b649d63cf8fb7ca5e87b146542d7685a2704d09a9cabbf8070e07e168611fcfb

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Size

121KB
MD5

e6c5435f48b5614f16ec5855e2f95a00
SHA1

706056a2a2d65123e156b7da1f315198934c7c69
SHA256

b649d63cf8fb7ca5e87b146542d7685a2704d09a9cabbf8070e07e168611fcfb
SHA512

6f1c91c70388f4a85260e200b7710bc0c568ec2d8aaedb353864dbc8ea2121fc32ec5c24dcae65813508c51b3fa21943f8912c6fd9b32c928cfc8a84b7739376
SSDEEP

3072:cYTpwa9cj1PcBoUm1V/txsXtqg6r2kfeWRJIOwgDJLZzFQTVKKN86n2k0R:cYTPcjdcBxmlLoT06QR

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 58 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 58 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation	KSUAUIUQ.exe

Executes dropped EXE 2 IoCs

pid	Process
2656	KSUAUIUQ.exe
2804	bUowIcYE.exe

Loads dropped DLL 20 IoCs

pid	Process
2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bUowIcYE.exe = "C:\\ProgramData\\mQsUgEIE\\bUowIcYE.exe"	bUowIcYE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\KSUAUIUQ.exe = "C:\\Users\\Admin\\NEgoocwg\\KSUAUIUQ.exe"	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bUowIcYE.exe = "C:\\ProgramData\\mQsUgEIE\\bUowIcYE.exe"	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\KSUAUIUQ.exe = "C:\\Users\\Admin\\NEgoocwg\\KSUAUIUQ.exe"	KSUAUIUQ.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	KSUAUIUQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1308	reg.exe
1792	reg.exe
2416	reg.exe
1992	reg.exe
2984	reg.exe
1028	reg.exe
2212	reg.exe
2408	reg.exe
2868	reg.exe
1764	reg.exe
1344	reg.exe
2832	reg.exe
972	reg.exe
1688	reg.exe
2152	reg.exe
600	reg.exe
316	reg.exe
2064	reg.exe
2964	reg.exe
236	reg.exe
2312	reg.exe
848	reg.exe
2608	reg.exe
2940	reg.exe
916	reg.exe
2284	reg.exe
1952	reg.exe
1720	reg.exe
480	reg.exe
1048	reg.exe
2044	reg.exe
1140	reg.exe
1840	reg.exe
1700	reg.exe
796	reg.exe
1676	reg.exe
828	reg.exe
1744	reg.exe
716	reg.exe
2340	reg.exe
1752	reg.exe
1824	reg.exe
1644	reg.exe
2304	reg.exe
568	reg.exe
2088	reg.exe
2152	reg.exe
2960	reg.exe
2524	reg.exe
1840	reg.exe
2152	reg.exe
2596	reg.exe
2604	reg.exe
2936	reg.exe
1772	reg.exe
2584	reg.exe
1748	reg.exe
2712	reg.exe
1516	reg.exe
1680	reg.exe
1940	reg.exe
3048	reg.exe
1756	reg.exe
2844	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2188	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2188	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
532	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
532	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2216	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2216	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2248	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2248	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2716	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2716	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2288	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2288	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2044	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2044	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1068	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1068	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1980	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1980	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2084	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2084	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1748	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1748	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
884	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
884	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2016	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2016	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1140	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1140	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1200	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1200	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2856	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2856	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2236	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2236	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
700	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
700	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1528	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1528	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
112	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
112	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1752	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
1752	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2772	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2772	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
576	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
576	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
300	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
300	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2544	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2544	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
236	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
236	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2980	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2980	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2056	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
2056	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2656	KSUAUIUQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe
2656	KSUAUIUQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2656	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	31
PID 2172 wrote to memory of 2656	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	31
PID 2172 wrote to memory of 2656	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	31
PID 2172 wrote to memory of 2656	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	31
PID 2172 wrote to memory of 2804	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	32
PID 2172 wrote to memory of 2804	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	32
PID 2172 wrote to memory of 2804	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	32
PID 2172 wrote to memory of 2804	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	32
PID 2172 wrote to memory of 2744	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	33
PID 2172 wrote to memory of 2744	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	33
PID 2172 wrote to memory of 2744	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	33
PID 2172 wrote to memory of 2744	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	33
PID 2744 wrote to memory of 2572	2744	cmd.exe	35
PID 2744 wrote to memory of 2572	2744	cmd.exe	35
PID 2744 wrote to memory of 2572	2744	cmd.exe	35
PID 2744 wrote to memory of 2572	2744	cmd.exe	35
PID 2172 wrote to memory of 3016	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	36
PID 2172 wrote to memory of 3016	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	36
PID 2172 wrote to memory of 3016	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	36
PID 2172 wrote to memory of 3016	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	36
PID 2172 wrote to memory of 2688	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	37
PID 2172 wrote to memory of 2688	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	37
PID 2172 wrote to memory of 2688	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	37
PID 2172 wrote to memory of 2688	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	37
PID 2172 wrote to memory of 2592	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	39
PID 2172 wrote to memory of 2592	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	39
PID 2172 wrote to memory of 2592	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	39
PID 2172 wrote to memory of 2592	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	39
PID 2172 wrote to memory of 2612	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	42
PID 2172 wrote to memory of 2612	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	42
PID 2172 wrote to memory of 2612	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	42
PID 2172 wrote to memory of 2612	2172	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	42
PID 2612 wrote to memory of 1640	2612	cmd.exe	44
PID 2612 wrote to memory of 1640	2612	cmd.exe	44
PID 2612 wrote to memory of 1640	2612	cmd.exe	44
PID 2612 wrote to memory of 1640	2612	cmd.exe	44
PID 2572 wrote to memory of 1692	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	45
PID 2572 wrote to memory of 1692	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	45
PID 2572 wrote to memory of 1692	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	45
PID 2572 wrote to memory of 1692	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	45
PID 1692 wrote to memory of 2188	1692	cmd.exe	47
PID 1692 wrote to memory of 2188	1692	cmd.exe	47
PID 1692 wrote to memory of 2188	1692	cmd.exe	47
PID 1692 wrote to memory of 2188	1692	cmd.exe	47
PID 2572 wrote to memory of 2152	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	48
PID 2572 wrote to memory of 2152	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	48
PID 2572 wrote to memory of 2152	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	48
PID 2572 wrote to memory of 2152	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	48
PID 2572 wrote to memory of 2160	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	49
PID 2572 wrote to memory of 2160	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	49
PID 2572 wrote to memory of 2160	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	49
PID 2572 wrote to memory of 2160	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	49
PID 2572 wrote to memory of 2312	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	50
PID 2572 wrote to memory of 2312	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	50
PID 2572 wrote to memory of 2312	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	50
PID 2572 wrote to memory of 2312	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	50
PID 2572 wrote to memory of 1624	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	52
PID 2572 wrote to memory of 1624	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	52
PID 2572 wrote to memory of 1624	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	52
PID 2572 wrote to memory of 1624	2572	2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe	52
PID 1624 wrote to memory of 2028	1624	cmd.exe	56
PID 1624 wrote to memory of 2028	1624	cmd.exe	56
PID 1624 wrote to memory of 2028	1624	cmd.exe	56
PID 1624 wrote to memory of 2028	1624	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\NEgoocwg\KSUAUIUQ.exe
  "C:\Users\Admin\NEgoocwg\KSUAUIUQ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2656
- C:\ProgramData\mQsUgEIE\bUowIcYE.exe
  "C:\ProgramData\mQsUgEIE\bUowIcYE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        6⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        10⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        12⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        14⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        16⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        20⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        22⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        24⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        26⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        30⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        32⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        34⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        36⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        38⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        40⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        42⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        43⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        44⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        46⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        50⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        52⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        54⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        56⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        58⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        60⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        61⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        62⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        63⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        64⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        65⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        66⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        67⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        68⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        70⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        71⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        72⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        73⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        74⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        77⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        79⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        80⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        81⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        82⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        84⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        86⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        87⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        88⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        90⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        91⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        93⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        95⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        96⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        97⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        98⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        99⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        100⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        101⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        103⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        104⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        105⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        106⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        107⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        108⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        109⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        110⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        111⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        113⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock"
        114⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock
        115⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIwAYAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        114⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xkkUkYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        112⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUocUoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        110⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGsgYgIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        108⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQUcQYko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        106⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\euoIsQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        104⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\owIckQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        102⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yEsgogog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        100⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\meEMAkwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        98⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VkEsYQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        96⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwQwUcMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        94⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xasEEEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        92⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMokIQgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        90⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YcIkQMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        88⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yscQIEQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lOgsEgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        84⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BYUEoskI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        82⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PCkksIog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        80⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGEsgUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        78⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aEgIgQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IaYwgwoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        74⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sYcIAkEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        72⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AYMUwgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        70⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rgQAskQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        68⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIcQoYEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        66⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\veQsIoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        64⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCYAAkkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        62⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYQQgAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        60⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\meosUMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        58⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ymkgEcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        56⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwUcggcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        54⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MqoAIsko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        52⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAsAYsEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        50⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lEUkUIUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        48⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Dugwggwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        46⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgogsMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        44⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VicYoIUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gecYgoQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        40⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKocwwIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        38⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YqssYwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        36⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IUcMgAEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        34⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKQcEowQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RegckUoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqsEogcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        28⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FYYsEAQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        26⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lsosIQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMMEMoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        22⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ucEAkYkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        20⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mgUgUoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqoMwcQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dqUEgEYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\faEwYEUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        12⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JscMcIYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        10⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\haQgYYow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        8⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:236
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:600
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:584
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:480
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JAMoooEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
        6⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:2152
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ESIscgsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3016
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2688
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\qossIIoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9439748431210989870-123191335654715381411031566-170751220515881637271114790651"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15509328598944619891851845210-859294157-2137206050488949417-717906654-630964920"
1⤵
PID:596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1280966086219070231094932365-934376341-1755726166-20092921481019892265-1869867294"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-987426462-2089972671622107558879375970-19748457711282670768-11216122581617089151"
1⤵
PID:2940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9561046416282816171748984048-1700742982-746898044-626190271758426196-1536339729"
1⤵
PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1109154910965834078-15192735141157024559-175981442446461652965857418-763028998"
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13996286118678436012483673011060137150-1093102439-91038347505060115506815165"
1⤵
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10583677191610964311-1937144378887779750-405940719-663009782-1060620476639072084"
1⤵
PID:1100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "788087067-149359559711833852192013411832965948109-285003086-1073218747272467358"
1⤵
PID:824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "160791930316819621701192362848255598029-375405-1907664759-39872240-271851333"
1⤵
PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1556428061326504183-818243581797653712-1614104394-1816312256-1935010115-1798117560"
1⤵
PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14171738771660186038976854489-448975694-13217830641455927092-579008414-1531324531"
1⤵
PID:672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "72959886766485322-1675388026-182761437-487907714-1745276505-72498997861724034"
1⤵
PID:2968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2126118401518978893239303790-1641270206-10185438581089650-1558733140-829108133"
1⤵
PID:2772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-369175285-199619908911183713251854934863-14569526321881924915-8864502781067063181"
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "44377733479845903-103517939184265235818251252-124694404514562532842088427347"
1⤵
PID:1564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "256671011094267404-681940499-6003237912035940537136078757016967564-102663056"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-156462326-334299715-194129854-1187346387-517603644-14821315649629363021900117402"
1⤵
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
152KB

MD5
a9c7dc0e6a7c967731718caa2fd44ccc

SHA1
9e759707aac1fa815b956e53af71d6cdcf556c94

SHA256
28cda1d3f51844e520a02f4b0f28005e4ff43b6a692087a5a539f7ab73436746

SHA512
e6cc727186c193e031b8fb38cac045f24033e7954847c63ab22fb371285db4325d23f5d0d1d5ea00078475d632e73fe98f64542fc7c1d37b131f3d103b28aa35

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
163KB

MD5
6dacbdafcd53f0e409037e7349cd682a

SHA1
3e507d6900b5cd770592feb3d03af8fb938485d8

SHA256
790de2224886615b1b029c42ecda89dee910d9787060fd9655a9f437d8f85803

SHA512
0d697dcf0b21e844f279f2581917eb677262b1de6bd6a8e3648a711ed2ad3b626856a98aacef26264b9bf048aa60070a12c52c3e5f08eccda19d6981048c7b3a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
157KB

MD5
165ea603c80b04bdff8e6a51b6549e51

SHA1
866b7761c28e6965126b84f6c840331a9138de24

SHA256
25a18778f0c37332bea48844d2647002e6646df32f22c59e95d954c47b3f381e

SHA512
e47e66294ef465443b09becfd5eca1ec16a5113e59550a9ddb364962436ac66033ee599b06d33b0dc5d829feea4fa543a10ddbb9801e307059b6e8a1e7c3f36c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

Filesize
162KB

MD5
4f68c0c8792632338f1f039ad2676e00

SHA1
b2e0254a4784426c3603d52525c56a91225be3f5

SHA256
b97392dbe439a097f26fc2c13fef52d282812f857509b2e6b4e5db9fb860193b

SHA512
278599796bb4781e9de5796ebb7b5f55d21f89da5572363d0c04fdae87b5461f6779c7612d889f4d026012e4341564c8d452eb8f22193641884034920c2c29af

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-20_e6c5435f48b5614f16ec5855e2f95a00_virlock

Filesize
7KB

MD5
55c04f03ca58e621fabc6f1ed8d2b37b

SHA1
296c5279374de3e701af2786ee3ecd191288fa35

SHA256
af2ed6e14af5d86790a884af0c5822ba6580a0762e34b134b0a737564b20d66c

SHA512
56436b4b303e53b9b8fefe0371c42fbf9f7550761fb758e39355a523d998ca07e7c1cf082fe249ef4e3b691c4e04533428a4c3eecb9be280ea82a7f9559e3917

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcsS.exe

Filesize
600KB

MD5
4455a9448e6ca3c85e866f1bbfaba41a

SHA1
2b9696a2f4a4f2e4e510c8b33dc413e80ac1a87a

SHA256
5eae6467f497c17195111339eb79e667bf1ca0f87c6955a7778723e06df12322

SHA512
b0052350fb074cabe02169c8270a1445ecabead23528a27f40f9dd4df31d01b46bd6a963ace6f4f9f433a0fcc034ea9b1bb4e3f609da82fd7afcfa036adfdea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYu.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awow.exe

Filesize
970KB

MD5
5be60cf64d2dfd6dfa0025e98cbde9f6

SHA1
a8c9884b8138222b65137b3e140ec6dc4606e120

SHA256
1501797a96093f92eef4da3530c18b3ef3d679fe01c2a6e27bcda29c826ae70e

SHA512
ebaa58aae5f84604ea9ec591a874539d150291abdf6b6fdf746419b87a167cb5b18297f812e4c47c586e78fc4974c061035c21c3daacd8ac1c441d37f6fa97e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BksQowMI.bat

Filesize
4B

MD5
24aedf26cac24705767491fe4a32a2d6

SHA1
2710971d6791bd86890271e6fa1c5c2cd0ebdb17

SHA256
8798a5744e274a21b9cffa64ce3349600673ef643949f5c5225ce7c6ec35ca1f

SHA512
2c82d77169fd3c15583fafabe16ec4b4204afdf2d2fdd6ab1f7b4bf9738e99a7f40ac394fd8794dcce5c3470f9bd91f89b6d06cba7deae23d027b1b650cc845e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAQq.exe

Filesize
160KB

MD5
7d70d3b46e8f62b7dfdf9f8035249036

SHA1
c409a585f5f2d9cf992fa8c90402df2ef3de2b4e

SHA256
0d03622e5a606763c78909b7611ff1582316ed31ccd28acdc2fb1434520e7853

SHA512
15a5628b3514936c876c0d0f7df8ec097d79f641033775592ce5a3ed847d2356dd5121f7f41977970f610a39a9e5d86c26a95696927f583d2d157ee51292d965

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAoG.exe

Filesize
347KB

MD5
115bb33f09b68fa207b49f6ebac3d9cd

SHA1
f831ef2919028bed91d8116f12389f753ce3d723

SHA256
bcf477810ab3ffc472a979d820c93d3dd5088f26ec9a0643a597d95aeb88e7c3

SHA512
42823c007cd5b03e8032af7704b367918650538f291877170419ff579accbf768e77405c6e9936e878f51b30d8ddc0fbccc52e9914a6787c10ab53d5ae7ee623

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMwMsAEo.bat

Filesize
4B

MD5
162f2a6cb9dae6b4fe55af666db908b3

SHA1
d1d694a8d3c332113cd09174e14a354ec8c409f1

SHA256
4ac7a572fdc0ad7b15f00d0766399d5adae6fc61a72e38d00ee1a08cf1f9e942

SHA512
0f2ed29e66833d99bedd55d0e73c9faac37acb99338ae5124a4874c76af3098526e89ffd37723762711c2016518427797c86f84b2243e6a1c588feef8d53ada9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQUQ.exe

Filesize
158KB

MD5
d12e784e075e4cbe046d7c5bf9c2091d

SHA1
1d70126b09565e57b7af722a1634521301fd1954

SHA256
51614e1e0d68481221b584e8b4450e302e97d5540e330b16906e661222853575

SHA512
f5098d19e94fe7868bb5cc04dd4e80de80190f4c92fe4b295959ed3954cdf57436a941b3aa4749f308b5c704a5a88c5dd4c5ddb77731b1c95e94df6845d6485f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYwc.exe

Filesize
157KB

MD5
7b4ad8c1d20fd78fdae71204614e28c6

SHA1
69235ebca32cad9545b313145011cfa75acacaed

SHA256
de23c818cde960db03d6539884ebd261abea6c54fdb3328aef0bd31fa2cb5c1f

SHA512
d96627dc1f841af1b81f80642d9cc7dde11d6697e8200acb30361de368296003ba5295bc460de334f2e392ded18d2a88f40f8698444dcf138d36ba60903ece6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoQW.exe

Filesize
868KB

MD5
6602f5b3ed247251d3d662bc861e40e7

SHA1
08e1f2bf91da2d8b0e0d542d3ff4c2ad0a41b020

SHA256
023ac199a7efaf2cfa322bb43512482619e70b46ddf918a731766066b3670c04

SHA512
0a6426e805fcff395d286523dcae4738374546b93763938d3203a669dca4671d21df5ca009607b2a71488373617a0d5c46d8c2eec47486e0c27e9b9e0fd3f9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsMc.exe

Filesize
157KB

MD5
393e58236707784d1a8aaf93e8a4286a

SHA1
0be255992f8fc09af79508f0216b8cc73b6d59b0

SHA256
449d6f6227cbf5c965c1faa2c6192f6cdeb853c8417c726ac46ec973022409a8

SHA512
3e4fc79e2f473b8e443af4920aa879c5dc022b07a4d159d2fc0664802cdad2d9fe4d9dc6c8744793f9ab2562d1fd9ee9dbd80e041e1f18efd2f782bbd63df7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwIcQEsg.bat

Filesize
4B

MD5
083855e5fe941bf13ff22c3834fe4ee7

SHA1
287f56e7d18ec41e9f3984fcce996704c538468b

SHA256
e5cfc735c43132cd912aaaed05263093d24cc280a4faff70903f549c1172344e

SHA512
4000ec715aaeba22f65e8fa341c03077f9d6cbd5e2e52a7b103bae2cdf63bbc6f624ffade2cf6000c4c5a657cd51adb981e3dfe53d7147e5de7bdb6a59f56a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYwcMIIc.bat

Filesize
4B

MD5
b5a586dd6ba3fab23812a4f72f5f9009

SHA1
bd3e3d47070331176a807e1abd29af54cba386b8

SHA256
f8957bdb67f48534ce3d5649d56b98fd09ecb098340cf76cf37153572bc6b8dc

SHA512
0b2c8504ce8ca276246469e38c5d660242f3265e41150a1f64e4de130a6012d5df7cc37c6f62193cf7495587b3769fc3baf2cc9d1c9940fc35305280924ad4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQsC.exe

Filesize
158KB

MD5
77cf063d05a83c52126a29577cdb7ce0

SHA1
17fbafa395030528b7718960247821c098b14206

SHA256
f37375692ba531e4aa454a86d73dc9c4af52481f1d2580a1524712848d0ffbb5

SHA512
4da6041ddfd2ba57c5768b0b2eb52c20c4fef9397e9f06b592a7a5155aa678cafcc4b36babf52eac923235d9b526bdc750b40ecc5ce5cfb2bab92b96e0ae59f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQsq.exe

Filesize
159KB

MD5
ca77780ac3d49c054cdf572c51431292

SHA1
d5eeb6b47ea907b0870f12d52d451421b6e04c74

SHA256
0f3691b331b204f5c933a5289a9853a1325503a574b1ea3ebd9bdcaef2bcad13

SHA512
36f5c849d525be9846bc74e985bda5dedb28cd4b6a5f88a412258da0c4283127797c0178c3eabfc1778dfa5a8d4796f0675bd04138b41c9434ec735c144b6f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\EawcQgYM.bat

Filesize
4B

MD5
10738cf5a35115cc5f414ce5c1836ab6

SHA1
99aa22d8971a8e3bd523edffdf4848d9bd43be3d

SHA256
c0cab8b80df6eded6d106744be8c4be2434ac4b9ac41c36f1bf9b66af2c57bdb

SHA512
a1d9fc1004552717a1ccc7648f7661fbe359de133820a5b45eb498cec80cfa662150eb0f6e5a2d4ddf57134271fb923806c11d67069682eb64f1bf461a55408c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsIK.exe

Filesize
158KB

MD5
a01de4383f92fcde31bc96abf7fd3739

SHA1
93e54c50bba3b462c8312e884e0fc666c7908a76

SHA256
64979d18b3d57bce5aed546e4e98d6c5a6a95b4655933ef6ce51a4ab57f912d3

SHA512
1ae12fa135c5a8d4b4e4d2ae56aaf9e54028f643e29ad875e3cd623e3eca46aa3209f3066f002ab2af489c611883c1a837b5f13798e4fd5f5ab2481776848146

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwUg.exe

Filesize
158KB

MD5
ee3fb1b37383208e92eefabab3b85649

SHA1
42cf590b0a2b9a328e1123fa6e9d2c018043f1df

SHA256
57e4d42ca51e685000ada5e83db9c201b2398216b602ef6294566b3fc937a5f4

SHA512
8e6316a7438ffab75e5a828ebd2da1d21bd6b6c58d98c379e05c468102ac3ca824c8f88a2d217f2da4932c26d7775407ca99b0a415a6e65308783f769c66eba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewgg.exe

Filesize
158KB

MD5
183c976862d708c41c75fd0f7ee240fc

SHA1
d7c35c79ff8c015fd9754db5263d14fb61ed85b5

SHA256
667e0db74d867212b679a016f48c9efea722e51e305d72c1e97b376ab761c7c5

SHA512
d58d8164f9f2c8fe04e0725b5a126850eff7d42a1497b584a2494775eee9bd7422aadaec4867edf0458a1a480376e1dc2a7345f98233aa97504ae685d9d018a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEIUUAcA.bat

Filesize
4B

MD5
684da1240b943b3dcc855ec5cf4cedea

SHA1
17138d1cc75a64a0cef2fd5fcd6bb9e68e94a2d8

SHA256
edc1219724b72e82c4021d42313ebd4459138e7fdb4377ff8197c31ea40be022

SHA512
dcce092306e3827903be4be067de4d210d9c1c07001197902322f79f1449174bf05920b11be814f1058ae0f8a0c08637f3fa526e926c06bb9bca68321581ed97

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoEEUEEM.bat

Filesize
4B

MD5
1245a2529053ae63ed3026fce9dbe8ed

SHA1
fe3ae318465c95d0bf31ea20e4e18b749a18fa4d

SHA256
0e114f089f47feb5fddb1ddef0ed51b9aaad2538c521eaa70983fad54e84c4f3

SHA512
1fb8f57e6bf07595186e36ae32f478f8ed40810ae4bf4bc9fe6ed9a78fe569a8b11ac90f86c1fe050d0268134e91a31c5390c055b6674f6f29170c3380767b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAQy.exe

Filesize
578KB

MD5
7e31d799b39b0271c8cf0e3b9817349d

SHA1
571db47695c0981c93abdde7ae4ac47edd4e762a

SHA256
cb65067e43c8d656fe3838b42ded1077ab06b74788caae633a4044e8231c6fbf

SHA512
30709adee06a9bb3dda341c9ffd8e735a389dc2b0e3c5ee79f7a09deee0f1c1ce663bd738989e40842928f0ae83d92954fa6557a08f4b27642590980183653b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEAQ.exe

Filesize
621KB

MD5
fcfa348d05e5862ccefb7ce63be7c874

SHA1
599d08f62b686a725253be1d581b8a83cc9ca152

SHA256
f9f111925be5b5d5541edb04a826abd3d85f269477ae34fceee8851a4a2ece8f

SHA512
62773602550541610713dbb605b64f34a2e9592da092c91efcb1ccdad8186159961b0c174031eaf233ca88ecf566164d9bf788123da64857c1af6c3ea3618c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgUQ.exe

Filesize
159KB

MD5
067928e87f5abd66dc42f99d027c29d2

SHA1
37390e72980448ee563e38f334ae547e44ac86fa

SHA256
b1bedbf3bdda290b8e2e98d7a896b0b88e139aeaa10fa67ef7151057e6d40207

SHA512
655d45822174d77ce4b50d3fab0f96efe087dbfbbc607a69120fb37e98190711ba797c3c2908b4909ec3b70c23ff24e82e7b9c68015ae5a7e323317653b13b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\GskG.exe

Filesize
4.0MB

MD5
e9de31230af299f23757ce348e6febed

SHA1
a6d9303d5ded6bdb73c4610c5ec316f59cb7a049

SHA256
ae795e71db0072ac0c1eaa6dc0477202c9da2bef34a1e643bc57bb3d00e208be

SHA512
3dbcef99ba45e717ca756f51315c38aabffef9f0639430e7688bb9850cea7c0b2cfedbcf02e08dcffef865e30475f4e2e6ab582d98d1e437dc68f980c71cbfef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAIs.exe

Filesize
659KB

MD5
e7e45d63e39e2edf9ac085ac35887c28

SHA1
fd1794a4f72c00ba09216079a2e51c5b608aa6ea

SHA256
eb48871a65b30ed2145f94c76773953036c23361e90fbd79191a82635c896793

SHA512
6f417d25ab25730706e4fd3e04a854419c224da6f895362b18a878b1eaa0e87a7b9f69631909fbd639d0976f07e59622d4ed163a2c226b942fcaf158ced5e6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAcy.exe

Filesize
137KB

MD5
1b14fa95b9174dc373ddaebcaaf96852

SHA1
194fe89472699b508fc74d060747adbea19725c4

SHA256
56d4ebd1f34e2317a1bda227cbc7bfcec476431f4d28375ed50287e26615cdf8

SHA512
08e0116fb6bc07aceb31ba6a4f7986b76baf4133bf33561f5483797c5432d7c3339ba7b132de928b5af7e88dfaa8fc1c8a26960b4a778bcb548b813164202251

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEMU.exe

Filesize
742KB

MD5
a0f7220ac4d35d6f9fa3b6d5b10294b2

SHA1
d4b5ffe7ec2cccc606acd6e62dc495b026ed352a

SHA256
2eb1bc0fb94a7be8dc03a0be524b0be811b43dee30989d1f065c90d7bc5f89e1

SHA512
1d17506ffc6e5af70ce32c0485ec1ce59df00c52ad52324e5b84652d7890f281b9967dad1d4c10becad16fb47e2b655ce3a1a798f0b46659aad697d8c455219d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIMu.exe

Filesize
158KB

MD5
8c23338cbb3cadc7326a6c71b6623090

SHA1
50747c7d7d3104f5dd2badc1b91f28cdbcf2ad0f

SHA256
4dc8f4664da74fe106862ecbf3786532c7fa7cc24c412c12788a6927b709d10a

SHA512
95fe7f613810a2a260207d7795b7f71dc06f1da9d09aa095767556fd1ae3f306b40b73561eb0739111096964fcfe1e05f5b2edd152fe1007db5d0ecb238bdd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYQS.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgIE.exe

Filesize
158KB

MD5
f0431724bfd1bcbf6e5a608aaeaa99a2

SHA1
57f99237d8b0a26f9de08b9e1a2d93213bb41ab7

SHA256
bce1fc52527f984311eff1d37227b69dfb36e7c9d2e073fb0b48b4bd03f25ce2

SHA512
33e7d878b62cfc50275b9e80110ec9967ec0690abfbd4f31a0e609a455d01a2f8bac9d8d2c5178fe774b85b6f276b50ebcb121e44385a32db0222083f54434f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoQq.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwoC.exe

Filesize
157KB

MD5
04e88d1dc882bc309cfb5d04f8357e41

SHA1
6ca9f12ec549de079de4a3ef127d861c8e3571ac

SHA256
c56c45be66fee6a3932181e0566473383bfe34b2beafe721b57fbb40e03b340b

SHA512
ff2ad2c0657f540f05559a0308fef463070ba3518a373874342e2508a805cf92784921c93ebf4a66d7ecb900b588da6f8790612c3d3014ec0cf710ba8f977d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAkA.exe

Filesize
159KB

MD5
c38f2e7f79c8b9403b113e261765a73b

SHA1
879c9f3e725d791f08361ebea936ae89a5b59a12

SHA256
1ec2eb7ce11fd493e6b43671186a37c48ad6df89338caa3cadd88d2f658a11a6

SHA512
9e6a05ef647ad43f46f7f794d4ae6593a668ad92348994b877d565f2fd363b9c70e689bafed01c5bcbafcc444ee8fc571b70128074419bd79d13f0543526bf6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQUw.exe

Filesize
159KB

MD5
f79b23dcf565cbcd53a60720bdb25c13

SHA1
c9f801c9c22f9fe5b9ea5cc9654c670e17ee11ce

SHA256
23d26187af007ffaa200c8400ce8e2e7ea0639ad3f4d827cb9d0e347de34a3f6

SHA512
42815e2f739d871c2406dac4f879ed8ae8b7ae413085a1bb98cc750563022cb94a55e1f55f3051d43c0a4436eb7fbb0e76db1d3d138531e60329b8273c91d386

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQoW.exe

Filesize
745KB

MD5
8f09c819680880ce4377decb3b076e2d

SHA1
a22ad1760a6f063625820891cb9569c939096555

SHA256
0145665f9c8cbdd2e97d112cbd3b9c6ae92b7e2fffbaa359809ecf669fc2e0c7

SHA512
d2b5cb59179307dd043b6453c3947015f1c56361f1be1d5d4f8751a98766cf8f5cb507c71adf9f89c4e64565d9ff118c33c1540d16f6a2f2aea97a1d9e260ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQscUIUM.bat

Filesize
4B

MD5
e67f6faa34e99c2ceb70aad095f82c5f

SHA1
60c60efc84b108ae3de13ba5055366829066c78a

SHA256
10f4fc317b3d4125ac3a24de65895912038a6d9a346d7eb671a0e6539ccec0ca

SHA512
45946a35967c9faaaa78818e43ca9f6e92aa78a56f7ecf24b57f7fc18473b0c0e417ffe51035b33f1b8dee99b062d5f7b1c3cb90c44095bffeef1db91a43a5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUAu.exe

Filesize
159KB

MD5
80a383b5523e0081c4a43bcf294a86ee

SHA1
91e8f0e99445585834b6804fd061603112fae4b2

SHA256
96c56435f040b483c4890a44ad7706a294180040d768030afc0740f3a70a3540

SHA512
c6ba5d3d4436c042c4f62baa8a70cf132376bb5033f10c4be5453f15d327e9835afc30962f440b4e3e824f51e76d8dc4172659f8586ff68566f186b2fb9ff6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\KiMYkIco.bat

Filesize
4B

MD5
c98c7caae4466011f169377983c75ea6

SHA1
d8800b9db2bcaeda530bc42f212d905ecfc0c175

SHA256
7c98dd2c448c6ab32223a2d10619558cf14e57ba0e02b970725d53aee4147a8c

SHA512
cdad839e985f3b09abfbc290babde9f66796d84897a7b91a3e14da2ae551c940b80106631b416002ca1ac18c09ce7eab4a50fffecf08055ba1df81cabe9190b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kowq.exe

Filesize
158KB

MD5
c12a18689fb7ec82d8fd3b1efaee16b4

SHA1
0542a08f056ff15bdab279824b01b341e97175c9

SHA256
5f65920afd2fdd0ae7905e86044347817192eb3333e4d67e807cf679f4c55902

SHA512
dcc2b7bca94759fbc6d65bd25267edada85180eb415239a9f0f1f2f086061dc22b84e12fc1447af66a6acdc961dd91b6264af1119f11d6fa37cbd3462eab7deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwEQ.exe

Filesize
237KB

MD5
12087b9309cf8c6add72bdd9d36567a2

SHA1
04ae5c3e45cd9395891290ced2b91c38ba93485f

SHA256
e3eb7f602fd242669c8925739f092a3b2f022c99a86020780833ce67d6fd94cf

SHA512
7227d3331da15945b11d0947683ce4a1f4af1e438bd917fd4d001ce304a33dad6bb15520bfb8d9694ec6dc9b96e50a84edd1a3a5c7a69e48f411d2353c9b613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCUwUsQg.bat

Filesize
4B

MD5
b5f2b27751e120cb1d3e47d0c838df92

SHA1
92cb0b69b56cdbcdf92d39ec251591909917ede4

SHA256
d255fba2b6efee304f8a9d6449ab9b449a2e9f0fad6cf91077dcab283424d969

SHA512
4ebc6ba13295b052b09833630d50650174b1a31465637374b8db15f705ffc2941615b8db7f630e8f8411f01db3d5aa1d2aa61a07280a7c149b816fa42e8dad07

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgAa.exe

Filesize
4.7MB

MD5
b3a7321c8501044893949f46c3d93eea

SHA1
bacb0e5cc7359e6e74307c4c9e4a0dd94ab32728

SHA256
71081f06b0ee8527fd134db0caeb95f48aa16340fb3828c27c3d0b8d968b9847

SHA512
7dba614d29bde66d7c3440b1be1c7c98163a59ab91afdc8fc3b909912254864fe4ea00b367d1a2f94d8d019ab855123c5f087ad196b5974a4c651e63a2476b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MogE.exe

Filesize
157KB

MD5
7a18558961cd0a3130538da4e360fe62

SHA1
b4bd062396c22f027dcb1f5f0120ef8243dbdc7e

SHA256
4333380220d6a9254810b9c309dc4ea8e6814c3ee0370e738da1c0b0a5eb37ac

SHA512
1b436eb90267bbbfce5d07c0e1b9332e0ce57c4d4a6ab597567f45725da872df56e3852293ba38a65c9e2d21e508bf709a1f56daac8b9262faa09d19b1dacf42

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMQM.exe

Filesize
747KB

MD5
47a9f53c39c42b64814bca95fbafc63c

SHA1
d06585f76bb71e4e888b63d9325a414aa660088e

SHA256
ac669401146c0b31878937fd0cf0e157d4b8a19bb4639840a42cd7d066d537ff

SHA512
ef49599124d4b87db49ccec405b1da11ef2bf4f8b03da60e2bec83c163f4473727fcf4353b241cf5f8a2266f2cf9036908f4fcb307ac6c545cddb8b5bb55c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\OaIIUAYw.bat

Filesize
4B

MD5
ec17e4f772db77f62e7a4006157627bc

SHA1
fa046c61a3202423ac7fdaa072bfee5265171bb9

SHA256
89b1030c871c076dd38407be9856952f4c76e8fb069119e5eb7f6be4fa3a144e

SHA512
5bb2384901bc01828e4e30bcffbe9bec270758c88d04a92fd87a735220955cb9ea8529086b4f979bb24db9141f3feab692d7fa964b64f2f1fa7c645b8d6d3531

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwEm.exe

Filesize
159KB

MD5
216c772320dcb6de2f56b95408e8153f

SHA1
97dd25ec80a6b4077cf7d966bab647fb24f5941a

SHA256
458f4b85802a294bc3596ed34ec1bfdaa35c39d6b13478ad376ca6f5ea832a4f

SHA512
5eb6e821d36363d6907b3539baf6ba417e5291a46129ce19a74599b57c542e4c0f8dd23dbc7ab2472d9b1fed4e231e1158aed6a44677d8eac7c7fe5e8675e980

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQgcQMgY.bat

Filesize
4B

MD5
2fab280131636979f83bb22637b05819

SHA1
6e49be832db6599f2d607d03001b33149349a146

SHA256
45620f948a2bce0b3c5e883293431df39aa7b9f488132f8f1a242157f593244b

SHA512
868a3c1f62c3710a834b326468d756fca6a880a0c353fb001bfc6d20f4fb5ee08aaa7b51cd0dbfaa11fcec58ae1087e04785d82e761e9bca8ff81824c2844910

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkAIQcEw.bat

Filesize
4B

MD5
9a58dec5b7d9179239296b7da940cb98

SHA1
be6f898e89b9f327af843b83014122cf7fa33b9c

SHA256
0964b26eda7f64b6810e1bf368e89f0e8ce842640c1369c5f66d08472ecde1a1

SHA512
9e071eb7e1c4d6c5b8f870e3dfcbb31e11174dc9fa1d8b1cfdd8c52400af4439e54a3d3be09d370bd720fd4ead95d320b1ed7827f232f4b75f1e92cab3dd4e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkkoIwUk.bat

Filesize
4B

MD5
0ca0da081fb19b00be19cc844aeea9c4

SHA1
c552fa186337bf4378f84e84884b1897d47ce4a3

SHA256
df55e42f5b09f270474367ca627c0831d8b4845d042247e9648f87b968f6d2eb

SHA512
2b575da0c6639fc331e01e2ccb663754f0e7c43000537888dae2d697de38bd25f81601b315ef754cb1356a844effc6a9968ee88bdc8b67105175a0554bd93de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQcYQMQQ.bat

Filesize
4B

MD5
fde81e57cd9963eac14e334abfbb8574

SHA1
232b9c707f0f1e4e49c32286d5ed0d838e3a3302

SHA256
b947da06633860f783295639f2c763d5491cc24d08f38c4128428f1e533ce99f

SHA512
472d039d078fb9e510677cce7622187dae0933e7be3cc4139bf8bdb82fae152dea72b61db738f77c5646a4c683530e9a6a429f56d6bc3547543b07116cad7308

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgAi.exe

Filesize
160KB

MD5
48c37f73eaf3da48b7402d45cf2d4831

SHA1
9cd986cdc132b96e5fa9b06a0c8202b88cd5f9bb

SHA256
fef45871c463cf472992760755ee6207c319233e1377fd7785c7390f75b1b650

SHA512
809a85cbd3d7e06ccdaf300cc1d27d49eefa7d687b128cdbea937cea7180fba237473866f70ddcc7639e1688c97d2153373b9d87f98c5a9bdcfabc44570d0ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoYg.exe

Filesize
134KB

MD5
82920a1b6664712a4c2ddc5bf41b5dd5

SHA1
3292a9668c83d9f6190e8c4d759585be4cef048b

SHA256
7b8c3bf4cac3a0053a5f37758770d94677f88dfd20d811f01a88318e5fbd7ecd

SHA512
458ebdb7775c8dfa08a71b17f616a539abec01d6fb7ce66b96cdf31cecdb2edcde3db3a8184d41454e46f315d365378052a7060e3fe3f7cd1aac2629949c46b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAIQ.exe

Filesize
156KB

MD5
cd67a8790e5caf29c88b6020e099437e

SHA1
da28bd178cf3946ffe307371fc2056a768ed3769

SHA256
d0ff2df19b5f5f2881f3cd3172443c81256fbc67ac90f58901664123b11bb556

SHA512
3353d8ab2f12c05489c4d6b06c11e127a4b1cf771fbcad1c7b09d05575811b40e3f1b98a36cb5cf29db88e709c1d74cfd03267ba822d07902caf45f9c834950a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYMm.exe

Filesize
157KB

MD5
07d306a90cbc3dd2a80a09da8d2dfe5f

SHA1
0efd9c7fb2aeca056ddbf568300b4c2733d4bb19

SHA256
514f5cefe4c4a5850573612ed2dc4cf80b9ef41da72510e9757c92650636dc35

SHA512
98237cd701f119eef3d7e12ff955a7f4a82db6ac2aa23e89b62d621711ea410ad8125a987d5e463e9571f3ca805eb666ba0a5125601205615190c9cfd4bc138e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYUW.exe

Filesize
158KB

MD5
b01c1f4657c568c7bbd862d75945467d

SHA1
0b6159d8f17656322b06027502baaa5fce41da8d

SHA256
ecb2da586c6a0ceabfd288cf1c6e2e06ca02f31a0aad0206fdf573a8501655cf

SHA512
fc8bf13a97d043e43a21f528b04e1d38b2886e1a98804a1cc060bb140d39c6a0bf0e7897b5aa02e4f39b3b94d07e7198e08bf472bd8cd3e36f04220b4506e9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYwAEcEI.bat

Filesize
4B

MD5
bc4b08f35147230f4e5e8b82873eb00a

SHA1
b2e471cb52793a493cfa15794e789ee9f8db704a

SHA256
f2fee5b41feabf93bea589c5744f0714b90b23bb5a805f7676aa93afc30ce03e

SHA512
21e9d7a8e0f594a76d3d30d5eb5a76b5ffefc5f2318b4b95f48349b01ddf3deb95410a76b7dcbfe931bc1f535d4bb8fae91663e637f0a56aa3c4a732dca0beb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgYo.exe

Filesize
1.2MB

MD5
76dd693b2a2d15fc3f92f83be81a97de

SHA1
e1e35ab47b79a17cbf3e70c3cb45cf6471793a00

SHA256
e6846ed518e85b93d1bcd3d420df49c59c5f9033ed4d2c3a6a2d91ef0b509ad6

SHA512
079b1fe50a3222de86a35c3e0b7ae0358b848d5e57a278949d7d374d268e18dcb18a9d4534e2bca648ec3fb2e2ec868d25c23611f14a5427d55edd69f0952b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkkY.exe

Filesize
158KB

MD5
f6bf27caecfa01559564a6047f63eae1

SHA1
c032e0555213cf98f1c8a26527f7b2b9d8d2a27b

SHA256
4cd02a2daeddba081e0b4e27f96901311bd263783334af177591a420c9d7a008

SHA512
9ba7c1e4b84b39440ba0c45bb0ac63d74585285a021ef22100418b4fda98a5f6624b19c1f9163553ea47a57875ab9f9d29e767d80ee9cc94a590f6343e5ea767

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoQK.exe

Filesize
158KB

MD5
b207a2d0fe5a6938598a92139f4a2dc6

SHA1
fac837c5f750cbb19e88cae6c4f34d73ad0cd3bd

SHA256
2083a6658186f829d3bed46e7d9a932e9b15b037cdc2b11a979f75281a639fe1

SHA512
f32e696d4ae0ff5e85fd0f3f95974474f75e44b030e881c44b2571e1df49ee4045bf2c236407596ad3a6d268bbb9752fed172fa93465e67493dd126eb548cc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\SskkcUMg.bat

Filesize
4B

MD5
3ebbb10d5e028e441d8d932f117adc8a

SHA1
d6c527085ca0837e0c59ca6c6174bc59d1535a53

SHA256
c9eb4f24ddd35d47c01b3184111f11bdc7f01c4b7d346fb403381655f15e6d09

SHA512
363516d73d0e58f64bcedeaf1ff3af2704444448ad7d87aece8b1dff8a1eea9c2295c994c3fa778999e734ead10786022ab096ef129079133433ebe4f40a1ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwQk.exe

Filesize
157KB

MD5
0bbb680ddab61d62c692a5985721fa43

SHA1
bffbefa52df5bc2dc1ec2a404021bfbe0d012221

SHA256
732518b5d823bc583aa978453f19198c5720328a75798f1cc54931c0c6396c39

SHA512
f61e25633ea2dea7a502602cc7424b13dd93a00d912f77a490d8521e9b588af47a70032c6ba932a48cdcbc99746c3c8ea5b7db992a077581abc6082fe6470beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIYS.exe

Filesize
159KB

MD5
c1b2f4202fd6fbbc015967c80ba5378d

SHA1
cfc756d21eace69da20b045da6758484e523ca46

SHA256
8727fee1c931d6d90c6689fcfa1090d8c57fa8f8939d56d0934e936f5c966b68

SHA512
d62194cbe73d5b40fa602a67772a256a24bee4b7ed6ca0e90001f0329ac298755da531f87cd4877b1660ca820e89963da25548bb7b7043ac77e7e9d48d73f47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIgM.exe

Filesize
158KB

MD5
94688e43798e2de330eef0dc84ae72b5

SHA1
57bf2251e53c3b6f14062cf160a6fb1c422ff748

SHA256
541f969d14ae514594822f7a4f7b14616c33570b6443ffdd04eba1924eea207a

SHA512
e7e88e11eb7dc2fc9c68b374eb20e4834a6c787d9808091974a1eb967a3e9b6d50ad35f1c493c9fc7b7e3af5ffb5e683ca865402082a236e7bf7d6a2992dabfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYAcoooU.bat

Filesize
4B

MD5
8cc923fb7c4560da3497f2f875ab0266

SHA1
7966f6c287996c84175f26d7875cf26befc935fc

SHA256
14a1665ba9f1c531a6537386548ad771b75fa4274da28938286193de08c7ad2c

SHA512
f219b33067bcc92d45df08510f1a4a3497d8ca25d34777d3ca9f252983f0f5d043854003da99e68e4ff1068c17e481aa8f8424f91b140ed3f0e5d48c00e02743

Download Submit
C:\Users\Admin\AppData\Local\Temp\UggMwgcU.bat

Filesize
4B

MD5
6658965c9ea35cb911170739e8d9aaef

SHA1
d7f66de3a36ad78da5c353fab4632dae06a8ed01

SHA256
ca7e656bf5d79d1d86311434d0303f1bb035db697ebdeb51f1f6dc77adff5e74

SHA512
7b06c5e5360db8fced06a7f05e2471f46ee878b724038b89dbf3826c3c3ac4ba5373cf1b1ad9595bd16b81dbc9df52e4ef332f22f29d55a5b63f1d32d942d3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UqIcgkEs.bat

Filesize
4B

MD5
de7b42c4b16c331d33c8ef226c65b4f3

SHA1
755559d31a985c0daaa826a6383bb51f8e582191

SHA256
bc7e1f0d3e3dc39578f92d49f12031e8d09349a4ea972c924fc7b1adb6b938ef

SHA512
640d33b85c5b9ffac7a6e925e04f6d512f437bb14c571c5bbe05009828a0f329b1ef62aabf47a2618501722ad30f18d26487522b83c408d4a93df2a8cf023b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsoC.exe

Filesize
159KB

MD5
38a3413a80f7a96d9443aad71f41d69f

SHA1
3709dc42eb407b6f519d581084da7b465eb88087

SHA256
9986878b232d68904fcccd5bd792022536abbf44412321093987f4b6cf104843

SHA512
491e4387acc77c1687fd864f9210b15edd5fad20c4a3c4cb87b70d2ec317ae2be39aafd3d8331bb2cdc61c47c82bb9ff9cf84579a80a47963b15d0aa867f0d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwMYwIIo.bat

Filesize
4B

MD5
acb0ae9adb3ee43036be22518a80454d

SHA1
5a7f958465d25aaed96e095f80989f18b6f49dbf

SHA256
f9589917ba93b3ce5a312b16a909dd768a667cdc616286373a61e4e8edf63b42

SHA512
ce51dcf86eddbbf9432f5f196d02605761e36818ba44105861ebc84d550ed9e513bf0e24948d5d9552bf5ecfdbf69b6ac98f171bc76f37ccf3b6f6d502a74898

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIQu.exe

Filesize
158KB

MD5
edbf7b223301e6201cba50f6d7457953

SHA1
a46ff470ce54aaf74977a50d90385a021345edea

SHA256
e63ecca4ba436c6956c9aff858b9f5f754f0cffedf0e0a7a885b109bf0738540

SHA512
3120ed235bcbe96589caa8c7528471ebf20c4e4600f03b409af926d5ccee3bce9aebe1a16afb2ff301256bdef329d1cd13b25c512aedecd057b345ea16c28ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMwY.exe

Filesize
693KB

MD5
2f8088021f491f894b05b3e9708a08f9

SHA1
ee6a454f109e33acb347b9343e6f6ac40865e0af

SHA256
92acf173426de3c2982ba4ac31e4196248ae819a58f5467f289e54521e746202

SHA512
c5c5d13e738c44b7340e0d2eda85d8f288c8664467ff4c965adc9cba764e6b68ffa4af46c697a75cd54df1313de4ba3e2526196ec3ee69d1b21e81697f187f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUYC.exe

Filesize
555KB

MD5
dd6e21257c220dced3710836ac70e726

SHA1
619b556d9848836b1c0eacd922bcc55ec8eda949

SHA256
194a78142839bac83cb948b326120b0662d9cc77a704f753e83213f10b641af9

SHA512
e10b9b07685c7a8252239b46df15a4d2ee4a3c760821779a42a7f87931f793ea2a171a1209efca9ad800b77d1a1349b02dc0ca3f69c7a10e5deddc1c1e2f6aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcIc.exe

Filesize
564KB

MD5
a9f64d511aff1384765a53a18384668b

SHA1
4e4db5944ed45a6c3ea1c718dfa8411d90953e6d

SHA256
720c28f8f95d0c9fe0583077e31e2ae870012921ef39d2e81eda376c2e33a1df

SHA512
ddb32cf9b696f8184b048abd1ee8ff786644c064140520a604f7a9a32dd8cdd35e1c20c0af1b07e6f224c20091b2d6695f6d1a8e6cee9420151b71e03c0a18ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsUo.exe

Filesize
238KB

MD5
e73cf0f65037e99f5dd7c955bdc39951

SHA1
ef08aa7f530a0b0efa565f642cfc49ace19fec0f

SHA256
9737fd7231b032897f7e8a4ffbf190c02ccb57bafc90ddd003b187e4cff7c8cb

SHA512
573745f197c95871a90d18b8ff15ff01892561d228b53ceef4484e08592f498e9bb92f141d7f5cc9c3ae2e79fceb774af10cdabb0a6142b44c5cfd4791d71fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwIW.exe

Filesize
465KB

MD5
cb83590d3bee0280840e4f7825b1eed1

SHA1
d73c075bc7abb8b23ba46959cf9f23823947ed0d

SHA256
7143992fafc0879e1722b6f423e84839e61d210d14e0378a2037909345ac8acb

SHA512
9f706c5f3d529a91bcbe482d4fd1365abf1efc987cc91bffe0794e1cf80ee2e5778aa96d067ca23bfca36a253f7c918f70613abb4eaeed003537f1de8df77ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEMg.exe

Filesize
159KB

MD5
69fd08bd4b9fd248f0f389c6152afc59

SHA1
5fbdbff88257d4b6f385ae4060c585a4855bcaf9

SHA256
eb19c1f13994f3c29561e6a471f6840d4060c4301b0973ef5ffb96a91daf6b80

SHA512
e8b7bdff510f74917542ecd9b1595d063d6b79573fb8c491446a9c05be5e7523ac0974b4498f0582699f5b2780d85ef85c3a318a93e961ad7a1369b2e3254239

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMUw.exe

Filesize
1001KB

MD5
eac702021d47e01ab56e411ab685c0c2

SHA1
d6e21d7b008360073b6e8cdfb0969463a1c34636

SHA256
fd37c7b1824b8c8cc0be0ec09eeea782c66f69c7788af1d0899645f57448126f

SHA512
41e6f134e7148cf8b9ae8b6e85659da1312032149a46c96b2d01090c93c961ce94fd27afea313e5de194bcb3ceb4b417c12960ec450859ffee374a18ef175eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUUQ.exe

Filesize
159KB

MD5
7e77cf3b52379c86a6fbcbec4860ac3b

SHA1
f05e78a9d854c15a1eff9682b2ec4335eaddc151

SHA256
3b802102ba51f28555b8baca2499475052a3369a1893dd2b940315acf3a2b28d

SHA512
3fcb0ccbb89f2454934c6598bd6304b01346df0545a31c7ac29a2617aa8960b2c7e6c0c0418ed85bfc47f5e86d6d5875e4c1ec0a58bfdfedf28d928bbf3bded1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYEI.exe

Filesize
158KB

MD5
63bf1f9874cd4dd2d3837981f7f934b0

SHA1
98e5d563e4a8bef6fae86a622662bd72d61f3ed0

SHA256
b5deb28292e9bb4c48fd5dc255877b2831c42855b4b9ebe4f147b4113269dd3f

SHA512
9ddbefe6dcaa4b1f05cd5d6803b0d5d28c9c8112fc88234caaca1d33d27c7373e52b367d29dd5e0cf4d18e42ee22454e438ae2c9cd0f768ed93b028bc7fb275a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcUK.exe

Filesize
157KB

MD5
0a88c7412042eb9d9b769200db8d691a

SHA1
793306ca9322e22b540906040c71ca7b79bb982e

SHA256
edfc99d0c592baf668a34541fda48ca001fe7015798c34a20f005b1b2b8f717f

SHA512
3d25f8f3895c72985da10ac796bd324bcc6d66b96903a90cc7fd9d96faf1ee731a1d0e7aad4a508abdaec050916c7bbff0a0eb6e1f272c700a399a151dd6550e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWIEkIME.bat

Filesize
4B

MD5
7e70da14ab1cda06f8a1345015688df5

SHA1
dc70a09d02d40d5637bb4ea66dbb6010cc16a10d

SHA256
1005c2833d260fc9f0954e2bf749c418aa6f6a825c76173183f789f898ca63f5

SHA512
b1fe0a63ab2e5d9e91569f9a43033c11c1e0cb8f40f3d93f58783b6b5080089154b414201e3c49bd0af8d70f3b4acb79e4e5c10abf26cd882f14172dbdb714b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcUAwwoY.bat

Filesize
4B

MD5
d7defdbab263148dd7bc01686e0ddad5

SHA1
f376bf02591c04118f582d2e65804098c42d9793

SHA256
1e8771c56f4ab6369ab1d5e5b04f849bfbe3d844c973e4912430f601c0377e52

SHA512
9e94f4454b10ed8e4ffb0939e1232e29cde4b39f563a76210562e11909acf872e567114c3f350a4ef742021f1ef2819c4f9bf03f2f9a839e97f0f62e7789e3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAMu.exe

Filesize
159KB

MD5
4d60675867707f6f5d44478722166c01

SHA1
493e6f60ed9988233a5fe20edf81cd5910c0ddf1

SHA256
eeda4ed4987dcaebcc1b3ec15599fd6d7ef4bfbf0d75873b2073a0dc6483aeb1

SHA512
0e2838355c4a7e05faff0b9054b364844fcf41ac3cb65df803fb0be7246f0288290eb5c94ed05dc7fb2c8000d3ee5b6283c0dd5511d1c0667cd2c9b373345105

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMQs.exe

Filesize
158KB

MD5
e3d33a6253f7b0848a7134e9c85c2667

SHA1
0e0b801a3c89e223c4fb10c207071e09cc6e12aa

SHA256
83bb30c4bc74e37f1a5ced6151d1601c83de0008352b9ba78f50fc01ebc4b0f9

SHA512
12c66464760ea3b62d908e3efbfa5eb1405fdc41e7fadbea3bfa9eed7c276b7776aa1ee634aaac56db5165bddc278c73fc776c0e50a08037ac3f922eea78e4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUAEAIMw.bat

Filesize
4B

MD5
1ea03e6aa3db0db8bae49533e430c24a

SHA1
94a8e1a3e2830306f5bfa4f05dcdd327dee5bee6

SHA256
68668fb5a453cc0fa056afcc267c36bcb0b24d57c54e6815909151e80a01eec2

SHA512
a94d3a4ee972119d0dc9e41bc654b3e88c815db24a083b16be3a90ed19ff87474f8d3928061c74dc1e8406b6e722594bc6693a1833e329c877f69ad48fb6ab16

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYgc.exe

Filesize
374KB

MD5
9542b51190059412ecb204996f23ad0d

SHA1
19af9941210c09bb18d0ca50c54c1057180d76b3

SHA256
f104d5870ff3ab9c009f54cb47a397dc3232ca265df15d08f1651951d73b0c62

SHA512
dd24e51de76252a1066a399a168c505f5610923d30602b722cdd2a7f17c88ae1836eecf766332b01c32787cf0ecb602c905f49df74212f562845d279901a038c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAa.exe

Filesize
160KB

MD5
df25767f53741450b9df570a4869c6d7

SHA1
ba7fa1a9f0690f63296668072a193d241c46eeef

SHA256
d763748a82d3773c747b73d69cfa6d42bfbce4e2633166792ac02d1587c18b7d

SHA512
33daccbd836ba99b993eb455d016fd456712e8e884c97a046bf8990caac03df6bd327494ea523a87de6061e93f39d731fd66047f5ccaf0cc2a7bf8465b8546f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkAcgQIk.bat

Filesize
4B

MD5
8be27415017c27dbe860628fd85023d0

SHA1
ebe8bbd3dda181cf42f21fe0afba8f5d58acdf43

SHA256
34a44244cb3513118aba7f7838e7b08f80314d12d3bbe3dec33a4ec82deb554b

SHA512
e8b3334b143bd376e1ca2dd929b829787457471aed7219e4bbd1d39c3eaa77728bed72dbca6b5635348e54633f42fcfc09d38f7533aa1dc6e0ad00670af8a0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAAq.exe

Filesize
158KB

MD5
b5e767279176dbf1ce76dd2b49a531e0

SHA1
018d10878853fc26139c2215b49150ee916108d3

SHA256
e07dcf701448a69351d809d40541dafde12662f18b2762d690fc99e8693b9bea

SHA512
0d6f76723584842e43db1d33ca74171afca44b4bbfe19cbb55a85051d170496544b511b03888d555c084ed487f745092f7f8595259cf5dc1a90b55379b25d9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQwoosMo.bat

Filesize
4B

MD5
43004ca754e3d2e1e354074de5d3796f

SHA1
648473565d379f49ab1e7a0ed11590c7f644e90f

SHA256
c9b31dc16d94f234378dae62d8d0b2bb61a8e694f9cc8218a7f6b27b848c74d8

SHA512
1d4e3e839709e768f18101f08df565cea82ffa343d58ae308f4046ab2a32227f7662922d92c8319bdc00e6770340b76d7372fa556dcaa55ade7b5e1099d0170f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgMk.exe

Filesize
157KB

MD5
99f60d64e571d1b5ee6894a00bd468a0

SHA1
79a59b7547adf89bad7f381476d5867fe2700c9b

SHA256
debd8979e151d0931f580cbfc3646b15405c5830a24d7c11549b6451a236e5d1

SHA512
8bb31d9565e3e62e0884c72d47dbadfbd46f5b84d198f5fd5d54d446a332f28a139cbc955219863714a1fca33ef9a02c0412ddf28d5887b2181faf166ab6374b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmUcoEss.bat

Filesize
4B

MD5
560872c4b5d0050435466ddeac249842

SHA1
8b59ed127af9425fd8bf28f386c92f69e7088712

SHA256
62cf1e95dc757b2dcd467eb5d7ce1a46fbda947b7843332b6fd4b75da99131ac

SHA512
1f6fe23c8c4beb1daa1c4f7c14cbd44fcd49b918cc4e00627d198aa1e89c75651341c7105195e9942ebe68b95e6b920ed23a8c418b892a1cc79450d2a1a8d1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\coow.exe

Filesize
158KB

MD5
c5939440f8b24c6204a4fb95869692db

SHA1
02044dd4a48a2c3f07653e04c758b70cc2632733

SHA256
bd3f5438b006b326c10bfe256ac1b33a4c93bae39c70d6c53fc87c99094cc6cf

SHA512
fb8109a02172235e946c58e51d621dc7d6bafe5da3fdbd2c37f86a7a1e02a73065b49dedb747b6c130616043c94755cc09a9cfca3b9bb0e0f87675e7e15026a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwEccwkY.bat

Filesize
4B

MD5
5f71c520681ec8bce5b3562a3d840ef2

SHA1
57b35c62a4f9ff453eed2a064f573dd12fa77f05

SHA256
ed3629d4d6d2381a5e6d0d1dbe1eef4d7eaa987c3705536bf1f3c35ac80de2aa

SHA512
9833f2db2fa55a173d0cc3ae378b7ed47ff1099e5372c110e1212d3c412327d0157956f3988a24676047959e3a4a353c0060e95b1ff0c52321ea54e6dcdd938e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyYoAAoM.bat

Filesize
4B

MD5
4415622149917f5fb0e213f933de5429

SHA1
efa10d3034ef80fda3925121a8f6f3db9bc6241f

SHA256
819434ca161ceb8859188b549c0aba092be1baa4b4cbb2ba63c33bd3544c6f12

SHA512
7218d6317031bdc7edc522fb4f244bb0cc7d661187f3612007762021381512472b37f1dd8f417bb706cadaee45f5faacfbe74c6aef36c03a8b677094df227eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIQEwQkQ.bat

Filesize
4B

MD5
d80743ae966d9ac353e1969daf144422

SHA1
429fda76af17350225cda9f2f5c910fd1d3c350c

SHA256
67d0212e4e5e3ab63e4f9358b2b4b44f8366f5134a6665444f307d3b9e1bc311

SHA512
2774deb0e43402dabf0fa07476e80b9f675427c1b336efb8aca8c24e8b5644ef59664ca18b182996da0da42922c1ba9b8d5b9c497d68ef26d3fb4948617a9591

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAYS.exe

Filesize
159KB

MD5
2a008f77ffa731d8c5be21b596a46ff2

SHA1
e5830aba9355211213f49febd9f68aa36cb3ee07

SHA256
6b5ac0d338b0c0e709f2d22c1c9dfc7d95145913add586b06a27cbb23b113d52

SHA512
7895098ef7f5c38d5234174fdcf5e966f025374b655ac4dcb9f5ec59097b9e1d5b45444b9d113b055d7288d5670e2b9e77d6c89d06e2d17ec6de5f60c5261400

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEQY.exe

Filesize
873KB

MD5
b8445d5e5de9355ece32935431350d4a

SHA1
80e81d99182de55c7163187b341d3e82e3391c61

SHA256
4d33577d95f044a5e18ba784422c5078281c53519b46578140216e2db1dff263

SHA512
02527858db6e2fdd7cc98e6d45f592413e0c521f2e4ddca3c2e7a92ff55b1062021e478256d61bce377cb1bb6277399bb1ea789552b17c930f4a7c44dc8ed30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIIoQowk.bat

Filesize
4B

MD5
e82b7b88d303dce1ed1d218d630e30e7

SHA1
3593541067516d65b0e86aa54aaeb200ccf8061d

SHA256
52fb6cfe952ecdfe516ff1cdd0b4d7d84e4570c2e9870383c0b379169adc7f25

SHA512
d17b433a963b819e0b5d07638fcae02a55fe506eeefa6be826ce8c5ad464011f97f4a5ad022fbf3cc2bc7d0aded2bbe9b4c90d0d4b3c6c20ba1b6378bf856594

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMcY.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eggC.exe

Filesize
158KB

MD5
6a365f02720d3fa1c24f086a09843f9b

SHA1
771a82c41febd5070bd99226f6f2191533ba8ba4

SHA256
8618af250a891934095d0fca5f8394f5d40fbdbdd9098ad7e0aa8b7f8c117384

SHA512
53928a9e590a078bb88001a3b48cb41252a6e1c13b033084b68ef491f5a158abbbe4f2764b82d961f5f35cb0d80e5f3f6e5b0f3a956575f5b38980992b2abb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekgg.exe

Filesize
158KB

MD5
ec7b82a6c873c1428d3a03c88912e065

SHA1
0822c73ada1514e79f3cd87a46359dc2a9081578

SHA256
fc79c74b2ba5118de2ec73845bd0098a5566eaeb2c513a16648661fb80a2951d

SHA512
83daba305f5fe8966fb279e883e742ad0a557ab6335ceffc7c9ccc9b368e0c4b2e6a6d44b21fd98c772991b700622d348c759b542ebc6e14959d05de0618e017

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMMi.exe

Filesize
238KB

MD5
34732f9ab031f1ec904d37783c7da06c

SHA1
c881ef261930e8845bbbfb479c966e56ca7255d6

SHA256
d7959199c266c31b6b657052512bd261a7dd43396f20ab43097bdce7cbae4909

SHA512
2c84be1bba4b942abb54599fb2768476df9051db3194e4617e90b63c26b0ffd7fb58560b8ee22e4d78bf6b4761b3cbae1524a3c1fabf9a4492c9d5635e1e333a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcow.exe

Filesize
938KB

MD5
1131faec79780d68bc2eedb460561b38

SHA1
d7563c61cc09333a4a80270dae3b9911cb16a09f

SHA256
90b9e8a8a16366d5bb2f64987cf1de9c84389ca549741faea809c8049118ab22

SHA512
5890f64deb8e9a12563d5b4142ba49bf1ff4ac334cf7732130860ceed8b0ee75427c27f32ac6de9a7d9c521a594d7222990b5923343c3a59f646414940d416d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkAU.exe

Filesize
869KB

MD5
3f0bbc4a3e1fd6f04b8909c5dd4b743f

SHA1
17affd264d727fdacfe529a585820a48a150535b

SHA256
34a9a77c6dce24046d22c2723e66ab7415362240923085fcc3e0e5c31a9c6375

SHA512
26ffc25c941ac7128bf395729eee8dd9e562c170171474f12193c3202569f0871c826186491b8694f522181d2c9375717bfe72f891d7da12dd89217980100769

Download Submit
C:\Users\Admin\AppData\Local\Temp\goAa.exe

Filesize
159KB

MD5
7f0690859cc1994ac5699600c739c843

SHA1
635bfd8e5d7973faa36d619f2a5c28b7b7f1f86c

SHA256
ec8ba409d9235d14a84fc5edebc2ec32415779b683b26f37168e782ca2890702

SHA512
86f6ee665903b73067dd712bbb9e9926f1c19f9f185194d479b5bbb79760b6fcb2b63a85cb68f347a85fb41e933a8a97e69a98f2edb72b44024d905555ab3e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsMM.exe

Filesize
158KB

MD5
9c44331e628b6a8af561ccd76ed19cf6

SHA1
c9b883f112288188ecfeeaa0b09f2468227c4ca5

SHA256
ad49c7906abf495a2611c50f465f50ec333d39cf44d2229d1f9a0fa2cdd66113

SHA512
3a793d0b94612406509bb74c101a6b82de5bd3b12ba7c2e9c720bb5d894faa62d922ecd1bb65f4bdc7ca2ea6b62cbcbaad4c56ee65171e9fa5f9bc52d026df92

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcgYgEkw.bat

Filesize
4B

MD5
604d156e8ac60f394c52baaf36b07791

SHA1
f0a2b52ef5b924996565d2d857628f83dc0c0c48

SHA256
92abd7e492ca831fe0701e2c62048f76af88f304872ffba8a6693c7d7bc1fd3f

SHA512
f4d8cf5263f4a2bf60f0d89ffed486b2a3c77ac7eed091de032d47262554b97ae27bb2b7b5ce8f3b396ecee8513fa19fe1cc8ed54a27a64bd2febfee6084e848

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgQQMgoQ.bat

Filesize
4B

MD5
6e7c92acf4a24f9a148a76f7aeedcba3

SHA1
ae5811c0d4cadf0bc29c88058a4593bc2f8c0d7c

SHA256
5c6d9d762aed8fe6381d422549ff82060df7c49ba95ef54f977f5e4f459a96be

SHA512
a61c790a3065c0bbaff177cb334b9c3526bc68c55aecb9cdaae748ef3f63ce8be8d2e112113ce2c62c2d6493d2e80eff0a0b29d7ec641d20c604d02ecbe2125f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIcq.exe

Filesize
157KB

MD5
9ca59a975c9e218f58f922c5fa7a7b08

SHA1
7ff7cf9bfb9a308c4e74aadeb66d2a01594893a7

SHA256
83e3b98df3c389ba0037d3c2e1f2ef94e0f974180b76296450f6167e7dd36195

SHA512
5fc2aabb73872f0fc5b006a56e67f9d4711d93b12726d98a943761e9df41f021952052783d210a6f8a6a2b74109244ef4672eb9429c449e8caa3972d00ef4ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMAy.exe

Filesize
157KB

MD5
748c7acda4fa3a189435ba6b9cb00e6f

SHA1
588d94cc4f8b5fb245813e45510b016b6b126337

SHA256
665cf87163d10796585b518c98e5f3e2d3682505ddac8c1a853b5db8964434a9

SHA512
9d9e59b7078e3b782368152a694df5a9747aefedaeae911d359c85fb03a9b273fc1186fe3e4d4b01cec4a7edac646b69600b21e08b6d84aa98703e8861b8a0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\igcS.exe

Filesize
1.1MB

MD5
60a9c0a8a48f8e5371a40163a2fe2d55

SHA1
f3ad3faf11dd92f3f1381c435ca71349b3544598

SHA256
eb9b11363cb3673f98153157ebb930d543f97f538e5856db0ed1644ca4d18ebd

SHA512
2d761de9c8f9a3038f74d8f867c776fe40e5e24360db09663300fc360707d6795e8631244008533a8aa679091bea8507b1938fb4740bf9dd3893f53e06ed9a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikAsQEoM.bat

Filesize
4B

MD5
9fb84925d7704838a6b1d5f7122df641

SHA1
5141990410229d49c4a67916e377f97833567265

SHA256
7a19d1133d23b06674fa44c3a468acb404cacd2321697822e80147cda4142d16

SHA512
d1fe972edd059c871cccdc0496cce8afdb397300bd6051f32ad4a8336a1afe6320ba8396005a05ff1389559194ec90614c25f60312ab747271b21ff57a97fa4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iowk.exe

Filesize
715KB

MD5
f81ebca67cb0f81f0aa5cdb94f2ea0fc

SHA1
6546cdbbdd7b0bd42d99d84f1d345845e70702b9

SHA256
305ac8804c5d63ac6529ed9d36b0fd201d3e5e3535346e3e81e53167009d3101

SHA512
98d4b6571c687a72d1443f373f23c1031b441403abb1a8b08a086037898c44599c8c917a05545205072a8a23354123af381d45d4301d690590877329ec68bf67

Download Submit
C:\Users\Admin\AppData\Local\Temp\isAs.exe

Filesize
159KB

MD5
6283c83a94849975de7a32f9343f8adb

SHA1
dbf3fbfe5e104cc8d7f7b41dc652bb5bb9e4362f

SHA256
60da507e563ff7909244f9e5a60d55b452a06e835e2dee43b07a29b1a1e0240e

SHA512
13766acc385027663eef2cb44384693060cb723d89caa436adfc1143d2c7e122a646b82d3815fa99a95a79fbbc0df024eb73e904889a0e8a7d290ab3e0a721c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\isUw.exe

Filesize
157KB

MD5
fb4ab3e406c70e9956ea72803c708ac1

SHA1
049818540763c8235ac1fb3068577b451be0533c

SHA256
30551ac371c9b6638c86ffc3914478443f5d40d06269b7f734d921fc0d174cba

SHA512
90991c7c64f83711ac6a42aef6bf45fb9809da86fe94abb4fc68745d5b98e4896ee64683ab3e686cb70c3dd6afca6435c6001ca4288de827cbb03a3c3441422e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWYoYwgA.bat

Filesize
4B

MD5
b46dd84bb8b599aeb4eb65da6eb2ad74

SHA1
a64463a1b7bf4899ae4fe4dfe1730559291bec51

SHA256
36139245ab51d69eab08fe0a267d13df7d410972a5d0d93e85ac81eb611d9c2c

SHA512
ebbf65d1a6229f82d5756ecf12657cf01f7385eb32b0a728624d504ad9c0790c6e424c1fd20ccae5db91342293233fa19585fb2b740a399b3db43fec32cf665e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeYEwUkY.bat

Filesize
4B

MD5
63c54bdf3e66200e6e2197df00fe852f

SHA1
1b11698ccb3e6a42016d60305b379cfa810490e8

SHA256
6c0ab4ac5988eb8d326e3a0604143746d8a23b9ec9fcbf5c5ead3538b36a04f6

SHA512
24e0f2e3ca9c2024fc4565c7a6e533845acd036414a7ee215a32791c580370f4173bbaf575e77de18f6604dea91c0d6ded33fa9fcfd728b331dc6daefa50a604

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMUI.exe

Filesize
406KB

MD5
e0cf3de59f3de59f677110f04b7e1ca3

SHA1
ce3536f3dcff843de24744ca41e009bc01991470

SHA256
34d462ea3cc9e5b3407af726f3d6e30ca152eee8ed5c354210026c3e08faeb40

SHA512
392333902b010e969ccc32aa9e55c0b83f48e48cd71d1c446534de3cde25ab635f6137b736871398ee60819056078f5e45bbab5bc3f70aa31d2157d1fc3f0891

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUck.exe

Filesize
422KB

MD5
65b3d140461e025bbf34c5c5a04792cd

SHA1
0a5a9d9d04aedc3a6e55885f7e6dbacb2290278c

SHA256
0e1de4943adf5f3bb50c7fa88731622601b9dfbcf322eb4aaf94bb5a01580ec6

SHA512
bab103c2ab0fdaf890cb1c0cc08c29453478fd981b743930a07fbbeaed271e703ddcf78b0b25da3435f00eeaa3ceda200fc9e0f582e5c92434853025d670930d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkkO.exe

Filesize
158KB

MD5
52134ea9c46031963be91ab8e2ce84f7

SHA1
cd41ce36eba6ea4c6d2d72712cf282b5bc897eb5

SHA256
c950d625fe8bf2db1726bcc6f0719a567d3400159e88cf8cf69867515c0ee750

SHA512
5f5248cc4690a7ac2bab3ec3b2ef542586006662c5e219d4ff2528e528725c4f4fece849e220dee25a09c3b084062f15948ab9c29b606c686f9780f2b3fdd43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkoskcQM.bat

Filesize
4B

MD5
6946c26b73dd2d6065895f31bd3f049f

SHA1
84635cdfd4d7fd07362f9dcbc16c79a34df40c1c

SHA256
d8724a36d0bdec11c7da0c8f63697e353730c420bef181d9e1df3de7f431d811

SHA512
7d6cfb6cb3aae190cce920633ce67fba726e0bec2d72d8d7ea14b5759287711048016f30a184b1dd40edf848172e58f3d45d6e2cfc1906750ddcc31a73ceccc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kksQIkUI.bat

Filesize
4B

MD5
ff77d5ea8d7e0597893c332c1515b7b1

SHA1
d1f5ce82736db876a104bec7cc8b4ffd98238895

SHA256
926a0d5d41d67c8a02b610912e5bf42eaf6c7c429128dbea0f1c676e98bc40af

SHA512
2d4b9ec211ca8caea7ed0b9b55725964a03d64463dc9504e583e250bdd3da9a665034eb3f7197c2a9a2360db02f45ac413c06268511c42c5954f7676cf19a3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkwM.exe

Filesize
159KB

MD5
c87e97d5de893e891bf1c0efdb439cdb

SHA1
aed3d755e9a77fcc1755bf1a2c02769d0ffba85d

SHA256
d70329c86b9c5ec75958f140f4c51b516eeb2caa7ccc9ee23475444c08ef76ff

SHA512
153ffe011f42c96d64aaeb5a42acbebc822055e4c4e6599b0aa24c851d4b4358b3f7448cbcae1f9660ae3be1978dd217df07ba3c2d80456249eefd8e68dcdf87

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwki.exe

Filesize
159KB

MD5
249269eacf572a3c73da3af5888cca9d

SHA1
dc69d6ab72b2efc1d5a725028535228e53bbc039

SHA256
4f9c2614900add80e23f9eb1618982dfed81fbfebbbf0e2c4e3ff8dc1e4c604f

SHA512
1c0ec0782b23d05409a4b7a9ba24d19895c76008184bb83add247a288a71f71660faa601ac5f2ca60a495479dfdc429b05d1b587d169becc8c8ac72f802a9630

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyEcYEEE.bat

Filesize
4B

MD5
9bd2141b7c06f824a1b565f6dd92cd0a

SHA1
2662a7bff820766a9d5d8651af5d745ab531783c

SHA256
468e7b3d9f2d092d0b9ef005ad008c434580dca8468dfa0829392244013f85da

SHA512
579b3f500617db4362f9295a8726eaa58160836d91207474964b732ad7a09189cdf30ed22094675bee590929d5dffd877f44cc5d5ff3c908c0ec53dbfa0f0f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCMgYYwY.bat

Filesize
4B

MD5
1f54e2d151e61a61d0521021c781a9f6

SHA1
e443b0aa9b1cb422d7548874070a3d1a2af99eba

SHA256
c84261110170eee8f7701a45e5e09762544c8d6180908b38bfdf2133efda4c7e

SHA512
2e5dda286b621f3fca20abc4bdfb0d71fb31041647d01e0962f7c3b430351fffaced1a10661b53249829cf3d6f0b2a316e1089328daa86d596a13a27cf07e179

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAkQ.exe

Filesize
160KB

MD5
5fd8172d0d8d14fe88097dff4af020d6

SHA1
81db460091bf5e61d29501f93a77fc638e5d9a6e

SHA256
6e56147a1edd7ece21bfd2b909477b2cd7c13715a688d00a00acd7f1c662d933

SHA512
189e77cb0679a273d86589c54229cd51da7760dd911f4bdc982f3d351a77bfa845b6b9ac341fed730761fee3139a8aeb9bdda5ac5a6fe7030620350328705612

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIka.exe

Filesize
138KB

MD5
b48cdfff27942135eee2b30e1c2bec67

SHA1
0819ecf8c2b30380a4568f0e3e5f2af8b4d6224e

SHA256
db634f291b294c22bdb463f8b35018ecf95d10333dab0db6c450a7f13eaf45ef

SHA512
96ef620effdf265e33491021c9712b909eaad87e9a8cc02216dc2d55dacb324c9d49c728143367f4ea4a8a781aee51b54c5d653eaf024dc16f0d01e88fcc2928

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQUO.exe

Filesize
161KB

MD5
94ae7ac5d82165b2cfd62048a0e31079

SHA1
28c2d68ba46def7dde3dd444d723e49fd691a6c1

SHA256
86ac58b547292b9737dd882ddc134fff31e1a13e5a85c341ae7ade2cb1ae249a

SHA512
02e6431540a0ed5823625348a03364544e11af4e8775fea6b37f6c3d7bc398cb89dce9f45a63546260ab3cd8b715afd1692b57683a5da83194c8db9a197eed66

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUog.exe

Filesize
743KB

MD5
e242d4e5d9e4f31f877ced57cf4b6dd6

SHA1
f9b4c99340965aac7ff2cf5d6908ad9f19351664

SHA256
618009855c5c2eade8cfc9aebd3ab8deeefd4f5d636d9007ec65502b1f189a49

SHA512
5df7a294166204bd308ce9c018833f35cbb3f34c687d6731629c73b3bcb65922b4e7b2962990ae8a4cb767d92969925f0aa72def8ed981c26631a6524b01781b

Download Submit
C:\Users\Admin\AppData\Local\Temp\makcYcUo.bat

Filesize
4B

MD5
cdcdac149c34394ff40e65b039349a9f

SHA1
3596a5ce018d92f27b96d102931205241dd41b37

SHA256
bca0490d114be8951fd28c67c221370b02d3e441cabf8e5f28477700551cd952

SHA512
57c03c462baed1060771f4d483e3a183668c1e6f368beb25921aa244f68e773f79a8d1e47a6daf4f1c6dda16c232238cf233143fdda159971381e0e9b9a3894c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgcw.exe

Filesize
153KB

MD5
5c640d3166a5941c8c8de4112e11e3f4

SHA1
7f1652a256b2803b2a262f9f65a6db45e5b21009

SHA256
8637ba28eb7ada7277968ac088df80f282dca7e0a74167661d9df9a6b1cd7d31

SHA512
327cb8673c0bcb941380239b2cd85f04c5fb6db41e1cfe0c0e5666f08483f492f3c44ae72a5274ef952005e7214d48a9abc28d13ed4e8b908ab3c5c3bb39c478

Download Submit
C:\Users\Admin\AppData\Local\Temp\mokEMIUc.bat

Filesize
4B

MD5
ecbf1516fbdc527316ae1509e22235c6

SHA1
95d56185b12ac2bbf566ed86cf485abae3f8e14c

SHA256
f7292aa054cd615c425759c45bd2bd7124347828de51d9d304165a247ad2f86e

SHA512
1ad00bcf853647a66337ff5f078c8978e919f3d35017a55ef821e33eb4e01277560aeeea165b0bde5797cbf240e29f9911a4993035ae120600744679c5b97ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUsAEAIM.bat

Filesize
4B

MD5
318d45901666764f5a6ad43c668cc3e5

SHA1
1caaff0b8a8439a8660a08b690fc2043aa1132bc

SHA256
60a281d64bf5aaf3f75ff83e3df363fb819f41d7b9feb72ddd294a5102febe2f

SHA512
c9db46b3f7dfe62c5a20472115932719a4fa93c9636997e054f06f8708916f539269aab0ac729861050df3f0d8c322f79817ad26c38455728d14011f238d498d

Download Submit
C:\Users\Admin\AppData\Local\Temp\necUIsss.bat

Filesize
4B

MD5
90d7b36a0aca73da30803e4b01747ff7

SHA1
c3d52960c1273494c38e23c996aa6b02809b8f34

SHA256
a6343f2ee632d049895394938b4a1ee48369034502c11f399408f097a53bb467

SHA512
ea7d6ae48728d059bbf86b1dcd56532d7f45d0ae5ae56de08000ba1949ad64efaa06a697d552834789f8e9a70f0171c7291735e1409548c814f39b7f6926a831

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqYUoQwI.bat

Filesize
4B

MD5
0e48d8bccefab0435f0472423b89d8e4

SHA1
c5ee6046c239bbf3760cc819434d560ab93ed5f3

SHA256
4861d7d8f6a0c9b74260fb4fc5de185dfcb6aec1369bd8f376e2a9fdc39828a9

SHA512
750ab7e091f17555937e8a8e4a56dc3e9b4000c94e350b8a57ee5992b014e6d97b0ed3013f0765df632c54b47c99d6d0f1bd667a713ca9255a91124fc7bed58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocQi.exe

Filesize
526KB

MD5
eecf9b7f069f7065574544b50276b986

SHA1
5a7c991b8376c898a4552c1477432b2a40993452

SHA256
4c209955ce5e60ffc83b79dcefc67f2b133b7008171a2c3d882db2a5187ff3ee

SHA512
28c934cc5fe1ce98a0d0807d84860b831d616900366ddbb73182b12c363b1451df85f3c17adb31d77ac04606488c74e4dcce3dd52696dfb59975355c324cf070

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAYs.exe

Filesize
566KB

MD5
2e2dc1e7c8aa94a54c64455cb87f9740

SHA1
20aca78e449c310dd959248215fb4abb107aa63b

SHA256
328f6900874f1fe98c582c112bed6c6946438faa765be2ed552a01e20fd6c57f

SHA512
0b3eb12ddcc76451f65327f05fa329f0225da6f57143992bc9147d6d27cd090c72ea1012b8b377df0a5cf3ac4a4e24c7c6fa2acfbd04f3a9afe2d392293ddee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qGsowMUU.bat

Filesize
4B

MD5
7b2ac638f0a7d2c61d7f1bd09162f0b8

SHA1
4cdd5042c81a40f999b65caa2601a8d06cf181a0

SHA256
44e2bc75d9d88f80c79088917b71f26b72f1bf2460507604c99b5f64b96f0911

SHA512
73719896fd68f40401e7885e6adc15bf8b2c56d2435afbef554f18354a9904393306d57599398405a04b44c4ea3241a10a632217271c22dd0ef23fb8f0c4468e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYm.exe

Filesize
147KB

MD5
b1b47440949ec7477f01fce61fe735e4

SHA1
618a8a361cb16356f3e77bde6bc03bf5b8b37f17

SHA256
81d174c30b3d35f9fc20fdc2485ec91962fc3aaf9de6a70d74e183e195eb9c45

SHA512
51bf9c9a2c795c4817381c82be7cae3ef3b152df30cfa956fd29f035e534b16b9e8d30704c3e8bda392e0e5879c8988321e5b3588b9339666376e2c5a6933c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgwK.exe

Filesize
160KB

MD5
f146dc16c0ad9dbfbed2bee30492230d

SHA1
698004719a8f666b25a532af5649559fbc9996ba

SHA256
63a23b30f65f05a91e0ecaf5601e8f051cdfe6505c913f616ba4eda68cf296c4

SHA512
0043f142ebca5ace41c7fdd69a5c8222eeb1ea25f27e67f52d943e082a785806453d682ad040d5e1f39dd0bfe04c2a460bd80d9b31d9c634ab56e64c093a882f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkoo.exe

Filesize
508KB

MD5
1834b02ab50dbe426b2e54dec260fa11

SHA1
45bd697453dc242499a52d5c12b56b335ac5363d

SHA256
f3882f1ca2b4a52a735ce4c16beaca8f492c4e44c361cb741c49e01b867171bb

SHA512
4172d31780ebffd22570274152721a5bb2d36f7533fd014b12353076337e244e65c943a784c0914e02cf8bd8529815a6eed4c3322c488206906970b05e9352bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qossIIoA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsge.exe

Filesize
158KB

MD5
ccf2f9f6693b92db213d0eab89619f8e

SHA1
8fb5b0cad0d612c9da78f0962ab4ead0fc814f21

SHA256
f94bb4b28eaf70a6afb507dd7a4dc3efd194bf0338313b18284c22b9a106f609

SHA512
27ef62375cd6a371e648c6ac76cf31bf6dcf87cf2e1f7ce02d377e3c0d773929f83b3428a9312b0bc1d34ffa31cf8cdda242ca8fcc56db8be0a8559f543f9aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAsIUoQs.bat

Filesize
4B

MD5
f4855e7def38a35a5db2c6bbcc52c3ef

SHA1
a36e56263307af507628299ff8f92fc4c53f9869

SHA256
f752e0cd18510f3c04abeaaf63e9d74f656cfc7413d265adce745b0b03a1ba01

SHA512
7607f3a132d7ba05a64da4b26da7396df51658a963b3b1ed2de246015d62175370863f3fb2c388aa2f3144d6a725bb56bd3ad665fa91fa4eb675964c8f7a870b

Download Submit
C:\Users\Admin\AppData\Local\Temp\racAsEsQ.bat

Filesize
4B

MD5
d45828801fffc92c02d40bf67acf64e4

SHA1
98e9c68995702561dd107863a2a73478c27c11c8

SHA256
96a4bdbbcf2d007b710dc152ea2e46f4713067b0a3fb9a621834766fa82ff8f5

SHA512
6152f276be058343b71bcffa5299ee7e57ac445b02ff8a7792657493973bd29cd78574fe5d9313800b31c74238f256149d4ad62b19cc64d77c7e7d95d432d604

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcwwccIo.bat

Filesize
4B

MD5
98e6c2a5ebbd9a5cce42613d69cfdaff

SHA1
b2bb631207a3830f8c83709b861e216003d96292

SHA256
6fbabb3333b16551939ed42b4262fe63f21c0dddddc464b5e92f7fbdffa37ad5

SHA512
5a550479c67a495da18efbd080d08a10ffbe643476e21a02b4c3e8a4d76d9d13dc0dfa09f04b866b914b4de8b644cf6812e1df9bf893f07b79346f3285ace8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEks.exe

Filesize
157KB

MD5
5ae5f4c1633e3cefae6c087a00ec4090

SHA1
b069cb22c4670e3139fe627a0343cda144beed95

SHA256
a93d701e2c5b135939cea629928dfc3cadd1015e3ccbc1bc958f9f820447a8cd

SHA512
b61cae1a8c6acfb954276fa72d1aff906234e079fcb68fe41df6c18dd5440392c33c9ab3528d16a9d187f03f5b312e552d56228a0388c2edde40a423071d5d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEsK.exe

Filesize
158KB

MD5
d53c6d4e7dc35d50eaa0090c237f63a5

SHA1
94e55ea8594c5cec960071e01fe3fbe85046568f

SHA256
37028e425cb7caef45cffeac78bf48accc1e19603f2b40c68aba07ff185ba369

SHA512
a51bb6f0ca5472164c526e0e5301593bc893d7827222dcdb6fa4d67798440f6ba32eac21150344592684b26c82cfa3c63a597a975f560000c910761f3f9a5f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEwO.exe

Filesize
157KB

MD5
9c26ec133a2841c2136328e23099caa8

SHA1
d6f1f153a8159ea08cdc80f40478af44580fc99d

SHA256
e95371f11fcac163dad31530ba6bce7a4cbe210e808fed97ca25d7f1c88ccd9f

SHA512
b0d2ad92d209289b95ea71d7c0e5112df5370962f3950f9d74203460883d763954e47c420d65a7387458abc741b0918644372ac9652a1338ab103edd9585a0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIEw.exe

Filesize
158KB

MD5
5adfa6b0e11c0b28b79903b6305c7e78

SHA1
6851f23db10867fc7d0a45f7a155135a9ae11768

SHA256
eb10da6fcdcaf8a4cb5d2ce5dfe7f9af101cbba6e1f1c00c2103258e71b6e71e

SHA512
e549a46442076fe53ee9eed923e239eac1bb23f77d9e2a6c3fed84ede688fef3b68cbeee2fe4780dce112a91fbc6b9898427bf680c8b1962cb7f694395b1bcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYkq.exe

Filesize
157KB

MD5
3412b5dd14168c5106700614c62cd8cc

SHA1
ee0b19306d2a7ee3994e62d25690dbdcadc8c3d3

SHA256
cc1f4d0b43dff060b03c0cf3631eab278a1ef0ec9f557a1dbf2880b8ed198e3a

SHA512
b71e1c935fa99bb2e6ef7b50c330f2f1d1cfa8568f3b03383d5ea855ee71b2d21c0cc6fe9a31d0654135ef5f1365d8d09561eafdfe7a32bfd7af5a00af56106e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scsq.exe

Filesize
158KB

MD5
574bda711f8bb0ae545c975f7b17733a

SHA1
441954683669b8a2c05c18a825567fa32bbaa90d

SHA256
4928287cf8aa3d5438184548c19d7913960401deea6efc83bc972583c0e7637e

SHA512
d42f8eef9d68c0e90837c8faa47348716bee565d41d9fd8c994b985a9cf82781f13d3a946de59e8203a65f7522d4bbff6c61c4eeb4de6559df3315e17955025b

Download Submit
C:\Users\Admin\AppData\Local\Temp\swAW.exe

Filesize
237KB

MD5
81e40c6f828df99a1083c01416c62254

SHA1
25cb82eda5ce8805986ae8c4a09b5038b25206d4

SHA256
3e24f7c83d6cd6cc288c071af4d57f963b89ffde93a17187cefe61458a4d9e98

SHA512
4cc99a3f31fba069eb03e1ea8e96044a67c3b0829576cb9a67096eca297b464a4ee0fd30b239a14cd553615d941dfe27f0fa118d6b7a236dd702e0db347614aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tKcQQAYA.bat

Filesize
4B

MD5
79cabceaf2b1048afc0817a66e9e01b6

SHA1
d16419e86fc2c425cf38fda64ab4de3001a1bd03

SHA256
8360a25a721471894bc4a6d35ff0637a69ce0d95f64676bc7076f6ff712e6d12

SHA512
8cb60bb7233a01a635f4b27fafb2777604a23328633806f941b450af73ed2e878632200c26b9152c075f60b51c318ba0fda0ff4f0e444cf5380da7b3e65b2144

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAMEckwo.bat

Filesize
4B

MD5
83eea5742f64a5feb91fffdd3d236e42

SHA1
d43a04267bbefa0b71060c02b4fd9e4c6f145826

SHA256
dce07dbde473d52eb1c8a1153fca5d40a496d58bb526efd6bf50634489d2d58c

SHA512
015ba42e1d5f2c45b73491b2fffa48b7501f969b831769d3a4e1014ab83ce784cead595730e09e6221d87abb3e6393d896d59061e045e99d27cb23c02eedd674

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQMi.exe

Filesize
159KB

MD5
a11e6bfe2966bf2c49b9df72878fb2ef

SHA1
9e94244996705e128d248234411f0dfd3e408675

SHA256
5d9419e48e2d9d9458645954dce62402d8f2f938fc8c4fd0aa22d69df3a10208

SHA512
b1fec75dfc60bd99fe2e53ba28390617fbbfa1c7112d79be3f054a076bb9b83f86422bbbd90e9ef3f0e28d45b7d627405fdade91fd06c4a2080700fcdd2b8656

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUAAEIEY.bat

Filesize
4B

MD5
1a350ae8d3e3c0491a244e73954ebb73

SHA1
ea4db969412a2e16e9c273a9765108d1321faa88

SHA256
4b8d14f63927bad3b291f599db98fdd8b9aa3e4617337d36c1716724adc9a37d

SHA512
7ecf6408617ae8cd6d2c2ca601722c7f1bd89b9d416bdf339608da99c337e3c2f15da81495bef0fb294fef5aa253f7b5f6239340c6a1e5734a291bb6e48d69e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugoC.exe

Filesize
432KB

MD5
ac1a62d7d930ef7b7901bdf9f131bc91

SHA1
38d37612f51b03553be4ae9f4056e49bd3e42153

SHA256
1d8085e75385578fcca0375a851eeacced93af5dbe09f2dd000461da96392fba

SHA512
aa1af7aa6886f785c73c3b44101ac0661f0bc4c708b07154bdcbf20881f577e9f82c61add450ce2c133d28504d14922c55f24007ded68401bfebe933a2818419

Download Submit
C:\Users\Admin\AppData\Local\Temp\usYA.exe

Filesize
138KB

MD5
6f2099a1d36322d994b24265e3469f6f

SHA1
9a425cd4bb66610e326b22493aed61f4a232bb86

SHA256
fcd0d9fccd4abda51ad8cac986d7d4a9cf9786f7cf0e2e285fcf5896a111dc53

SHA512
dfaae97ffd900f075620e778b2ffe120c6a3021155e35223059ec04a78bae083b9c5f87dafefb10a81035ecc7babb793af2a9392c93ea9e9c5c777f96399e5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\uscE.exe

Filesize
157KB

MD5
50795e0839397fddd73e83a10eebd846

SHA1
a7bbfc55a16b274ef291a423416390837b2aa25d

SHA256
e882ab26198947b636b5a3457620e4be2c99a9c79c1cab6de8745aa7851247cd

SHA512
3c03d288c35194602c9e63dc5faf65590ef17da491de525b72f82f1a49024e0a0d156c74da451017d219e3e2e6386f41fe690a3f3bfc82adee0f5a62f160ce5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaosAYQU.bat

Filesize
4B

MD5
7ce92b492e4b33a5e77e151f0134d7d6

SHA1
8cb5e8c5fb484f2c8f45beab13e417cb2ef91bb2

SHA256
71bc48e3d7e93dda5348fb8accb775c1468523fadd49fd1111738f5133cecfed

SHA512
7319d882eff21ae254b868bc20f0d0a9347a6f2913030aad53b8092f65b975db71391239ae4afba8bd624c8a914c3a578f6e690174e39afd615fcae21d1430f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vywsQAgE.bat

Filesize
4B

MD5
c6c72f09a674752e2752f1eb3f7ca9ea

SHA1
29bd1807dd96ce2e36c9eb191d818903f8cc0bc4

SHA256
23278f80c7ea16973556db569a92b6d82b7e3df8d7d0edfa7cd78d03ea9fa486

SHA512
c6134d4907357b582214dfd471c34fd126e02eeb37e280ce81e0a65db18672672cff5f4a5c0226ca6b65de1e231727a9df7680e88355182b1024a473022d9284

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMUw.exe

Filesize
159KB

MD5
5d4ca856df66b212491487c5551f1e3b

SHA1
4e64f06d11c2969c7c65b6dfe19f03da3217e14c

SHA256
c57e048b4ef431f981dfe0a2abedf7b673cb6d0eabb1c1721d5f8dd1007e95bd

SHA512
a583872ac78fe04f6d14b0bcd6dcd41a53a3dcfba863343489ec680c0d67eec67fb086f15c7aa2fdef66075c3e65ed635a27702d66f578c39f61f16e5fbdd5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgsY.exe

Filesize
149KB

MD5
d2b26e70cfc04c61269326f3fab16e21

SHA1
3e90ace7e56467e32893c2148bce6bfbd5e5a6bd

SHA256
7362076c26052cb155cd3a55c128f54a18e4bec8e5dee6f1594a5ed88060a268

SHA512
22d8f9fd6a7bb06ab36650c47526797f31ba960097c5fa2276cfc8dadce56b4e111117cd838fbf6dbf8b6917889914dc2b4df8ca09470b4b14e7b4973827030d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqMggEos.bat

Filesize
4B

MD5
74728021eb3eef5399d9bd79c8d355f9

SHA1
bad332fd91347a32cfb66eccd7bfc1029477d057

SHA256
e8f5d4f76e14b9b0e4b91deb6155778984a027c5ccc9fc9a49e663f22789f2c9

SHA512
de48205af94b031878e7905b8f1383e64a8d19084b5528b7c21405070f89492b13b4b1af91243c986b58f967157cf2d9dd1e5abf701d595a6ae213ddaeca9c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEkE.exe

Filesize
913KB

MD5
a93d5e6a3ba28389730abe03ac66a99f

SHA1
baeab3e659bcb0876de622366479cc44f13b1cf3

SHA256
05039b83b362f45994a52d2df110ecc5b5c8e03ef36e079705d1e51a4f3725aa

SHA512
fa7e836df56621aed21fa9f59eea7fcc44e0bfc616922e6bcd8ea8a25422bedd8c539f9fb049874aa28a292a98568d9fb42a61aff3f61e1c2bcb01fabeaff18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQcC.exe

Filesize
159KB

MD5
2b398a9e44755e3ae3946df12bc8b456

SHA1
af3bc6583ff199e0209a1c3e2d23111c97dceb57

SHA256
a9710660fee7e629a259b7a50951ffc292a6b2c46c18fcf7d00252f79acf144d

SHA512
5944591c71965f865b60f29ca2c126fef14239c824069f7a3d6abcba76c1c07dc3e32c8e2284bf09a062dd91cf7fd14b34ec4761bde210836ab0512943d0e034

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycsk.exe

Filesize
555KB

MD5
0420ebf9478290743fad4344ab720c93

SHA1
4c5e6b224e1f49c119eed420ec5cb36ebf2b78e4

SHA256
009729ea1b33b11d5e330e99c5708aebe30323d898f00fc2c73a258a797f0740

SHA512
76bbb0a64445542e9344f69774af88f4587721f8eba6a0c704d5547d1eb1ad648fa38e6a85f8ad3f8e319b8f37b204534d7e045f391082b8174bd2302fb6ce41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysEoAMsI.bat

Filesize
4B

MD5
61ecd0aef2fa56f1459c103cbffa4a90

SHA1
0ed2d96920676fc203ca1a8d2e59a79e5dab08b3

SHA256
661f7514c35f7883f727e17208eda8ab130c3f0e997ca0fc1db023d76de6b048

SHA512
7659d8969cc4fa93e7a512f03f0589c427ab4fd12e65a8c63c4db2671cef1b7d0330ebf2791b6972241ff348d069d1068a9cee17836e6311d9f2d9519f8fc467

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysQG.exe

Filesize
159KB

MD5
0dcc0e5103ad340fdf9eeaff58fd4751

SHA1
12e05c4f7b866b14751b5b4570420073c38b2a6f

SHA256
e3be0ef72728fe36824c0f090e8388de6b8580c10389276562f223892753a8ea

SHA512
672be41296463fe5891e93202c3a6ce180bf87b10dc7586265291d8d97fc21af4a40499ff843c851a9aa16a35ca432e817f36070d44d59a1d9eff4268ff66a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\yskg.exe

Filesize
158KB

MD5
f8344cafd6fd40a276bc60db8f81a1d3

SHA1
438c0fb3e72e4630cb0220cb03665846eb9ea93b

SHA256
b429b1fa335b1daa631018bc7c0fa3467fe4459bc7b734fb1a0a94f7d07d09f6

SHA512
c5fcf98380b13912e2460dc5dd9ced1b06cf9bc29444c38c238278cd835f43af7e90ecbb750b2415deaf112145b0fb97ecfafdade0ae4cfdfc05c2a9c5b6a20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywQK.exe

Filesize
159KB

MD5
f7978d798f71e200ef81361eb91b2761

SHA1
793a8ce60ccb1834fa22ff48ef5334cd9cb05131

SHA256
72161be035c92ceae992dac8bd4f2fffaa1f8459474f70c1f503d51dcbc87841

SHA512
4f16ab5eb6cfc5d21c274f6ed60e47bce00c959cc47f34ae94cb2d67436f7a86a77805b824b9ca46cc0443c888ea7461034ba07241c93bd8e10acf948f09c15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkwMoUkA.bat

Filesize
4B

MD5
e33204772aa115c21efd72ea0688d806

SHA1
6096f41c5cf2757269cefc1b26dab22b237aa7ca

SHA256
55a98afaf015ad8977f643fea6c09859c9441cb929946d690836d4d921a20679

SHA512
d01e680c01924ab766f357707bfb5766d4cc029f960f830fa1fe77c5c2699a75b1c74f35f5d09b56c752c45a26c1a2dbdfe077c77b46fbcb1b82f23e42d70247

Download Submit
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

Filesize
8.1MB

MD5
d32836911ad28a3f0ea0ca82401dcdae

SHA1
ba8f253efd648ab178be0cba6926f3cc89662098

SHA256
889f01f75019b05f88b3cb977011b8e0be13c27e7919a0c38be451818a7fd5ff

SHA512
5fe14ba71cf7f71316b62e905fc8429b5fc868c53d56ebdb1745c29ccc3366bef668d27c6a2e247110205a57a93e1874c6bcdeed327b3085f71ad832bc4c6bac

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\ProgramData\mQsUgEIE\bUowIcYE.exe

Filesize
109KB

MD5
92e9390cc23d45341ad10b5b76183fcf

SHA1
3dbfef828fa0fea2611c6a5b36b44779464a59d9

SHA256
6b8e5cbb9bd13812c9f4327407c617f7d5f3b5990aedd595561d08bf9d295cea

SHA512
56a598b30c4850ce6a131cfb448024f3f6904426224c87dec557fe94c0b04c73078540ddb91499b9284ca87c4762041f5ab65507b7a657e3c4e77d6d1b12ccb9

Download Submit
\Users\Admin\NEgoocwg\KSUAUIUQ.exe

Filesize
111KB

MD5
38e1006c395938025447972bc8cbf51f

SHA1
6e23273535cb5a0f0fccaaabe1a5f53189cd8575

SHA256
7f103499e2fdd6fc6531e2978d5af12a47ae7439c1ef4103ee046363ab16230b

SHA512
4592da76133c83b553bca1cce5f9a523d0160095781abd68a2c75df3d9b80d1a3acc738c93ecfcd0cd8108ea225ce7cbca126456293b3d65f583fe91ba95157d

Download Submit
memory/112-805-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/532-109-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/576-214-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/576-968-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/616-261-0x00000000001A0000-0x00000000001C1000-memory.dmp

Filesize
132KB

Download
memory/700-634-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/700-553-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/704-782-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/704-781-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/848-380-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/848-379-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/848-1039-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/884-366-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/884-333-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1068-269-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1068-238-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1140-381-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1140-414-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1200-438-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1200-405-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1348-356-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/1348-355-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/1400-122-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1528-612-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1528-719-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1572-153-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1608-237-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/1624-332-0x00000000001B0000-0x00000000001D1000-memory.dmp

Filesize
132KB

Download
memory/1624-331-0x00000000001B0000-0x00000000001D1000-memory.dmp

Filesize
132KB

Download
memory/1656-98-0x0000000000130000-0x0000000000151000-memory.dmp

Filesize
132KB

Download
memory/1656-99-0x0000000000130000-0x0000000000151000-memory.dmp

Filesize
132KB

Download
memory/1692-54-0x0000000000260000-0x0000000000281000-memory.dmp

Filesize
132KB

Download
memory/1748-309-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1748-342-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1752-783-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1752-917-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1980-294-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1980-270-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2016-357-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2016-390-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2044-215-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2044-247-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2084-285-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2084-318-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2124-404-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/2124-403-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/2172-5-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/2172-459-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2172-19-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/2172-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2172-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2172-503-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2188-85-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2188-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2216-100-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2216-131-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2236-562-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2236-494-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2248-144-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2248-177-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2288-224-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2288-966-0x0000000000130000-0x0000000000151000-memory.dmp

Filesize
132KB

Download
memory/2288-967-0x0000000000130000-0x0000000000151000-memory.dmp

Filesize
132KB

Download
memory/2288-192-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2356-611-0x0000000000160000-0x0000000000181000-memory.dmp

Filesize
132KB

Download
memory/2376-458-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/2376-457-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/2540-684-0x0000000000200000-0x0000000000221000-memory.dmp

Filesize
132KB

Download
memory/2540-685-0x0000000000200000-0x0000000000221000-memory.dmp

Filesize
132KB

Download
memory/2544-167-0x0000000000130000-0x0000000000151000-memory.dmp

Filesize
132KB

Download
memory/2544-166-0x0000000000130000-0x0000000000151000-memory.dmp

Filesize
132KB

Download
memory/2572-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2572-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2680-906-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/2680-907-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/2716-168-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2716-201-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2732-552-0x0000000000260000-0x0000000000281000-memory.dmp

Filesize
132KB

Download
memory/2732-551-0x0000000000260000-0x0000000000281000-memory.dmp

Filesize
132KB

Download
memory/2744-31-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/2744-30-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download
memory/2748-191-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/2748-190-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/2772-428-0x0000000000200000-0x0000000000221000-memory.dmp

Filesize
132KB

Download
memory/2772-908-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2772-427-0x0000000000200000-0x0000000000221000-memory.dmp

Filesize
132KB

Download
memory/2772-990-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2804-26-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2856-429-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2856-481-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2920-493-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2920-492-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2964-308-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/2964-307-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/3068-284-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3068-283-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download