1a6eb2ce513a1c92f261ab533cf7075f4d7b0fb32ad032e343dd41544ff66b81

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Size

115KB
MD5

7128fe39c0f51169acbbf8f33881b06b
SHA1

709b19abc274a0f134f60561d8bfd64fca8f2ed5
SHA256

1a6eb2ce513a1c92f261ab533cf7075f4d7b0fb32ad032e343dd41544ff66b81
SHA512

98ba998f8c5aca823afe77ab04ab453cc56ab2cccb57afbf92f16407a5b47f3e1febe3aa8b9d0bc8eeca3cabbadee8ab6e18a6e383723d08cddc4cdf8f315379
SSDEEP

3072:tYJpW3Unj1DXLaEAOwJi02tmq0wT0Kjr6d:opsUnj1DNPwMmrwTBw

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 63 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 63 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	WMscsAAY.exe

Executes dropped EXE 2 IoCs

pid	Process
2712	WMscsAAY.exe
1744	WmAIgwoo.exe

Loads dropped DLL 20 IoCs

pid	Process
3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmAIgwoo.exe = "C:\\ProgramData\\lsswMkIU\\WmAIgwoo.exe"	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMscsAAY.exe = "C:\\Users\\Admin\\lsYAQYUU\\WMscsAAY.exe"	WMscsAAY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmAIgwoo.exe = "C:\\ProgramData\\lsswMkIU\\WmAIgwoo.exe"	WmAIgwoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMscsAAY.exe = "C:\\Users\\Admin\\lsYAQYUU\\WMscsAAY.exe"	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1112	reg.exe
1404	reg.exe
2884	reg.exe
1616	reg.exe
2504	reg.exe
2528	reg.exe
956	reg.exe
2504	reg.exe
2072	reg.exe
2784	reg.exe
2716	reg.exe
112	reg.exe
1268	reg.exe
2720	reg.exe
1892	reg.exe
2660	reg.exe
1952	reg.exe
2288	reg.exe
1920	reg.exe
1868	reg.exe
1268	reg.exe
2028	reg.exe
2188	reg.exe
3000	reg.exe
2968	reg.exe
2024	reg.exe
2860	reg.exe
2900	reg.exe
1140	reg.exe
2188	reg.exe
1532	reg.exe
1048	reg.exe
2208	reg.exe
2816	reg.exe
2004	reg.exe
2904	reg.exe
2096	reg.exe
1812	reg.exe
952	reg.exe
2676	reg.exe
1172	reg.exe
2980	reg.exe
2952	reg.exe
2912	reg.exe
1260	reg.exe
2844	reg.exe
1564	reg.exe
2800	reg.exe
2268	reg.exe
840	reg.exe
1724	reg.exe
1916	reg.exe
2512	reg.exe
2052	reg.exe
2724	reg.exe
2424	reg.exe
1276	reg.exe
2796	reg.exe
2480	reg.exe
2104	reg.exe
2008	reg.exe
2496	reg.exe
2460	reg.exe
844	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2396	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2396	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1504	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1504	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1792	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1792	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1652	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1652	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2068	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2068	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3060	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3060	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2768	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2768	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2396	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2396	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1504	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1504	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1780	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1780	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1644	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1644	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2556	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2556	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3060	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3060	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1532	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1532	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1272	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1272	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2492	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2492	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2112	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2112	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2916	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2916	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1512	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1512	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1716	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1716	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1524	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1524	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1268	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1268	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
992	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
992	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2160	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2160	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2660	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2660	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2680	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2680	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2124	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2124	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2040	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2040	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
304	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
304	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1260	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1260	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2712	WMscsAAY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe
2712	WMscsAAY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2712	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	30
PID 3048 wrote to memory of 2712	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	30
PID 3048 wrote to memory of 2712	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	30
PID 3048 wrote to memory of 2712	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	30
PID 3048 wrote to memory of 1744	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	31
PID 3048 wrote to memory of 1744	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	31
PID 3048 wrote to memory of 1744	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	31
PID 3048 wrote to memory of 1744	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	31
PID 3048 wrote to memory of 2736	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	32
PID 3048 wrote to memory of 2736	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	32
PID 3048 wrote to memory of 2736	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	32
PID 3048 wrote to memory of 2736	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	32
PID 2736 wrote to memory of 1952	2736	cmd.exe	34
PID 2736 wrote to memory of 1952	2736	cmd.exe	34
PID 2736 wrote to memory of 1952	2736	cmd.exe	34
PID 2736 wrote to memory of 1952	2736	cmd.exe	34
PID 3048 wrote to memory of 2840	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	35
PID 3048 wrote to memory of 2840	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	35
PID 3048 wrote to memory of 2840	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	35
PID 3048 wrote to memory of 2840	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	35
PID 3048 wrote to memory of 2844	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	36
PID 3048 wrote to memory of 2844	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	36
PID 3048 wrote to memory of 2844	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	36
PID 3048 wrote to memory of 2844	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	36
PID 3048 wrote to memory of 2904	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	38
PID 3048 wrote to memory of 2904	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	38
PID 3048 wrote to memory of 2904	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	38
PID 3048 wrote to memory of 2904	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	38
PID 3048 wrote to memory of 2756	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	40
PID 3048 wrote to memory of 2756	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	40
PID 3048 wrote to memory of 2756	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	40
PID 3048 wrote to memory of 2756	3048	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	40
PID 2756 wrote to memory of 2892	2756	cmd.exe	43
PID 2756 wrote to memory of 2892	2756	cmd.exe	43
PID 2756 wrote to memory of 2892	2756	cmd.exe	43
PID 2756 wrote to memory of 2892	2756	cmd.exe	43
PID 1952 wrote to memory of 2748	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	44
PID 1952 wrote to memory of 2748	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	44
PID 1952 wrote to memory of 2748	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	44
PID 1952 wrote to memory of 2748	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	44
PID 2748 wrote to memory of 2396	2748	cmd.exe	46
PID 2748 wrote to memory of 2396	2748	cmd.exe	46
PID 2748 wrote to memory of 2396	2748	cmd.exe	46
PID 2748 wrote to memory of 2396	2748	cmd.exe	46
PID 1952 wrote to memory of 2240	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	47
PID 1952 wrote to memory of 2240	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	47
PID 1952 wrote to memory of 2240	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	47
PID 1952 wrote to memory of 2240	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	47
PID 1952 wrote to memory of 2056	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	48
PID 1952 wrote to memory of 2056	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	48
PID 1952 wrote to memory of 2056	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	48
PID 1952 wrote to memory of 2056	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	48
PID 1952 wrote to memory of 684	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	50
PID 1952 wrote to memory of 684	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	50
PID 1952 wrote to memory of 684	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	50
PID 1952 wrote to memory of 684	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	50
PID 1952 wrote to memory of 2868	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	51
PID 1952 wrote to memory of 2868	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	51
PID 1952 wrote to memory of 2868	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	51
PID 1952 wrote to memory of 2868	1952	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	51
PID 2868 wrote to memory of 1496	2868	cmd.exe	55
PID 2868 wrote to memory of 1496	2868	cmd.exe	55
PID 2868 wrote to memory of 1496	2868	cmd.exe	55
PID 2868 wrote to memory of 1496	2868	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\lsYAQYUU\WMscsAAY.exe
  "C:\Users\Admin\lsYAQYUU\WMscsAAY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2712
- C:\ProgramData\lsswMkIU\WmAIgwoo.exe
  "C:\ProgramData\lsswMkIU\WmAIgwoo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        6⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        8⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        12⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        14⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        16⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        20⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        22⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        26⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        28⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        30⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        32⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        34⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        36⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        38⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        40⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        41⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        42⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        44⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        45⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        46⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        47⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        48⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        50⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        53⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        54⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        56⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        60⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        61⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        64⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        65⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        66⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        67⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        68⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        69⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        70⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        71⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        72⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        73⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        74⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        75⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        76⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        77⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        78⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        79⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        81⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        82⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        83⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        84⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        85⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        86⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        87⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        88⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        89⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        91⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        92⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        93⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        94⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        95⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        96⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        97⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        98⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        99⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        100⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        101⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        102⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        103⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        104⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        105⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        106⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        107⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        108⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        109⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        110⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        111⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        112⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        113⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        115⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        117⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        118⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        120⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        121⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        122⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        123⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        125⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YsgcEsMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        124⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OAYMUcoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        122⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nyYYQEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        120⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xOUsgooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        118⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fSscsAUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        116⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PyAMkQUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        114⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIYQIYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        112⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EmcckIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        110⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IeQsgUgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        108⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CuUkYcgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        106⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HQUcoMQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        104⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bqcQAwkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NaYogwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        100⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Xyoggwkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        98⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YGYQswAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        96⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MuIEQcEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        94⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aeoQgAss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        92⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsMQMsYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCgMIwwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        88⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DYcEEQcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\joUwksYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        84⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\likwIogs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        82⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\veYowscE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        80⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiMkUckQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        78⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qeAcEEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        76⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OawIoMgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        74⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qksQUoUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        72⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VuIEskog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        70⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqMwggQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        68⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xoksgksY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JMcAgIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWoIYEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        62⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uygMgUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        60⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SusUMgEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        58⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\egAkUkMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        56⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sywkgoMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        54⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqEokIQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        52⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUoMIMgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        50⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYowYQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        48⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fawgIYQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        46⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eqwcUQYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        44⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOAkUUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        42⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\owssEMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        40⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUUIgsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        38⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vaAIcwEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        36⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JGsEYkUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        34⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DKAIMYEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        32⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\REswcIcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        30⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wYYAowUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        28⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQgMQgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        26⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmcIIMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        24⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\usAYsUEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGkwkAEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        20⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngsUYQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        18⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hyAokwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        16⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LcQAYkEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        14⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OosksUYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        12⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OgwcUEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        10⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EIEYEMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        8⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1856
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2716
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2932
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1316
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AqYUccQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        6⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2240
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\HuowIUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2840
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2844
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyAwsccI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11423457289768312642087507928-15668754727708780401515804214-1224281089-223464390"
1⤵
PID:2092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-616596550-468103966-1180785436138485648618534603601396309847-2136781939187740357"
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
161KB

MD5
321027f4d4f6b837e243e749dc61699c

SHA1
599b571474f8f4270f7e312a653d76f48089c08d

SHA256
cbc97fbb62da9b84b256dd6e08c89007e16477b4daa50aa74eb01481f6d2d41d

SHA512
ed215ef44a46583eade6479be391fc47fc35e8928074d5ddbf169b3942d515250ed2f072e8879534c4424661f7598209d6ec352ac44c542385a261c1d9f4e822

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
158KB

MD5
2078a072513b415fc7b3567e195f4c13

SHA1
5b887c772fac45c3c6b66f7aefa0f8e289ed9fbe

SHA256
49977eafd4ac35d70f8cb796417e0ab0a2cbfa9c3e50bf4df25f1b7ef805648c

SHA512
f7f4f781f86c2c73aa29ed6908a3f36d94a50497cd9971cb2314f7c4705eb802fced1acee8f337d004f12a50b99ec06d83a1bb8acd8a0d05cff1fb9b1d90b5e0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

Filesize
160KB

MD5
2f714d2c3861e0dce9bdaa9822750f6e

SHA1
0b3a90a34b6c56f28b5ed28f0de7e46a5ba18c5b

SHA256
288914ab9bc0796b7885b0f329ce11338eeb3dba1819586f27f9b6145e17fca4

SHA512
53afab1386607e45226106e6e98de42e5be533edbc161328592408dbcfcc838455fd0ede1cc17cc03013614c7235af2f6942a58e4ae4b6347eabcabdca05a9b0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
158KB

MD5
2a7977773d3658cf2b0f63b5c7e54cbb

SHA1
f7bd3c23dc69c52ea8bfd785d91eff8468c6c08b

SHA256
433293040fa13323567f6f1a18724e6bb9e667453d18e7db64301911f68690b7

SHA512
d1f42a52b34a1579366d3afccfa0258cb65bb7716b752d0e3ad541b6ef3752668bf5a2fbebb3fdd52fd5346f8ceebc4f9c96f81b392fb55c5db5405ed3435157

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
161KB

MD5
ca4d6abb4759818066477f905f4ee4b8

SHA1
66b9d896e34293cd074ce7fb617d562587c4fb1d

SHA256
02e6c69b96dea4d4e09bfd84ba60e27f73ab122cd61b6254e32178fc309a000b

SHA512
982871a5dfe07c4ce386f317416ad5609b407be1aa8586db44b8bd9cf233da06f611b055e1a2c273e14a107e3ca5fc1d2ff97eefffdd9ae5c9d7f551e0bb856f

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
560KB

MD5
2e87af9975cc893cb5d225a0ffcf4d16

SHA1
9f00a6bad6fc8fcad8705374a6e882d6d839dffd

SHA256
bee16a4093b88bce4772b70cb57f7ece1c39cc11c1233b83f18b1112d164b286

SHA512
dee689c5181b7a0e9f96bc6bea83dc7b818dcaaadc51f3fbb4dd4ca99641ca633c7148750ff7ba3fa506cf5b2363b7cccb5e6c1b0d974f42f084c58616646eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock

Filesize
2KB

MD5
d03c01df855f607fb98fff6cdcb91753

SHA1
135c08a6682dd6c8a63cf3aa33c930536d239add

SHA256
a556ffcf221ddcc816a1b2ae8487ff10613f468118bbdb76ee3eca6695df4c4f

SHA512
66c8fa21c1f69e2cf838c408c8b975e797c4328b56988f8eb9a92cb3b9cced98363994be0b341cdc6385735a823b4638158558d44c7a6e671ae44c5eeb5088b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEMS.exe

Filesize
138KB

MD5
f816be6aff6d94c69fc71da163a281eb

SHA1
0410dbc845aad803382f0b930fc730a8a0c592c8

SHA256
80bca4dd604b1bde554923bca9a3efcb19241eb33aabd6ed50ee5de72baf34f9

SHA512
0367acd8e34b26df4e2146119a1dd50829e927410fbe2d2c2cdc744ee5068b160e87bd354021524db2b15802c5e0966adada3ce6ccf24b16f822c24b9552519e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQII.exe

Filesize
553KB

MD5
679cd4248938941f9ebe4125bdc395b0

SHA1
6f7d16f9fed7ce610c718927ab1b8af0f0697819

SHA256
f963d544b6ed9fbdbda4de17cd5ac1f8840018247763b82b27fea420857aa10b

SHA512
218c709ad233969a14a2810ee1e37a7ecedf4b1a9e49b7a48d08385a8ac9945240148ee01e7f79127dee9b49bc00713c094a05a2034287e236a4951814af5326

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQoU.exe

Filesize
158KB

MD5
72802259eb9be1bc469953c5efb302a8

SHA1
29eb804fdb144fdab619e64ffe0de7dca4c1bdcb

SHA256
36cc0c28d0f7100f54d9a1610dc4bb08f03ada5bf01b9dcbc5474e3482ee8524

SHA512
4ff48e62e44cef40e1ed0cb1d008262e0ae2d048507aee5c4c89828158d9d5a8fb002d25f568d7d9a6c0272d23f0d124f417e8909de7a8d1e75c2e9d49bf0ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUIQ.exe

Filesize
869KB

MD5
adb8d8e4a6ba642c6c19d119bdce62f2

SHA1
ce833f1e43b3a4c1d51224d49d988340f8e4f290

SHA256
e24bce8964d41cf615c34eb06412eea51072a4c0d5243f14df87b86a57895f44

SHA512
aaeb1f3ae8553b58058ab77fd194f44ca4634d0c9a40891131cc72c9aa06737d3271a073f7380399a97a164c3120b3f3014634ad6c4ae6cba4384d6b4218a6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUwa.exe

Filesize
158KB

MD5
0a36f1f6d291b1614e19e79c9bae7932

SHA1
605465f342853060e7e1877e6709c7d2d4a4e19c

SHA256
4c01b57a89a0221e8fcafdde311b67a0ade98ec295007106942f8922d972d760

SHA512
3922f4006f236938fb6185725101cb0bdbe1ee8ddd7e4df404a4a8cf3447fdf6bc761a973f381d34a9277320ed896f03b9187bc2922db5e2edd19b7a9e7cd422

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcYO.exe

Filesize
235KB

MD5
1055d1a7d758e182ab84d0eb7a85dc33

SHA1
a085f0c137f126eebc8692baa234adc10d0f68d3

SHA256
5821a1bac37fa80dbc62c849bba2a5e86f676d83762fc9efa4338948be4f3ce1

SHA512
6d5d55c912b473720f27c61adc7fd266f36ca667d73efafbc83c32a886479a23dca9c7c9a1bef23d8f506d803b03ae9ad8f9cbb95bec729ca9284a4f9bbd7c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIw.exe

Filesize
158KB

MD5
57bc0c292346438b6cdfa734d6049737

SHA1
2566555f0bf619f35c991ae7003b1036126199b9

SHA256
2074aa977cf2ca12527320264dd5eb4d0f9d15ead191856dad212ed2c075a35b

SHA512
8ac6670b2e344facc79dfbd2ce982d48ec2d90efded5e6f6b03a616e6c4b6067c067c74d483c897c93b46bd7b19541e5c6731e8c82d0426337fcfa3c6dc97254

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoMwswIc.bat

Filesize
4B

MD5
2d46f9dbab4923fdf93175bff96d6da6

SHA1
ebd9b0adb6d004600f6c61703cdef53079a18858

SHA256
e60ade75c3218f1d8638ca565cbdb8108e781b72e67687a16fb95aa999f503b2

SHA512
f42f5c153e6c391803ed571c7e33266d6e682a44c15c7ab3e54b2aaf062892d94d1e5a72b826f5dab44c834ba76398be1dd7231e3a747345760929f4b60b362b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwAA.exe

Filesize
137KB

MD5
9ce5bd87a8a6c42f3d4509bb22ef7535

SHA1
6e95e22ea286fc617b39f8ddef65d5d9a0220d0e

SHA256
d562fd320ace3328b6e0837056e73e99900dd2fb2b7c563b28f1670a6606cc00

SHA512
6e868213b4c11ae2ce42ff6d56a6bdd5ce50740ddbc85ac68a830f88f0442c924400a7324cff1d404bac8a3bae35ed134d7a215ca173658944ab4b269376353f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwwgcIcY.bat

Filesize
4B

MD5
4898d053023938084880ff7f9c5fb213

SHA1
454b902c8a07fd449072d8950ea3df2bb64966ab

SHA256
457cdad097f4bd2362983299de33a19df5b966a7ba2d9c961ac6443c27229318

SHA512
56300b03ca41e0704bff8f8a2b5fc68a98304203a3039d1d688eabe32508a583cc6553c0cd4c8c6b218648f610a1d3cdc987248301fa69bf954d53d2483abc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUEogMsA.bat

Filesize
4B

MD5
b35b9c7f6df764a34817e62fbbbb4bb3

SHA1
86223c857689167c66feb9b1e95f8ad2a9df39e7

SHA256
295315614a8720df297e9b2cc5ff5b71c6a90bac40376f451558f8e972cd500a

SHA512
098b16a01668ca1571810b0e2780048007bfe22aa14283484f4b20e2ad6c3a59ae4f243f2b572333e63ebe4ac3cce7ccb75ece4ab200aead860dbe3e7a76a777

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsskscII.bat

Filesize
4B

MD5
dfecac240bf2a7784159fd3a80fc785c

SHA1
0fe8e1ca8c31c4c4e3576147c020cb08ba93b739

SHA256
7e0f6afbcbe17463ca359e9fb0aa45f81b4813cb9e39f990b887e23b9d626cc0

SHA512
9e9b1ac7b2a0393a60603f147bd8bd25bd42d87af9b51b607a3222f7b7b8abaae56d380a130e6c3d3b758b760489fadff24e0e3b654f92a14be66a7a995cb253

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIko.exe

Filesize
159KB

MD5
614e464ede68dcd2c42c8686aa295fad

SHA1
774f5c607c23cc4132f5de585425b1b802fc1495

SHA256
4b98f4ea251c70ba23a611637ec67f9b55945ee10685eed349cf64cd9b07c931

SHA512
ab5313a1d51ae5d0928bcd70a63318898abf71676a26e4a74c7d366ad25646911a198e6ce87aa23b935235528fe8da767edf88a5499223819c6178d886543b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cckc.exe

Filesize
137KB

MD5
4a3cbaf83c255ed440831d8c88fc7c2f

SHA1
d4956aa5c71dc4568d9646173055f5f923f9588c

SHA256
7b976779560a8d0b5f4fcf0e02510f242585ce42424d01e5a42f87f4095ad4a0

SHA512
76f1140708ee1f9205ce22150fee2e4d8656c2dbfa0b68c4a65d33c9c24eeceb6613de3023e649ae7b691f6c8a34e2c8bdb050b954332d718db5284bfcf52509

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwAA.exe

Filesize
157KB

MD5
234c3bb20d5b6e41abb0731662cacd26

SHA1
862289339e775d5dcf42a0c20969b891bdebf3a1

SHA256
f855fd1e4afa78a566a6c47496bca64c1441ed7c668bb5faa1e7e6c05c3afca6

SHA512
7170d1acbd0dc17ce76df7ff7613cfe23ce5d27fb3d185ecbd6b394f012ea9a264d38a808f236bd9328f182951e2453f5e0dd97d9f33b8ca8eade3294d7414b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwUC.exe

Filesize
160KB

MD5
c610572426a18b4168f4755ca4ccf981

SHA1
45dd6f80b99397ea57f3216e8bf16f7dc2ca9ebd

SHA256
538e4124c6ee16aaf1d89c567894b0f7559ef950a6a7fb22a42e60f7f3f2e9f4

SHA512
ea4e54ed5de156af80dec52eb44079cfb5616a590f35a4e8eea90114e090f2b76c984991c6df8ca0574a90ad7a5b606a8580b7a9f75d7e4c0e2e38dd76d1747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAUAwsIA.bat

Filesize
4B

MD5
87169a8d673424eef61818191dc57be6

SHA1
3c0a3db41035b3e170c92b31aa27f06e362d5b3f

SHA256
9cd8d4c26b9ade65828b98753dd4fa69487002f63a47ad9ab2e343ee36fa05ec

SHA512
637640fa9ad8d9323e74cdf22d50788931edcd239c399117808aade4c9c839e6a334a252be6e67c8568ee8639738fd0c72b964ca381410985f597fffdc6d1899

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUsK.exe

Filesize
266KB

MD5
d98e118e5eb2a68f73a83c8dad50f7a6

SHA1
b54d3b9b6575f3e4c5252253c41c9f210a34643d

SHA256
7c0e36b5ac6cfb2c21ff960aca24b67935c17eaadf8c54020fec6d0590f2fc85

SHA512
bdfe9d455cdd17dd5087901f10866431196d28437f44c466e24fe881bf0ee16dbc73e42c7bbda43aeb1deb346d51a04ba55347f816e743ec4b7882f1f4bd3ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoUq.exe

Filesize
573KB

MD5
bec8603de713c40bd7fbe4fde8ad7b62

SHA1
83de28d3e149a1ce8e3dd4dc68818a6dc7a03534

SHA256
94bbe7864df907653644370df4a0861aeea0c20a91ccc3882737c50ab1b29726

SHA512
cffeb4088aa19b2513098b2c817570f4ed8f1fb2abf57148a572881ed67756198a6a4f8b585be5cfdc70724a7a5f620a299db97258c7fd0bb116b2a6d044df58

Download Submit
C:\Users\Admin\AppData\Local\Temp\EowIggAc.bat

Filesize
4B

MD5
51b1ca1b95fbdf20e67b99a0537c0970

SHA1
7cc852500947782b564c6f9fde9eceff5f68ded8

SHA256
2525b4a6828001bb87f8f1bc6d9bdf3433bdaf341187504b785621f6fc6ac78e

SHA512
fffa462d5de35456708a9063575c4c1b3ea4f5b3d95a686a1757bf3747a8edcd49a03e3c4341017759d0b42b949a732b408e39f6ce4ec8c150be777b3204d868

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQQwkIIk.bat

Filesize
4B

MD5
73d1ce84561603ef47f60749a1b112aa

SHA1
8d410c5148abc09826ab1e676d8d4ee34e731d16

SHA256
90766408d61f5dddac1d4c9056689233bd265e56647472bfc4bd82e9ce76546b

SHA512
c0c47d2be06aee43a7a443d0d03551407bdae096dbb8195deeda68e32564b7503ae2090aad64e597de2259aa82c2f2be734029b38c8c56558a2a82a36dd0cf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\FaoAoEgk.bat

Filesize
4B

MD5
a876a2fc5743c6d5debd75aa47fb9132

SHA1
4832c0ba4ab434a62d92f4a79901f8db3b1978b3

SHA256
993130c7642794bc3d490d8e0441d1a37de4ab36f7c429a5cb83db47f631dada

SHA512
ddb49531d00905296f0dd0ca530160be7506a22457eccfa9c57dcf8cc0d82fb3808456c14d5e4f6868dfb0a072010a15a6221478c5cb71751d64912fa6e741e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEsK.exe

Filesize
1.4MB

MD5
ed11dd54fe19981e13244c9c086ed7ef

SHA1
950708b0dc67f43c10e8610a8b818bb398396977

SHA256
9432f86086f61b7d8fcbf9537c26b503f5f48b9abd8e049a8ca15c754c3e1c7e

SHA512
8f0e3f74f8acb40e8274905ac6a8f786399b65edecf042053f1dddc934f9a9a4bb44d9940f501b1425f329f0b206075a357dcb4cf1369efd022b974629d923f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMUg.exe

Filesize
159KB

MD5
c6f22c885266ba2961a039dc5cf780f3

SHA1
5b10068c8b54d2d265e5e7148f6becf33d142a3f

SHA256
63e32f62082a8e79318638fc9994c212b3ef268b0fda70a3eb2546ea3f24532f

SHA512
adc5186216a62aaccc36ef03d270030fc7fb30c14ff7171d75fbd31c95458599f60039b5edadb19b1ebf469d68c52015db07954bbaf508160d0642570730718d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgAS.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgoO.exe

Filesize
465KB

MD5
5f3e3ee929d6dad986887f77dc34b494

SHA1
6858511403dba6cef13fac6c5396f7915bf98885

SHA256
7928f610b6d01290dbc429e62d7d5132087e9b944c55ead80281449a2a6082cb

SHA512
3318571b6a1cb546e7d44ecb4ee22f898bde3818c5c3a7877b930d5e48a19a867d7c03d757b3824e83f0bd715c89c17fb7b3b676d217b7bb7d957a944ad3e929

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gowy.exe

Filesize
158KB

MD5
29f283f4e79d9eba02b7c87a50cd18da

SHA1
625b7094401a92a4002518eb647445583fac4039

SHA256
bd1ad8dcc71c24ff9b4c5c6f960fa7d38ddef6330fc37fb3bb8fac739bf3bb9f

SHA512
a03a10b3f95a34353876bd21950581368683c6422961a4fd7deb27960b8aa43c06eee051651e29517f17796a588e3089ba02bb17bcd3cdd267ead4b28be1a9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwws.exe

Filesize
158KB

MD5
673c7f9be9f2fa308a105a261d890a7d

SHA1
ce5f5a93d71d6b51e0691d2d8ceeef2c15775c4f

SHA256
00f5ebcf6540f23c30acf2d512351f0402700eb16da6d058016c911f1dac99db

SHA512
0208d3dad1204c901868fffac434b66c3bf7625da6762a4883e721e8a8e322376e463692f63dff8e6e807657876adae457f8d35ca6d87ddcddd1c36b0985738d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAMc.exe

Filesize
158KB

MD5
d3c98a64aa262356d48cb7e00af9c401

SHA1
6b20f5153f136ee29efcd755540c79f1e926d2ca

SHA256
ef7b2bfdd750044ddc4b916aaa2abf880c94a331b252786900b98e40461c083e

SHA512
0d495df3e37918fdc9d558159a2590db61a0d99a10175953b740a6b44e280e0419e9034744784e894fb4f27e1e46fa4a722592529c45554b92e79b9f3e4d14d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIckIAEA.bat

Filesize
4B

MD5
42e54c2a7de7781eb0b177ef431db880

SHA1
e98faf6176faff20edfba8f5570a9aca6cd043bb

SHA256
ab25b16ac536b193bcb19542abc9b3d3598cfd280f77b4fc73390010e8f5c1af

SHA512
9d250f6e6d069a5134ae734d83dc6a89f60734161f0fa25d57d8b9f5084f81b2c248eac0ed2e1ac3ba16e9b55db62265e60757cf8f4b6dea9be17b85a44395bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMAe.exe

Filesize
148KB

MD5
28a0b91d522feb73c77fdc3f11b53048

SHA1
cb8b6a169cf905e36dd6370aa286b78855703611

SHA256
a6a969a2884047a8277bac992a07a9e7361e4c2eabab54728c61fd2beefb0c83

SHA512
90bb1b6b325df446a5932fbece39419a13d0f6223ac5076ace601845c819244d5a92183c0558e5303d7db476a095a436bd07ee5ed3367f15d571a6f17bc80936

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUggQwsk.bat

Filesize
4B

MD5
04c71f821c92268d3a669b47d6cf4c87

SHA1
7f329dee86917ba8b53cb7152ae22b4078295483

SHA256
f97280fe6cc6457a38757d61c2d84d3f0f38e488f47380a09019225368c2d548

SHA512
d95d213f4c5aa4d95f983554b94dfb87d4d24acf4a998c3b1ee6b89c688376d21045dcc0d2fb7136befcd8c92477be526a39be1da92c1a391800ea361bb9e1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcQE.exe

Filesize
159KB

MD5
f03548b27536e4b355f86ee2d7b55c4f

SHA1
c55ff31bf621fcbb82da657c96d41adac68b261d

SHA256
becb85b560064c49e0498f7067d8c3e70069359c9436cbe521904a8adbeca166

SHA512
390c262365177528905b33a488005ce173ad6d1f89f11dc687f65fa16eedf0269e302c65a535779462f9ea39026539141d661c32239b9907f3605adac8e94f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsYK.exe

Filesize
159KB

MD5
af81c74bfbc896aaf20fc562e86c5a28

SHA1
34ab4667f53f50a027bb6724aa263b2a8803f45e

SHA256
32506aee449a3db73bff703955f5820a9064d3f1ea856f60a56d941ad6ef9e48

SHA512
c3941a6c7a2216851751c6410f9d932ee35dfd0ca462f601f988781eca8d1068cb009daa69ece7739b00047b63c6e7be2eb702e6b4aa8bd879f765331b0e9d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeQIgwAI.bat

Filesize
4B

MD5
88ee73bb7a6239e7be605987490e1d15

SHA1
b33d1870cdf3213e49e77fbd4e15d103b3b100a8

SHA256
c208fe640d523f0154deb0f18eff7ac2c625abb8da811660f00eddfae52a1230

SHA512
50087e92626fd9d169984532c083d0b45bc91d90064146382f02773a407ac8c8874f16c2f09fe8d5a615d9e6229cd2a7b5dc71fa6ed604186a39c01c80211502

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEQO.exe

Filesize
156KB

MD5
ce08f2df2df9d022ef0198bf82adceec

SHA1
0aa43d6172026a3a658ab60cebfb02a6e25bce83

SHA256
65d980d000457e31ee559cdde964f4504eac2436dac0a93672055d7484bd2ef8

SHA512
60848ed741a375e012cec994c6e78e0acde5b72c4c939cc29c5f79f244664b9b862166790cc52ddaa50c4a47c26bf0ad21453eb59a6da001c80bf3401ec1edd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQYC.exe

Filesize
158KB

MD5
8a7058cbc190d7f46836305cd47ae857

SHA1
faaa58702025bbc29951551a6debe08c194b1028

SHA256
6265f87a7b7758c165c1ebcabd63d586548a0cb195cc55883848e00c450ab535

SHA512
006e31ff888e305e7d7f34bcc7eca4f165a82632d95a6f6c60c7580c7ee9febeeb417504b8d5218e0ba080217771b31d2beb429891eff608afa813c9da60802b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUQI.exe

Filesize
718KB

MD5
b2341eccd620dddbe56a8b819da90b86

SHA1
7f710084cf9dfca8404433070d0630d06ffc835a

SHA256
8a9e056d42023e1d432ca9b6b6feecc621af89060b5fed040fc52167d47a1207

SHA512
a2dd010f82c56cbb662938aadcee602df75ef09fcbad8349f65e41bf7aee1b717935b9bc59aa8261bb26c6aac572fef2c234e88144d114d652628e22f360fb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoQC.exe

Filesize
319KB

MD5
d9f5069964c6f6741d23b4ed30b267c6

SHA1
161bf19c15717208639e6d028afb18369172f6fd

SHA256
49cdfdf3802768c4354e0ea8eea7ab6f4e5ebe257df46e400a7ab20f90358abd

SHA512
ad68dec6fb08e182be1bb1a61f4a3d5de8fa016f1142fa4f98ad4d68e1e3c9c54c063f9f4906a2b1933ae50379e2047cc038708fef2646e366c9d0077ecceffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAQU.exe

Filesize
873KB

MD5
26f20872dee9b0d6270889c37c17a9e8

SHA1
a0061777a546f26c1978acb21a822fcee702674a

SHA256
dffb60cdc74d4c84d847df17562e86797edb5f9e0d7b6063c8de515bd895fbaf

SHA512
3ff48bb7622020c8a4b569b5b5cdfd46f50493cc22c6e291651abbd6498342243f6b2bbeff200b9dbc915f4bf60b7f22f05ab646b92c6de8c0b86e5352870d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIMU.exe

Filesize
159KB

MD5
6e95f2d7569703cfad1e8705e9abf6d5

SHA1
7520da95fd1fa892c48ca04893d075e3be6717fc

SHA256
c5646bf7bbd3621c21a5519b54229477e3ba5cc9598f3687863dc6f86fcf4f42

SHA512
d421ad76447d7336582a44e3354bf97ab633e8b51e5967418c2677b76d09b5f33ab622d0f4896164d09302e74429c61bca607828540152780b41524666dd3de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMUU.exe

Filesize
811KB

MD5
caf8fc8de125448223d8d5cbc63fa8d2

SHA1
c412896fdbb4cb9ac561df6072ffb0e23cba2923

SHA256
0ce81dee35b1966a172f4a53d747e0351ecf1e24e6991a656d8422325944e4d5

SHA512
226622b0f0d84d9229ffe57ba18accea914bfd2ba4318fbd24f68bc740bd4b139550aa3ed395117df19f955f0939056a6eb308ac231ab741c3d7f86059363f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\McEC.exe

Filesize
692KB

MD5
e7a50aca283111dd1f260b6211ff5478

SHA1
8ca5be9656a9fabc9e6073e6749a524d86441c5e

SHA256
f75b31a43eaf739faa1e889f365cd4e5a81e5adca0a6bb6383d84e52fa517903

SHA512
382cefd1abcd73602d26b46391f5977b2dfc00217eb79736cf187ddae6990982f822ca1f6b72aabd758f5ad4f29f73dca8d8b16523e115acffc2a855c724ab5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\McwC.exe

Filesize
159KB

MD5
634b93955c2204e29e84a05dd0adaf97

SHA1
0cf959dc168b6a2088409e1c41073f835c82bc78

SHA256
df45e9d39355eff190dd2e9e1a25dc8d801e25a0ee1ea4d148ff57dcdb045040

SHA512
01f648dab7adcef77a77bdf0c5209b04b5c03e106f3810d5bda18590d1c75696818839dc31e47cc5194a64a19659490fda13fab0d3c066650f65dfbcda956ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgIW.exe

Filesize
158KB

MD5
4375ff82ffd6aa20349a84a1d6360ec0

SHA1
d73c22f3f3824ffaa8895f78878be2b45384ba1a

SHA256
648fd12a4b2e0bb5f90344473b99a294214f79a5e53c91b04e9b5105e0031831

SHA512
660ecb0fa8f11099feeadd35ad973942408cb9fcb6a46e15aec68336c7ab0c53705aa58b6538cde0964c4d505209e06b6a2c06767caae5495258f6967d1a71dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NossAkkQ.bat

Filesize
4B

MD5
faa755ad53c7a18489014eadc84f504e

SHA1
81297c43fde0b63656fcd995214cd90702145e25

SHA256
d56823a769963bafd94947cfc9add95df7798927bbaf7dc7858abf9f876ce30a

SHA512
16bc5d61f463a1a518c8536b3a4d47fcdff4bf2a1dac7406978e4d986e985c21123e45915e51855c12dae666a1e42322b41c8d19fa98b9db03cbd0b1d2e91d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIsK.exe

Filesize
870KB

MD5
e225ceca0dc778dcbe89cfb1dbd55be2

SHA1
090dac1e475e764e6ceabb35d4c969ad1ae3c578

SHA256
5dc064825fd66a0445b87f9c3a616ee82cc6b5f42b17226ef08c6547987068ce

SHA512
68df996a3d939c46ac55d794bf93cd4c3a6c79807b7d2d2d72419e7fa3474fbe2218320353615ea37af6f01b22e7c0bfa101574be561d6c3bd03b067989a8b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\OKIgIock.bat

Filesize
4B

MD5
41c08f33437e0c1d9319c0571376ec82

SHA1
db0cb24beef58d124d22e312272d9a7802809f5c

SHA256
a0300db83d782dec11ea049fc97d94e050cdca7bdfb396548406437c96b96aef

SHA512
8a610e29dff93d475356e83ca6dfb6612b8620a8ba8f797dd82f618137845048ee783dc4c2cce0273da4e0af89d3b72961853ce128d44134d5acf108dc04a6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OSoggwsQ.bat

Filesize
4B

MD5
1fc6b0d0f7f5e092815a6259d3f3751f

SHA1
091450a070100d15b53d24d9403871e29907d6f1

SHA256
04ac696a69c1c9aff85dc112b1316049ff6a3e13c7026cf4b02afaa1041da1cd

SHA512
825e94947f7d5033ed59f215adbcde12990371727d16eef2219bdb62541badaa43a357502120ecaa81b67addd90663476899fcf548c8c7fd157ebaef55e58605

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWQIMIsw.bat

Filesize
4B

MD5
f218094d0a8d8ca2f7af9d922b059caa

SHA1
16ea63b5d5ce86bc082c0abe1a612b7efb8bf8f0

SHA256
f3978e9d26aab01c58346ca7cfb2cc986f2078228661eb606f826a9127bb99ac

SHA512
a18aa36896bc66dc4c837bd9e68661b8a6ce29b4887c18d29edf87fa259158415de2d27b393c2701eed8546d0eea0ba421d3a65a1621bd0e0fbef3d524f22b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAAq.exe

Filesize
158KB

MD5
5192b71f620644d550f46f9261df12e6

SHA1
ce2a5e6943e8a2f9ed41d3ddb12e7e24f9b99900

SHA256
8e7aeb20887c33f2882f11782654dcab5919f24895d4d83f7513a019dcd165b6

SHA512
ae114a46e1b0cbee619ec97e04402e18df987b52288c3658cbc426fc86d60ae3f66ddbcde3020df9db93f92d591cfc1972416ca5eee6bf224aa385fd724fc947

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIoG.exe

Filesize
158KB

MD5
94caed07c8b36d494f10c7275466d4de

SHA1
c2f87715831f156fe7c01ed296ff77fa9893d793

SHA256
4ac0d2fd87874768cab2c0c16ddf0820529fa27890534cb5d9f5841f61ac534d

SHA512
17dac8398545203d5452b5126f303111ed3b60775b719bf02e79ce78b7d6c7a275c926063c7a7b15841a2e22dac07f37d13ac57804bf1cc1cfe599eb09234132

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUMy.exe

Filesize
159KB

MD5
f122dcae7c530f026bf6aa354b5b56e2

SHA1
fcff70b444af5b7d2c6b69ab7b727b4d9dc0e9c9

SHA256
6ba7b8f44a285b8ae1c50236895e372cb2fce451796a9e9f3c94abea319b704d

SHA512
39085c585d37c906b13c6c21e248857b41e623f6c01d82a1d2bcfddeeeeaf9fe58d218023eedcbe8dc7a83cebd5f7763bcb2c746f2cdddb94f3f2770844745b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkAIQQYU.bat

Filesize
4B

MD5
d3f45b2508a892eb7537c9773ab79638

SHA1
f6bede5ff90d00ac943ee25432de7e03048b2cde

SHA256
06e7770ce666edd60d6eb0213520fd95483679055972d65f90c3bc5b73c9bab0

SHA512
b3ee90838c305712d7a0a9fcaebb02272d6b30c080706517073c636b38ba5e851edbff76f6f598d44ef1cfaec3bce9133ff8440e3a99602104e75971da685e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsoo.exe

Filesize
159KB

MD5
e23e24cba310ba4a62b01cddeca65eab

SHA1
9667283409ffd09a8e97961deb2182cb031541a2

SHA256
12b692100148bc9f58404cca4a28635b5d573f3b07b32124fc86633b2c0544b9

SHA512
d0706acc37fe189b57c3fda3c3942a58131355e5d74904c7c86cc4c765b40da5afbaaf4986d8ff8cc367d8b74240a654df93ddf59375d3c7c796dc914a8524ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGgMUcQI.bat

Filesize
4B

MD5
508f7f02229b72592615a1c3ea80644b

SHA1
d8a0b38056611a8aa62694bced3400e6fa0aa657

SHA256
aaea82618c8e262961d5834a3a0fbb3d3529b683fbc411d6fe28a54eb90c7828

SHA512
164f082739b97c7496bbe7d4d2ec4b103ecdf7282d4f4d995b7c7595380b63017106cc01923d5f392163fcb31621e018b91a67e30a7678476c2638d0996b99ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkYQwQwc.bat

Filesize
4B

MD5
3afd16fada1184ab776e5017498f2b00

SHA1
64c21c2c4425b151a8f6fc68ac3c8af565234cd8

SHA256
566b0378dd5c59b13533b385f908a04b08438e6ad9188a1de55a71f9fbc39ff6

SHA512
0bddd0800e11a21029267b1c3c76e7ddce17a8933adb89e11697287ba40ff63a39d01aff22f8f3049e69a02794d9800c60031afcc3a449376afb6c9078d690ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAkcQYII.bat

Filesize
4B

MD5
2109c6da9673a751357c56c8b1d29246

SHA1
82de0f5e6f21721ce8d874bb3f396060469653e4

SHA256
89db5cd5ed756f664614d561280090740e05b266946fd1675421473f958edeb4

SHA512
0f92813bee644c35f7f96de157d1dc8cdf354ddca11ff4955bd9cc7e99664018fe77f679966563e103945e192e344ed2aa0918f089c52c5fc65188f73c21c430

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEgm.exe

Filesize
158KB

MD5
8fcafc3cd40bac3cb6b291a121b5cb93

SHA1
75bae4ff1b0375fdbb652cd24d4ba2025401873c

SHA256
8a81ba19ca00fcf258a001ce652f6b73654aa4651a9a12308b11937eca0dde5d

SHA512
a15b68b81f406eed70e5fdfa34e4cfd92eea9a0db56721f3d48679ec042cd400159f915c1e17e875a51d427d0523ffbd37719d5a5b6003a4ac734737bc136b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOooAsYY.bat

Filesize
4B

MD5
1df800a846f8c0b16362264e22982497

SHA1
384db58cf29606e51e4f39447fd1a5760c3a2a7b

SHA256
12b13ca1033520b6e47e3b6bc1f067c5aa313a81b786d8e3721d9640e8614c89

SHA512
0dcac185f851e35536af05edbe4f7e1635d742df6f2f757c5b9c16d306e2f1fd88efc9493ea76862b6305e4ab140edc0333a2fb83b70e35c8ed39e57075ec986

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQMi.exe

Filesize
158KB

MD5
44a9d92f684a7e0758965eca53789e7b

SHA1
013da02eb1888a817d60358f66785a1a09c0c357

SHA256
7c9f7e4416b4d7a7493a514ad0c33740e70e8ef0bfdfc9baf1dc5e7042ed011c

SHA512
9580c8ab85717e1e3cecec0508f085b3b7ecedf550d56082d0d67cd8998980dbe985ca818cf17272f11c67159b63f025ea4e3abb6167bfdc282816efb0edb287

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQUEYMMk.bat

Filesize
4B

MD5
14b33e69d616ff261962e68235300bf7

SHA1
fc510f7e72504cc43efbdbaa8dc19161fdc6caf0

SHA256
122c83de192345341aa8f8dfab2b3add59cd71ea325df743de19957a4cac6458

SHA512
9bf3ffd8db56b0e230470750c7ac54487661db3032141209d5b06def2aaec2f5b3d41e81abdf632ede1826a335a028dba3e0155bb1c3541d5ede38804f2b4ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScUe.exe

Filesize
158KB

MD5
64ecaf1ffe218ac1f9dcef9f1a04a068

SHA1
1df43bf9486b983b13715ede9bb1bef9f8461f9b

SHA256
3b5784dd84245cbbb5a412ce12f8217b49666e812f71ad36d9ab5ae2703d9867

SHA512
8697b93ca6b2c9a97da521b912447d06ae449374e36fa072c85321b210520025eb2e890d91aee3c0c0af2b1b9917924b9a184fec7ba0ea45f0840f53cc34c3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skwy.exe

Filesize
565KB

MD5
7c6f1cedddab27aa0697768ae11cfc11

SHA1
4659ab1e9279939dd1ff8eea98d7dd33b02a6491

SHA256
c35dde74aceab2823f8915f712d4bcc4352a462550d8924660f72cb932191273

SHA512
f519df2da46f5856389698a18588380de1bcc826ec24893f2a87f7adb13c1616b844a5b0320376815493bd4a0153e45fe80ede93b3b95d830370d17b9af64c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsAO.exe

Filesize
157KB

MD5
e0a4871a44f71c8a8b49af3ea7e197cd

SHA1
c8b2c97ae2b638de1aa82ed939e8fbf304aadb0f

SHA256
168d67fbf3d243adee311239dea8ef6821a1bb7cfacb1f937797cdb33cbd67d4

SHA512
fdb2ddb06e8e593a681171baf95a2fe16c8372af832ea026775f1c8d49b05fbb89ea2a5094ecd4f503d696bcd27bfb118e201ca83c9690f07bf8d6839e0a71a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sssw.exe

Filesize
158KB

MD5
63156254ac142dec564ddf0a4a8a9bb2

SHA1
f992c09336040a7bb38dd75c455b30c2730c1f8a

SHA256
3d4a58a328c07bca43f477a43d57138207e3125c50efcb0c4095426779c695f9

SHA512
fad17fc560c47b488566319a0dc0677f572600d2bfae693f098af2da72ff2733512319ed192f2b5c9e3de83347421d83d81010bc386331bc9be9cc924139576b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMIoEwAo.bat

Filesize
4B

MD5
c75fe2ae7994666a8fe4e5bcd2e629e0

SHA1
659adf92666287f9a6f4b6c3de6fb0c13bace638

SHA256
f28c1d08c3080c0fab87424a325f95787c5047abc5f250eae5376ba5704593d8

SHA512
3144e7289c1632c33d7b8bdff435ff042e6195e4427b79cbcbb1f73d5f9da5c22c04a4cee111bafb749eafd949d48cdbcfcbea4ceb0c3a23e2d23700846a2e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToocEAsg.bat

Filesize
4B

MD5
336564b5ca414e1b82d891063dd9f818

SHA1
c834d8dc536e69c82bd1b9bc0d04c2fef2f06b3e

SHA256
3af4506ab9bde97dbd6a0f9e923180fb92a35a1a12e9ad1bf4decc30a5d41c4d

SHA512
bdd70f4bd72349c913db3ca7140f112adafe9c76ed72f8ec490a905bcbcd4a10112e3c3bfb52a5559a96aede9a486bc159c1d4c9f97cc3844da50bebc6b300fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIcW.exe

Filesize
157KB

MD5
7bf8d259e3155e0fbb9a4ed7d1be48a7

SHA1
de3b9c638215ae4ea177b86058b41f81c4559f52

SHA256
9c93e1224b9cee92d2178d98e7591b7ed6d81782da3dd8ff084f760f87d1d155

SHA512
e07724c5501355f317c3de26bec9d34e0a4c22b9fcb746b2d4e822b897dff3541261a7b1741c7a2f739d28a990380236f32292c9260f8c4d28aa495cd9454d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMsg.exe

Filesize
661KB

MD5
fa1da4bb6f5d91ba892e9a7ae14bc566

SHA1
7362a464b1142f974a8e44606a7722e9993ea409

SHA256
7995e8c8b81ae70b11c954e488e8e7e70d0313b49685a3e66de6019226fbd28e

SHA512
5e62ceacbf2d2b005800f61ba5e91aa86e288317bb3a3bf6e3705622658c55ac3ad914a64a87353ed0df14d83ae1e631be95b82fefddbcf4d46cb6275fa4d09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWAkYwYw.bat

Filesize
4B

MD5
d6924c52a1ce1e8923354789e0c643f4

SHA1
bbd23dd45ffd1734cdd2185598b2592b3fb7cf40

SHA256
896833a09a873f7d388c43951c71934f03456edef197f11ace1436eba25c30cb

SHA512
e65f3f23251e2336ae3df047ef188ba38ec940f0c52ed057dd57eec68c85678fbda62548f94de7b29c9ef377f53f799e72aff5a8d86e37fbbd302e779e03d25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcYo.exe

Filesize
159KB

MD5
b9de32617c6c336d3b86110ad9c46f68

SHA1
9354dc43d345d3729d23c9c4accf3fd45442dea1

SHA256
29119600305db3b3279ba405a6a034ce893fa80c18892312eb564c3851182e79

SHA512
3c7b3df331badf85f7094492979f34ff32df8d2c3d97c53ea60bb4abde7451c96f50de769d106c179db12eed0c7f22d9d9f7a322b4d82a0a5e820cca8ba363ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcsU.exe

Filesize
157KB

MD5
c2f6f7ded987baf53b282c4d03f95fcc

SHA1
c72d50d82d48d3593ce24eb511a81dc9e5fb9148

SHA256
5abf547cacbd645806d0994ecb552dcd93b62e2e0e6802af19a4b026545da54a

SHA512
8c0af1586bb798fadf774327cf3d3d5e53d078a98cea1a4af7fc10125dd0bf3fb16c0fec2612244ea14cf04a7023256940d754a163385ba4884173b23d0ee473

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkcU.exe

Filesize
160KB

MD5
076f8a477ffe9ddd99ed6297cb0ef109

SHA1
15797e4cb3758a6bfce963e74e3f194c5fa83b0b

SHA256
a479ee2bd6c30bc02b090dd311e73916788ea3ea86812f57a34d3506a1e85e69

SHA512
f131677759fa6c34334f07a9bd290ec7b6e4c20fee3a3e3c02059ab0c246be938c23f54328ceb8ba0312971cff57e6a2529ad2aa9a5d2b26da3feab9059baefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uswc.exe

Filesize
542KB

MD5
cd1a5896a41773354a263187936a6b3f

SHA1
61db31a92470f243febf3ff3e83fe1450b28fa39

SHA256
ade194c6260ba7bf558085026899bf72b2fd747bd4fbe2ebc3a7f013be84b897

SHA512
df7e7365f38c11ee9629decafb51f8ae967a4a8ea58c6f05977f9646c17110362dc753006fd3fc97a3ff10ca6e94411bee90fdfdef57080c2f8f8295d0ffa3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwEy.exe

Filesize
157KB

MD5
722f0ce2e6f2995cc1c2458fa8d2aacd

SHA1
11adb2e029ee48a9512dc3c8eb31be32ef9c193a

SHA256
dddac5e690abb98a1b379aade38ae856754ece8536d0ef8d0e3a709338827dd3

SHA512
eb849c96a81947a3497833552115b1a1e5723a4c6931db3005c3e75ca5928db4251d3a17e0c39100d9cb78c09409a26f32e7d5801a98697cfcb98f2dc6cd6295

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwgs.exe

Filesize
160KB

MD5
04d2956f8e79c24addbcd8e6bbcfe000

SHA1
b22d29fca2d7cbeadefa48b76dc70a3d46e70b4a

SHA256
39c410bd0c5ffaaad8574b7b41fe58075fc23ecfc6c46f5192e6fb78e77f345e

SHA512
748cfa7c2ff192f34f05a07b19158d53bf6faafd49f55d9ef71a15cf97a2d13ff207163e5d282d21e15a8d2bb09593e8b119b3ea4e2c2e7f3154c19b5ca4da4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEoY.exe

Filesize
149KB

MD5
38910e2cc6598d98ff9d978c7443c8e8

SHA1
3f0d54b6fb8faacd6be0ffee629552140d222118

SHA256
af63b76bcea6b11ed3d59b5c5050ed443abd2d73e905e8b44a0f106808073a58

SHA512
e30db83a5ef3bae51140bf0c9f00d5436e040b99002b1b879d1c8c1428f87a1e0d8c277c76f5430ebd31d0eb96bbe871722a982ccf0b17b548633d6e5a217764

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQkkMkIY.bat

Filesize
4B

MD5
00ac67159c63dcf719a2b17cfbf7be5c

SHA1
2f50eade3ce6749eca3298871159157374ef0bda

SHA256
d859a2bd201f148bba298eed492f71d57ef2c5f9ef6527f4682750a02aa9e664

SHA512
eeb20f0a8f1235f9ae4240007671e6805f02bed6aa0a0fe4c8ceb1e5b841d3cff682f5ba3a1417225e61a90d80463e1122ef8ab0583abec6b6960dd2fad4977e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgkU.exe

Filesize
2.6MB

MD5
1a4ac2cd5b491cfa9eafa809200f760b

SHA1
9482d189361a2974f1f8e749b49c9848951b194b

SHA256
bb3ed73c358e3a1012d06adda06d17235adc4e06a87d11cca5306f5e3e5f5635

SHA512
609df4258ce78fde90e7737d98a6ccc253968af63d0df71fdec407703c1c7f5a2f1afcbc45b5b5b2805acf7c30ddbfda65a8f9e6fb8d01c176076029ddb3df43

Download Submit
C:\Users\Admin\AppData\Local\Temp\WokK.exe

Filesize
158KB

MD5
c03c21dddb9eef9257577179cd7dac09

SHA1
32bef57c8cef9805e820dfadaa4c98c49fe6b690

SHA256
40e63993064c548c6ff0fbd12f15073641580a88b498da391f06f67925edd793

SHA512
d2aa7398bba17cdf0ceff79cbd4690470c0f319c72ac96d1ea297bc14ed94922826107a2d6dfd74c6ec5104fd767123300f9b41fb0a929d57ae7698c4cc7cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQAW.exe

Filesize
745KB

MD5
ff76eefb3007bfc0fe076343e9b24e69

SHA1
59cf96938a549277cc9b266dfaa8dec14ecac275

SHA256
253250b413ce46c21a0c233ac352c3d543c668741a4547f8956fd853cc0eb53a

SHA512
92da0a0a19eb28fc8a94cd8f3bf037de2f2f4774c6042ae152c8ae9c8202b138ad802871a23768ec88f07a2c76b104251e87cb6499af740c32e8beda18363c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQUm.exe

Filesize
999KB

MD5
91b2e4180e33af860d09b6c64917ecc3

SHA1
a94673c27395d91345f63793e3c6366f6861f038

SHA256
24c3069559ee4bf1e7d133dddf95e41e3ba9d878d7c989300f569d1e2f3a0794

SHA512
f0a690f4e122a2ba98795b2180eb03432e673dd0bcd5048e4edd1b699c6b350434f16cc3b70a0932c5fb5e989335a0a49a6d3286dc8bae96567e13805df31035

Download Submit
C:\Users\Admin\AppData\Local\Temp\YawEMIcw.bat

Filesize
4B

MD5
377ca411a1bdc9165abbec9611b54d6b

SHA1
2beeb80ea11c5256bc0b884655aaf11fd6d3c4d3

SHA256
dbc65a923b236fbeb0cdd7b14a1da8d73c01bb9b958dd1ed74660d0d960e9923

SHA512
4c9dbfeae7bd8448451cb1b9c41948845bf9fb58402892bfd5df8a58589c675d274d1ca592687909a22e78a277b843647aea59f21db974535fd23fe3b369bd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycow.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yowa.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMkoYEEU.bat

Filesize
4B

MD5
396aec8d658a3330deff093ebae030f3

SHA1
071ace4fac3f86860aedd87080f5ec778186a096

SHA256
aa3e57c3ded5f958581f4f7afa6bc0fc388b1b0cc95c2d7d456cefd02130f95c

SHA512
354517fa6612bb56bd249d3e1b9125a6121e57db44365c176344c508937a901edff533eba7593437b2aba1894e9f70daea266eda28bcbace0b8d069788baccf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwEsEMwk.bat

Filesize
4B

MD5
6e619649d7f2c0dfc6f2685fda03cd97

SHA1
2124a8cac12e3a0de1db04f20c3d6d8d02703b6d

SHA256
8e009e83583eab5f96b7da4812caa998d7283c7d1db6a5de4b4b74760fc1b660

SHA512
4ac1c6e6e58ff6b4caedde3b4c46e4c553f2fd2ad72b1e8ff95a8b30af9be8bf1810475f8e0437b96df0d80429c84cb7ab0a9eeb03f4353634287a54cc83156c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIEYwYQg.bat

Filesize
4B

MD5
67a2822bfb29d245133a27ae8eaeb384

SHA1
e06bf49d5c453a50e61bdc2c6705f77b34d66843

SHA256
a2ffe6fcc38255c46fb48a8d46cddf6716edb8676374a319e3106ff5c9f07b63

SHA512
f85c5253f66b6c96c67233fd7a51483d29373e89f9fc3e23f855f0e7175d335be17bc27bead1b04e947d1c8a54d35e128db4e8fccb627c3d922e4976eed7a09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\akcQ.exe

Filesize
157KB

MD5
5dedbdefdcd2a0c17a170ae0087dcf4d

SHA1
6045c78c96616ad0a881e837839e375c6c3b9a2e

SHA256
9f04a8e23a446edb53b3a32d9a16e2b16ea944d58c251f82c6d04fa883788bea

SHA512
b132cb5065ef349e0902610488f7677fd9c9962a941379adc8994ac284e3a998062c418c9638d4308b6815f03a303b6db211eeb07331a3f17b32e70870b1ad6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoQW.exe

Filesize
159KB

MD5
22cdad23600e86780d2ad577d39af08b

SHA1
60d6b293b1299df7b6c5a473123b25b0a9a864ac

SHA256
a49962b5db2642d58cf9523f2e368574989c266d72058e8982231195c3f8adec

SHA512
3cb3c6c775d4454f5868cbb77e344cf2cc00096aa750601fed2a542e28964354140e1dcfd87ce4d858956704394e3b130a460508fa27349a4be65133458f2f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIAE.exe

Filesize
859KB

MD5
496ecd6d37f0ad359f5f1905cc65cdaa

SHA1
8800d0f9bfabe7f72443cd1a08c1daf11b9d3cad

SHA256
7a3db28f4ad20032077d271119ccf696ec70f8c348f51e50d49492d4fd23e7eb

SHA512
1317f90a56c9d3329df4c29dc0b7421a46441f5d1e02e407777bc27376e91fc79469125af60b9e16b526e7cba8cf77040d735ad7b0c5d7ef1ed828f039809d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIsu.exe

Filesize
158KB

MD5
4b9e50b6403f9219300555a13dcef5cd

SHA1
f0a64d26a4830f9fa57a9293e0e06caad26097bd

SHA256
1c4eaa638d8d3e4be94072880a61e50538cc83128f7f43074a1d6bac5ee6c898

SHA512
ec69fa97fa0e2d79aee93f77b4d2c75a9552b78a9321e523f6e57cd29b0fa48aaebcf0351e4d751499d9463b4093254b991ed7fa61dd1bf00ccdc21181650789

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOQIkMIA.bat

Filesize
4B

MD5
9d0b05a0209d2f86c456c2fbdfff5706

SHA1
a30b9bd15f86ada39912f5e5f7dd57bf013d508d

SHA256
1faf26f73acddcf831c1ecf61434f562a531fe692641a164bda748bea80e997f

SHA512
726131da6a728494281c0426fba260a03b1b3663ae0f2cd1ef9c919d2e3e6024295d937218dae2d190b77d2bf2cacae5350b0e130792275c95f7f69d60938981

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQoi.exe

Filesize
159KB

MD5
b3497703de9a2c296a14393e6dcc654e

SHA1
8076817fd599f3f426dbf238489855d60041a084

SHA256
c6e312da46c5b3b8fa62c33c9fa22aca2eaa2d12bd337c0e04cfe9bb1ad1dd28

SHA512
41eb6a13f88839478188b96dec33b00b4e43b6183d47900885e2cd219bfd23fe13768bf0e83e9a4870a80e73f536ff3353405585ed7a1edc414c1c1efb5531e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccQQ.exe

Filesize
534KB

MD5
42d77084897377a2da364e21517d2b41

SHA1
7e074509144eb99a65b2b5a2794696e7d71724f3

SHA256
18093ceeba488ec972f730fb7ea56b82a727dc0b50313746aa25fdac0501b361

SHA512
c2068a3cafb61babbb3d4a687c67cfb429b4d9fae262fb1b8f64484a47b2048fa50826ad8fbccdbaa05eea9f5c53d1f38fe93cd21350117461e2202ebcc45024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSMEgQIE.bat

Filesize
4B

MD5
0fa5eeb0e27bb2553245dcf274dba7fa

SHA1
3fb99d3fac9277263970f3570d99c0f67efa5669

SHA256
2632a9536617cddcfaae879382ee576b15270d41f976de027b1e2b1ea70c91ff

SHA512
d3a02a1b6a56951f7ba47fe20cf96d00bc4468e59508e982d5f9b06a0923bd85db0ef1140e10ad1b7984a410b27c6b9defdfc88605cb0c93f8648c420d01d0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMYS.exe

Filesize
158KB

MD5
d060059f02614b5d226adc77b1f0204e

SHA1
4faff19610d93369d15d32dd7d4d13a2fe262355

SHA256
60ebc6183d684e799b35701116086868a93d71bf16b69ea6acd1477f5420ba34

SHA512
c515cdd6282971ae7fe5e02787ae9fa018d42eb3b328d377bc2149df17ad400e03c0d1ebc364f67365d203e4ffc493442dedb053ddf7a61063f5667c18b9625c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMkc.exe

Filesize
158KB

MD5
43654a5526c49a1d830aaff92a8553ac

SHA1
735eb3a2fd3c1864b380711a4e1125f914c52fd0

SHA256
7e9d47059a8b3012e933e115ac481ec75464acd7ebb1ee2e006efc5c25111ae5

SHA512
a0c8ae14ca37de4ef4cc681591a38b24fe834a66b840ad6a1afa7e32417320c41e120752cb75dc3adc978e5998890e1b7fa84f0f38e876411d1cd7af189251a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQEi.exe

Filesize
158KB

MD5
6c81fb8cc02f4f5d6af740aecad01dde

SHA1
fdb605398da9f68c9a9dcbb063896ad1978b09b0

SHA256
08db079a98133482626dd188b8fd2c8ffa28af41438ae1429e14184938aefc0a

SHA512
24fbc47374e06e092844be8cf0c0d101a63b0c6775f6539ec978cd94d6f0c7b5b32b56de5537d2beac61946adc7dc21403ecb6a4ed5f4738702b559b1c80d15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaAsQcIc.bat

Filesize
4B

MD5
2115619a30e73447c30758b2d7c5c76f

SHA1
3a59e67cb0fbefedae37f7d1f120e63fb1530557

SHA256
6ce5204680e17fc89e394bc9a2cb96a7bfc81014e49ac1a223cf0a9ea19e9072

SHA512
3ffa6a6dacfe2f687cf250576f3651f93c5d207849fa03da8685197ae124a3c10bb9570c2fb6aac0db3c8ea5a10e6f78fb81ac4d44b127de540d7987b9768eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoEO.exe

Filesize
235KB

MD5
2456ab3036eafe975759a5a6a6b00f6d

SHA1
328b1688ea44c10711ea84c8362f23991d99da9b

SHA256
0b8800bb8d0915cb7cb30ea5b2ede32a0ca0367dcc180aa949182cbb776e2ccd

SHA512
4db80329b6d00cf91a8ac92d0852cc491922d72838b3ce6b18120bb888c8a6a568abec90cbe8d00286ff3dffeb9861be2c908271309ff6894481bd5e80635b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewcU.exe

Filesize
158KB

MD5
1a61aeef09c974e9d906c39d88e69f08

SHA1
a7f39b5c0d5d278838bb9448386fac4f1ad47200

SHA256
15890f6d823b7b8aaf18eb0af8211c37942e662eb1ee4ab891abfbf74d873f90

SHA512
e152f8f81ff5cb66e780c0bdf0567a89db75d07f124ff829bf682c33e082b55d15605fdcc0d71e463659ca78f6c6de6484bdc9c578b77ea3c58203878560f360

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOcQIAwg.bat

Filesize
4B

MD5
a34c8b0d5b1987a7c2c3a4e9e6afa7ed

SHA1
4120c39644f8201fd3cfbca4e2edb19953073138

SHA256
1231594778398aa5c3aa4de6f18f9683d3f43701c427d284f26e3a50b6e12e97

SHA512
fc65a2ed3bc14976dbe72708cc48ce7203fc2b72a75a4c0e7f25841bd116bdd280b135ff5d37ecad5fb94f6728006c9567da0b89f9ffd30a78581c5e851d850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQsgoAcU.bat

Filesize
4B

MD5
87864c3602f19b1b8ec0569e7ace8e80

SHA1
e590d19fbd235e62e356c2ef086faba250cdcda5

SHA256
9328329cbc97b06918fb0ce4307a74faeaaa5f55c3d627df9925425f61547153

SHA512
95b2afdae20588a1479840959e047cd1f8bbd0a2c191086ab2e5818f4f3970ce91382e31f9bf1e8ece376de9cd64a9e02bfbffc0b64bfd44b392b2251bcf5894

Download Submit
C:\Users\Admin\AppData\Local\Temp\fewMUIAs.bat

Filesize
4B

MD5
c57a83e5a598c6c35e4845339f25d320

SHA1
b37a7c20135b843c6748331469468ebb29cd5685

SHA256
d12a5062ee7e06c9822da8fea5487dcc5f1933ef5c74bc15742a2b48d38cc973

SHA512
7d1247dd1583db49a15dc1096ab8c4f3e398bfa3fe8fa654c57a5de251425e51579ccd3567704c54fe70066848b2b15a24f76b10b46b8b1f91589437597b5336

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyAwsccI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkkU.exe

Filesize
158KB

MD5
cbee325747f52e7b2c976da769e7a22b

SHA1
f1ce18a2de884fa437a5eda0e08788b02ae3c124

SHA256
a07e303000a1ccc418b1c2cbdb4679f3e96079d6f6ea26c7f0f83e6c07b53ed3

SHA512
27fdc49fd277c120e1f99d27261cc656ba793a0d57f72cafcacdd1a687de1345688101cd254e175b4c5cfb77338c35974f1d0a8a08910277d713ae01e9cc8e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\goUo.exe

Filesize
159KB

MD5
046ef24f250fe8592ce7d288a4968ee7

SHA1
b9ec4a66f4fefb0c0921eb0b4087eec386fe8097

SHA256
cb81b4dc4448fb7e72e4bd4aff2d2227c620fbcb3f75019c3a0902f658bf2f64

SHA512
a2257844ff949d1a0759c235be5886be3db2f0d4a63f1278632edadfaa650dd603f4cbfca495497452f372ac8d75132c1460b08c7bf4cebe6bfc4e772973039b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwwy.exe

Filesize
744KB

MD5
c9f34d66ff17aafe0ecbb449ccdc87f3

SHA1
5c33f455c91a482fd028c696687f4a3e57e1bdc2

SHA256
0ae2488724dbd2f0435302d739f8bfe87f15e832243ab0e35d4b09d923d0603d

SHA512
f1bd24ba12d10933241c43e965da551211981f2234f21f48819504157fd6d4ddf514fcf63b8d7dfeaebea208de4c9218ef77715294a94ce14de0badf55de3c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\heMoEskY.bat

Filesize
4B

MD5
32ba92cbe59c5efedb7c070eb4346ebd

SHA1
f2ef71e9ecf82383179eab7470c4aa641e6a22d2

SHA256
e3938d10617438ca914db92a14f56de0e7339ce7f813f3d0bcf2a6e235125fb7

SHA512
3930c4a0862a7ae250896a3970d752e490849bd842e185ccaefa712ca2099fed0568f40dd9b021aec9fd937020854062775cc27ee8f76d9418e59af9f1d0c768

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGMMgswY.bat

Filesize
4B

MD5
4bc96efed35ffa8abe08b5e578b838cd

SHA1
5210e5105ea9f41d725abdda413bb6ce355734c1

SHA256
545c38e539ea871662d4d96e99c73011239a9983187b61ae6b9f6c9b5a831b31

SHA512
4ea7275f8698209fa29910e90528325bd68a84f536df78c5d1c906b92f88b62739a34a284d53b002d70fbe7e1490dc70b19ffe0eb1648a7c123e2355f9f14f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIcy.exe

Filesize
159KB

MD5
28889203463415a0f8c3b99960f71338

SHA1
41e1d60e0677add1148494a8eb8d27c31d893336

SHA256
c1bf3f44e5a3cc15f637a1949c1f095f42358de7dc60360059cca225de97849a

SHA512
0caa8596f3fc84e062f1a5f30582463ca5d296c7a26e413cb4893044690df7eaa138df69ee625ad068cc2c565537751e266167c37a1f8eace5f6a8b988b47d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUUw.exe

Filesize
8.1MB

MD5
4f106214e1478c2844d5e82a9558e3df

SHA1
04e80c91858b6c450ebefc2519baa8e5f55b45a5

SHA256
96f7b95554b0ba7355d311f6cd32df13cc4a0ecab31a60dc2cbcafb7982cad69

SHA512
b54d7259d9150cf26f2255906ee7e054b0210699ae38e4ef7c980523f3ddd8de68c7a8805813f07a0c99c0701cbabd089461f42f3b1820a9d81ed38957d8e6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUsQ.exe

Filesize
406KB

MD5
a527fd745c6489a4e17cae511dccbf62

SHA1
e9a46046a95d1ff76da652e711e72c17596bcfec

SHA256
5bc132c2a5e49d1aeff88a159e8ff1432686f32a565644bfcc221e3cec05e574

SHA512
2f85e7026bc2a28d6275e275fb122d9034d34c77f8370395446995fb6b54fbbb0385982b48dfe2f26a6e99bd72a2dabf453ee5818f30ad17389dd414eb8fb30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\isgq.exe

Filesize
158KB

MD5
909374c966ebbdb2576cf712b4bc8e45

SHA1
08fe4692aca16b92ef278cd6c5936cbc36190bad

SHA256
f75144ec06b9de7933e29b30b45802e7a7b8ff793c3f5d21a18c813619ba7021

SHA512
6e1d57a9e54db7f68a4272756b4a2d120679915e23e0609e995f23e57a8a22e6ad52e60ed377dfd667d31245c32f88be7c146058648c06a6e2d1535887688384

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwUC.ico

Filesize
4KB

MD5
e1ef4ce9101a2d621605c1804fa500f0

SHA1
0cef22e54d5a2a576dd684c456ede63193dcb1dc

SHA256
8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0

SHA512
f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIUo.exe

Filesize
970KB

MD5
a56acdb84c96b8ffaf8cf1631fd9376e

SHA1
2d63a3a002025dca96154323b79a40c36a87f881

SHA256
0327fb220363dbaf8611a0acc0d716509228fc5e06a762971dc408537b9f9ed4

SHA512
ebb033cb71c4e6952fa692ea836774f8bc9c715f2643c63e3bcba2d29cab6c156c532306454502df9647e9bb4fd0f7ce22d9f695f99a5f7d1b2364be4512cdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQww.exe

Filesize
157KB

MD5
d3a8ac6c45f96d3843d1cc89ddc9f728

SHA1
fee380e8d49bb24527238d261b79bca64c63d404

SHA256
7ed118fb252643515b29fe427113f690562cb6686dc3fa8f95b2b4f03c9c3ff1

SHA512
1e66f744746bdbe7a38cdfe96c307b394630ff09f24df60de95b5f9d229282c2e63faeac611881ea08ec27c00eb96adb71fd171d10f43250b2867fb8c327e40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\keYkMcQs.bat

Filesize
4B

MD5
e4e2c8d7a731462bbfd702111806e189

SHA1
f50f8fa6e12c43bd7a075f2d01ca044b5e32e90d

SHA256
5c2ed8593069172e89e1e148d6fae779d82a35c1295c04a24ca00a2a38876f8b

SHA512
0b99420142c4ae61dc6eab455ae6466711e731438428b095e95682a9495c54062234f2e33c4970bcc872bec9fb6f97dac5c928cc19a9221126ee96529a804359

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkIMgcME.bat

Filesize
4B

MD5
eb6476d55b5d56e9c097ae975c6b7849

SHA1
36b44bda488627d417f1d09f74eb5fdd5f2ab8b1

SHA256
300c3e81613f08f38caf82230aff5c7506822eff1f80a2e166ecfb571a319fcb

SHA512
881d4eefdaf5cbd87720eee3f2310d2657c7f8e3e5676635a3bbbd75a5043fbd9401cb066a277bce56218342380f9d019eaf38b7b13da44c5ed7b6d5850e7ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\kows.exe

Filesize
366KB

MD5
6d4154a252c2ea9248fae1ffcfc6f8ce

SHA1
f92da07cb5946f59fc8d8143d3017abaebb8d4cc

SHA256
754e0fd854324c83a71150752400ece55d4b9a7304260c2c6a68d86a2c461b1f

SHA512
8ae093c726c865393eb1044fe22f5b55645ca18a92ba3776a752ed21fbafc1ef8c2e481332d4edf685a88625d1bc77c54a49d0e91cd812d14f170f09a9119bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAIQ.exe

Filesize
4.7MB

MD5
28369c80d0f4608bcdc19b889fdc3307

SHA1
ac66593db7e0892ea403c60a1bf7c673b53aff04

SHA256
c96ccd9a13c11de2e94302b1e971cabe4f4684de2e76155f6d0f16dfc93aad5f

SHA512
f59b68b31678b7846913830498e75109cfa05486d1c3116e7239a6614c22e2f5840747b5c44b9bf5071f37e3fa5a93a8a541cdf7589463e2d6ba5e56149430cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mCwIEYQI.bat

Filesize
4B

MD5
743646624c8a282c64c89b7ecd50f7f3

SHA1
5c529d0b4b6a300b59261531e86a5f5adff77f14

SHA256
9e6992ca5da9f4706aea5dd1d5048db8bc2f5bdb279d820697eacb2c1bae12cf

SHA512
19a247675a2c923c4495414db0948a19e57b81e0d24a04c882e33e72df298be4ab2e25b74ea554e3fe2f6698060e4d4cf610d9dd3d6e53aa799f9aa9ca06fb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEYk.exe

Filesize
158KB

MD5
ac3eaf563400d1ea9bb8da5501a42e91

SHA1
5dfe4c4f725de20ee741a7045575cc3d11d5085f

SHA256
bf07aba97178a19963d09dc4167bc424109585846afe141d38d33245a3a14ba1

SHA512
9bc01e805a5a77bb40e918d9751f2e84b717be9b12b23d1f750a334f52a9eedacb54054b4eae7441847b8caadeb01680028a6313819dea26b87d98890501ca52

Download Submit
C:\Users\Admin\AppData\Local\Temp\msQS.exe

Filesize
158KB

MD5
3c20a4fd63827c87e30fd58f3504ac02

SHA1
594664dffbed79b4114a9ea5e2879a017737c507

SHA256
5da316536522f7fa8d663c92a433c95a92874b659bce7e65aa6702f3d8ef64e1

SHA512
de7f88004f2b16488829439346f643474855ecad17c6fd274d90c3317525bea9786268b603cbdf94425c93a5cbea6377060d3b6b8dfcaf20ae2068a3a7e3dd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\muQQwkMo.bat

Filesize
4B

MD5
af218ae4fe3996948be334ea89e8505e

SHA1
1192979a00ad8987ea22b6b0d01892fd77777461

SHA256
2ec480954bf715e531bd9c5f2f3895bf68f689c6e37f62b40b5d6ccc09db2fa2

SHA512
34b81e66d4b272f3af3b03a6778aaf54f1d27d3e67309ce6f646b9cebcc2acbff019439c04983d5f02db2de722fdd5dbc0b1c5278c63b51cbdf7c09b7fa00ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAMcMwcM.bat

Filesize
4B

MD5
4d475719fcb53df63d3a100f9601f0a5

SHA1
fad3bec840251251a837530e7b4ce41a3e839022

SHA256
106559341e2a265526489c48c91125a7f70cc0b14281bfcead40429fdadb78d2

SHA512
755612ce3ed5843ed0b492cc2ec92596e17f553ee9c4c6c0c541550082dafae16b5ec2087e30f65b2bd89e31230c0039c461a8f55fcff8c561d7835f901106d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\neIYUMkI.bat

Filesize
4B

MD5
aeafd7989670a5b6d69fb0f37bd10ea3

SHA1
4d4ed3fccf550fb03658df07d653e731a576aa18

SHA256
4916aae8ff467e2f0d967b2e9b3b0dec405a81654b0cbe4f8a43043bf897469e

SHA512
1da3eaa2a0e73f222c1d8f4f06c752d786a617552f217195ce29c60f0fdef3978342986b155cdc937ea1c798133fedcdf4741f83b8d4b305d054a4b27f422aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMsQwwMc.bat

Filesize
4B

MD5
658daae87c1ea2def23b2c7001b4fcda

SHA1
a0865812b2ae01a085e2101f86949bb8fd4b84eb

SHA256
b786fb9f6df017f268338f0bc8543a1defd4bd19a134d041e3fc49bb94282c07

SHA512
8dcf435d952e1b686beb3a39186914a746c20afe8adc4ad7fe7f9e36c8643eca1a55f1dd4a5f14c6253a946ae1d80d1cbde0ba7413faa16605d0bc9740d170e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\omEQcgIo.bat

Filesize
4B

MD5
11a1977b0fe011a287efe249f24dc015

SHA1
ee07cfa29c591e3acfe47a509e60f091bcc62b47

SHA256
ed944ac95609e5593e1c7a1b1630d9836f319c2d9956e3ad2605c988d868d463

SHA512
4acc6acd627c29b2802734e09591d2fe66748a04290f893f60f4f4e5641621bfe16cd74183818d809b27ecad9be4d6c5b0e51486d202242098d96dc6a5a013bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEgkIkkI.bat

Filesize
4B

MD5
17e5e13544eac3db1ab0ebe8fcdaf55c

SHA1
2a37e786adecd98144f2ea0755dfa3ad399d3fe3

SHA256
aa820c1d61f296d23fdb90ff1126768cfd8332d49bd623fd9f00b46952aa9df8

SHA512
c7e966fcf2d38c9439fd0909d831ba9966932268030b39436be7f3f378f4ce80435669002d25725333d695332848108b8bbda2a88cb1c843272402ed80f10e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\pOcsoYkg.bat

Filesize
4B

MD5
13c2e17f916da167810a98ee57133a22

SHA1
e5c358262d67aa241bff761083f8431c3e794cbb

SHA256
10f7c883afc10705a94e5199e83156e53ac281435ed8db0aaaab68acd29bed22

SHA512
c6ebf6a57e950196a12bbb162caa6625f0a48d4697779d592647f21358c6da470a063b474a53c6c4bcccc98a0811417e13c818ccbbf34272d29d5a30c9ec0256

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyIIUUEE.bat

Filesize
4B

MD5
bbd7ce901a129b51ccfb422492c19e79

SHA1
0ec584a2c7b9849768be23d550da9bfea46a3bad

SHA256
5659fb347d7e2d29706a053de04329fead4e5cd52b795134119d4b7cda1b0771

SHA512
39c86422f1d1554733f835621f5c61b16490f0e2a892b8afb1f523437646b132ed42b8175218018291a0e27b68c4551a7322e694d372132e5fc49e35b68b83e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAIMIcAA.bat

Filesize
4B

MD5
650911d15b1ebfaf0ce36b541136fd7c

SHA1
be5291206cff405325b6de702eed5843ce927f82

SHA256
949d3ca4ea9ceda42545ec59922c1d2029e229f4526c88a1bbd43a4bb8fe3f41

SHA512
8a09e8bff7fa6e1622a94570cff8ad506c3bed61cb59595d876c6a52638817e865fecf87385b4bee06a1374295ea77c462e3c25734761eeecf0d8ac0be36c23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIwC.exe

Filesize
157KB

MD5
fd1c19a924739949565333435288b0a2

SHA1
30ad085009cee05bc72fb08077c9aab41f2064b0

SHA256
f6b31a80fcbce96b6efee642ee59e63e3e18a9e35f71eccc5a40791f3aa77947

SHA512
998ee133cc634616cecc6962a3cf5f4210b00447e1e2a099f0bc2e9fba4978b89968d65ba61b29c34587511e8eea56937542d78d3e9af1e27096cde8fcbc330c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUQS.exe

Filesize
934KB

MD5
944d514392a5874200e83c867e0b63e4

SHA1
cfa7d4e078358f267cf19c7104da581a4b9dd552

SHA256
755bd642778d91840ac7d68d5c57a18613e39ec0ffc34dd9795f6f7c8c95d382

SHA512
77ae47c992349718d3e67480b542ebd1eb58895413ceea5d2a49cb1614df3be7e3ce1d5f136cb54ec05b08af44199cfb0b3ff50ea54ab02d7ec73239a4f1a547

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUwAYoQM.bat

Filesize
4B

MD5
28e220f966f868ec6b22052d1ca9416b

SHA1
8e9668f47ac700b73226000fada9e58196189250

SHA256
0a65e26a4e55ac9fde4ae1d027db173afc599b2ef99afa6045ee7a74c93e31e8

SHA512
86f89fc1f19f318f71142673db952da3bf895d5180562b0edeba6bff235340958ce77687d3dd2790e783ba6f58ae24ee614f1b4c784991b3230fa334510b145d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYEa.exe

Filesize
160KB

MD5
a4b511487d80e4c8315393c6025b3691

SHA1
f5c2be174dfbedd46efd04815dbf187e63e73f54

SHA256
080334b11166f83c3a2ec85419a12987f4637182a8f03f8f336b115e777fb3be

SHA512
f5efc96f4e13547590c97c8b3f61496434a9c667dfaa9c8e47c73b24ad73d839d1f5179db4b1a6b98e1c3eb94e0cfa4bce61e75cea1d11860eead66f17d995af

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcwG.exe

Filesize
160KB

MD5
bb4b1b9e02739757e39489d9bced4e9b

SHA1
41eb4537082ae53e6a3e9cd6aa2d9ac5f1cdd843

SHA256
43bd92857c6734abcbb99ab02c4824e1f53dedd7e19ba42f0e7c1aae21d9b8b4

SHA512
3ba20fc81f403158f89671c391944cdd2705a7aac1e70fa1fc5d403dec1c467b7bf8506e4e5e446f12f070c3a68c94583a01171cea191cf08146ec2da1c5fb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoos.exe

Filesize
160KB

MD5
f2cd341ace462c758311ba74349dc5e4

SHA1
9404e217952b9de2d8f31efdfd9cd46c0b1459cd

SHA256
0dca67b6fe5fa3bf14fd299b8ad4167ddfd3ca3e11b4ce55670e3d37b9546dd0

SHA512
ebdbf233eeee6ec91dc093334a7bcc185e0b7d9a542fe79bc2c91bafc8ed94ea4b0950a1eb2e3d2e19b5c3c2b61bfcff4892498270a25fee79105c0ad28f0d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\quQAEUYc.bat

Filesize
4B

MD5
53facb99fa730cf16e3d55a3fde90cae

SHA1
869cec17d3f7152bb651d6983cc9f964634de11c

SHA256
81cea0e05b78f768f9b07f41135206b799bbe22d02e199c9c02499eb1d18e56a

SHA512
bf3b95421ad59b7adcafeee8bd82b0ef1b05125a36d6c3c94da23b404892c962e4fd4ad5a698cee0fcddf9def9a124b0dbd6130f558839aae745f150bd1cd786

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQwMIwcA.bat

Filesize
4B

MD5
0764a67c0b0414fef72691ad837af4c1

SHA1
f3b6f6c338671ed82dccf3f71aae47042ea91552

SHA256
ebb8f79c7b01982870e729bf3d397e29352fa7c32b76edf1478be794c5df81e6

SHA512
cd1238b9e71cbbf20164c7014254cdd010d49b8b160b0fc580f65c34afeab0e3c6f9f0702911a82dc01125af2a07520acbc6be217823de49a1b371fefc905d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\riQwAMws.bat

Filesize
4B

MD5
62be615a60f51cb6962fd6ada5814683

SHA1
19377a84c1fcda012d32e9ac6c4de9c6b3b2df3f

SHA256
b2bab78d70d22a4be6369a934aae122b0195d726243f81601d631ab10594ac3b

SHA512
fad989c1062cd45ad7c5738f37c14087dc312ba24d78116a2bd1fa75b52b2b7be016b4258d609711acfab21dea4d26c3d9a095e25afe816c9ba1d39557948cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUUAEEQg.bat

Filesize
4B

MD5
ff400fe3334f0784dd5271ba31116fa0

SHA1
d8172c389c0626ec45b8fc9210772a8952b95480

SHA256
90e8e0986c4a8bcb9d8c25789a3476765a78b2ee974a4f94aa46bb93cc4840cb

SHA512
6134000e8e6c08da70dbcbf54289df352e54e9029ee610611dd070b23e38a81313ca7f8af643f8e72718bae90805b4c7e8aab6fd7e5f873b921045734cb9f8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgQo.exe

Filesize
158KB

MD5
96317f7933577f7eed96fd7bf5ce2c2a

SHA1
c5dc3fc4d0dbf03aaa12dad02be59d915033d6fa

SHA256
970e8dbf3a10ceeadb1c7bb23c291e274881f98981ba5613a401a3ae2243dc84

SHA512
c4df57f2fc642b5a8c065daadf385caed91e2a37a178f82e494250b17755f41b8a6460947ff0347c19feaf15e945bfd9df67705fad1941f8c43e9b3970d864f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgUK.exe

Filesize
158KB

MD5
010571869148961e8f36deee980596be

SHA1
cac522c24d40fdae2c483ac5a12364ef992b6bab

SHA256
5ceec185e0f3f685d595e21a39679e72b1e2e250fb26a76d2352ee1eeb86a834

SHA512
dad38002a39c856dabf9da7df3cf75d6ab837f6b5869169f211fbd973d771df4d96463578005b21679514c78bdbedbc223e5365072c52ea9c39d29296d3f3767

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgsi.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sscg.exe

Filesize
159KB

MD5
474b049c70c8aa62ea0b700372769c9c

SHA1
42b72eb37e4b75d2034be3d6b72c84780366cb9c

SHA256
b4a877eee4dba9e43c28f93d42cce261705a41e7d8e2c66053aadfa454d540e2

SHA512
d177cffa9879b0dfb589a078a93def7185701cef203186615f3403d00258ecf2f5943d2b0237a0c96c695720d44af900478014e9274ca335895db0d5f8aa1295

Download Submit
C:\Users\Admin\AppData\Local\Temp\sskMwEAg.bat

Filesize
4B

MD5
0f0557e36c9a3e7fbf1108ce247283d3

SHA1
93efa6423d57d9a357f212222150ed2cc97874a1

SHA256
4bbecc476c83777432406ce16d8674936b5c78590e455b5f1f26a74d1e63c0e4

SHA512
b027e65d1d28454160fd266b05e979764638af903f536b555606d02eba062d0ead659c5bc9341003fa4640625b3ce816a292974785d08d549db8bc1806665102

Download Submit
C:\Users\Admin\AppData\Local\Temp\swAY.exe

Filesize
158KB

MD5
523d3b7e064d80f32ea9673026d5ac81

SHA1
8a2c2c1c074cc34ede32755c4c2221b8d63b730f

SHA256
a1f9be0722bbb394199d88a4a141736a07de15e1a32063e130462ec4a4b357e3

SHA512
fa036d957a584b5d9348c2ab7cef266e8d5b11257a3982f2572b279a82c5f6669b49237db3b1c8e4d8b37037425e80dfcbac09ae82752c2e194aedc4be7a9955

Download Submit
C:\Users\Admin\AppData\Local\Temp\swIo.exe

Filesize
158KB

MD5
9e4716eff43da8430e7264b1a09abd8c

SHA1
e9eac55b51e7fb4a2bdeca5b987a0e3fac64adf7

SHA256
dc7b6f945ea095a47084214e7c0721916a240849292fcdaf3061d1b4a8959e1f

SHA512
6f79c1e1eba160057401819981841df2103535b7479b110cf67afca71098ca7217c4ad47df291b814142575c6476a486bced1119745be70c841a3f63551b99fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAMQogkA.bat

Filesize
4B

MD5
151c87318f4b1efb7b38f48b0f5684f0

SHA1
cd6a1b2ab9db3a5223b05a1495d21c347beed0b2

SHA256
fa716dce532007a24cf9f91276bdabd9387123b4d77d12093cf4293e12abea68

SHA512
e151836c5480ba6e826069fa8625492ca773749abaceb20b6e8b8fd11e6acb689e452e539116271f959b6c864b543f4c4c541f6dc0aa86a86e9a2bd06c26eeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\tKgEAkMs.bat

Filesize
4B

MD5
9df80f92f47fab83979d77b011f7af67

SHA1
09d7ffdd84d522486673030d02f512308f28e4da

SHA256
ad021c04486e50bc9131145e670ed2b168c49ef895bb3064e8e125bf564ef6dc

SHA512
2b6bcce08e8edef6cf9b9cef44f77a0b99684326bb8c27db88643e75709ff610df9a8f861e0f1b75beb8824e9295980bf792cc7d0f66fa88583df99a3a72ec34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUssgQUo.bat

Filesize
4B

MD5
ce6537656dc3acb06d69b415163f7724

SHA1
b22a0e0428fa85711f705c693949b3e199b11f1f

SHA256
61b41063100024e1e8e9a9b1292711a789b5149af7d98493295ac36f79fab0ef

SHA512
61319db30dc4124e51deb941bebc818b16044042fe7850baff358bde73617ca4efa9a1ec0c4294d95efced8647d18a05141d308eb4657432aa2aa810be8774f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAQU.exe

Filesize
158KB

MD5
46b45f0270116f268ce128ed78604438

SHA1
c745ae73e2e264308a0c6d761c2b68bab69ea174

SHA256
0cbc950f84a82510a38dc0a74c8f848778eee67509b20b7e72dc9c70a2b04dae

SHA512
9eb79aad9e41601ca9a461c82f81341869568c3a2ca41339aded82d55b751cf18d1ca521edfdfad460a3c2e4c3f7c0dd6408b255fca465714ec170de9a3b9e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQYE.exe

Filesize
158KB

MD5
d9fb350511731da95f89a6ae723b22db

SHA1
02b3821062597788f55377d9d6d905f1e2680c61

SHA256
33921ec8bb9d3ed0951d6965e03b5de3af0e80022d22a2daf20c10254a710264

SHA512
3c6e8eb80202b3044b710f2630d008eecf55eb1cd3bf2855fb7c587be51a6aedef3eaa1bb1e63a71af7fa13651f150b6503e798f599b715ff39528811ee676a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQsM.exe

Filesize
157KB

MD5
b5d36a4deeead98fee54dd6a9d3e0a36

SHA1
ba8de883a66899c47e7c3e862a84a2f3b887f98c

SHA256
eb4e1972f0874cd66090e136f93f511912ea1f485dbd8ece499ad51b661f10a2

SHA512
375fc498f9177169e0746df50fee232f0e6a1255a5460d5fff296029786865ce3a689344f135bcbbffde64106901ff999baebce157b856a174d745c92d97ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQsi.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucAM.exe

Filesize
157KB

MD5
a5ee130c32ac00a80e35a1e6f419a4c1

SHA1
4f7d192a1de8509a9f6b07167e259755d09b79f7

SHA256
163bd7c538398e3f200889403b26384845db70da2f15709c357b3109ecf40bd6

SHA512
f30f04a1b920ab2e72fc1c478bc60850dab17ce34c7d6dc316b621c3c4906c27c332f082e30405358afdda11cdf0ad1b4b03e31d897bc5151350c7019636783b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugEw.exe

Filesize
153KB

MD5
27551fddf983530f9574206b24d1a12a

SHA1
dd9ed9420ef1d889609ea63a504155927761cb3f

SHA256
8e193a36d9fa6409ffa3ca24af35a501b8239db53df02098e470fa4aca4f9cec

SHA512
a4100cfcf47b6e220f9bd76ddc8911f730add7607a3ae31f62c2be03265564eb9f7e3889dce0e2f4e2f362a48e32d5e03d1018cada0347f342a5467299d5b494

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoIu.exe

Filesize
155KB

MD5
6203cbfbe600b62a48c8f73199cb47a3

SHA1
456a521503b4c412423ffe2a5d759c563642392d

SHA256
789655f2e9351f914c19ddf080f46b8cee874a4a388e2051305b27cdbc98571d

SHA512
cc42b0b043fdeb2e53def37174222e2f8640c39bcd1e0017f9fd67d50e56a815c1c0e8dbb88ecd452710c5db586d5a5bc9598ad038545d571cef51e984e489ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\usMcsYcU.bat

Filesize
4B

MD5
f61d3722a64645ca040d60ed6deb3c00

SHA1
4e109012a42201c9afb2a4aaeab1b4c00afac8ff

SHA256
0f02a8d4d3846697a98220e2cf7d675025e1875abc4bcdc5994c9032e5424128

SHA512
b6bc291ec9c8591bf48f359a451a03751f811cf2817ab6b7a9a3b035e7a16cdc59b0ebadc3e1060805412c1d644fa9787414e7dd694f50ac35a00d133129f470

Download Submit
C:\Users\Admin\AppData\Local\Temp\usYC.exe

Filesize
159KB

MD5
709da3f8ce76fc6734cf49fbe1519c41

SHA1
9ed7ebabf146d9a0fa31f75840ff1e7b461bd6eb

SHA256
a65e434f5b4600a9afbb86320a72e8ef80e1c4670bd8be1077c697758251608d

SHA512
b899420caf2bec45c2d4ec5ff1a07f71f6ae89c906cd8bb20bc5076918fd80f393281ece251eaa075c92537864d23613f7cd5e6094bac107848c9381892aafc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmgggwwE.bat

Filesize
4B

MD5
a57de6cda0205f5b381a536cdcf1a8a0

SHA1
990ece455887e63198888717364039fa422015ee

SHA256
e2d04596b16f728bd73e03629c138111f69e0ee2f4c5c020e6d08c14532ce959

SHA512
d883db95002bd4f023169376bcdd1e665e543ab5b6eeafb9ddb2f5f74782fb49d09e7911b98907266497fa90832d574ed0b8119d72ae75a8c2e931e25c2d8ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEEK.exe

Filesize
138KB

MD5
34310d268d6ad5f7b76be065c1c13079

SHA1
dd33ba9b19e8440fb4375d9c068b3c281c579b63

SHA256
5dcea7656f6c69de6c9228be12ff9fd1c64f83bf75571c3f179d8a7a5e48b4e8

SHA512
c0d191c9a235d3526d64bf0332993245fdc826044133b54e895cd4b8efbf681821da8d2008e0276286c9a19cb914b5f3d3d0364c167eeda3a6643e160ba1127f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQMK.exe

Filesize
4.0MB

MD5
0ead4bb4d710192dcd53f6469ccb7ec2

SHA1
d7f66729ca1472367ecbc20e0e04ef410619ea1e

SHA256
f8daf0cd9bf24e2519d61744bb17030e24e01ecd3158d252f215cd3739955e4b

SHA512
6625f983955cc059e8c75344b706baab7678ebb306d2f80130137ed0de19d8b5c030f36a6c93bdb4b50d4ceccd04fd7e0a0a7785a8365827bedda7b9205294d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYIG.exe

Filesize
1.2MB

MD5
6e09a7014f75c9e3a6454ee7e546b8fb

SHA1
13c820975ee9b01a81412b3f8dd9b95040903007

SHA256
9facf6921badd4d2519f3ee1d91b948ed4b6982232deda6322ed2e6513534a61

SHA512
f2ec28b2f0158193ffd9b364db2c9e2a39bbf3e49c63ea4a9171737f13451b81b1b4b9e262929b92f40f1d93092324e2fc7c9a6cc3b5ec40909c2af5350d084c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgwq.exe

Filesize
134KB

MD5
373f6ad458d1655680870ee91fa29e7f

SHA1
c01dad4f8afbd3711ee5dc3c983a14b89cefae6d

SHA256
72afe12afb0a35a16d284b5718683aa8112c96d511b34a43fa12b8a35836a03a

SHA512
a7cdb259b420607ce10d4c028ba05b0388386ae1a69165e2251bd6f4ff77d21e7dd148df7136aad7a14bbe9f36cb17a4d5ca2a79c9150d7108f8b3179f009c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwckUYYc.bat

Filesize
4B

MD5
c31082431262fae3a5b45a812f05ae0e

SHA1
02984381e3962df11f21a41425930fcd7bba3e48

SHA256
aafed41a92dd25ae1269f8873d0b04f526ce8b8a586fd8f8ca2cd40a326581a5

SHA512
dc1df1f3f010e29cf1b1d48ee5305c660afe5e409f8805bf7d6c7a0998c4266450485a55894127a2fbbc3f2240e4c6cc9b6c78c1934d7d49b4c2cb27cec41936

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEEG.exe

Filesize
239KB

MD5
f190d4bb02017570369d5d2247cbcf23

SHA1
adda1a0e18c66c7ef912cae750014a38d15c6ce8

SHA256
93ac8c509bf1ba86455fe399d115c960a61891f76b5295cb1013e86c1c315561

SHA512
a2ca6073b1cf331041ddb4a2978cd57f1aea6dab0afb46573f6a091ed3555065422cb9392e06fc67ec1de8f618b91c690f7ceb77cbacd5642c7d8e1e0c985640

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQMm.exe

Filesize
237KB

MD5
f263974f71446220790167c98f402479

SHA1
55323aba07a9299b2c6ef5813a64b2e9a03bb21e

SHA256
ab1b0f351004201585e165321490c124153bf392442fb8e6bd120f0450766af1

SHA512
ff6d8b1e0c5becff98889c882f5abecbb0c3aa09efea9e64cbad601f8f8933289b43c825ead3c6a02a1118e44fd7e5d57065ea36099de38b70abbb5c542b8b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQMm.exe

Filesize
159KB

MD5
d680445ed5610f42c6407f17b3ad436a

SHA1
334eb66a1f6804ffc34e72d6502e1c96acba4f7f

SHA256
926de4982e06fa9b4c2881ef065b02dcba0711cbfb4250622d311cfb6e88ad19

SHA512
d9bf389a0155f54721a2f73ce2135345584cb639185c95b2fd96d9f603037a2fd06690a99ccfe1b65ca4adb18ad32ebfd6df8dc561dea9bcca757a71a37569ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycwW.exe

Filesize
566KB

MD5
41e70e6c52e2e3dc35d3120e1302f7d5

SHA1
c3242e811f348d757ad802d47893f0802b1b8d1f

SHA256
38298d710479de59846d68e4fe59f7745a97cb2b5a6412a1a41cf5eb4aba0687

SHA512
c6af109012c952ae92f2156faf19e363a026051ab78b4e0914b9844f1018a1b6d9e2c0be830e0f4f58ac24cf872ff4ffde597d7ae54d0b5162198e75db979f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycwa.exe

Filesize
1.7MB

MD5
1d00174f502b0268583edc7b8e927bd3

SHA1
57a72d754528594446a11ffa52f21976d6efdc70

SHA256
fad49e65677fa252f168eba4048a798a87874f5760e7ce15d89eca3461ce6a17

SHA512
099b6c2ec8ae15a4b26e3b7173ef5c3739ed9291a2cc606397b74bfdbd5a0c540c1950a8eba1ec360d40e1a58c822deb0e3a555ddb127748a700253722a0c359

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykgw.exe

Filesize
159KB

MD5
d0467b898de46d1f751aff423e4d0e71

SHA1
5ab430665d9f038f0165faf8dfec3b3f7f23e362

SHA256
e806f2520102950708007e945add7971cd5bb18043b2d5f539682794a189be16

SHA512
8de31df3cc8f0bcbc7af3aa0bb33b802f8afb2306455900f7ca13e994559061a2f9007aed365b76926917693f983c87850487c33e8d238803f32b589ab50bc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yscI.exe

Filesize
159KB

MD5
d4481948ee37ed27f8c14d5759224def

SHA1
79a80c05adc782e15fdd77e1cead331eb4878bca

SHA256
c5596f347603cd9f3ac0a80fe96d3f4848117b5b483ecac91dc678ee60c2dbc8

SHA512
f0ab7b6b678b92c772816c00e2d7947408dcd7a997282bbb2f0e8fc988ead57ace0f5f4c5b8e530bc928444c864815834facde805d98a50e58cf31a6a9996813

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAQgIsUY.bat

Filesize
4B

MD5
0d12fe7d1e4bb1bd222151b9dcbef7f3

SHA1
a5b6dd94813994ca04cb77d017378ce4f056bea6

SHA256
a72f40ab8a0616b4c0333015ebeaf68090e67fbd6ee463fc72f853e10af69ef7

SHA512
02289961864551acdceef2704aba8c5ba287dc973a52c3e04f1840c5f03d5c4297efa4de5ea4554d6586ad1adeeead46b781c16559ac70b9c4c7a8dd18a2f984

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\lsswMkIU\WmAIgwoo.exe

Filesize
109KB

MD5
003c069194ec3e27474ff5c9b31bdef4

SHA1
14fd5174246b547d31e79e6e233e0fced811f5d4

SHA256
6420d8998d69d986d9c2d422ad9e516bdba0ee0d60e6aac648e3d3acfb739fc2

SHA512
3ad8df9d087d09d691e8bb8e468afc6ab97bbb263388e3e03d578477b9b1c7efcbcf8cf3a3f1b5539a24a118d4535515310ef245064920898ff25818788126ff

Download Submit
\Users\Admin\lsYAQYUU\WMscsAAY.exe

Filesize
110KB

MD5
c5d750844c552eb76d5cfea62d79e577

SHA1
146fea7c4eae2105a27331ecdad575f6a47b5d92

SHA256
a0e0568835b65bdebcbf397f6630dca1309fc179dcc7661031fffd35e02dc2e3

SHA512
0577afca82418b6c7ee35569364ec7c31869c7702ce226f37adaa0a5f861bd3c1dd5371c343348e98bee34d513ed3eb6b5244a573ede0cddf296356527dee610

Download Submit
memory/236-1008-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/304-1649-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/556-98-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/572-1786-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/992-1141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1072-207-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1172-1706-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/1244-749-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-1718-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-1627-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1268-1031-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1272-391-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-76-0x0000000000810000-0x000000000082F000-memory.dmp

Filesize
124KB

Download
memory/1356-1626-0x0000000002230000-0x000000000224F000-memory.dmp

Filesize
124KB

Download
memory/1504-107-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1504-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1512-700-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1524-763-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1524-916-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1532-370-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1548-409-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/1548-408-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/1636-1118-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/1644-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1652-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-120-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-2169-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/1716-1314-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/1716-785-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-1489-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1780-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1792-129-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-1828-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/1896-1895-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1944-678-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/1952-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2024-1774-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2024-1850-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-1584-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2064-1920-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2068-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2080-1491-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2080-1490-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2112-410-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2112-481-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-1402-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-1513-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2152-556-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2160-1239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2160-1119-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2176-1400-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2176-1401-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2188-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2208-361-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2356-885-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2396-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2396-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2492-432-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2528-2087-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2528-1975-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-2165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2556-326-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2608-1558-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2608-1559-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2660-1338-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-1217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2680-1424-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2680-1316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2712-1315-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2712-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2736-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2736-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2748-54-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2748-339-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2768-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2772-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2788-459-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2800-1215-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2800-1760-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2800-1216-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2808-2074-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/2808-2075-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/2916-565-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2972-1987-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3008-250-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/3048-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3048-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3048-17-0x00000000003E0000-0x00000000003FD000-memory.dmp

Filesize
116KB

Download
memory/3048-22-0x00000000003E0000-0x00000000003FD000-memory.dmp

Filesize
116KB

Download
memory/3048-11-0x00000000003E0000-0x00000000003FD000-memory.dmp

Filesize
116KB

Download
memory/3048-12-0x00000000003E0000-0x00000000003FD000-memory.dmp

Filesize
116KB

Download
memory/3060-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3060-348-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3064-272-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/3064-273-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download