba0ba93ec8ada408788f9b98732d45c1018fe2fe84f8ea07be12efbe90ed29110bb911ae391766cb9a36725b2f9b70dc3b8de62cda9a93d7482

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYkssQsM.bat

Filesize
4B

MD5
b7c69aacfc618aeb18e0f797b22f1d6c

SHA1
05bc7caef7bdaf7bba8020b2b43613188eabda76

SHA256
e12a06ef2fb9d5bacd44d979a1a7522547d651890c05a362d0179aeb4964bc30

SHA512
5968acb9689f7fceabedc9786f003996decf4b114b38d8476fe4a30c1b1841e61c75175ed42baa8197b94634f3f06779229cf7d0c8f78b63033d321d83318389

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcMG.exe

Filesize
157KB

MD5
64bd13fb7f2ce32865534b1c237fd17d

SHA1
20a46e33b00de0f92a113fd8c0c61f71cf2aa412

SHA256
8d0d4483e6e25330e15648e7479c6de7b283fb160deb6f7745930004f2fff4c8

SHA512
f0df35cd37b8d5ac65a7385854a5c38b851a1a17b631471ebf843482d12a8e5cd0c3830bf95ade2b30e99e6247e0f803c69a1285865258a2127cba7085cb3a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\PWckAIcU.bat

Filesize
4B

MD5
eead02b2d16eecd67fb019b580a7ca44

SHA1
901d05bc8bc974d4f5bb8ce7fcb37033de0aae10

SHA256
b3fe97d9a26ef2d279fc3afdda6d5fd5cd8eef382b31906f86b032461b679514

SHA512
734cf9aa98de5301f68d289b1857910800477aab5c852b2c44df05f41ef85a92d87eed3dd2f9b5a63b99c5cfd3edf31673b229a448f7e5bfb3a8f6002fcf22fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIsE.exe

Filesize
159KB

MD5
2e2dfc22ec8236b83225312d122d09ef

SHA1
2d9a261e7d509e98fa2a851509dd2a4dbed1c4f1

SHA256
8a148610f584017bcb0d931ca5eea5ad1495784afc24c03caead67582e62cda1

SHA512
fa037ca0197d9003ee88107dfc0109c9b1c456dfbd64a1da928426ccb7fe5cfdbca45df752a63c3f54f2b9b233268f5d8304b86505e8cfa320606c51e992e1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwgg.exe

Filesize
160KB

MD5
16f6c9e234aa493417bbb207d88e2071

SHA1
45a514de84a401ebf9294f2d5584f92c233cded9

SHA256
6ce54d597315b49d5a6e67df8e04e93d20fe30b6291b04e7b4b2b2b8ae419c8c

SHA512
bb2d99d69a4ab0889a992bd62a5453dbef257456cdae6d3a5b93ce5369ead8991deda256c80c6f429864978e0e729bcb2d714aab16ba6cfbd2d8852a2f4c0b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwMUMUoA.bat

Filesize
4B

MD5
5a8dfe4fe622f12abaca619ecc1920dc

SHA1
08fffcb9064ef59ed0fe819c970aa2e0070e4162

SHA256
47c2fdc0e7ea8f391ac9619752b1bc8428c39495b155d673697b620eb51d9127

SHA512
df64277dac9573b87367b010044f385ff9b57825100ddc21d7998bdb2fe12d790c6133092ce4d4b4b21d9d845fafecc42842931bf717817ccae75bdc1e42349d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIks.exe

Filesize
387KB

MD5
73b82e97ec85c4181afcb8e7375dca5f

SHA1
051b0fb96260e2ef5c7abc5cfa53fdbbce407989

SHA256
7aa258c1b610795fc55ffb8e554259cfed290f36445927d4a6076b0fad57fe5d

SHA512
e55e968a01005c695693a4ce6326ad68e05d39d14b92b0f3d5f323ca784f1b7b7453a9eff09cfbd2e8d195860c9d970d77f239578009c60ee140f4537a98ff34

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKoQgwMc.bat

Filesize
4B

MD5
e53666e8f454687f14976b492d8c3515

SHA1
d30a9de5ef14f3bf0079c9cff3fb66d0aa0277b4

SHA256
e8f46319506a860ea1ee6c20098607e4aa69d7f2ba396ab3b72994ca4c41db09

SHA512
a8a226ee087d2f469154e95ab768f66216ea8b097157c0f148bd3bd8002a835a9fd24ac3f965e3135b8fb752731e2741713e81d1364594a66b87433f4f36e5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYQAQsgY.bat

Filesize
4B

MD5
5cc8bf1f5f95cc20372dbd93f8a1cf4c

SHA1
c8ba584685fe2080f8004cbac792845b4d00991c

SHA256
76910889350d799c8e5776e4aa81a7e51e9f331024403b86c9a5b024497fc9c2

SHA512
edfeeedc760d44baf58e87fc001041ea438661e71d5ca444fd3e182e5c22aa985fd105f25108cfcf995d667b1d9484c3ed74ba5a1a711b25d78511534a2debc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sccq.exe

Filesize
148KB

MD5
978883f0982e34678365a7707fdbfa25

SHA1
791c0e1381e2f0dfb7e1e9a150ea20ce5af84c29

SHA256
321ea7a7afd0322008b88cfead02b2be28a25658a2967e64c3a9d768f4368715

SHA512
f8650ddbe2bff46dd9ac58bcf697d9efe178351f7a024cf95858cfbbfbd2b644e8c099d9ba6fd2e7c519e570e65ead92224f98b6eb7d29501cbc193046c855f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgcm.exe

Filesize
870KB

MD5
8baec2ba4025d1308b4e53e56c559bde

SHA1
cd158b2910a237ba3929f5ef457b698325ce53ce

SHA256
0fcfd30d5a8c03f299c3f57c306de8e046ecee732cfdde8b709b1d876e25cb54

SHA512
ba8e81922c659f243fee59544bd1817f5cfe5d34f63806df5eee6880d5c3039dcf06b72b6b50071e994ce5aa539342ad7a0883c3138f575d8e5d230c99654f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkEi.exe

Filesize
158KB

MD5
348a422cc7028c374b54134042fe6041

SHA1
4a3d2de6ffa9225dba111b5dd2159c5a294240d2

SHA256
eddbece7e286e73f5a566561d6c7c7f14ecd4b5fc9d64f276eb6078527eeb734

SHA512
c3c9ef4872cf69f2da31be9968be0a0c199be7d44a9db4b16160eb90fe8a3ba78d00dac26059415e2af36a9b00253ee57377929c4ca62e46009cf2f9fc1c767c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoowckEw.bat

Filesize
4B

MD5
54d39940045dbd51c37cd2cfb6324b27

SHA1
0d6265a48d6de6e001d112c6bfae7c41b34e826e

SHA256
3afdffc9f3cb8be6257096fadcb6f0710cb8edbb9a5136217be91df5b051064b

SHA512
e93431dff78b220390b46ba175a55e0555b01a938d715d3249452284ceac09d88f9ff58c2908f88f9ab18514a866fdd1316d0423fa36c3c612fd3479eec383b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TukwoYIU.bat

Filesize
4B

MD5
c835692efa0b108a04a8781f8285e081

SHA1
16e2c0d8309b7ac616322743b99eb9acfe82584a

SHA256
c8fdc0cad25e28bf942736926aebdb1f77d7d73252c677eab7853661adffae48

SHA512
b03ca99c881d8a07e186fd6d77e014304048545c370a04ae4eee36dbc5b538738d482dec88100755b6c332a575d4949a870a4a99c8066d23998bf7f39b6c117d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGMkkkUA.bat

Filesize
4B

MD5
3fe0b5e328069fbef5f95126d5dac19c

SHA1
594a6273ee034f7949bee3d1e303825ba000f7a4

SHA256
66f35b864dd67bfc4adeb88e36816d8093c1defd721cf2858dcaf3e3f80eca5a

SHA512
9a08f2f574f2dce59d3eba33ff695b21e3d52f5d1efc4cccd7ae77ffedede011bf059def55c53223d7cd8c5c899f87f468ecd4bb009d443c00a2f8312d73e624

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMccAgkI.bat

Filesize
4B

MD5
e9332ca02bcca084e24339856606aeb8

SHA1
c056c2430b3fd74987a2229fccdda3095ec47c76

SHA256
df2a8b2df93ec456effdb9eae207b197cea88b4cb07fd00e266c9312ec82f4e9

SHA512
b4d9c336822ea88dcb967bbfef331dd534e8d7bfaea0ba280ba04efffbea148011d89c262d93e153f3d812698cee172120017e94e4525b02b5ef79fdd671208e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUAO.exe

Filesize
159KB

MD5
786df98332ddd8166ffaacef5d04293f

SHA1
382ee9d77571144fe62c6c9ce9febd4d8df010a7

SHA256
cf0c87a1a98d9ebda559f9c3cef98a37f52b4090ff8e4033f2ed06d954a94139

SHA512
27ec88431efe98fa1f72d0c95fbd2f181c6bff2e55637f1c811c562e66aef2b54dc2290717b9179d3acac10c6b80be57430e8f88793dd7d9f6bb3c037540c6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUAi.exe

Filesize
159KB

MD5
8d48b38806e0b8838021c03878b7b16d

SHA1
282926d236b13ddae28cd129b63b6bd46cf7811d

SHA256
4de6655c0e7d4970cda6b538f6ebd26d6fbb40d4e2ad05b10bc2edc7b53cec04

SHA512
8259a7ea46e2837f676a0bb330598759e813bdae6d1b99c8e530dec9df6f37a0e64add60c4628e478735324f5890f2117cc8de1167f297a7d02eece1a8d4ec80

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUMa.exe

Filesize
158KB

MD5
da5965f0bc1097625d7df35a0f9bb46f

SHA1
79d73504ac86c840e7eb1077571fd0e45d991c5b

SHA256
1f940d2bf0a50801c5990efabf0336f8d234897bd22d97d6e39e57c4e42dd3cc

SHA512
564195526cba2f0e763f30fc2b4817c0030d276f1e99cc03b8a57d37e49ab476d9783b9815fd55ceb55f9eb9dfff1d569f72b8e78da3e5f8a95c38ec2f92f1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uckm.exe

Filesize
157KB

MD5
1e8c78b19b74017657405aefcacee4aa

SHA1
f1f0cfaed8cbaa191eed74c65f18f37cd9cd6c07

SHA256
63091fa0847aee6b23a3f42c670f7724d41a8f21a503c119cad6f933e6de2c85

SHA512
912ac8c2982657937752ba4fba392ae3e9182deee9e0926ef8f55a0f628b06fe346fec1e9f86e604497fcf264773c13a19d0fb7f2cf3b06f510b1e1eb3f999b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uooa.exe

Filesize
159KB

MD5
f6009ed02385409791816187b126c1ca

SHA1
a7e6edaedf503f1039edaa0acd9395f578423c63

SHA256
265b2c52e37e96f58a5ad283eee3ede7ea9c91d12d9ff104f93e01eb00caacfa

SHA512
2438acb484b2c9c6b10ccb50b44d0fbce36a9ae2778b3ac63a759c9203bf49f4eb2d19e3ae57652edb71a9b9d8549ea47342a33eb9913a08ef0bf52e4d8dfe0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoQcMskc.bat

Filesize
4B

MD5
61e84328c102d1675679ef4ef97c68a4

SHA1
c8535175d79dd368db636b6cd6ef7edc8bfb6b1d

SHA256
b0e7d4c78046cd16b8ba0c389d7e1769062c382f4e4885b6bc01b52d6546125a

SHA512
fec573dbc331c03b9d0586f78a118ce91bf1589ae1c3e1a749d4989aeae14abf66b7655bab4f2b54459afe57b6a0272918ed6578865fe85162862763a4055107

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQYM.exe

Filesize
160KB

MD5
24917d472fab1c535b65f024c2fc37b8

SHA1
d797a8f6fec33b5df67bcb2ef392416cbb50a0bc

SHA256
a2546c3795fea99da4cf98f9927d6cbd0fc1e32cc129c47cba8efdd289a08f2c

SHA512
50261ac3e87b046f2e0e2397837f3ccffc50990071d7eba9c9a2b69b6b244297feec66862c8974b699daea5b7ea51823f0b4d6f3733a3b9bc3d2b35c4277659f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQkK.exe

Filesize
157KB

MD5
bc513c701348cdc037f0a38b43084a6f

SHA1
be158af47ee9a78d4291b30004ba19dc73f2d878

SHA256
38de86fa42a4862f95e968555e4cfae94433aa851096051789eb20f54700f4ab

SHA512
7c80cb48a825feb17438c83c3fa4647f61d1f1be0acd036f1d135a7c1563560421a03867572cf6d08c49e1e31bd8445d37b400219466776dca83f75fd48fb7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUQm.exe

Filesize
158KB

MD5
f6b114859397c9da70be237551003428

SHA1
f735edf93062c967d5dbe0542b58e7649a916785

SHA256
63d2874cbfd3fa6994f2c242c228048a9554b2673feb70ddc254eed4ae850d98

SHA512
fc5a63bb80012bd9a387ab641bc92685a95c69c9be458c45ca832ae68e2a0d4b518338caab2607cf993ae15408361bf311788e51988ff54ca8586b062e652547

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoUgoEwQ.bat

Filesize
4B

MD5
dba25f33179bb78bee966b6c7810ca20

SHA1
0836c4982bbee0f5143884041867e70b26065682

SHA256
b72822455cfd1a8b2ca3ad2ba7ab901f5e84ea5dd6905006bf177eee47a19a14

SHA512
cd04cd999d8091bbe501915d4913b1a95f80e02a1612b74687e73063a272ed4d5855beb82cfcde179ef2abe81cf956d7d715871e8f4f25268b10cc2479ca80aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAEkQoMQ.bat

Filesize
4B

MD5
d2c05f3a592e576e588e14859c2807c9

SHA1
3871adbd30989c08efa82775479c1d803a7b1573

SHA256
bebe0b73c5d201764e43ea499a9b23077d572dfe604be35253873f7fe607607e

SHA512
23cdab51a59f8c72ef03f008a1d5c5b7df204ebec0f41ff4b05665be073ab0ed211809867c726db9af35bd96cf3093277d136969c4382037858917fe7d3d2056

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAEy.exe

Filesize
157KB

MD5
d4b59f9438d60a08b41612b8967c7063

SHA1
02000b555429c3956a3ae068ce32faffbf00c264

SHA256
add59c0d49a8656e0e2765fae1cd68beb10a96d307be0908f4dc31c8be0837ac

SHA512
eebc002d95670486f9bbc42e111e9d7335688fcc308d2cf16c2b25f4854e21ae7130c17be52b487cb36d6a57f9cd5167567adfd191a2cafbd4e4abe805cbbe91

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIEa.exe

Filesize
744KB

MD5
e7fdf0abe0015100459603929a3b0d1a

SHA1
3d7e1a11ff5d55933b74732d0fbf09918fb31ddd

SHA256
bcd246309aa34177ea295eea399b8f26e901784b7089c3398a08c80c5322bded

SHA512
95725d19731fbdc41a1ee027ca82390237e82ed99eab7ff90e82ac58144ce04dd7ebdefb3e841b472d134ba8b132ea934c8ea06db350866742b7c269a8d3a920

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUIW.exe

Filesize
156KB

MD5
e5e0de81d09415d9de48adaf1cc1ae29

SHA1
6743e785b42452f5edc385e72549a6e08136145e

SHA256
6dda11ddfce45b786e838aa5a5012ff59ea574d6884e1a52a76f2878bf28b4fd

SHA512
eb14f7e09a6fa44ceb8c456ee7bf7378814456d11973e6a0404fc1461126f818f0211942dd83bc4e53fd03b6dab5193a5b5b257a79fb08745449af6acba1e4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYUy.exe

Filesize
572KB

MD5
4779cbecf35d785e5f66059de378761b

SHA1
d4417fa511e63e0fda60fbdbb3e91a02203d6014

SHA256
a957290d756282d08073c03a4b4edfb42d37b0958f5ff6aa8e7d05e1c3248e49

SHA512
2b48182436d33eb4c54a2daba1a56b677f6325a3b85076b645deefcd6026b47c3af3d373b8d43ede6057ffc5d2e98aa0b959fa7f06081b53cc58ba84b63dcdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcEY.exe

Filesize
159KB

MD5
6c789c18a3e36eb1bc250a39853100e5

SHA1
d3ca932bf8f965196a479ac279b123b80a228d5c

SHA256
d7d0ea396ddb127dc3654a25852306d187ddc2043060ec072c48f00a75595495

SHA512
946faf41d7ff6a16e4852e705b419790cfe93dd1dc8fff81270de40ce3894a9baed4fc521bbec35eb7a636be088991d6c8934a8c5b9518360fef1378e986a82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoIW.exe

Filesize
158KB

MD5
62e4d8c8435c7e1cd2f446e6fd63aa67

SHA1
94e34accc28424c7bf9379f8267dad687d34139c

SHA256
42659449f36c6c0b152079fa7f0096099718bc29f6d72bcf5f299d2cd05e279d

SHA512
8f343c7e08659915c6f1a7d440046e45eda052174a1e8c282ba8073d055fd47782d6cfb53d04f5bfc5126331d6f54d85b33888940161125d982341104ef3e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZGwMUoEA.bat

Filesize
4B

MD5
d431cfff57d6e7af594666008a93b228

SHA1
e9cbfe0b95a2cc9e04750e1ba763bbf5b4099ab1

SHA256
75fb66e011e0eea9738dd80105563d7b89d1bf367406e717a6284d70b0ea48ab

SHA512
b5c00d34817b7f807cfc0dacd1163c4d0662318e5b8f743ef60fa95422f91af6fc94e1af53a80cf30376ca257a10bfbdebe856c1b3f0eed1d6e601f9c023b020

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUkgQYsM.bat

Filesize
4B

MD5
2a112a1d172d3ebc9095da6887418432

SHA1
e3b08543a2f88929b267a20d80debbfaaadc8c08

SHA256
1544eb5a4037646b3c67b3e7463001c7f79b4c339fecbaa2351f0023911956ac

SHA512
321b20c4081a9857e06e273745cd892f1752b0e45090070973edd77b2d7bfe4502e52bf39bb118159d3343d41b52d9c8fc8eeead0ceddda871bcc19c26a5839d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZooMsgUg.bat

Filesize
4B

MD5
b3e1bc9f46cdd36e9ac4c563df55b871

SHA1
20f864d39b3444fb52ffdca5d738ee95795a52ab

SHA256
df2bfca90da4f84a8e86f298b3c7e8a692c893c7a46217935ea0ce93649e5c11

SHA512
b1d4aeb248b723ebfee8c65b9bda6b5bd834f6900141b2769ac0cab6da98961c98f20fd669a2f4696e6b28a2983b962b2791156223e72af275aa0dd2ab9ec019

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZqgEwYMU.bat

Filesize
4B

MD5
3e6ca975997f32490bd139651cc8f12d

SHA1
eb45a83c142e4ffd6ddd6f872c905b990314b00b

SHA256
cbee901c60607f95570e63e8054a81bbe6a3879d3d03b3cf25d6f9217907f591

SHA512
6e400973dd1b31dc8e2bf0eb413a27b959814702a77aac9d3e59f4bf46f981b6dd82b3a51c05d60599a4518321f08ec96508e84cd4aae7b83cacfb972297d97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aGscoscQ.bat

Filesize
4B

MD5
df8c9ef9457588e8e5cd9fbefac40460

SHA1
4f2f609fe7c49fd1beaf189f3656397b64c99e18

SHA256
1460c159649e0cd49168040b0f9755d82fa724a98efd8c4d51fc8f4708445e93

SHA512
b06c7715bfad59f2df2ebbc6968358eb194b3568ffdffd8c46da329c5bd22ab0d6fd4d6513d3c3fa16cc34309f210a87f5defe86be557ef1b1a0383a0acee682

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQkA.exe

Filesize
8.1MB

MD5
6a081a7e6487db12e930c6f0e4224be6

SHA1
96699e421b15b6489d25642603b8650c8321c868

SHA256
a45c8a3cb556a92275f9d15161a4660f32fba400c6aebf374c645e0f068cbb70

SHA512
a8ce88b7659dd26e55ffaaf90ae67218a430fbd87a49425ae8243a3ac98675ce2bef00a54780e384b9aef922d09941676b994fb57a61265194937d12ab46cd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\acAG.exe

Filesize
446KB

MD5
6dd72a0a1ed00e79086ad6c3ac2c3159

SHA1
0dee01a43b61a7d468e79a248b2be45580d7dde9

SHA256
30d00d6b7ad9b25ec86b1ed7654407916097db823167c1da7c1afd55e61a52f9

SHA512
7683598e720c2bbf529447b1bb4905f1b9a6f268a8ea22ee62ca903ec344e13b70b1427fa0f3de50579663418487a2fd03dd2c9b2afd39d5004e65685f9d7933

Download Submit
C:\Users\Admin\AppData\Local\Temp\acoE.exe

Filesize
159KB

MD5
fb76eb2dfdb04e457f6acc57be299fe5

SHA1
901b8de50389b495b1fe2d5e6582fe2ae62507be

SHA256
fe8686fffc3a9c5a427e36da9ef0390f94406fb0ccc20e5ad185fc524f1e4cac

SHA512
caa6dfaadc6cf6ba776a6ffe828bcd6b3ed994bfee1f43d1633c2d83226363702078fb7f4c8d761d807ac5413c4f8631fb51fa60083cf7cac3dc21a5cbac8e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\aokO.exe

Filesize
364KB

MD5
8c5585b7649f31ee50d44c1829d39cde

SHA1
04cd4b8908bd90a5030e0e292b1643d459421890

SHA256
a5fcda702efd48c2e47620033bcea7ff2b69058c9e0866cfc0d78c50e6326dca

SHA512
673f8be3bae166d964ccd5a2eecf10cab9276d96c9802e6daa0154d95cf3f0d0cc2367bdf01d7516e2783a06eb5340ddedc07b5125bcb10827ceecb86e43cb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\aooa.exe

Filesize
4.0MB

MD5
d396f72cc686d8e51c382d1053aa3cc9

SHA1
9b9dc19e8cb7ee26bdc82b5b3b9214fb543b3917

SHA256
aaa47f44a336bdbbb561e10cc67cd02d0d1fce82a12d06e209610756a3df31cf

SHA512
7328046ff043d9e10147d92e0cc05c6615a1c8afa850abd5697e79a6563bb43331b1efa37cc6935af39aa501eddbbc4d19a81d6cbd757cf64293e9351bcd341a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAkkcUMg.bat

Filesize
4B

MD5
8b353ee968b65097ef955d4d50fed82c

SHA1
86c5d9e9c6a5741ddbe68b9493a524275e027c80

SHA256
583cd6a8b6630c6b730e5ddb7caff78826d47b2fd5b3109611d40f11d0cc02b5

SHA512
28988a9dd5a48c3a17628e9a02a36f3af1177949c49ea4f2eafb0ed6face830c87692b4f9bfa3fba44d3f0eeba2d52d6ee445009d9cce64b4a1df7dd3bc0913f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIwo.exe

Filesize
157KB

MD5
bbb6ec25580a9f1f8df95aed875dcf8c

SHA1
237e2b925c1ab82e358a0dcf46f538a3a635943c

SHA256
2ceb7451102817f2d060359a6bbf8fbb7668bcde45cb845dee9b707fbcef640f

SHA512
650254fba69b621b86a79ed9e8ba550537708211080d8d9dd28e69b96b993ef08fd43ca9c8dca18d6b6c811f756fe282175f1124c6658ad1d7aa7a67a9471187

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQEc.exe

Filesize
160KB

MD5
3a3d4b9ca998a0cbb023a577abe4ee11

SHA1
dd5b4abfcd7769cd151dc58a99d74cf76f601d0e

SHA256
c9bd6eb957501c41fe540a1d999c190545f955436b967f0ec3d697352bf29803

SHA512
14b585b888fb26a428b06aaa25fe6034479ab28e8addfc6fa7a496d1b2e3b791ab8321dcda99cb98f268799b45b7dc3a8c4f50112e0d90eb5d0d0faa064c1099

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckEK.exe

Filesize
158KB

MD5
a9fe7247772154e27e24c5447c2d5642

SHA1
68cde192a19835e5a097b5fb54ad603c29e53e3e

SHA256
1a135628d9c03495df7f3d47f98c3af9f41156344d44d631ae5c2ca4208e2521

SHA512
d85996a5f66233e5a21ae73ea49807ce525e4f8444a1d8d4d6361e35717515c596b77ee3fe53aa048eb392d770325fa751015d5018afc4fda72727af48670a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\dOAoMoQU.bat

Filesize
4B

MD5
2f65c804b2c2ccdf483552ace40c4bce

SHA1
e30f3d2be5dd646c6e9fd0dc6df282dac4b8597a

SHA256
53dd302eb43b34fd5108900fe5f2b35d77ff500be67316518e6d20d78d7046a4

SHA512
bd6c7559914fb085a005d62d1a37717799266bac882d623c8c3b9cafb8b626830e7727afd30b243e705ad115bdf7d435de012b062940b50ea7663c636c026c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUgIssYQ.bat

Filesize
4B

MD5
24f757e72256d3b4ec81873cb554a32a

SHA1
3f9e05d4c8b91b3c514e5a8127d7ada39acf1601

SHA256
e54ced07f4d88d8f9a1f156723e7c24f3f28441fb70fecdd4493119ea86f63a1

SHA512
35a8e6b1d81bc4d4201502c75a7c24cd1514c8e746e3f13a7c77f8c611460b0b72902c2d2ed6a506bd8c54576c5eb3a451626e8a62ff6dbb4ad7b9b1ae0e2e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAIM.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\egEq.exe

Filesize
157KB

MD5
0de5d16afb449dbeda925a8091c75b5d

SHA1
f7ee653be30d49b09333284b23431457808ca16a

SHA256
7b15dfc1903b59ca4eb48f36522ce00c10f61fec2e85e4f427d00cf0461810c0

SHA512
c4f7f01253e94753be8cace03e9fef70202f7cb77eed8b6e3089b9f94aff9291461c420947a156efad4d07221886f2e3b0717515b78950d49eecb2c16dcb38c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eswI.exe

Filesize
134KB

MD5
63823aaede8dd205ae129d2e1eb45897

SHA1
b574d8279aba1d1e732fc4f1936e10da66e2a78e

SHA256
b559d669a77bbbe07b078551aa8cc6d7a4222ce38f95dc1ebc4a3269418fc2f1

SHA512
d1a93f02b7855db3e67d60d406cc804bd9d381dd46cef312e5de8fab23a92b6d8e4634cba61b62b3e8dc25069f57a7ae91c8d3760d8e313632efc61ca055d4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmsMIQcg.bat

Filesize
4B

MD5
4e2cde0cfa31dcae88f4d0871226058a

SHA1
5b364a2e7e2dadacbe43844fee874cbe9bd3aa1a

SHA256
9d5a9bed3e71a203e22759c1ad7e7a015155a42352286741031fd21f123bd210

SHA512
a47f6b5059dbf602e1b9d9d9954010c849bf8051f4fbbaee4f093b858541c07d3544006010089d2796ed27ca8a3a8daced014d07fcb0bf6a5df2a053aeceba42

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEIE.exe

Filesize
160KB

MD5
9c4fb863b4cc6cce299d0f3fd9e2d7ad

SHA1
2eec7a512a1950a488ce1ef9dc404eb41012e693

SHA256
7d5f4ea217ef3f5335a24f88f152f929af02d20902b4503c10eeca9b5e2a729e

SHA512
8c50ec1f7eff970adefb85eefc3ff71f8750945034028d815983459e6af6e9ecb1b65c871c6e68701081a09ac415d9ad47c39cd7c7900cc044bb17bbe9c9843c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMEEAcIQ.bat

Filesize
4B

MD5
ddd68e6d0bf9af685dc9ea809eff4f5c

SHA1
6e5e44d7aa92c6ede512434c47a68dd89c8ead08

SHA256
840ca62d614d7beca1b75b9da46295898471db0538e3c791249c495a2ac000ef

SHA512
1ab620f1cace51d581c03602ef8b8405cc03ee029666647934bff0a164244ee27d59be06a26d6fbe3c252827d9c48111638f7ef70e53a95b7c531a15d02121d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMEg.exe

Filesize
157KB

MD5
a6cac685024e414f44187d331221ad0f

SHA1
aefef80641e7a4a41514463e734e9486ae12375b

SHA256
7d99349c121593162822dcdf549f356af868257f59d6e007f375715078ed42ae

SHA512
faf8f59a3260089083205b42a6aad256aa84fe94aaecc31357aa297977426ec8167d6f221c470c0722ac8ca4b403ccc48708328524f47a774c9aea13e0a058bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMcK.exe

Filesize
159KB

MD5
8d104d4dc96d9660cadec75cbc3c86c3

SHA1
6090a4d695bbf48f667e84c35191e84af667c76a

SHA256
f7232178c5903b43cd07e9d6e7aeb581cc334cd447ac960329bc529d844f9bd9

SHA512
6dd7031587a4c237d7c4e5483c454739b512cd57a920780de67a1947e86d64d5cadb629931d9b7ce75eae3280cc46a271016298194750df27c78a9cf9e4148b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMwI.exe

Filesize
158KB

MD5
e685d01f45ecf19655c6d28861226e0e

SHA1
6db8da76a76c0031b1a34345bf7aca5c0d6da7ff

SHA256
6d2ae888e0a45a60330a78fd6a598f3438ea32d7bd71a0ad54f1c8647364c7a4

SHA512
9ab5af6e0d89e855159af48477f9cfe0b9f7183e426dc29a8d005f17e9136bf704632c6f7f31e8817e702ce829e890a080df0be98b898559f74dfa5577f538db

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQsg.exe

Filesize
160KB

MD5
9b7e7429a4677fa0d0b43178067a695a

SHA1
33a879156864b68891ebaa7ebee0b2143005cec3

SHA256
6b8ab024fa42ba83f9783e5709d565cfef3cf47356435c2877be8379c5c45832

SHA512
00092ddc2e7789a19c00e9a68435260f1d4fc1a9c85cf4d659d89f5aa63ebde563f73a715b337cc6604c2514d43b04cc2df84bbf7c23945074c24603ea99790f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYEs.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggwg.exe

Filesize
159KB

MD5
f7fa4b3acbe3ffbbbfa007656218c182

SHA1
6df2ee4573f459663ccad028f4230ae53ce74265

SHA256
42759fa117129eeb7ac075cafc7d13442a821c25345d8c289cbf1f073808bf74

SHA512
9c9ccec8b437679ef6ca3061f386e2644dbd04f0e29f6c50028c9d5765f80cb058d3095a021919d200a3ee6a8d7157da768d8e1fd85d3a1550eaaba35e2bc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gokG.exe

Filesize
312KB

MD5
bd0d0c5f93c4fd238303ebe5777a4975

SHA1
773ff2e8f795c5c7764743f4b35195af3d455bc0

SHA256
48a61851a1dbf6a23a18e24e22894ffee5c466591606344b7ec7f20b1bc6402e

SHA512
906973ec2f87dfc5e8ba7558f7b0cf6e1b1c90793270847db14494e1d63014de7c698e2b18bb51dcafd9f509eb20bc218b69ee432bfa34b72fbf72727ac7cd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIEi.exe

Filesize
158KB

MD5
b6a77d2ea603de63e3fafe20831e5394

SHA1
88e31613a6a5eda9c1fd042464dc36a378a1695d

SHA256
6ab490c613f0a253c3a17e034ec31f8f1b2f9c5976a3f97080b359f2c43af6ac

SHA512
9c171ab20adcd65b40fc67b18d3e366d383fc71329843ccd656a4cfde346d65d2cc4b6537bf7d682f9dc5880b1c2b4721fe128b9e22a62fe73b9d54ef3a965b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQcK.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYYa.exe

Filesize
158KB

MD5
ada2d7f9f853050338485fb797884f3c

SHA1
bbd79070b4e8181403acdfaf70cc8a91aa15e2b2

SHA256
b215a2142412449a2d5d31b7ab06166674bf7629666af979dfaa874a2bb7b79f

SHA512
45ab6cc098443d4934ce979c20dd1dfa4630d37af81cf4e516594454d0a7eb09ec647c37a79b75e7d40d6fc39905a67021d2b229fa987cbef39cb25749b176cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\igYK.exe

Filesize
137KB

MD5
a5a8efc200dd7f6b275519936d01a751

SHA1
9927905995a4503ea8ab5df99a54a0e23024a5d2

SHA256
654a99653e672d1262cf66de80fce799014fa2d5fa8d801373ef24b34718f9b0

SHA512
3c0a4cb7f3a477953be2f35978dfa90597adc333ed205408a58a65eb1dea2e401723fd73ae906a22757088dde9f6bac5fefdbbece9b085818d561c8b28f09571

Download Submit
C:\Users\Admin\AppData\Local\Temp\iskw.exe

Filesize
159KB

MD5
55b0053793568111a58b39b79291fb30

SHA1
7be7c388e616d6519e50636f73dd6f70d72af15e

SHA256
3b78ad581662cc370d02f772146aeef78c231d2d6ede1eb4c9a1ef365549dae1

SHA512
227784319ca9e95683e63cd952534028cde4f7b3a824668e661809dd07c3a5cf63fff755f16c57367c892f2dcef0d7dec978749dd0544d18fef77cbeb2fbe859

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwYo.exe

Filesize
160KB

MD5
3db32d24a47b8e2ba7dd02609858e29e

SHA1
e21bbdc55e773c4fc599647713101b19cce25cca

SHA256
c93048412d4cdea7b0cbf457473fe4f8764a9e2aefd68b846b5e4a9a095de43b

SHA512
0f7cee7554ee30f753439289487bd55aaf2253ebf5cb980c7665839e6f2ef1b13d39ec967fd1c1cace4b7bf5c040369fd14ee37113f8cbf0949a843daf13f4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwgcgswA.bat

Filesize
4B

MD5
3f0ec9295aea712402304d0c31f11e0f

SHA1
da994dbf7b8d813341e88e581380246f7a6320e1

SHA256
4be3f1f4b91b2ea5fb2133c2a96dd6a979ec1eff9d445c6c82818966f1255cf8

SHA512
dcc254fc6f05d552f81cc8eb16efad944854b2ede2baf0c48c5d0c04af56e788ebcaf6667618455a017aede817adc1a63556fdc348501b65b062a08a5271aaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkMIgAoM.bat

Filesize
4B

MD5
c6f19b73fa2209be28f36e8a6ff2b648

SHA1
97b0be885ec3879a1a182312f64f9bd6c365559a

SHA256
1f2e4d49c8bdc92333d738d0e42913bff0b027e665ae5399265d040ad22f5d91

SHA512
1c6b5d1d46591a1f397e7f23196c18462082ca026ca4d4327fbebc76089c345f8e6c705f20031a1ff0ae8575bb43d6142cbd334d3651f9945fc408dc1694754c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwgu.exe

Filesize
159KB

MD5
d5e886352920315a957546055de7485a

SHA1
0036cc26cdd58edde8e9f6d74f011b7e3c364410

SHA256
c0f801ded00d33ae74dc9b941f65a0a49ba8c0012fbfcef6bbe68f8949bd4669

SHA512
dbe24be2acf2e904c42ae5eff2ee75ccd792d6007a3164ad0119b8a4f1323960b3867af8b9c5cbc59f6b2fe7d78014c89517d00b80b1c12f1e6a8a661a5a0ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lowkkcQk.bat

Filesize
4B

MD5
4a3df2ebc5f055dc256573fb8bb67016

SHA1
34ea2a31bce88d0397f1fb5a13c2f3aefa839de6

SHA256
46f21d29f3662d80be9b1c9de0baa8df036679c00da6d8349eb77d4bd5a45761

SHA512
4c06f66772d4a9cb62815a434499ddec0a6d3f0b452800dd751315d5137fa0a4e14560ac250f6285d6e94f4795d015ed962de665795c8846f1dfcecf73b157f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\masIUQUY.bat

Filesize
4B

MD5
a3c699886fd915be10f3cc366f9b54ca

SHA1
e614b6cf32d0c3baf3e239b71108b4d746711967

SHA256
0ac19ab88bb8a558c93a792fcf0fb9339c4e7747f3e52890c24bfe669fa58a65

SHA512
ee9712c27ef5d6e2368417b0ba99b6826130ee475beee5fbad322406b38037c8f99673e99c24a37750e65af5a834c2538071301c4068ffe74db86529910090df

Download Submit
C:\Users\Admin\AppData\Local\Temp\moki.exe

Filesize
158KB

MD5
e084b31d6e14bee772f32d374205a8a3

SHA1
df94945e64800ddd4e0a0ee0d5b7afca8e816bab

SHA256
abd86ab309b05f3451d646123c4060d3c6c6020bad1e540b7cf88e6dd65eea36

SHA512
b109a36ee1f4267f49b9044fa79e37fca81a0338b6046ceeb5bfd82a72dd55d399afb97b970ac811b6c8a1f28711c96081aac0a4ea698910313957a80d9b514d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mskU.exe

Filesize
160KB

MD5
596d922cea33fc424f086ecdd0aa7887

SHA1
d37abb98d5abb9863af002c7671eb7aea886442c

SHA256
5eea2235d56b30af6acbd8e6ce5d1df6578d53e8b6506c4c60752c961eb40202

SHA512
897a5fb54df9ab23b4889b1a33f29ecf3cb1e8364b916a81a0b17a194f722abfd01e843da69e76ff0807a6ea9a86e201a6759c55120b9b4dc23aa81e88c25b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\nCUkMIsM.bat

Filesize
4B

MD5
3080ac62ea57126ecb554729111817f2

SHA1
9f8f280195ce9c7c818dea2ff2e99f68463744dc

SHA256
182a4d09c20075c6a7cda0a6270660befc8f96be34d7adc07fd070096bb80640

SHA512
7e689b6ef2eb26c30fd9378f9bb1527e5bc4f41ca3a10fec83922defe4e3ae26da80be56e110cb70396cb4463d517d7fd527dd51e6ed999bfc3854d4c1bb3114

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKsgIYQM.bat

Filesize
4B

MD5
5d8ce0655b18ca05dfabb1a804de616e

SHA1
2156507fc1938c9aace0df33ab512a9183d2720f

SHA256
c00fa2a3d7c69318bfbee1da4cd26ec04e11e3802140df4a3cd33551b662f236

SHA512
ce669d3cc85b900a231fac7172808679cc221aae6debc9542fd5136283feaaeae226cbf1b6931d172b82772a61f18167092b9e578fb742df6dedf0dec7fe4c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMIMQUMU.bat

Filesize
4B

MD5
ffe5b33f9055056512f1fa5a738d52aa

SHA1
d388e3cb858a20d646fadd8a4eb687df2a85ab01

SHA256
4f69bf6c05bad7e843d567fdeaf110af32bd0027e03b9b8bdddadb9af41cbe1c

SHA512
7de1aeab8c235c8e16392faeafbfd492d3b913dcaf7ea3cc1ffc2132e9c02fc02534d307ebfe095689acf5526cd9f35dc70ce784faea87981676063ef0ba0a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQUW.exe

Filesize
715KB

MD5
3d4f043f43d6481b9bc1a38cc9063e84

SHA1
b448490258e10ac0993ff0b1f5d3e12af37db2ca

SHA256
3c08f1ea19a2ac0c74d91199dadede1b5855540fb11b4ea18a8f65cbd94a45e0

SHA512
cbde0cf14fe6d6bebfe3c40630077bb770bdbda1b6c8abdebc7b6283380b3db77fdcc4ae4a837d19e56b6ed8d1ebd2c531e2332eb5b3917cec5f867c58e478e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUQI.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\oocI.exe

Filesize
431KB

MD5
1b92baadb0fda2f2cf3b946e212d6881

SHA1
4209747d208728dbdc31e3c63488e2a45607866a

SHA256
84eb0fab7231de21f25e0eb589a1bb75b39f5574780b1e2c013ae13f5b726348

SHA512
1f0f582c208035036726b6d1c56cd7f7a7a1289602d0b414902934ae64c1bd0128aa31c9677efbb9c9a4b7c48ce1165ca36f1669328075e20a4f6ba705679311

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqUUUQkY.bat

Filesize
4B

MD5
1db273a7d40f43d68aa4cf8e43fdf0dd

SHA1
2cb3a552e600603dfb558f45f39ec006337995ad

SHA256
e494a43abdccdf68325fa2f514c2d4480d3b3422e80c3e9d87e1d5c97644f3f8

SHA512
cceb3de0d03191db271463faf7c97a791235adadfa91fda13427dcb040c938d9f1e6816b78fc3a9700ffd5975163dfc8ec2029386eefb6ee181c9e9c7707d2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouYsEYsw.bat

Filesize
4B

MD5
9bea4a789fc0dc08763160b68b5a1b91

SHA1
97d6fcb92913ebb94d169afe93f04ad10c5d145b

SHA256
3d7879c8a8680f67b85dd2a1bd9d634ed7242f9f0c10b97fe1a64778cb830bdd

SHA512
0a3e96c2063aabbc7e9b3f9ee61df13bf88dbf4c2e648c5d12a0d37dbf610e85239337f0c0582cf1d9e08969ff764aebe932a175ebf2ecefd1190199166f48cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\owos.exe

Filesize
529KB

MD5
a1a7853154a7c693569ea654ef40e286

SHA1
93182bd41cef5c1c98b43d4fc1021860f85bc375

SHA256
b6c2aac7ca83f1daf9ff3eedadf6fe9aea85a2c5d0f26d3b2e38f5fedca4a0d7

SHA512
ee90bae70181e251bc89c30ed7635bb2d9550bd4ad120042e7bebeeea921ed03d8b00d85d52a7471c371169db72ed58dfc85ee757389bbdc9dd86fbb00dc575d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCUoUUAA.bat

Filesize
4B

MD5
2bf3e6981e377ac8b1f3e208cc7ff523

SHA1
4b9c09aee1ad8836da44c60488de0e13b41a9894

SHA256
fd088a3f9887c7bba16222952987cf594cf488656162be3ee0587267075cd0fc

SHA512
3c395f14e25d797fc7f92b82341c98e59baffbe3d4c3388ef6bbf9ec8b46eb0d0ac1a46134506b420ed3af126a7bcfe6cbe2435bf1cbf1a8d8add394118b3ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pGEsUEwg.bat

Filesize
4B

MD5
4abb1e6a55ec065313c49f733b9d23af

SHA1
490f7316f037a38d0b9e0c218802c19bef6943f5

SHA256
bc958f4cb6b7df9f69cafa0622fa39fdd68f869771c77052919e624b31579850

SHA512
1e77f6b284faf5dd8d321e2f1b0105cc3df29a29293aa2ffc74555a9455f9c1ec671acf22dd189c8a2638cc98dd1d0f056ff43171fe1d957457445d8d01a1e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\psAcAIEo.bat

Filesize
4B

MD5
fdfc0c5300ad3c4439e212660bc7c307

SHA1
1550f1f2966d2faae49573dc8ceb6dc26eb18615

SHA256
536fce5a140a92e2fb2c4fbdb58621d2468a0ba2a960a154a04c66f3d336be3f

SHA512
887ffe837cbb6ab1f6bc6668c8ebc4ac73791076fbad0f050c2ed5c70d8600d779a65b0bb4cee47e90dccaee5781c0330d985304959f9ecdb82a6ccdaec0d87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwoAEIck.bat

Filesize
4B

MD5
ba2187b653d4721621da23daed300308

SHA1
6d4f4cd7e730fe3873819f6463608bc8f6516c48

SHA256
c047609ac645abe5edc79813122a40f9842b5e0c01010f26aa069c3990b93b1e

SHA512
ce880cd78f0dd4a0edf05f5ad268f7b8748e2c0b047872a6a6fdf31fc552b9b8d4319d944d3e2b6800c940743f4bf1d49dbbe0c2bffcafd1704271dd2de0ed23

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIQy.exe

Filesize
152KB

MD5
486961f48ddf8ab584bea0bf008ccbcf

SHA1
88f7e39563226ad8d938e29c05d383c29c3c9972

SHA256
e52844e230570bda1c3adadc28cc1c95c87588970814c9b8d43b1bafe0f6d583

SHA512
69112e08889e567566a4c6a955fa1fad33f9a51b0abfdafb2475e984a24ddc100e3e88ad3b2938c54af1127efebaee4fb84bddac42d86f01c899dc5dbe6b0814

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgMA.exe

Filesize
159KB

MD5
248f1af6e704c0c1b7d592fe203d225a

SHA1
7bc7b3dbbabd4efa16b9df43a91526474b3ea51d

SHA256
fc95737379499c93a97c855f25a8f2a2a21d33f8c6faf05fc77b4e386ddcf476

SHA512
77fbd75fa386a91254f63506f824b8eec61a7879f0d4399f372f6188745406aa08743e02d3d96f78be68aedddf5185ba8c2fbe05c96b62e2ddf4ebca19584142

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgso.exe

Filesize
158KB

MD5
20866736532436493c51f0cb58183266

SHA1
3b79cc0c04179ceab031c8140819c54f96161998

SHA256
fd8844300a5f16abc2c302a022d87536d7fb4404db268a6efb59e8f6ad3f6d26

SHA512
ab051f25fb6c843e5fd6339c02c67f67eb45292a76e664d27698035831feb6bb8030c247645b6b5dc54f86a211ccb7c96e9b4debe28f0689012b265f6264e12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsoAcYEA.bat

Filesize
4B

MD5
239bf58bdf7689169ce0677866f20114

SHA1
7d40dd885d961aa3370cd0c81af8fc5fefea0716

SHA256
548702ccaee006b45e640cc51afa4810d0593c32a2406ac40b34c2efc84b6107

SHA512
3d0dc0915fad0a82e276948e60c4451a5fed3d262179f822fca423a864adc0c566a30085f2af335f5d7af13e9086a6fcd994186eb7a1e6afe857f5bc5b374de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rowowwQU.bat

Filesize
4B

MD5
0aec2c7bc7ee79f0693fb8ae1b36db00

SHA1
c6bffa757cbd82f711e6e9d89ec7d0b1e07d8d9c

SHA256
2d63f5c75c65473a9d24650e9d9345abf4fe01260b2abd4943e9bd5ba96ec46f

SHA512
05af36a66a2aa2d4a13fc3fcd68c85519b3c04ecd4cc5acc6dbc2bbd74eeb28a6546def69ecc8ca951d0a684da7474aa9e3b2183af6194406e02484775844c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEYc.exe

Filesize
745KB

MD5
40791ebd7df9d50dbedbc4c1f7ba23b8

SHA1
03d498cf07371b41553db86ba115e00321ef2725

SHA256
c14eb50b776f7c2d598e2a7a8da65946124ee3f6774a1e57d7132c236b054209

SHA512
613007e339a8d731940dd7446b8d307828cab0eed137332753043b03c4caa59f49638e7603cdce5d1b46350741d8a255c6ead88fe7fbad7565f558b3192b1764

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMEc.exe

Filesize
159KB

MD5
e8003ee9df89bcd89bd3abe549d842e3

SHA1
171d21a8127c8b72706fde07f4e040254b15f9e9

SHA256
f2189c716855586f19b8d18ea1989b56c2187ef76999aa3dfcbc68b388ad1965

SHA512
5e3af9032721a43010edf3b5a25a9a8cd9a6dbf39c7cc7fb42d45be2802ab043269f02eb2f649aece4ad59579981a5ef04eeac47efc303fc597cc0e8ebb9b9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMkK.exe

Filesize
556KB

MD5
02a813a9c5ebe347c74ebfcde6d47465

SHA1
c495396761909caf4f659eed59fb83cce3e5b358

SHA256
ab66d119fb30f152cc6ea009420f2f0beb8f19fc8e64895ea301b907b1977fdf

SHA512
bfc7c720ef48e1c8b7b7bcb333d63a9f854c2bce3485dd2fdacf4383e0d692ed23a65b1cfa9112ec649af4f9282db1ebed57db0ce923c508f20da98bb2390b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQkU.exe

Filesize
159KB

MD5
af155d4ff7b1f4093bfbf7b3d40204ce

SHA1
dfd7bbcfdec5138c2320f918c90a79ceb8061270

SHA256
a59b2dac8e1f9488a49382b1c0caca2db087a8456344ebc7dcf31a982c5fb251

SHA512
5356fa9518edd1e1cfdb6cf97fa81d10e7ac0ccc4583b1123d15153227e3b7f51a4feb1bdd18edb3709b77c498a12eb40cfe7a619e45f601eec13b194cabab73

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSYgcMAE.bat

Filesize
4B

MD5
312ea27ab1277347a6566c7a8cda15d0

SHA1
fc9f5dca31630a6a2cb458c38ce89bc39c94e2aa

SHA256
3719c2b9891729fcaf38a2edb9e9dae2e61db3416114c7963cb00e12a523ce81

SHA512
631ad8df981ffb18b0a135c01fc9cb825b9b53bfb953ca774f60128fe381c4f497a4e7d7cc9fdd108596efecb9f5b0fc60721c31aba917d5bc94da247cc461a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\soQW.exe

Filesize
1.2MB

MD5
7950a96cb29767295ba47630e178a2ea

SHA1
bb34d67cd5d832cf26dd772e7f271ec025b8ee55

SHA256
7039121b57e87865b293153423f3e0e4b33385c5feeefb295d1e3ad42887fbbb

SHA512
52a665fcec8ca51a98519bcb1f7c99f657bd5a840c2c014fa7bba134d959727cb32a5f1d6d38e38ee014adfc5db3c555d4ad1acf86254a6185878157baa573fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmsYocEo.bat

Filesize
4B

MD5
0fd14a346a087a3b790b67aba5b9ef2f

SHA1
f9ffcbf55a25ff9c21481ca94a782f81bcbb7e36

SHA256
1250ea7be81f9b5d0825b6dd594fe75a512c315a9a194fc2416ddb860d5c19be

SHA512
22ebfb318d2bf54882cec120a72e56cb44a03151a4255271dba702d9d4f047b6d0c913af2d48e9245841859433b0c95effd5f9e3a950ecdb5f91b42eb80ef990

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugQY.exe

Filesize
159KB

MD5
a3b22c375e16627756833046b7443995

SHA1
dcb3dd92cba7d053a34426e69e1bae38bacdb257

SHA256
e22516e082d34bec10f0867a39fd2a485d0b53dce10f9a0566625aaddbe35405

SHA512
0c0aa83588a79061dbb00101a0276a17749a90e736ecf4eff793d270ff62c24347d0a037a996261385b4bd290f84f9994040e1539a2fe1cdf1b95e20cd685fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uose.exe

Filesize
529KB

MD5
1c14df82eb0a92654e7af83a2af72990

SHA1
989a52fa02fd55bf7c779f2f503d9750d06ba030

SHA256
8555c5ebeebdf4dc9f45d4df5fcd734e64a3f12bf5dfffcbe0737e039bfc9b41

SHA512
f08940a374c665979d901e57f5223b0e076f6c4ff21448cc61aefad44fce9ca2ebf528530ad252fa5badd1e39bb2c21c9d48c0f6554f29cbf4e49fc37fa7a20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\usMi.exe

Filesize
158KB

MD5
9ca7c1ab557e7b757069ae95500cc7b7

SHA1
b95373f8a2f35aac2ad10d5b658c7357faddaa7d

SHA256
66829acb93c901a5a26f9ae531003e3d08124480b2c7af155fbb5d56609ae0ba

SHA512
23e7d74c8d14a2e767b8409a7d7514b67c4d57a135a9f1977f25e2a9c6fe883aa90c9ce7eb8edbbdff839d41d3d0d085ca853eb938cfb78ba8ebc198825a1bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\usow.exe

Filesize
160KB

MD5
74e5a566ecaada3837e358ce0901ea67

SHA1
334316052d5cc0a4b1bf1e3db66f35db5dbf711f

SHA256
8b8eb83f92c07a99ecb92002d27bb50ef92d78ff26e3b68cc18238dadce8f537

SHA512
6790161e6eaeb8e0efc190789279f7544a721d0d31eb05cec821c90c6ba695c24cc5387f8d0a14f24c67f9e1d8c49b0e214a8bf8025b29a0d7a55f5415ae942a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwwK.exe

Filesize
935KB

MD5
dc07186003b31ac2b0151ca356ecd6b8

SHA1
975c719702c1002acec930e955ebf8f1ffc5ace5

SHA256
786ebdb6f81072a6067d9f8fd2af0b35a6757a7098bf0b1d3203d4ce1d5899f0

SHA512
46af93b2858d230a1d79a1ed5be58cb58063c689eb7cd0dc7fdcbeb16e2c0a1fd0e078adbb6dbd99a942727629e2669e4a169a365c389faf6c905562d4006e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYO.exe

Filesize
236KB

MD5
dc5378f72861b2e1d1cc29323be52ce1

SHA1
17403cccd9394e50276132341f810d8a63c297bf

SHA256
53197e74ed97049e5fd1c45b721db29f8e5b19b374d291ea747a2a83ee975207

SHA512
81e9f5250cffe9ab394d6491f35213d5bae83a2878f2189165c9e4315d7ebaa2ae1f8a39df0d1d95dacc7142f847aeb0105f8584740a5633e7dfc67010345789

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQEAgcUs.bat

Filesize
4B

MD5
0cbb79cca47b3e210f8b07ccfa4001f6

SHA1
768128452479bc15e772c3088758dedfd5130680

SHA256
c324d609ca77b7d9cdc53031ce897bd46ba347aabcd9786f529e3a093f7e5ea3

SHA512
025409cd69f53026c6a81e37ad884631e40b75623fae2e9597ca35cc68b14bd64f2bcf7b770a04e1d133bb5368377be259affd557117039ef7f4071093e12710

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUYU.exe

Filesize
158KB

MD5
5afb2ccacaec8ca11ec6adf919beb175

SHA1
5ba54424b8fd2fd2824e5348a827a2ba239a5539

SHA256
12c2b454d8d9fc995559da412c5a90c12c64dd956c1dd0ebc514bfa706bfafe4

SHA512
0b9e292a5fe158cc5f695b858432891bf3e64986086c9fab9bba9f700e4a3a14300a3e1da0870a3139382685622673faa37b685d727e939ca532b8a6886d21ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcEk.exe

Filesize
633KB

MD5
8ab89b80d1c13b1dd59742cf504d580f

SHA1
32e8c071b72ce68a5787ca81abd735f43d012114

SHA256
292fa084f5dfc04b6749645cf723289cf5cb4aa569cc6aaeaf2e63ada8087844

SHA512
bf08a12ee232491b3cedb59984c58e55646a0cdb475a79241bfafbf888d324c5ad98790a1134a290264a68ca4afbac346a3e0c92210d467c3c9dd8dc6bcf482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAoq.exe

Filesize
1016KB

MD5
60e903e11480c8808f856fd662ab96b1

SHA1
de0b6d2cc1bf26228225696ae884a4a5d4fd6127

SHA256
fa9cb61ff5ce20748271da8df7df859b9cff8cfaa54fd555e73f6dfb5ae45551

SHA512
add4a6a625663f8c9bcddd2aa8532db022d73a8852293491b6c7b351a4969a220a188029d9a7408586d2e4fdc303243d32874d854660d2d3c1981c5c51d5a6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAou.exe

Filesize
157KB

MD5
b8ae7eb51ebde528f28cf2dc8ae8bb4a

SHA1
5fc1890617d82a59b1bfda41794cf0a127ff8fca

SHA256
20b8181303e7fa79c01be6257ec00b60c06bc0dffa3611c03e90237da2ab0efb

SHA512
799217884a600f118cc7891518b699a86d82174301b74d1851ad3ab75f86ad43348cc209fb456e076dba648961c721a07b64ddafdb56b3f9b4378b9193161a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMkc.exe

Filesize
659KB

MD5
d60a0f067a60152a84feaa76796cc3e7

SHA1
750a75b9d7a5baf2f7fa981cea87d266b4d8e8d3

SHA256
80b99d0701ffaa1238ffcdf7b4840033f1299ff3a6307a47071b4c06c36d848d

SHA512
1b7e887ae16c5313080f87586bdabbd7a924077d81f0f7928828cf2aa3dd6c62680eab83a12408e1488cafb3f7a5a880fda5926031be7a4d2e6ffc06b49f422c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykgE.exe

Filesize
160KB

MD5
1649e371721c35b3c548e69c57fc7d8f

SHA1
70288bf659dbd463ef088b663d3d1df7e6394f94

SHA256
a3dc6d2033a61ec5c55b58664e4f088c7328a23f07f75bb9b4757280b68ea5ce

SHA512
32ef3b8ee9368c7bcff3aca57724ec268a116e0c56ed36fa360caf381ba1fe39e388f0e6423a4a2779f70c88d081c93fdf900643aebab40a2a2c75425b2f276a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysMC.exe

Filesize
157KB

MD5
ec241071cdb35579acfca9188fad7f91

SHA1
6a14bc485aba6e413f8979360be0a8ea41fc8b98

SHA256
7ab871f9b72f30fe84dc2adf42188ab5f36393fc7bea7f64d13bfda92958db4e

SHA512
63d3c5e2c15aa851a142b54589edfd29d2cf56ee9b921aeec247953fb9ff4a9a8376ea48254f96bb4849633ab0caac27d9fc1fcadf339e25b31d9842d00912c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zWQYsIQk.bat

Filesize
4B

MD5
89be26d2eb520a8c02a980522875a2b1

SHA1
a0711b225be12ec08f230471e07dbbc328762c01

SHA256
8b7563df5e10b6ef8af39facb0d69adfbf93d8edee00851c913d868fe045ac17

SHA512
cf5ffcf2d5e7ceac66254809dc35f098e764003fdb2983648b73466aedb42f24d68a44d0bebe3cec667c333f83f2b25a2d9d77871fa4a1044934fce6483ae101

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgMcUcIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zocIYwYU.bat

Filesize
4B

MD5
822aa707cfbb8007102b11508dd56784

SHA1
64b17f58350c2e73488430958e81225e35c143c8

SHA256
52907c381521d5b6f43c111bd83362bb8cd79c24f96e4b6ba997fb5bbf2398fc

SHA512
b6b4565da5b236f54678fa852c1ea21cc19779c74eb4685a9455522d4e68f9b4f4cc61ae8eb67cff80c22d298de4931a3466d32daeaaa4d0609b842d488f42ed

Download Submit
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

Filesize
4.7MB

MD5
70c71e224ff0bf0e7fb631e3b212ffd9

SHA1
1300a9c29f24e6c757262db693ae43eb845e5614

SHA256
3a0ada6f093e9e1a464c0cf5b09983048e1028d7daafb09236586f9e34443886

SHA512
ff4712d4cdecbdd482dcc622961b16fee4a18baffab04db29c4cfdbd9ef6fe331a46db04919f8dc2291afb6cc413fa63797b1989b80e92655bfb1ed96f3a32ca

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

Filesize
936KB

MD5
1ef963b09a2c9f9fa29f7fe8c2e52ba2

SHA1
13bc7d0a134a4085d0f8d15bce42a1dd79ddfab6

SHA256
f27b2cc267c17fab36cbacedbe62f4f7e8b8a5c6f723c8b1f6e39341f12dbc26

SHA512
48fc67cbe670796ac2590284e62b455097989401c324f651773d11690897e61d584d946543bb44d9f3a3354d660c17d3e0ba1a86bd353c1bee4b378ea5694c12

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\CEUwYkMQ\BCkUMsAw.exe

Filesize
110KB

MD5
25a54adc0d262d3516f899fea581c2d6

SHA1
898237726ef2e3ddce8866ef078f0cb059e717f1

SHA256
f17b822c458b0a7fed3727916b6f37de38cf1bc0c2c650a7a1e3221f3aeef371

SHA512
0a35bbe395c64b4423f7dfb3f68589b6ef54c5423d70339b3f2655d8bd8dd8389b4c7a32abed07c53c668cd49793b4e21711ff0625d39ce64b9c48c348602b11

Download Submit
\Users\Admin\aUcAYAwA\FYUkwUMc.exe

Filesize
111KB

MD5
61608bee78caeb0adf1c69b51aca2da4

SHA1
f44f7ed431d7afdf6ff0cfd5ecfedebca56e526c

SHA256
a79b2d878af2123e8bea7d9d7b68eb14e870c1faffb465810aed42a79be9f490

SHA512
9665628d4e5028c8e297923ae9c26c2975f85f58624b65b8abd968ca69b21e14d24de704d22c3091b9d7085f01f33132a242b377dadcf85573f1be6076b4c51d

Download Submit
memory/308-1325-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/308-1324-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/308-481-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/372-380-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/396-78-0x0000000002230000-0x000000000224F000-memory.dmp

Filesize
124KB

Download
memory/396-77-0x0000000002230000-0x000000000224F000-memory.dmp

Filesize
124KB

Download
memory/396-371-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/572-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/576-100-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/588-1554-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/616-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/616-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/764-1478-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/956-912-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1032-1080-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/1168-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1292-109-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1296-1553-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/1344-122-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1376-947-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1484-741-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1496-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1496-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1544-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-422-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-993-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-1115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1680-358-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1680-327-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-550-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-551-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-462-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1728-457-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1752-131-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-1214-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1792-1263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1792-1264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-4-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/1992-20-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/1992-15-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/1992-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-401-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2100-815-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/2104-574-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2104-467-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2144-1617-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2216-144-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/2216-336-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2240-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2240-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2268-233-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2268-234-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2340-1265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2340-1348-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2368-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2368-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-1266-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2404-1419-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2404-1326-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2480-631-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2480-552-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2488-1178-0x0000000000130000-0x000000000014F000-memory.dmp

Filesize
124KB

Download
memory/2488-1179-0x0000000000130000-0x000000000014F000-memory.dmp

Filesize
124KB

Download
memory/2516-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2516-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2572-326-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2572-325-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2636-705-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/2656-1467-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2656-1468-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2700-211-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2724-1563-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2724-1469-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2736-31-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/2740-303-0x00000000004E0000-0x00000000004FF000-memory.dmp

Filesize
124KB

Download
memory/2748-1275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2748-1192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-166-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2756-167-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2776-1615-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2776-1616-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2780-1409-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/2792-22-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2792-1408-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2824-1006-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2840-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2840-349-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2856-983-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2920-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2920-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3012-850-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3012-706-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3032-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download