38f8ab30ad8b455fb43a8ac3f067270df8a694aa25a1a3f1fe1b25e0175ac99a

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Size

110KB
MD5

92f7d5f7ac3f057a1327549922c438b5
SHA1

7121142f80d0abfccf9a99f6d3e4fa071a760075
SHA256

38f8ab30ad8b455fb43a8ac3f067270df8a694aa25a1a3f1fe1b25e0175ac99a
SHA512

05bd1c7241a0594cb069ea63bac206c181516b5efbd137cc1f7101521fc6ec8989997993edd2ad97ecacc654e6cf2406b872ce0f459b5bf147e535b4da91186e
SSDEEP

3072:4yn7YTtqpeACe2whxxQHmOVM8kfebUb/7BXmMP:4OYTtqJCBIxQHmOVwfeS7BW4

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	XasgIMsw.exe

Executes dropped EXE 2 IoCs

pid	Process
2384	XasgIMsw.exe
1788	bCkkIsQY.exe

Loads dropped DLL 20 IoCs

pid	Process
1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\XasgIMsw.exe = "C:\\Users\\Admin\\nUcIwksQ\\XasgIMsw.exe"	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bCkkIsQY.exe = "C:\\ProgramData\\bWgUMcMQ\\bCkkIsQY.exe"	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\XasgIMsw.exe = "C:\\Users\\Admin\\nUcIwksQ\\XasgIMsw.exe"	XasgIMsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bCkkIsQY.exe = "C:\\ProgramData\\bWgUMcMQ\\bCkkIsQY.exe"	bCkkIsQY.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	XasgIMsw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XasgIMsw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2012	reg.exe
1700	reg.exe
1992	reg.exe
388	reg.exe
3048	reg.exe
2580	reg.exe
2748	reg.exe
1752	reg.exe
976	reg.exe
1548	reg.exe
2788	reg.exe
2240	reg.exe
1480	reg.exe
2832	reg.exe
2908	reg.exe
1580	reg.exe
2728	reg.exe
2912	reg.exe
1960	reg.exe
352	reg.exe
1964	reg.exe
752	reg.exe
2548	reg.exe
2736	reg.exe
2764	reg.exe
960	reg.exe
3012	reg.exe
2484	reg.exe
756	reg.exe
1932	reg.exe
2292	reg.exe
2028	reg.exe
2576	reg.exe
2812	reg.exe
2456	reg.exe
3044	reg.exe
2164	reg.exe
2460	reg.exe
1012	reg.exe
880	reg.exe
1708	reg.exe
2176	reg.exe
1968	reg.exe
484	reg.exe
2472	reg.exe
900	reg.exe
2736	reg.exe
2028	reg.exe
1576	reg.exe
1572	reg.exe
2736	reg.exe
1092	reg.exe
2864	reg.exe
560	reg.exe
2420	reg.exe
1580	reg.exe
348	reg.exe
2824	reg.exe
848	reg.exe
2484	reg.exe
2332	reg.exe
2196	reg.exe
2100	reg.exe
2364	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2468	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2468	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2984	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2984	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
376	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
376	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1796	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1796	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1936	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1936	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2636	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2636	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2804	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2804	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1220	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1220	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1084	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1084	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1340	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1340	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1500	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1500	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2316	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2316	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2712	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2712	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1652	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1652	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1188	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1188	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
348	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
348	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2648	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2648	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1892	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1892	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1320	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1320	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2240	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2240	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1576	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1576	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2276	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2276	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
3036	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
3036	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1488	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1488	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
3008	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
3008	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2108	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2108	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1668	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1668	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1992	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1992	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1892	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1892	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2208	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2208	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2384	XasgIMsw.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe
2384	XasgIMsw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2384	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	30
PID 1588 wrote to memory of 2384	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	30
PID 1588 wrote to memory of 2384	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	30
PID 1588 wrote to memory of 2384	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	30
PID 1588 wrote to memory of 1788	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	31
PID 1588 wrote to memory of 1788	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	31
PID 1588 wrote to memory of 1788	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	31
PID 1588 wrote to memory of 1788	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	31
PID 1588 wrote to memory of 2756	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	32
PID 1588 wrote to memory of 2756	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	32
PID 1588 wrote to memory of 2756	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	32
PID 1588 wrote to memory of 2756	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	32
PID 2756 wrote to memory of 2848	2756	cmd.exe	34
PID 2756 wrote to memory of 2848	2756	cmd.exe	34
PID 2756 wrote to memory of 2848	2756	cmd.exe	34
PID 2756 wrote to memory of 2848	2756	cmd.exe	34
PID 1588 wrote to memory of 2912	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	35
PID 1588 wrote to memory of 2912	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	35
PID 1588 wrote to memory of 2912	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	35
PID 1588 wrote to memory of 2912	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	35
PID 1588 wrote to memory of 2812	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	36
PID 1588 wrote to memory of 2812	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	36
PID 1588 wrote to memory of 2812	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	36
PID 1588 wrote to memory of 2812	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	36
PID 1588 wrote to memory of 2752	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	37
PID 1588 wrote to memory of 2752	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	37
PID 1588 wrote to memory of 2752	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	37
PID 1588 wrote to memory of 2752	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	37
PID 1588 wrote to memory of 1056	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	38
PID 1588 wrote to memory of 1056	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	38
PID 1588 wrote to memory of 1056	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	38
PID 1588 wrote to memory of 1056	1588	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	38
PID 1056 wrote to memory of 2748	1056	cmd.exe	43
PID 1056 wrote to memory of 2748	1056	cmd.exe	43
PID 1056 wrote to memory of 2748	1056	cmd.exe	43
PID 1056 wrote to memory of 2748	1056	cmd.exe	43
PID 2848 wrote to memory of 2664	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	44
PID 2848 wrote to memory of 2664	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	44
PID 2848 wrote to memory of 2664	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	44
PID 2848 wrote to memory of 2664	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	44
PID 2664 wrote to memory of 2468	2664	cmd.exe	46
PID 2664 wrote to memory of 2468	2664	cmd.exe	46
PID 2664 wrote to memory of 2468	2664	cmd.exe	46
PID 2664 wrote to memory of 2468	2664	cmd.exe	46
PID 2848 wrote to memory of 2804	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	47
PID 2848 wrote to memory of 2804	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	47
PID 2848 wrote to memory of 2804	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	47
PID 2848 wrote to memory of 2804	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	47
PID 2848 wrote to memory of 2788	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	48
PID 2848 wrote to memory of 2788	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	48
PID 2848 wrote to memory of 2788	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	48
PID 2848 wrote to memory of 2788	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	48
PID 2848 wrote to memory of 1228	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	50
PID 2848 wrote to memory of 1228	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	50
PID 2848 wrote to memory of 1228	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	50
PID 2848 wrote to memory of 1228	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	50
PID 2848 wrote to memory of 2056	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	52
PID 2848 wrote to memory of 2056	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	52
PID 2848 wrote to memory of 2056	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	52
PID 2848 wrote to memory of 2056	2848	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	52
PID 2056 wrote to memory of 2300	2056	cmd.exe	55
PID 2056 wrote to memory of 2300	2056	cmd.exe	55
PID 2056 wrote to memory of 2300	2056	cmd.exe	55
PID 2056 wrote to memory of 2300	2056	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\nUcIwksQ\XasgIMsw.exe
  "C:\Users\Admin\nUcIwksQ\XasgIMsw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2384
- C:\ProgramData\bWgUMcMQ\bCkkIsQY.exe
  "C:\ProgramData\bWgUMcMQ\bCkkIsQY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2468
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        8⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        10⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        12⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        14⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        16⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        18⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        20⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        26⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        28⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        30⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        36⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        37⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        38⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        40⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        41⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        42⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        44⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        45⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        46⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        49⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        50⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        52⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        56⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        58⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        60⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        62⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        63⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        64⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        65⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        66⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        67⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        69⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        70⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        71⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        72⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        73⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        74⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        75⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        76⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        77⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        78⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        79⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        80⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        81⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        82⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        83⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        84⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        85⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        86⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        87⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        88⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        89⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        90⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        91⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        92⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        94⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        95⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        96⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        97⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        98⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        99⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        100⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        101⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        102⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        103⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        104⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        105⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        106⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        107⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        108⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        109⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        110⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        111⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        112⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        113⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        114⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        115⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        116⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        117⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        118⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        119⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        120⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        121⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        122⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        123⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        124⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        125⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        126⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        127⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        128⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        129⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        130⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        131⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        132⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        133⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        134⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        135⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        136⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        137⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWMEkQEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        136⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKMkYUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEoUocUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        132⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JegAAogM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWYwYEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        128⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xOQoMsII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        126⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCkUwscE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        124⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ESssIwwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EOcEQQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        120⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ookQggcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        118⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AsQAIEYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        116⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LiokEQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        114⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKsEIsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        112⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VcYEMcIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        110⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tegMYsYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        108⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fiUsgQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        106⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ocsQQUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        104⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GEEscgIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        102⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsgUoMIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ggAUcwUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        98⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSQssAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        96⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCcUYUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        94⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dqcgYYEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        92⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYgcMssE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        90⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\keokkwkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        88⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYocIYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        86⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\COcwgEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        84⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKsoMcUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        82⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CCUUYIUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        80⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FYsAUwEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        78⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tsMsQowc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        76⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RWgYEcYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        74⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQcooMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        72⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YKowwgYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        70⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KoMssIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        68⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gQUQsAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        66⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOYAMQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        64⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqskMEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        62⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LecsUsgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        60⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HOAYMAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        58⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BcgUMIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        56⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywosQAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        54⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMcIcQgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        52⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qkAUIsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        50⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AWwEgwkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        48⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FIAQwoow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        46⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RCUEMckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        44⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZasoIIAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCkYEsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        40⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMAgoswM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        38⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MukgEQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        36⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KGMYEMEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        34⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YiwcAAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        32⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgAsQwkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        30⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\REMowUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        28⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCwwIYkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        26⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xKYcgooM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MiIMcEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        22⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ygMIgwgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        20⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wsMIoMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        18⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sSMAswMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        16⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TYMAssIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        14⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgwkMcoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        12⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FqcEAocw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        10⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\niUYQgMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        8⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2580
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1496
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:804
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cyswcgsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:776
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2804
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2788
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\icYYAEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2300
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2912
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2812
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\imkIwAQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
153KB

MD5
d5e63ec91be1a6df7b4adc5353ccdfae

SHA1
01e66b657aac4d6bd17b3f7eb32a1eb80bbc5f8f

SHA256
ae4588ec7e609d77d47616991263a0f5e69ea9041f384cf8bb07f47c6777566e

SHA512
9e1404de1e18879070302aab7e3af8af22ca3ea07c78ef980ec4f63a658cc34f6fb5317005a278c17a8bad1bc20deb2dc5b3aa66e5818bae9a3a88c7a254d5b2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
144KB

MD5
9201e3198c8803b936d6743472215ecb

SHA1
f9521f116bdf5ed3f82ffff3a93d75dc76c1a740

SHA256
6477127572332f0dbb81f47d25387a20a91939188e187e9bf63c7ded60343e21

SHA512
90d68f48c42a846d1c18c29abd5bbe7448d8b156a1c32fae573508dc7fbe595f6af5189604eb2b86ceb274b3d14b9cce7dd6b54eea99a4a28c81ab29964d1b13

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
157KB

MD5
7161bbccbd3d1c8a1e2a98b84a4289c4

SHA1
9b6acf19d49c82cd52a8bc4128755b91cf73b9e1

SHA256
53059b40074861a5012bd099038a2f712134dd550d62075e1453475f24f63ca2

SHA512
0d282b61f12698b7e2b077cdbebdb13955c58b99cc9d8d3bccf6125a79058eacc0e37db168151fe82e8c514499176cd78d6e9457170e1948bcafba3d819715a8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

Filesize
158KB

MD5
c782acd709edbe001f8c5123476a0c12

SHA1
8d8a44f65b41856e47d8bc1d0742a620e14d3923

SHA256
4a5af7bccf3b75dc6caf7f69b6e5568a5fab5d616ab44c7a4da19f8ead6a8254

SHA512
b4be5bad778beb5476a909467058a95ae043ce286f17146c27264cada0d30ccc6aaa494cfc2f540347a2ddb36e7f8701eb15d45b1c1b3d7662fc99601a815259

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
159KB

MD5
61a07a408083dd132ac9bf00f77be015

SHA1
bd05e50ef85d15f840e78fe1358cbe53dc4573a4

SHA256
4f1d6fafb0e03ba6f8aca7bb235453610fa9a5a7975c48fa1aebcc5d1f889ad9

SHA512
2b52ffdfa3cad53351c583ecf5327ee7f39901510a4b6b9ae149240eddc458b71a8e95521a661a93b7eab0534f299e2f631aa7d747fd9c0d738e501a4f0ade75

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

Filesize
159KB

MD5
ae110ae06b686f25e320283b9367e373

SHA1
d795e20a4b7239ec5b4a59b1dc28585c440c4285

SHA256
e3b8cde46faf06f1c0121d4f90ee5d81543d16f47c097f683793f4d8b09862cc

SHA512
b8ee58c793974644cfe87fd5b2e67212d700e426a0cdce9f935e32bc897dd513dd757aa14b761fce9c55c09fa6d76e0cf6a5ddfba34a486bcb35972168ff60a1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
159KB

MD5
eca711864f18d597870baedab1aa6a26

SHA1
e081f657d8b28876bf6fdff6c19bad63465da81c

SHA256
cbce14c3293aac0d0109a8ba824face1cdd06438399137368469fb1f5c5ff44a

SHA512
2558cb52ec5a235a277743f3ee8f7c98fce6a4014ad6c504248e562cf27fb965064c1b3a5983ccf41c60e4703e631e977205ead0d3ea0b4aa2d13b5fe5a5869c

Download Submit
C:\ProgramData\bWgUMcMQ\bCkkIsQY.exe

Filesize
110KB

MD5
4bdf2b71abf07f8123b28f8f3c7448d0

SHA1
7818d1a8946c6026fb947a2cc64711570aed9aff

SHA256
c36272e5006723e17eb45e33a911ab96c938cbdbe088db907255c588c7c569b3

SHA512
eb946eb30bf46c888f71a14979c249fee39502028ee2523f8ba1b5d2fa53031b6c95743ad9b1a311af6ba3d3ab1b99cf32f73da3dc7e8fdf767f9869775e093c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock

Filesize
176B

MD5
f3489c18d9a2de4a86bc2a10c70572c5

SHA1
52a2330cc05ca0fecb31ddda3db2748eb680b124

SHA256
5acb672d97f4adf4ae8d31b3968a1a17dfa66c35d74a1da262f14c12615d3f56

SHA512
067fb84bde0731bbbdbc616fe49572d5082c6abf3e2f09b5d0ca46ee1c872e485f6a37c9a2729f15c02e772355deb4c71db13a23cd9742e47747a398bc0ab756

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEMG.exe

Filesize
159KB

MD5
2ea7fe19529b2ec7a6e8807532532eab

SHA1
848e56a8469b0837b72cd52a3bfa7148482f6a41

SHA256
13e4b952a0dd352f40342c840b4df07d6da630615a2e730140c04952fa7bdf9b

SHA512
e7b3194689f8543b73437134b4c46204f3e190abea4a10ee9955e17a7f0d4d6d6a5759ec93b4f9b7f4c34ab0e0b27aff5aa11b6c50d746cf6e8650aee9b264f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQcokIok.bat

Filesize
4B

MD5
42b1558a96ebcd9363410f9a2f9c69e7

SHA1
f3b22e76aacd73d2ef9af0f5fda1a18f0135881e

SHA256
38a35728cd793ad8470a7d32886488e47f3b7d6f25c6e623ae847f3f6ea38940

SHA512
47c5dcb6335a2f1ca5fd6a2e160f1772b9ac22ee57dfd2c5a52d23da6661ba3bae2be3520052f057bc282ac7c496d5f1d3514297707283ccf482f5c71fc33adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUwE.exe

Filesize
160KB

MD5
3957fcac9b126b2bd19082148c8a104a

SHA1
a688801a08348a345ac7dcb800353c8e93750010

SHA256
0b65d20682763d12313b4d80c9f0af8aa2258f1f04f0db8e83fef5aca0f47918

SHA512
9f35f76e5c08f837ec826d9af022ccd34936643c9664c050e42b01c0ca43fe2a54e9c99a3dc5481e7a2edaee343a7c68428f673f95bca9b2259c42fe58378709

Download Submit
C:\Users\Admin\AppData\Local\Temp\AskcsIgQ.bat

Filesize
4B

MD5
9cf6f57fe93b892e76440579571cea37

SHA1
4546cce566d5a0400a95db457a76f0bc94c8f765

SHA256
26c933589a8144b9fa5f843f2800aff6b72002098b015aece7cc7b374a8e8a0f

SHA512
aa36ba16922bc78dd4297f843b422bf018c98496ce3378fd369d6cfef4e047195c97144d66e82ae4a06f9dad4644d115a61a5437b6c8797ff22862bf4b770127

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwIy.exe

Filesize
871KB

MD5
b037b584b7e15030722a9a47f1e19649

SHA1
6e0844721d1fd8405d4397dd2c8b6b8086289bf1

SHA256
bb216209120f803387db5d77f857a67b62419852b54054b4cb2e2d9e6e04b7e4

SHA512
289ed3b13d2967acd4ea779719a6fb73ca16da259f7757f8847acb9f0bdcef963549c3de6bb8b5fa6227b5a4ec4529ee988901caf3defe4c00a1a678cc461fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSAIUwQs.bat

Filesize
4B

MD5
c569585fd784486013a9e21eca77fd70

SHA1
40c56c3f31536fa450f2073dbaeb1fa058451f33

SHA256
94022dd3d367e45f0c159ca28c8fe531a6f17aabd2ad8a30eb9240da99666c8d

SHA512
3bfeb6db2e8cad24bc0a12d741e1113fe90df9ad99c1f02cba406b9de5025d2f5218ebac24f951b0192553d4fb5b06c5f53531b6f86e28f899d81942b4e4350b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAoQ.exe

Filesize
155KB

MD5
983be92d34fa5b7cee09cbaca433dc97

SHA1
cb39bb6b58fe024e5b3a19e2a4ba867f6c7f376c

SHA256
c45ae36ee42d8b3f19134a131bb54ae96b9b4a7db6777b15b038e2456ffe2753

SHA512
5cef51f037d8bba3f7614b48488749c3a9fdac1ff468ac5b6aeab888385a62cad16c3c3e72f8d539fbd0faaf91633d143a8e1b7c97e5b2646d00500a441fed98

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQYE.exe

Filesize
157KB

MD5
f55e36321e0e2c5b3c0dbe266ce791fc

SHA1
fe6d7313ca2169cb8d33e06b9a52369279cff1ab

SHA256
8a6cce3816881ab112d79e27ffdec75f58b1a755502c34efee76aa314a7ad413

SHA512
2fc13b4e033b7939ef25484b42c1ed9df46d2dc9cdb0b78e46695e12299b237bb98213563afdd043d3ce3c18c873928e0f61f68c14f1c6ca9de126975369c9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYMm.exe

Filesize
156KB

MD5
0dbeb2c61afc3d6bdb610b7081400875

SHA1
5fe3bd6eb7abd90933f2aa69092e0fc463a16c79

SHA256
776bbb97bf6ad2b8a3eabb8b2fd3c9d9a199c4957115d8b1aaa8cc811d7d971c

SHA512
d5f2dcb2f2c884de173e292065027841718180ea63ef560059249cf8c2c4e0edaebaacc9444d4df58beb1d8c1b7071ec5158ebf5d4ea93df4c392b236f6d6d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgUK.exe

Filesize
159KB

MD5
e3a4d91701749ba6430a02b7dde72190

SHA1
d28c186490fad9e63cfddc5ba70291278d96bdef

SHA256
b6071d744ef4d6e3f768a09d8ee957dc17dd3d4b472e1ffd26c7b13090d45c77

SHA512
b8cf0eb0a2dde25727b2144e99dab5ac0f8a8141f044aeeefe0fc4d5a87ae5675a923551faf27d4867bccbd659ae995aa7e62df4af639669d0867dc14e7a2430

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgUu.exe

Filesize
160KB

MD5
dabc76c812432c47c3db2e1d1feff2c5

SHA1
2f11b11849bc6ab6f9a0f620debbc3741ea25154

SHA256
95997b59971378f7fbdc2ed4ac90a0150510792faf7858a9d0001bedc1bdb004

SHA512
f58c2400e402f45590162e6101578a7250d66c315f4c8ce096682b95bf86ce13dea010560b0c7fa63799367421c99f0947ce8f60014713ac2c769f7c2b893cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CyccIUoQ.bat

Filesize
4B

MD5
5ce8604b9de9cdad6255574d18006456

SHA1
a4da3c5c80007b3fb951d5914f7bdc2d46a33cb0

SHA256
52d29cc685f675ba8b56518f092e70fe255e1bf84ac2c70d1120b663e45177e5

SHA512
4f41d0c093cc2f93364874403fd5bb62c94a5a2b09569c24b580835ed3417524c47e66983e03a1b84a7cb138846aa8cdb0ec56ff372a4285725ae97a29460e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcwMUQQU.bat

Filesize
4B

MD5
db37b716ff912308cb489d3e03883758

SHA1
5885908f9b1f478e9ac179d383cb6c540802bb5f

SHA256
5f3edc5e6bb8768e4cc778e45cca1b9ba8224bd4791a2e54a38d775ae4f20bf9

SHA512
eb068d3e5d301908ad464887a59310c16152c89a88162d11597d0c240dd772e6e9e39fcbe521cd5a8ff062a86bc164ca4afba3d6150968f315ad03e9b434dd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eggs.exe

Filesize
557KB

MD5
18fc6641ee0af58356e860f9a12765b3

SHA1
7305d4c19ffe0e005a71ff5e062193c12c1d03e0

SHA256
242d11ed4131c49da41d4dd9f1fbbf3ed1188e4fdf94ac578ad0327799923a3e

SHA512
4d4a6fedb504139e8314e7dc8a664be230212d3ce18602ced58e5738acd2bac641b3122affa738dcd56d85f4d48ff112745ef9898182ac4efccaf92290af55d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgwM.exe

Filesize
565KB

MD5
6a4ec398d614eb5b882042e56e85d970

SHA1
c2eb8d3dd4f6ae0b81bc01c58b28cb73c1799d11

SHA256
e8943bd0acc7cef7dceb619cf99156df9d585efffc9d4b55ce323a9c761fdbd5

SHA512
09414872178e0ac20bceb759d3c2e317dddc6ec98d262e750469d83d65498754d63f2aa7475b4b3c4d5be64df302794fce96b8b2e21dd134df01fd74729e498e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwQK.exe

Filesize
157KB

MD5
6af6f04da84ed9b7b87c474ec822d2b2

SHA1
71ff5076a8dfdd6be77329335225af32f2e9f06c

SHA256
beaabb005671a6dd3c8b4cf132933f39d31c2fc1c77a01b7a9e5cd6aea5d26cc

SHA512
96758cec380276e042f2d5b84cc24b4e358b6477776c7260262e24f7045f912943aca7e0ba820cb19b5d1bf95ce88a5d21b40406d99ef3a94eb6aef08243dc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwwskUco.bat

Filesize
4B

MD5
467ee3d0d05110b783afe2dbfebad6e4

SHA1
1f0024d4faa4d162400ba7f3c21ae8c779d744bb

SHA256
9de3926915abf9ed8b6be4277e10c22b37dc96196c9a6ae5d17da5ad92fd381e

SHA512
d4694183b8d8f2c3a7519e73c101aa0b8a9336022a4d39c5cb90e687410eddd89e33cf53f043bf630e6195e3844dd4a5b2d24910321c38595250b9255790771a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIwEUMAY.bat

Filesize
4B

MD5
3e7232cf5386d72be0f915e99da4d3e3

SHA1
345729ad2bf5bf02ba70b146d7d60b6018dda353

SHA256
c27c4dc29e9bfe908607b7a940c58925e7ad6670b01c6ac36b61178aa8e8d477

SHA512
a8b1ecaf2dd1c7bffd343e7873b6df52184889954fa279378844950b68aed2ab84449a4e6050532d1d5949f4b0ad493254d3f38f207ddb9d214f5b0c38841feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWAgUYQA.bat

Filesize
4B

MD5
ec1b69a304ba5e101a0d82ea4af74da8

SHA1
88057413b06fb92bf73767f65fdd72754740f514

SHA256
37100dac41c5fac86bd14b7ef536bfaf0fbb3a55a2384b9c9661ea40504c3d29

SHA512
601a7ac5f33d3ec7f79e841e376f7ad07610d04d7e9418efe61a6019f7e6cceed67a12184ec3a822acce41fdb7e13c5ab5ef04abe33a07cf2c79ed9138fc38be

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgoUAsMI.bat

Filesize
4B

MD5
327e0b1731167036bcdc0c1f5335953d

SHA1
83747aa29584f89c1bbb30afd08d8010e7cc64a0

SHA256
5055f57c2295bd80f73fb90c127ddaca1e236b2a55ea21d8e8c06a2c0d021ab0

SHA512
34096982ac0e80efe58c61cd03dfab7a5eb4ae93bb6219ed52ba743050a1bc488fa5a3df6dd25bbcb7c68ec588d7b7ab05c576edfd79a42f33a949af4b08276a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoYgkkAY.bat

Filesize
4B

MD5
74945fb6c7978dab8490bb6feac06dee

SHA1
046082b4fef3b36c3b6234b1a3e3e4dbde945c1b

SHA256
907d98999194ca690666eaa130f7991eed9c8d68c6f1b604173f486fd511f7a7

SHA512
09c674816f68844a42f201fb0b0673c544c148fdf45d5808e41dc39932c4a0d90f8b999c5f639f079ac6be3faad4d922c63adaeede0a54b011a55369e8c21b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEoO.exe

Filesize
161KB

MD5
d875a765b5f68923df1c7513f715b6ca

SHA1
e8250718b3da8c4bbba394652329eeea7b59720c

SHA256
8e75b135a3da6a1343ab24f8e96bf3f9079730cad83174cf3b7a11c4111ce129

SHA512
5fc166b192f452f9f8acb5c2e0a2ef585ce2d5feb3f6d552d22405085d5dd6ce774d1e648d9875c087716372353d0473f5fc7cc20808ae214f9c68002b463a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwUU.exe

Filesize
158KB

MD5
8b4748d2e9f6b5bdcdbc93fce8cbde1a

SHA1
2eaa8924b872fe4f90fa3222f315cfcb08a5dd19

SHA256
0a78f613aec349c7515e13be6935626be70f3c7f8483f301a40d901953b922b1

SHA512
70b26dc58422f38bc79ff21ea90e6b68c06cc260b8de3adf4f58cf10206c1092cd6892abaa68a9536b3f83b5ef9efb9d0f5cfe42d4b90b37c9709be9f90aec4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSIQMgcw.bat

Filesize
4B

MD5
a564423032d5358dd9bc2ae7bcdf5580

SHA1
843e78c905bad6e0e94990655776f3133f48158a

SHA256
7ee6a0d43ed8ad58bb998d9203accdcbb92db17c7d7782d23cd858d249f547a0

SHA512
2339205fd5bd9b77ebaee3416bc3aae1c2c00d63304693ee3aa7e2dc267c66badc1606d3ac621d30a0f7075fefbdaa359c3505e785bd7ff394582f1b4de45ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWAoEosI.bat

Filesize
4B

MD5
242856d4272ed9015fd7a39d450e70c7

SHA1
744bdc9c4fe277c06e2ef790de001f334e61268a

SHA256
b6b954dddc8f3216f63e719e3a5218dc7b75194d6deeb712ea39c2a1efd7e48c

SHA512
5e5cc416408494de4bf719ea2f7626985e93c2d43b252af1f1514c95efb2ba0ab5b3053b6eb4a2e288545716cee28c669171cce8333e4c65bfa5172ac0dd64bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUwY.exe

Filesize
160KB

MD5
a16cb04c0f2bb8f758caad54f90d95e1

SHA1
da01d6a8c9335d6625352b9f50778aeef5aeb6a1

SHA256
210e31dc1830534466bb6b09a29205d072da17433ebff65adf30adaff65e9a19

SHA512
d5f9680fc9ed5b11f4eb4f40b111f32899c4e03d003e43be131324add5e6b341d9794d895b719aa15cbb1a7ae33c7c6f1a98f9ed0f1701cbd21281cd98513dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IggcsoMc.bat

Filesize
4B

MD5
f6301b3005086bc5facb0315574871f5

SHA1
94e2f72b4422dbae7dcac5fea2e8321d9cd73f17

SHA256
50b19fe5e5bbb695b69178a424fafd109c9f5066b7888b3b8d2a33b4588488e3

SHA512
5093325501fcd5d5224ae14f2bad8ed59558371335726550673f36fe840d507adc1a6c99926c73dbba56c06df562ae0646ab4efa7d85a23490ce29385d005eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IikgUIkg.bat

Filesize
4B

MD5
75d20dbf6eac5e4ecba7cc2c5f494c22

SHA1
8fa7f50b6212639e333b2ca235dae51a28ed5b50

SHA256
0103c56d129062652ae79a5c3246466903cacef9d866e8fc748caefda54cad32

SHA512
8146ee462103c112b27ef0294a2a8a74ec335a800a99887af202b32bc6682fd4fa8a061e7025d06a9884fa52ac6fb5e001a1642b12091e06ca80e741df53303c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IocwwMII.bat

Filesize
4B

MD5
8a6e3117cc01086007649aeb5c49c2ee

SHA1
1668bd18e920f67bdf0050997a6a54ff876523a4

SHA256
9d0af47837e854b80bfd3bae6d12270365aeaa2812f307d4f9c6bff0f24a6bfb

SHA512
d89cd2c24f64274492ce9af37967f6c1e6fbacfe225494c936062df3289564b5681e8a61e60d20dc3c326d8d8bd9919b5d5a204641d6ee3ecb0e23a8b1a974a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYYwAwMc.bat

Filesize
4B

MD5
aa8031572decabedd497419353fa8b73

SHA1
352e0e45be380871b615a8a8ba64a3251ded8ef6

SHA256
9f3a01c905becee6904cad9865a906985345377706231679e170ad0d9c3250be

SHA512
abbc8088cd8e84f3ca86886e046fc7fd12cb2162ef721a3e16297d29ba4e4a93bff7a94cbab32940ecdc1f8e2e609cba3c8400caea56cdd3ecb6f2a632031106

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQsoMUoc.bat

Filesize
4B

MD5
ab2e3d4accd112bc8b2d4f5ce5abf58e

SHA1
115d166a56cf642b2b13165c47e974102e5b80c3

SHA256
890f28698abea047ee31e3c17ad8267d36307d8b4c45b0ec3b2d63eb037a19b5

SHA512
d7f21a29a673f61f0ee599522a7b9f745e391aa1980a54b5cb3814e059b3bef56d45e52361dd3f779bf655a18bfa1a1e932f3d20e1d8f3f126b652c9def2506b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqwsYIMg.bat

Filesize
4B

MD5
976d91b6f245884cb379573b9ca225d7

SHA1
c565b7ab3c5b402a64c5ec4e905c7876affa00e0

SHA256
9bb99c9d8ae9607e0affb95309d4aafb80faa9b3576681d8d21f49ced3070b5d

SHA512
a2e990355ae960b9f939de027d0560490a0e7c867f6d9d22928908ba67c55e4d188b9e457e81937e30ac505e850d5acab1a2de814ad516891d1ffd751c399fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMMY.exe

Filesize
159KB

MD5
063f908a3128a731bd84342adcc68a10

SHA1
05ee42388a46da0893b3204c0e1f72dee5968587

SHA256
bb43d3ef6f2b57637e0e5a968d8ac96bb76d23f9147040cfb2a8355fd8ff38b8

SHA512
802fb1d8ee1d3da53c5d841f3bcbc23785b1be789fc47c816374f78ad3a055fb9419f15d28a10cc991afe83c1071dd15d111952458bf42d2dd4089b5defdbe68

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUsG.exe

Filesize
159KB

MD5
b56c2e364ad50f6e9cf3a77feb5531f7

SHA1
7f863c9fe81b10234c85d1ec48fb2a3d4318b8a5

SHA256
1f6efb16e9f1f14a94887b9458627c84435a8f438570e7b19763a302a723e740

SHA512
4bda13fd5ef7b36904db7dfbab3c3104f4a795ab0c37890f93dcb62ae84821822db69d0e8b8846759a983543f30b71e6d58dc7c4bda21c8fac1ffea89f3f2d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYwe.exe

Filesize
161KB

MD5
4a835c2b6a7dabc318c7371e379dbd47

SHA1
35915c9eaef67cc6d43f1413204497d4accaa132

SHA256
22c6ae2b89308a9c2fc98414cfe19275601650209f7705ae105f19a683da73fa

SHA512
b21c15ed1042a24b24acb2159348c1571a2b3a79af8cdd8e24b9d56f1c7cce5e4fc3647991f22c235537897a9caad43a571acb6772ffd9a35fc0fd55ab0dc747

Download Submit
C:\Users\Admin\AppData\Local\Temp\McES.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgsG.exe

Filesize
159KB

MD5
1c98503c5d21caa47c26746c9db76f52

SHA1
75dc1b66673821cc9eba62ce4fb508ae2fef7275

SHA256
2091133182abc43204fb1c75eab1f8c70b4bfaac265d67cacaa35cbfe4c0bf29

SHA512
2c09f7e81478ec415091d68b2b5e69df2fc680c0ea2fac489c6af87f7a5e3ab0297e6716ee046044bdc01464b6b355c5c7f4f2ff71ad13049458b29a1a6cd115

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoEA.exe

Filesize
159KB

MD5
eb5fb0ec064fef3bf9d3d7a7a26e2ea0

SHA1
76946eb6d33fdc7c644abb65d1688046e135d0a6

SHA256
d5e6f1826b09c7e8162272893dedaaa770f995dd7182aff6bb5a2daeb3259c95

SHA512
a063c6f92c945b021bba753314c7dddb46eef1645c8c0816bbad0592d1451e5f186460f59e9bfe7bb7bf073369c07de7e9ca9a242bdd922afd97a33d4cec0dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiIgkEQI.bat

Filesize
4B

MD5
a906d59944d79297ab89ca6c97575e52

SHA1
a0c28ababad4efb31b334172a2e29c19e218fc32

SHA256
9f5c9c295db9874400e8ca7b33e44c1ae4551cc07b9ea149efedfbfb415fe9e7

SHA512
7d3a61bb92a3ab1f969ba2c1a9d12296c1cc41bfc4fd28be8d7ddad9d404d501ff93280acdaa103107f28ed1d21d25544c8519743ffd46bd72095b47a63bfb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEIk.exe

Filesize
159KB

MD5
87681005629f21de1cb9c487e654d1ba

SHA1
ad87bcf3d168a1699b21d1d2b6decbb8279b2b80

SHA256
84b182d229513c2099ad12c6abef50b8f96d61840a17dda4a1d7b68c85fec697

SHA512
b552554b1df66325077bf698444872690962d47ec5c2076b29ccef7a5794b2fde3d6749793c5f184843a4cc0cb48dcc61c26bbd9757a70201e4553feb20f469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEYw.exe

Filesize
158KB

MD5
91e8ae995fce0423e6098837882b0bb8

SHA1
a234404f01f0dbc7fade99085a5c4743dd167c4e

SHA256
6f3fbff4723d3b8bee95a680132725edf5a4f430d48adf8c317576be99e56ba6

SHA512
4b58fe7e1794967cc6756c037a6ace19954093521175ef79d70cca20a774a2cb06de2a483380940625c1287b1cecc253ba5e0a99aa8e110c54ece7e9b064c7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIgoEooU.bat

Filesize
4B

MD5
f4693a2ba6120dd24b81c33bc5ecef23

SHA1
7b0fa416c6b8593d9f175c3a3165436a927f8f88

SHA256
8c28b87cdd68b49e3963ae8cd52237d12c715650c8d3e355afb1c22ca1bede84

SHA512
7960a526c68b88eab7a9440efb402e0335cc3ba2a95a1d1e43aa027ec481632a5aebb3e7712cc221b97682ade4d7f0267a90e42f0f81e7109e70e1df45f0b13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQEk.exe

Filesize
158KB

MD5
c93e04a7ce47bfe5dcd9bab145908d25

SHA1
29c48a007cdb01cc7758b79eae26ca500c87ab59

SHA256
85fa019c7d2abb0758840e44a4a6391585bb9ec13a15a21f70d7e09749ff1cbd

SHA512
727f9b044cb79d096f6ff8bafca60313284bddc41bb90db814ca2635d74d354545baca1ac591c41a11b13b23658a1a66014bbef6815cd48eef9d4e1e068eb583

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcoG.exe

Filesize
158KB

MD5
49cf8cbead1117771f64e8309be14177

SHA1
bd46297eab1d048dfd46b3e74468c9e37082f796

SHA256
32e5b247c837d30dbcfa8c7f8f32a30bd10e306d212459d053012fdd6e59c2ce

SHA512
90b10ae24a68d09c75a8ff0a5638f23da5d2f995abe2cf3608a343bd7f024dfc2f0274d2175370028d152aad444013e8584534c217a2023b8f2592ebe0d37d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\QogM.exe

Filesize
157KB

MD5
60de109fc8d4a51fa40db25e84c03d98

SHA1
fc808148107defa89c31e8cbb21efb2d0c3f585b

SHA256
8842d82a6b23fb30f01e3c2ea8e6610c7d6b46c63a0f574b1940b1638bfbafa7

SHA512
09f649c6a9669c925df4306f429f0629d0f8a0defef17a90619c5166ada95e036456be7e00b9c21cc3208fabeaca9b1a7779c10face45638a9c549d9c764e0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qowi.exe

Filesize
158KB

MD5
b686f2368f8a91c6965b663e00d34231

SHA1
c535ddb1dbc5ba15a5f101125835230cecb291dd

SHA256
607b0d690f952dec574903646746c33d88a8e8177b00a091ce161e8587cb8a81

SHA512
19d5cda4d5d683af78c60db1a3cc75916090d105d3df622adc493dd0f09542ad3d1920193138e4fa1d27cf88ea4ce8599c6a16c7b52bd88f3019152d3ba406be

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEAg.exe

Filesize
159KB

MD5
3afc426f1091feca52467eec703eedaf

SHA1
15e546416c16f7c6eb74b5b0b3448460b2c9f63d

SHA256
00b12a885d9060cf4b69d987d78a2b01cd5cc04f8e9804d4349fd104cf469d57

SHA512
2108d27a5a0fa2f9d9893306ef9b424fe9079a494af1597461718e9ea314fa06cf3f50892181562ad25121b4a8f8c375a6f4a4f5555f6d6c49ae918fef32fcec

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEIQ.exe

Filesize
658KB

MD5
5d039a0d15c84ae2ab6fbbb311da3103

SHA1
5be9f306a49dfe848c021ae2888a92b547a97980

SHA256
c34c12d9f8d980163f07f7e0b46a24bd4526a8bf91f33ca07a478d78b2308d38

SHA512
5b56e7d103d28973923116ee1a73e447c9fb2a071f6ed0a168f92b00882246c372147303c2a39345a2a2d6aac02ba498099dedba5a469548931af6aef49e1bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGAAwgsk.bat

Filesize
4B

MD5
826f4db0576ea445ed82261998b4eb7a

SHA1
7d670e0ba6e6844022b003f78a0624496ca1dfc5

SHA256
539e9727d7ae41a9d16e9e7072a016280d2f49479bd0ef7e78922f5921403233

SHA512
c119926145e35de0c8351d5e6309d3dc8a109312293a05f56c050cc59ae69395d269f1f0e85476bfb4ea8c43ba3a76e06302a3223ee5ae239b85bfbd1cade8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGwsQQUw.bat

Filesize
4B

MD5
26fd81e1c68bf7fd74c45b1b118e9771

SHA1
4ccefb1741b22ea55fed1a35f71c566e3cf1c5bd

SHA256
f3ca63b12de0d6aaae42f12cbc663b0d7d427ac82f860b00895c2424b07d751a

SHA512
561f752bf61d2f90258b90c0de5411cb3c9d9026f9cfb11d27e6ffc27f29fdb63aa949c724f10015195208face3932a862c76fba493ae2bad69f189da605b88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMAY.exe

Filesize
159KB

MD5
e6da2d0689072394e93375c490d37bd1

SHA1
ed4efcfd29d67b2af541ce3fe08335cdcda6f2c7

SHA256
a444ca67c08717d45969a3e0cf6011610657292ab0975dd977c85dbc54c039bf

SHA512
b7093b42c5de21ebd3e1a695d76c2b154b30f6c41a219dd5d5836f4534640942c21d6858b74bac4d3e1f256e70a34aacb386941ab9fd8fb1ee17856669f7c25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQww.exe

Filesize
157KB

MD5
3fde5b157b4f88129996532e5a5e814b

SHA1
8d456588161ef08285acdfd42feba1c600ef561b

SHA256
066ef842e5374310cd3aa8d0abb245915fd5d022ca07c69b4cf3e18c94ad291d

SHA512
670820f772cb733ef2b4281409376a119eb7cc0e700d05449fe94622e400e3222188246f5a80cd63d3285ba10cf6f95e64745e47c1e0c1b6ec71664768a33338

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSUIQMAU.bat

Filesize
4B

MD5
8963eee7dee59675ee72e10f8231a13f

SHA1
18f525783ded7352a60ea78ac62bce23ef2923bf

SHA256
df2d26e5acc8fb95ad1ff374ac96dd0a515c3a7feed25edb136e12381f7be2f1

SHA512
76a6ebbda5d3c7201bb28fb3c8e2886cfe4a759ecf7bb84da6037225b07981bf66b3ef7af3ac32c19614466e3848b43698d5218c1494a1ef8adf3558264690ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUsG.exe

Filesize
1.3MB

MD5
fb11e20c075f92355fedcc29c308fb54

SHA1
c253f8c97c09b80d910654abff34f7f002863d52

SHA256
83779ec7f9f91a8d0dbe5eeebd5807a949ca55ed0fa066ca2a45b800edfc5515

SHA512
cf7b41a7cf59e8ed73daab367638c3843895ddb9cf0c5bd796da2b3947cf538ead0bf5efbcbe577a9f497ec29cae06911e485638609f1ad8b49b66e2d7529fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYsI.exe

Filesize
159KB

MD5
f3051b659acf743409fdfd9d5334809e

SHA1
0d229e866ef9821b742aed7aa244fd07bc185581

SHA256
55b281063cb3ad2543e6f173bb2810fa4d2f45dd14e25d8da47ccb59b3fbbf63

SHA512
103be53d98f38ed7ad7893b55367f4f36c6a9b16ecfa8637dcbbafe3afd4736dd6c88bcdb1f3b8bba3307728583845fbb4b986ad4bf71e90789593d240b62696

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soca.exe

Filesize
156KB

MD5
7dbce2cc01a4ee3fa4070a9bcacc4330

SHA1
75ea1481f9f38239dc134983de394ab7a47a2621

SHA256
fd88a6e9c20642e3cdd6cbd999674f711cd9b000a57ed5d0d6e5fa7ce2cbe18e

SHA512
85b4122339f33eac06902ea3e1b6983f12e010308cee2d479107a1e37e701063e49768a04422913cd9896d743eacb82ee164ef06022cea74066ef000aac270bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcoQYwEQ.bat

Filesize
4B

MD5
a51acaa44f8c5a2dfa0b6e509281c528

SHA1
f0e6765f00a8d52dbd07ea804890f154ba04308c

SHA256
b618db5312a831f38a6487d920c5940814057fe332de83bec606510ba4b54c71

SHA512
c31a848975f521a23a4d9265656fe1b12feaee312f84a048bb4801dc2e5a45b44c2a45f81d1313b37f102331d2a782eaab7936c958aff14d2ebf0e46368e11fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEss.exe

Filesize
159KB

MD5
a9dd34526fe5e0845bc03785161790c0

SHA1
9ef8e376291cf4e015e7d2777687a3172107cc95

SHA256
c3b2d677a02dc828fa9bf3f69eb81aebfec2752e7bf8fc74ea8deaf4a0d87a80

SHA512
e97c13688e5db7df007cf52a273a86d6975eb8f3ea41aa97f31c378442b0c2bdccd934b758035407e7cb8b4ef48112d8478360b001632648f139161ea422abda

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMUA.exe

Filesize
158KB

MD5
cd3b34cd30ab3bc4593387202dbbfb42

SHA1
b4b8c528d663187965bc5ff6fade0a5373d6df4e

SHA256
1dffe17d363ecfaf53dd9f9ba4a43438053a64873a970ecbf2eede694939e4ff

SHA512
4edc2c398f1753b50b969f3b8da769e0eae35b2341d1f99f5ddb9120ad9f614b34ecdb4bdb5f5d7da2c85f60836cd324fc0e42243a4b17c5097b8c1ad8c8a20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYUQoUAg.bat

Filesize
4B

MD5
3b12343f2f69630a7fad85946782c823

SHA1
045bc631a0e021c4f5d934251096d89e9de19884

SHA256
5ca81b448918d7b2f61628c1091dbecd52a99c4564b0d32be4e079e5bcdc275d

SHA512
7460da98f8c813cbce4aa1c5c40fa40cd17b3da40b9213b1f239d41151ececfaf44a52057f0e2971a85ffac7f0e60d9ad677f9705d3c1734066f72f7e66dd1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcMO.exe

Filesize
138KB

MD5
d0b7f008dfe35349c1ecd9cd681e24fa

SHA1
d81a5cbc002afe2cc7f1aa48f078fa06f9ad5a54

SHA256
c6c344f1ad499dbd87edf038c6760e292467995f5579c7dd0d673131245ad0af

SHA512
f4c625abf631f6c1f26a77bd00a381c9f240f8da33c92473502448a1867e522bb91be156a128f790881ab8dcf47dae9c749b9725a38093be5f3fdbc47a89474e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uckc.exe

Filesize
135KB

MD5
57d56183a56923c1b6c22bea51c2e85d

SHA1
b85dceb00b60c800ab2413980e18b2427a75b0f9

SHA256
d7110b52097ae4b7c592eac6c559c7a78af502f88a335b4a3fa6370569fdeca0

SHA512
b6b46474652e4ed188c3f673af9e9dd4b9c20bb04b61d874f3ca544622d08b947e08b3766d30f6467c49495896bb88580681f99702e45bdcfd250e8b14e025e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UocMwQcM.bat

Filesize
4B

MD5
79a1066ef34dfc2b6e4d8ae8be59dd5e

SHA1
324a85d56c59a3e02b3938ca9cc1dd80d942361c

SHA256
bb4baacd3b278e3d4a48a8bcbd5e9f95a453216ac39d0515cb0d2d479697b8a7

SHA512
d2f16faf9a4e9ce7b5ae7f5b3663a04286013bc5f9da9f4497dd4a280922e4788b58a0baa3751ddb1e184dc49d191de2c3c13f168aad3b22737a25f2f208b03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UowU.exe

Filesize
444KB

MD5
f34a072e48802271fb8f5bb5819f5c0b

SHA1
43b32fff2f084b21b7194daeb20b08d0126b2360

SHA256
60d9382fb419154879d91b6ce2ad5c4c7d00694c6b681707a20dd02e21e652ca

SHA512
c6e62968a47eba703a60eb3b7461a131645473d10a4ae8252a5e13d5d1f109d20fabe8d301e40c1d0a53cea1f1ade30c0cf5c9b638eeb534c2064edf8012ab3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UskA.exe

Filesize
692KB

MD5
da1122ec222fab4598640bab6ab6eeb9

SHA1
931a7c15a6bf66b96eb434cd74848888f86201a9

SHA256
0342920c32bc6e1c70a2e33671b2e84107fee7912b5ec2f60c2d0a20def34931

SHA512
ba5d9e0c943e5f0bec955f0352d49bc89f55fd7dfc985aec54af2a852d0c7f35042849cf02e1912eedc5aab7e10a573ca80d517972e03eedc901f58314745c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwYQ.exe

Filesize
161KB

MD5
289ad70b89f916a6500bd3c9cca46701

SHA1
20e2c96f26876b63aaa4a18fd12896d6ed963ff5

SHA256
500c9855513672f8a78fb5d06ce0d835bd34ead53baf35cdbfcd8ca0f0d0262b

SHA512
f7ef957fe4bbf6ffbcddce995f07d293969c86e171307aec9b98af3db1105f1c761dd10f2fdb1472c175b441bb2ed3b74f3117a1dda6a5920adcdb0e764f1447

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwwW.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyUowQYU.bat

Filesize
4B

MD5
71eb57e7f71ecae70870212eebcddf1e

SHA1
6a20a8270c1b29afbc687bd449b686185c36b739

SHA256
c2510c9aadf3c42873586672edd2e43154c085595a2fa8b47b5421d50bb207ad

SHA512
807e30378eefca77c1a01eaa7e22c6410165df3cc3d339bd1d9a1df7c0c14ec272538b8002ccc48dd8774603ffaf9df4325f8361cc7a4758ab6e02ab5cf3071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WocO.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WyEwAowk.bat

Filesize
4B

MD5
ace4b7d39ff08ca0e03db54eefbe8621

SHA1
e0fc640932ce776acec26d3b9aba8e5ac0c993c7

SHA256
5e767d7a10bd4ed5b7247a013c1c5cc47bf7edf9c1240ddf5b0ca768a23f5714

SHA512
62fc7642dded56be5aac140a1a01032fdde4114aba83bca3ac4f50dc7a737e1badabc0f1cf383449b4893a7f3d4d3c21c304eb2c05442b0a1b7d9cf7a1ddfd8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCMEgkwU.bat

Filesize
4B

MD5
5c0b6c1c5b42784bf9fd6716a766f01f

SHA1
674aaf5a6525ce235da49a5742086fcd2cfbd639

SHA256
aaeaa478cf1c03b796806346aa4b7f000719106b0de3d855dbf0cf94db970bee

SHA512
a8c04fd73f529d2595570e3297b337ae89108db0eec4c93bc8dbe0f7744910a869c9d8204eaacd5169c9dc56d58bef8e7888121fb54bd8808e28b93b2a790e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAIE.exe

Filesize
160KB

MD5
8056d67ebcc3e464262ee9e1aab62a80

SHA1
5c082db2c225ee4f698cd20519b4860ea660ba71

SHA256
685f291e44aa3fb5bb404beeeeb0ea36503ade2084c796c235d26691b9706085

SHA512
334a99ad5d603416b00cb5aedc5b7d86ac06d486774896504084ae81a42016a1870b76fba9f46db17589e4d22047fbe933c9530c9ff75ff6ed45397ddce99d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAsC.exe

Filesize
157KB

MD5
7a157b8e72974450af7ed4ab592c5786

SHA1
dca1b1c69f646103f74a4785d0444cfdc189d554

SHA256
abcc8614c2724a340819a32f466556002aa146a90ddf9436a5712131f9cd4ebc

SHA512
05f7a81fef791331c7983ed917ac533da8cbb5ff3439f51f653248c2d6c0a498c33e61b173acecf8efd546863d3bfc808f9fdd9f3ae97faa8f272a9c9ae370c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEgAYkwM.bat

Filesize
4B

MD5
c482e8ab2be7e97f774be40cdf02f167

SHA1
09e4fd33dea174af1fcaad8a3d69808e23067fe5

SHA256
f964afe665d2c79a7e106ec91c67565f374fe67fa335214f35fba863d243da00

SHA512
1f98f7cba9fed176bab0324a38104ff787c117265e1c0d5ff662c21c27e4281b00bf868a8c0800deccc79f163f7ea22e8fc44243ab73aedb05c8accd29d5d1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMYy.exe

Filesize
159KB

MD5
9bcbe7322dbfca65f9e24e4aaebf4a35

SHA1
41e1b9662b2f80af495f1e40234fad9bbbd18359

SHA256
e584b8a7afd0e1b1daeb4edf7aaf135387112ce94b74fa1c0c9b795688989b54

SHA512
bd812cd2263b26a3c856c35067e4a1551ad05c126964f4aa3829410ea564b4aed498d8f539d24bb9427d03c86e3f49b60eb92ee621256b59dea435816a6fff3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYwC.exe

Filesize
149KB

MD5
b800e26e4bb6408878829f206991bb5a

SHA1
f0ffb6cdff8d23ed6eb481d7974135a86d0702ef

SHA256
3a8b9157a32756401611f92cfd21f90d677430e43f9b63747e79a795fa0208f0

SHA512
621dde57b9e19bf12118a0f88a26e64c642dc88decad3e6d1877837e4eda33ce654fd7088f628294b4f3b939f5911f98ff108e3a7ac5e6039db0369962c48e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsAw.exe

Filesize
847KB

MD5
a69f942599e62bc0419172e3ed231397

SHA1
40abb51937f2ae042ff30e68915708c216255c2a

SHA256
a83461b7dd0df10926452a47c9383b9a7f2ae8873656c1ee03083d42225f73b9

SHA512
edb39cf30793172c450c33617dca14e922bcfdb4134d60de1cc82f6accda174f970fc68004f761d0ab1a0c7b45629fe6af06be9791ee2a108c743da255e4190f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuMkQYEg.bat

Filesize
4B

MD5
be8f6316d5fb89b80bc7f61620e8141e

SHA1
9fc0eaf4704471291e464f5fded673fe9f6c8d2e

SHA256
9d0d1056db427d06520fff282f370e7dd202654723ff50ded6e9e4c9f03c1c79

SHA512
36b9adbed81bb98ee8c7f705b03f231c9e3376797d7179e5703429e6605dcddc41e961d49fbce541c706699a53713eedb279a8ce831e511d7281e970597cf679

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQwUgoMA.bat

Filesize
4B

MD5
d161772d5726ef5deb7fe17aa9eeecbb

SHA1
a78aa6d46ddac8c63fd01749d3423004af74ecac

SHA256
e1aff99e6f8a598c978e05cccf43a8686958f67ddd8ed489593b48d8a2ba790c

SHA512
1dcf1e084e1a17e77f26b15cad50a8bac4456e1459060875b99c4c927faf9d18b927bf4d25fb0fcca14da328b8f773be37a326fd693addc0affff91b32a67eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZggIIAoI.bat

Filesize
4B

MD5
46d0885e6a9bca376afbedfdf84cb2ae

SHA1
05263a2ceb37b4c09e0bd04505999fbb570b80dd

SHA256
52c6e46edea129e8153e4892f65beac39503e9d9a0d5e56106f4ad06bd80e6a8

SHA512
fa954e076fdd91934fdfd865ae9667590ae957633180b1c2e64e61e99868485b84ccdbb0adcbc8610f4aeccc61a3d6293f60b4a61b3753a1480a4fbc9c51d5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZqoYIcEk.bat

Filesize
4B

MD5
d2515f201e18b28635773a2ef80c2e5e

SHA1
eb0360ffd9c3d14d7bd36c5a422b1f0d1948e7f8

SHA256
8804d4210763d2d0e21ab970a5009e752dd49a197516cdacab0cb13e8c85bf80

SHA512
f25d13dc2462b8097822d7d61a1188cffad844e3deb66217ad80f7122ce528690448992df3ecfbdf73c2ca0135b1ca8e892e7160ea9e6686e188d3911b94b0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsogwkEE.bat

Filesize
4B

MD5
158dad9b72d80b4cc5ffe33f9c869406

SHA1
39aec2d65aef543c46e45f95502a8275f8175fd0

SHA256
d16ab4232967e32a7f38cb929ee1f07d212822724800f3753fb1788763cd8ea9

SHA512
71f8374391d74445d2300b5f9e9fcc447e7da5374c278f4ac4b8b5baee53c3704d8f3f40e0eb3dfd69f68b96be98a445b1f54a8993d0ca4a692161995acee6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwEkIIQY.bat

Filesize
4B

MD5
31253e53c27df1e83c85808d4e34bde9

SHA1
ffdb5421c71d502571e01f530014853e412844f6

SHA256
34d338b7f6c10d37863ba82891fc0eee5c7d1a136a80429296867ed7a7f17da6

SHA512
e6ec16f71d900f1b5097325b532fc40956b1ea63211e5acbb6b9177d832dae29c397697b1c5b317333f9d517fd9bbb5190217670a1251090c9389218f66c1b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEscEcgg.bat

Filesize
4B

MD5
b7c4c1abdae246dbb99ef83ff2ff4014

SHA1
67cefe0191f011555beffe52d8b4a0082e2a8b95

SHA256
a34753645d78f54899e60e6b97518d779fddbb973295c47d47cf83c7aadee421

SHA512
bf3c16a5a3a0b4662b1b5a4e55b92b043b14345cb5b82477402df7d6618803194117b53091212abcd94906dcd91bc5fa3fe36112839b6b3454fbedba190e9507

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQIw.exe

Filesize
238KB

MD5
6df8c056dee79acb6973f3207f815df6

SHA1
4b6516fa29619671a565f8770b3c26edd2e5dedd

SHA256
10a76c641f27ede059fd0a840ddabe039b845fa84d3c6ad341a63a7840ea577a

SHA512
715ccfb615d8fc52034b0d7e452661617baa58340e17800f08322003bff9a4f2e52c020b9a8e9c2729a6e0e6b08ba2c1d3aa55f0224add3ea899001b3792b34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\awQs.exe

Filesize
236KB

MD5
a1efd85b915ba3e067156771152949b7

SHA1
f4ab8cdd95287abc3077f38704c6dcef547d672b

SHA256
a42d22b49bcd7f3a1fa125dd8627c0a2fc93de05d036afa275079d5d99fab14a

SHA512
857842c2166e5c0f00941d4e5587826044b335149b68377d33d2cc77aad7d259fbbcc723c5e9641db85828aab89c65ad3bbb3b3b79f1613f1f41c2eed6d68401

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayYMUkAM.bat

Filesize
4B

MD5
c7077b75e18ffec50ca672d2cb1f06a3

SHA1
014d29e08fa8df24eb01ac8f0f1e1a8780f88e85

SHA256
0eeb77ba81effeb7adbf1e6541590f5c751a963804ed818d92ecd57310fa2b77

SHA512
7167b105cdb28c862a7305d0aef503ecea83c61ad3e6f1bb27a08d2ae2b1527959ad12a2982ca2bb528f30fbb034403dca4bea45e193878d32297548a955a524

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEYcAUcI.bat

Filesize
4B

MD5
60f32f271a85026569bb69d060b9a64d

SHA1
f983430cd61ff8a5e98271a2e5149c481c349e79

SHA256
44671d4e4be3bad5764079302efa0eddf35eb393ba266f00e11c7d70756152fd

SHA512
49b59c01f888cc18dcdf7251a53ef412a3f228a6312b46dfb300cbfcb188af522c44f8721b0862bbda9dd80b443379e783a7b196b4ad4ef330b71c78c198877a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQcQ.exe

Filesize
1.2MB

MD5
d77b78119c975e600b86ec3c656d6b0c

SHA1
0984e0869fd2531c7bf03cfcd5cdc7d5cc4ede6c

SHA256
c4d8c04fb2aba4e6a7c96e8e19fd67a233fdd932df4382f8e2a0c3ade3bdab2e

SHA512
32b2802df122d00490fb869698bd11106f0fb72dd45a0a91a69b1bdde746a3d71cbbd9be13d46e9637547eb1f21ae4410503e505c1787c7bf0e9b4592b92dbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYsy.exe

Filesize
157KB

MD5
9eb2da65c43765901b8c7921bd51bb98

SHA1
d91f3f37bbf972f4795dec02837b530eac5f61ac

SHA256
3f0a1dc492332daa314327dcdd5d50dec229d8e9d888faa7732a4299354e8109

SHA512
fee15dfa0c29caa0dadbb07f22903523070124b7e12997c13cab30868126f6426f22a134bb42b0070058c27027eb4f0a7edc48648ece38b713cd5338ece515e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccsa.exe

Filesize
140KB

MD5
4abf5ab1740372e913bc01a1cf47586e

SHA1
e436df1e78407969765c54de0f97bd4f319dd5f2

SHA256
3545ab038d583504e131fa96c3356d1c7a6f1041b65c09fc7e7fa341508ac49a

SHA512
ff013968b132d64695720731598bf5c5061a70afa81c3d300262bec3a2643b9ca42982e388ac23bb62bc7fafb63dbecf3865cafa5961c99b1f4143c2f89545e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\coAS.exe

Filesize
157KB

MD5
b6999837c1c8eeeff1f32a2726580058

SHA1
5d1690af7dc754715dafeaed0d1e0cf5b107941f

SHA256
41ffb45af3405eeb9ecfd9357f182cd73275f9b4db71a2b8d9c77fc513dd20c5

SHA512
4ccafc8d117779112022678d98e841834d65132fc77223f7f5dc4ab8c3edd8dd19c7186f94b15a0caa627bf411e6266e40c94549e8fa7f48d8439d65f50a2c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\coYM.exe

Filesize
158KB

MD5
5a032ae89f6be5ad1df070b9ef5792b1

SHA1
d1a687a3e92ec4b4761d296a801677badbbc7de6

SHA256
672e0c12c27393a79ec5f404b496a80a73a0f80c0fa67f04453c80a8b407da2c

SHA512
bdffd1726ebb760ba27f494f9fadcdc57d38a34990dbc7790ff29ff90f6831db756e36c833ab5737d7f5707cc0507721a6b62dbd78c15b0e4d88584fbe79521f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSAQUcoQ.bat

Filesize
4B

MD5
9c26ad2b3cfa8690056993b99a59893b

SHA1
f506d0569c4d45567697a27d0b99da382ce294ff

SHA256
0538997612675948c2d4866e710fbc09c2f0feaf100be9c843c1d75c8fce293c

SHA512
120df281dcc2cf7e1d9c4de90dec2ae4501b79c469a1a456bef8042ae5cc097cb130410dd1f05bed527dff5643c0cdaa2b330cf22f1e49750e43360bbd82df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEcm.exe

Filesize
156KB

MD5
bf8e491d6a7ff20660b5acbc17a90917

SHA1
75051b9213ba8b9296d76faa3b1cf77979f20b5b

SHA256
c5329d0275d03b60ca11a84166eb1c211d3751a205bdf8864fb5f95471f87269

SHA512
09da2b09d295ca033e9b58790800b6373e541fbf565ef245e6847341ab0837e34bdb16096ffb3cb371e2c063015ac56ee367109073abd17d1afbb8bc3cb8af3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIME.exe

Filesize
936KB

MD5
595c1a1e7f457ffed3b963fb8a2435a8

SHA1
5f62ef224bcb1fad34a2750faa2dda66eb6ce309

SHA256
560a1b3a53869982c78635723b04bab0b6e8f8f1ad3d5ac43e59587e8e5cbcc7

SHA512
86cde36bbaf66fc41fb637ff23e5a36fe7550994dd5abfc01d1eab6a5bfc51a72da01d8e2816b487dd4dda6039c77510f123d2129235f23585da496150372a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIkU.exe

Filesize
716KB

MD5
7c658c75c90fb3c10680d12257c4940e

SHA1
eb253d67cc84a0f5219fbe4c927d48079f1f96a7

SHA256
c3f170179442c787d881215b2956501ba95f3640724e3da130edf89465fe096c

SHA512
1fb5260ad548b588cb344fcec2414d5b038656f2f21be355fbf5310d6c3d2e95d8144807192ebd212bb7150b0238b786f7da0cfc41b02157a33589b46a7efc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMUY.exe

Filesize
159KB

MD5
1da6d1b2fdcb80ae20a576729b3b747f

SHA1
82a61f48a29e9847539c4b63dcc43a6f65de2568

SHA256
9b882820d1346f4a44481e11e1a2823908f61727f567536d7db96d1518d322d5

SHA512
3296ec8cc9b391e4803e342876afa94d167d476c4601349854caa9a4b589cc34c313ac0d3fbd7bde3c8b1fe85367684d8a8b50f1308285924a37dc8dae3c877b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eecookcc.bat

Filesize
4B

MD5
f684203d98d7127b30c9b4c5d6788cbd

SHA1
6f86011a9aaed56c22cb3226a1c8f700fb9ec3ec

SHA256
58ed061cb153631a715226b7e55d1df050949e724dfb2e4455498775e7d13f68

SHA512
11904659c00ba63819147c4c3d43c9746eb5ba7c9d0bcc256b19374cb913714e7d41e80df5cc3d7c4e39351b708009bda0391e3fccabe2f1087b794c2f25e7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\esoa.exe

Filesize
157KB

MD5
2d57612fe0a0e71f7ab55a8c4d5339fa

SHA1
794ffc77e351f6d466afa842df07c7bdff2d0c32

SHA256
cb6ac85e11b2aa9649fa264a4eb0513b93a4a841a28dd1c9834353011b55bef8

SHA512
4fbd041886455e305c1e35e3118fe60bece3fb5820114effc2f81d54ed1fbc0caa4b9a1cc496b47c70967a571c7e64307a1358061f5c67579362a2b79ed5cf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewcG.exe

Filesize
808KB

MD5
3b8fa4cb2ce63d2bda1511391b320dfc

SHA1
293c10f16f1768d3552cecc030515b233183eca4

SHA256
53af85eaeff31874d3311097e330cb67898193105e5a0592e6799f7d343ae473

SHA512
d6c95a0c7798d1fe5a26dd7a4639f51759c281db376afb1f390a4b697e8f4b44e4e09c74a160c284db3b9561665a46147a0ff070b957b582b9ca3da6ad228870

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewsM.exe

Filesize
140KB

MD5
2f9e8430cd17f556c5fab443d806b769

SHA1
449bfb0778ab8515ccd73b130d3ccaece961e4c7

SHA256
916e55dfdd6250e0764fb16381847fd9f796751b06c9a747a032ec3019d06c88

SHA512
9a7782f27941747f9c149ee05ce46ffe04a9e1ccb264df3462e61c1fba63f4faaa6f33f3c66710bde94bfda1787c79908db85785f29849e28c88ecd1b2417da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAAK.exe

Filesize
159KB

MD5
7f4e9598bf9ca50a5795afb57053143c

SHA1
b24d2d55755a8d1d5fab45bbf5b92f6aad24f957

SHA256
082f7d99a1f9ac22409133619d2811e76917fe66f4b9e59564bab437a15e411f

SHA512
1cb141a0a9db7a8bfd990ada547aff5403bf2dc71e92e9294f00386cf69e87ac8b3e03dc2992a29b5a1851df8e1a5d501b64b6249d79556eeca38bdcb7b37cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAYI.exe

Filesize
158KB

MD5
fa4bb6f3b17bef4c1fa35e75da1da06e

SHA1
c6e30cd1ad147c4b0d8593fbbf558fbf927640ca

SHA256
6b33a1c4542f20f76338ed24e2d40d9684ec63839697d7d18926c7dc8beaf8bf

SHA512
cf444a623efd97ad28ac3ca6aa2539f83a6460c0cf53c196c82a5d61fd83565fe68601937b64a4035fbffeb9bb768e0cf2d6ebe185d4f4328cd0ed40203e49c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEYQ.exe

Filesize
1.7MB

MD5
9f1f91177690d6fbe1aebdd8de36ff22

SHA1
939af3cb97968084574811c38705a83e620e591e

SHA256
64e606813391890830e676e2bb8e5378f2ce069d238be5b286f6710905e379d5

SHA512
dc7bb516ea2e8067c2a5ec376c4b20b0e3ae8de4aaa9014cb6d0df989b087f24fe420935288a371c1c23335f1d6bd51c5cc110198d2c6abb4578545bbc3cd29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEsk.exe

Filesize
157KB

MD5
557297a8f3e6ce6adcc9794337fe685a

SHA1
c2635ac8e3f272cf72ecfc2013fd04c6ed5d7d40

SHA256
9400f107a5abe87ce065e5c323ed80a30b5b0c8e98551b6edfb2f82864cec8ea

SHA512
668cc0649d09d94bdca18b3a11ea8009f438333ee4df93ac6ec08a735927d0306f4a0627356e64f9b76b0153dff0c882c8ae76373b405dfa6f2038645fa96016

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMYS.exe

Filesize
159KB

MD5
5eb5a20e6b3e96cc4fd7f554959e4ec7

SHA1
4d96fbafb78355f74baeb4ec42dd60123127be69

SHA256
c4f3ebcbf177b1c208aa0406fb15ce4c7382a46a4647b523e672d1848fb5ed89

SHA512
4c8e90aa6031ceb4521bed2bd8bb2012b128deb4cae1b8d45c609ebac440faac1233e02249edd896ef72a0e225e72060e2ff3357ef98f065dabb4fa522ea5f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\gOkIYwkE.bat

Filesize
4B

MD5
6c83310b4198a552687698451833d8e1

SHA1
32878dbfa7d15450f313b024e37a8de248a6ef4e

SHA256
43b5675f19612b05a95025418e550b38a777ccd5dc9224372fe76f22bb9a5e5f

SHA512
a5616bcad4ff8256eb916314dc737b874348afd90aa11f43ed4da00e19d5db0d705a636cc0ab0757c6f3782a388e2d917d35be3524aa5e2215aa209425168aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQYO.exe

Filesize
868KB

MD5
3a84ada31ceff1433d6328c30298f65e

SHA1
99de140c0201de7847cafa1b2205f5068cb9e51f

SHA256
71dc7f7dddff30763e9161edbf5e48dbec4800931df84e9a469fe9d22cad4d1b

SHA512
cba00d2fcfd0c8b23752d977b06fb4baefa4d7e3340cc28f5ce8be41d558f244696f6cfe91d63cdff6ace4406aadcd32243945438b13bbffe3f4d1b91c904d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUwU.exe

Filesize
743KB

MD5
c18c1aa49b7e328abe7a651bffd91a56

SHA1
f662303590ecdb37fc0ad6847c02037e22a4a3ac

SHA256
3474b9cb5846843b858e195198f18df99eae5a62233cbf88106491c10a70ba62

SHA512
f2d43088615a6ff47a45e76053d044e8eb0e32568692afc9106a4d3121fce65e589ead15e3c8d6f66bc19c351ca597e465be738f2893b4eb5203b0b8c289c7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYIq.exe

Filesize
555KB

MD5
b60e29ff24825a68fe0ebcce5debbafa

SHA1
0705d36b0cf7e132212a1e93d145fc497c9462bf

SHA256
7b8fe6ab22ba81efb4f3bd8b57be10c3b43c62e180a63828063f0eb7d0f6b756

SHA512
be1a9f2f03e17573691082de665040a2e0162bb0a8aada06d0070ae36fd31aea5311536b3863a119a1267b30abb22c47d86b93f6cb40a717b5c0a2bcfd9aa412

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYoe.exe

Filesize
159KB

MD5
400ce2dc97c9bee6116851c5df1127c9

SHA1
7b8953ee3f901f6ed6ff721508b49f24590e9ca1

SHA256
40e447620112bf7e9c3910bfc3aa53b2db14a4d3741312bb4453409c3461f806

SHA512
6d774f3906cdc1e2d4267a8631a7770501106116ba40b59353d561fe046115184eaa7958b5a0e3f20a6aed9cc4528430b53d405ff8ddc49dc4b13a7f94c3ffbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcQAEYYI.bat

Filesize
4B

MD5
f4a1113484cff4e6ef4c84fff575b857

SHA1
4b1dd092ca540a4a5584b8e8c08720a189041621

SHA256
2c13fe57a3a1695fbd8a4ead8bd740111d736e5f5d94a1d00a50b029f4fc8e7d

SHA512
bf065f73c189e2d72555a34d61e26700fd12a1038f858804d8d6749e26bb6566f0f482cd249cd457a368604cf75ea899a7f54069b06f0cbfc32d5d6dda6d2478

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgYEscUw.bat

Filesize
4B

MD5
6b50ed6847d9b21b1e26282e0bc2f3c8

SHA1
d7882290088c1e82a315f97f1fd7737b02f6b75f

SHA256
c0fd4e5c7e782208262b7c6ca8c790cb9a21412db97eb0833ef5b9f1f3adfe50

SHA512
21203e7cc7e324ede9a3ca79368ac0a769fd99d3c22a75f41eafca1b8d814951830f2309c4d5bdcdced4d14fa1d393dcf4c92523d72d08180c046ee1de660e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIYK.exe

Filesize
158KB

MD5
a186915c5f90b2d1acec7691969d15cb

SHA1
89adc025a14c8c6ea84bc56bec24b5fb48865605

SHA256
ae47b17414187c04f0bc4e828df38b4f063bf52a057f39f9a59c064aaa1a34d5

SHA512
a02ddcc3d069de1449760e51b2d4852fc25c09334cd3dfb4a4b2938088270938ca9d3808bb16a57db2a4af5c027a84fcd000ca2b8013de712685fd1f267b7c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUEQ.exe

Filesize
157KB

MD5
339727061e1d6a204c1023b1d29985f4

SHA1
e4d61fd14b3193367a2b807803f0174ab837b24a

SHA256
25fbecd3f245c2b7686cd6004c119ed63f0c770f0c033c139ac98d6b3f0e6035

SHA512
37eed265240919e5a2f64af3d79d49357897345676428825bc4c84a868dccbc546dc5e0f2c459476678d43f5eea4faea5cf96d0ec8d760a7f48df88629c0c9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\icEQ.exe

Filesize
159KB

MD5
d8f53798848ee6dc89f04eb051627c64

SHA1
aebd5e1196019ddf5661c921324cd518ec01da1d

SHA256
a77e76596ed1f8b8210db6ab9213d2368fc2e76d12e49e9dd0e07fd9149fa44a

SHA512
0d44e16a912faca3e9a99946a8f8ae44bb044a5332f3b2c29c9926797c807e65f2ceecd6106e25b6884e6c8758eaf16ec6d92b2e4752d79598e9652f161767ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\igwUoAQw.bat

Filesize
4B

MD5
3a68bdc811bcb0cb0a6874f2572d728a

SHA1
deb4aac027e4518d7189491552e1c7d1e25872fe

SHA256
6d5153029f99681ad72f4dbb41daca0290b4acb8eb4a760b679cbfc2242df5e5

SHA512
07687b378cc4f2c88e3664ab81c7a2384f9051082759f4030eea76389a25ec4c718ae77d751a52716eba8189bd44a72ddcf6e03d72c5f7cf74323307b80231cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikIo.exe

Filesize
157KB

MD5
26821bfaacdd4d54697154cd7c0e1c7f

SHA1
1e84e6440e39e850331739ea1023d4783bcdbedb

SHA256
c3a9f406a742c66a3ab8ac309fb54510cb80b7de953aa79dae17a570dceb46ac

SHA512
ac9f8c6892048de394d936b196d54b00290dff1edb99b57418680f97c5a7316b45b6f67b4a0c1c176057f600bc6ebccd6a11dcc202789e722a2c72789308f254

Download Submit
C:\Users\Admin\AppData\Local\Temp\imkIwAQE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwEg.exe

Filesize
1.2MB

MD5
584d345420ef60a73f5b9157ce07b257

SHA1
c2995a3c0ac6ad02fdc502616530026265e4e856

SHA256
2cebb0cd4278a81da0d4e435d06fdf240fca5eb6710f586429f56cac1a141b41

SHA512
86a49fccf9ffd525e03d3af5a433ad4aa0663893b85cd52618e52bf856faf246fd3aff52d887d187e3ad07f55f4c27b29be464d5211e4a721c066d9fb01b75ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAAQgIkY.bat

Filesize
4B

MD5
52963dd980dd2aee2afa270f9c2eafd7

SHA1
024d4e11918934046c4a7f971211da38bc96b53b

SHA256
b682d794f08d56800f324adba4c9828fe7c067a5999ec7bf29904fbd09e3b998

SHA512
95f67ef4a90eb5a3444503b079dcc61062480ce2ae2ff4e7ed875fcc50c89ff4679f397a6d599e835d5167fdde261d50b9b0bd55bac8c876fa3c1e62b3932986

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYooQYwk.bat

Filesize
4B

MD5
630e93b8a5b7a2f7520f91ca37c6036c

SHA1
065ce5e0a27e200641a10a414dbb727b95c1a589

SHA256
b22c771b9d12b3410f47d7cf37b13722deee1279c4a4e695314ce96aaad24f45

SHA512
285cf20228d57f3860f5c33570f56e5b8a5d3fadbd756c69ad132b30d0e827e78d7898dc1b0c86d71bd9cf8bfa7849b4ba6b95c13a56e62a90ebc68b78a5739b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmkEwQEU.bat

Filesize
4B

MD5
bcbf810f8e9cbbfb9fdd01c1f0b4eec2

SHA1
ce9b8d967878dae82452fd52ea8d0d335ec3d7f1

SHA256
9b1829e01292a1491f9391e337ccf2d5abd8a705338ab78d37d09e76153c5751

SHA512
0c76f020e00b5e17f79e0bd7d43b5fd39036e5f78c02cfdcb23be9d4cf41821b94614c50c60a494e301b5766ad2dcd445870a88c64843aa952cdacace1fd6d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIEk.exe

Filesize
147KB

MD5
042ce57f5ea4d53cb57676d6b9720412

SHA1
8f71f4590da58c0f780dbb7a2f3710bac8751b8a

SHA256
16006c451c4381ca4433eb6c2204ddde5cb785b4029357040166df6e10bbb51d

SHA512
29c0e8c06d2bac99aa9ea4b1f625597bb9f647fd7808eee3a6f7441ac63fb13640724029e426ceb57f68f143807ea42db47105b9246b1120e9dde4e2edc5ebd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQoC.exe

Filesize
871KB

MD5
df8683c5a09efe5acba04bc5fbce3af7

SHA1
8040083581bf9037723f524e46c154b479dd4eea

SHA256
9ee5d843454305684034301781c8a3f3597f0d493a700d4bfec98757506a3e98

SHA512
e8f2394463805efd549ff412f67a37f3d38388425afb722c589ceabb270cd116abfcdb71b7d33b45391c1f2f33c71ad98498e80542955543d586ef0cbc974eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUgO.exe

Filesize
159KB

MD5
a691d5f979da6fe9e94488567143c9eb

SHA1
ff2926a3beca48630de57ae1ce4f0deee6ff6f69

SHA256
02d222b4b4e7989ad687a590e34d0fe37b587751166b4c6295cc87043b71982a

SHA512
96348a88f1306d901ebe933662b24f529a7ca97c7fe161c45861900143111ed4e7c969fc510583a6ec91378bd4a4b7236af51bfeb05b60d272a02591811e15c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgAe.exe

Filesize
158KB

MD5
d7193a1999feb9ab80e4a22e4db1fbc5

SHA1
25dbea22149cc1ba07954a47954d59f6a0e6dddf

SHA256
f6b5d5e206bbc8d7a73c5ee031686649faeffea4d6d86710c80785a273f29d61

SHA512
6ae88b4241232ff338e81f5bb56f3ac2685d85968c9558cbaadd5c0220c088ed05b6462404d199e8a60650cbed5d6077b55df1aaf8a59174c3d0f47bf2709caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgIy.exe

Filesize
158KB

MD5
876ea2326be448f6034c888e50680bac

SHA1
764d80f46d0384f2555b08d8b083e18dd4d228fc

SHA256
c2309fd0fb5fa8be32f6a535532309245b0c530dc1ab717b839a29ee540f7a1e

SHA512
6e0400d72d6ed3761a9ddd84a58a2baf3620348103531611ea004daca8b693b9bff98138f9eafed27a98685197751f7d3d66060775a2b25f5b36e27bd9408255

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkoE.exe

Filesize
158KB

MD5
b3c76d19bf095f175cbca0146fd2708c

SHA1
f0ca23eb1e9244d0cfa6d17547af6b3cd6616956

SHA256
c1233cccc97f49b4685e93ec1672c7b4a47e4c192480cb6a2f284977037bcfb5

SHA512
8546d27b0dfac834bbb3263725176bb4042d1ec71b3387e42826b26abe15a64ae181dd2f363cc7e08142b498e3154de0cc58102f1e2e6f372a999ed47b3b391c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqUkYQYI.bat

Filesize
4B

MD5
6e5386e75ad64a3ccaf497087964d34e

SHA1
6fef74d300c80da542cbeb5ceb54751321d0603f

SHA256
252a03dbfca4f25c7261f5710d047a443b4634a6ef93451f05f57240428f4dea

SHA512
40d99c3b6ebf70eeccfdf1dba3fdb47b790d91533bfad9d21a447b713c00977dac4d29e480db6c5dcba967bf5ad8bf3a7f4c933aeb10c456d449e387b88532d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAUO.exe

Filesize
159KB

MD5
248ddbdc65acfa8cbed950724a59b0e6

SHA1
625c9a8700b8e12ac7bca608682e2ddfa4b0e416

SHA256
8515fe3c4def0b69ef84fa8257afb3a429941268970945d5bd8f5b1f1348fdaa

SHA512
f1401db0bd96f9fd38ede34d1e0190dc7e00bc56a69b8749b8515281a1c14a592d19ae4cd7d3d4f76c0221df311461ba5642b6fac014746be0fac123a3fa902e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAcI.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQgo.exe

Filesize
157KB

MD5
15c3a07b518be2eeb6b5a15f14053585

SHA1
74a1206bc4d5fc6b0bcdc26b9ef42ac79d1e5abe

SHA256
483ea72f5ab640f274cd4354170ae2694cd2b4eec60df0e79ee46caef40552f5

SHA512
195ffb30da3c3bcac87b371a4ca8b3e96a9d4752a63de0eaf7d56a33bb67db77663243c70a4dcb922f7bd381e7041ac72656625d5e55e1d4d6eecb2cff29279a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSoIkYAg.bat

Filesize
4B

MD5
7034988329ed8749dc019e1c97f4b717

SHA1
f3140992b9972f01b09b3d891fc15e2aec30506b

SHA256
783053e4273eeae2485ad58260b8298f1847aad858a951a4505a6845341cc12b

SHA512
38375d7abd0ab81a629d6c9e3a5a3bf69fd24594b35881a912776aa85f2f354236b1006aa62eeee6cf6b57ec1366f0590b259a169f61c29cd4dfb545f0438044

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYUG.exe

Filesize
565KB

MD5
df3fd7316d3d4623c7a427e23ef1d6a4

SHA1
4b8c60e5e22d14fa9e5884584e3a95acc6d596a2

SHA256
b74f073d1068bd1adced6eb99441c552bf9a1bdd5f4811b6e9a3f77e82d569c3

SHA512
3d5832b1389ee7365f7b28213f234ec4acb231896e94dcf74246f3e9e0a73d8fe87cd6ffe6b881e2baeb107407b3ad1b7bf1de6e14f06bd809d4b35d6c38a617

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcYMssMk.bat

Filesize
4B

MD5
9f9d7de937cd730b221b56ded104dab8

SHA1
f93e2b219b0d714ab503860dd8f7e906c12aced0

SHA256
b1c7464b6459b93389cd8e5dd5adef27f06f304e82f4a78bd839518170c4bf48

SHA512
7474b398d3c1d9fb0f0c6a8f96d843de4006dfd21d57331ee72f47ff9954c3c5bd522bf955106f28e4e7ecda3d93ac302428a978cecdf4dc61a37d7a52fc8762

Download Submit
C:\Users\Admin\AppData\Local\Temp\meAAcgYU.bat

Filesize
4B

MD5
6c6cabaf9b34a48d83d8a08f6be07b94

SHA1
5b2cc8b028eef94f25c71dbd4e794ca39c80f0c9

SHA256
158514c54530c9c1a9a4667474b06546f01a038949f8879d0a5219777a5faac9

SHA512
f86a261f69cfc80469fad2b2ceebaf18999267b6a17195e993436348b2a6923bdf834afcbf397e9f7b3ced279f821bb9b418ced637a0635bc8e0f466dac4b050

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkIG.exe

Filesize
158KB

MD5
0503ab5d77f045a7160a3cbd13b8e822

SHA1
f484f9e205cdebd3218ae6374b35665f2a6ec535

SHA256
21c12da317bbda75ea8fe3ab80cb4fb015fdf0e05856367d2f7deda0812224a6

SHA512
43758c94c77d9f3c066e7f22b803238a4c6bb7a5993f0d85b7a61bd362432848b83a92022f49dc4e3634b991e2647d821248438f90214eedd349774b340c68a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqkkcUYI.bat

Filesize
4B

MD5
69a4ac5b49d8a13906eb8974d57f2efe

SHA1
a2fb6cf016fac9c0b564bae7d8ad4f8b3db56760

SHA256
b201672931a2b15d261bdc9d061d4c8f833397aab4eb2223292ae14efebb7110

SHA512
078bbd0dcb5286de3be4aacb51ee5d3c5102573ec3c68395c5ba5752ba20e5ea5fac45c5f3cdae26b1384f339613f508181f8b27f69d6ede537d3abe8d7535b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwAw.exe

Filesize
160KB

MD5
f7d236061decacb3b14b2c1db9309c20

SHA1
81b7018495b206dd8be55cc90f82346e80d7a9aa

SHA256
2c29b322b2f0ab66c620898982129f069a69027965d84d9bdb075221b157597b

SHA512
2d80cde975d6080ae5a2cccd555fe772b47bfe010fd70a3b3b6ec273e435c3c1dabeeb6f7ab4c03cbc0ee5ef9ccdb30482505efac573d61bc54739b5940807ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwgU.exe

Filesize
157KB

MD5
758f63ca74b124b7f0c64eba835bfb4b

SHA1
2c579c363409e513e11b10cc90a56f799a14ff6e

SHA256
ab1564c46a44fbd1fcb56843c8ab381e0bf649ba58113381573135d119ca971f

SHA512
e5b801ced603ac604c631aad5a535121b063fc952dc37d02d00406a4e5c6acf19b84963f3e1c7e3c232c44fb42c52f72597888e051642112b004824b9b1252b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\naUUowIs.bat

Filesize
4B

MD5
150496af1400d569d676e4f6b01c954d

SHA1
bdcac7efb1570eba60a594950b9b34ff09cbb756

SHA256
fa4709fd0c04873836bc526ba00f7c68cd151fb131b620b6781f926ed1b4b7fc

SHA512
f60e1136a0910fdee3f4853b2dbb6ec8b76c405fedbe76957b268972d91ba9d24be9c7cb2e7cb3b6bf783196c10eec55eab3ef302f280b7d88360f2c02fbf45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAka.exe

Filesize
158KB

MD5
e2429b535b4be9b583a472d675a205a7

SHA1
46d4be745647aa6aa1d41f25a28ee3755aa76a9c

SHA256
62624d3ba6bf431d88b78b8d45ccdd57b835f23100a1fc8a900c4090af047663

SHA512
da0612759807460bc8822d389b8ae2aad6ba1ce49625b938e35e45054c886b1b2b8d9f2961b9f03e2e52baf43cdd595b6a7f5b1175ea8ae3aa31ce169a17bb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oWAQYook.bat

Filesize
4B

MD5
5b6bc325848f6eba7fc31d0846535f58

SHA1
fb22d89b8aad0bcb1fe0b7b04033b75e41e3b2df

SHA256
8cd15cafb4f319403b9de87409336690106d9e3dd8534bd3a0bfdaaa780a2d86

SHA512
14aaa277e6da0bb33d34f52b801a9832765076e8db952dea1a6fb8c5b29e037ead38dd7bb804fe1ff6067e4ab273a5fdb37947274a26aa4374178c113510b2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooMc.exe

Filesize
158KB

MD5
e96aa90e8fae21f26c12fdfdd55e0641

SHA1
88619bed319a7b154ef45f0d87e68379044e5a05

SHA256
3a714cdd5698ca13f39c93cbbd9f5b89386b459ea8977359a3d0679fcf90363f

SHA512
cc8ccfc5c4d57bdd8683308be217e966899c65d81df075fd94da68f498f26fb09fe8629ce28a71c593fedefa21d586689cb69a8e3ee3e869ab4eb8ef3825c564

Download Submit
C:\Users\Admin\AppData\Local\Temp\oooA.exe

Filesize
613KB

MD5
bb552ab32030f697d6cf969e71e251f9

SHA1
0763aefd62e3a9c9788374afa001b1e9f4b33c5c

SHA256
cb5c91a7268c94ef5c1966c9b73a99e6037f1320060d9d752e84e987866b948c

SHA512
e7259342a174f4938e82abd302557c99ddc433cb72f7e92fcd0f3519524b99e5d7ae271fbe34ca5bda9bca163054d2b6fa26ce226f9660cae3a4207eacf49d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\owUQ.exe

Filesize
1.6MB

MD5
ca74851599439a4aa5dc5ec5f9be6052

SHA1
6e35aabd595b8ae937a411c1f0b023847d500e4c

SHA256
496c606c97aeb47283919dd270929bd960c89fb988126aab033a5eb9c7f3304d

SHA512
990abc00b7b3ec744262a29dbb5869fabc585150a62ff19cfb17bac8bbf8f152e97bed8650ac77fa10ab091f283352dc08bfecfe36e49f305db8ec0c42b70120

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcIUoAcM.bat

Filesize
4B

MD5
097f9c630f23421fcd1f84bc8a3c3aaa

SHA1
825131f158ebd9681a51b8377bdd4d9e95c467db

SHA256
549104d56bc82a507a8efbe807faf4e1a2e0d62f8b0539173eec58feca4006f9

SHA512
e64616393c1653d54e737772fb3fc1c664ba811a500739909a6e2701b3251a2594741781308bf904ceeeda1d7adc6ed36e40a1faea94d71962aa5b65ce5e250f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pioIokMw.bat

Filesize
4B

MD5
31da0fa4dc34ef013dedf7c6925b2bb6

SHA1
407abdcde941024e324358c116fd0ce349bdba38

SHA256
72f0f8236b72b33b309970a9ab6068847dadf9b065abf06c7136f25a01985bef

SHA512
08aa6daab0131468937e59d9989e0817bc6a379a3a76583652f07a9f5db969dd734e6d1f38a750045acfcd9cd46a58d258817bd80d9150dc82336157c420c8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkYwMAMM.bat

Filesize
4B

MD5
2a7546ca185a5879c7e14327bdf56bc1

SHA1
12eac40c1b65c19942a85c005310de61c22473f7

SHA256
2be658a6243c86f0ae98ac682f148968eb6f1674174e44e579a52b39f38c121d

SHA512
2a9a08dd867c9f1e7545575c7978659ce31d6bdea2c3429beaaf1088efb57f1a92c2e65ca8bdb6190ab00e12ddedae6a712873882ea5ff68ce310934271aa3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAYc.exe

Filesize
157KB

MD5
9e08e24b08489f42a0ecea9e812f2ac5

SHA1
22572afc8855dae29eac05635a18b891f8698e21

SHA256
fb8b8b8bc52cda1de187c3954c2e47443bfd3e4b36424f37642fea3b1e94bf3e

SHA512
f2a00bd4832237df6124a7dfb6db8afd5ca893124d3a7deb29d1b536878497a0b799030b10a6c99332bc28f23cc18283c2e6749436d19b7ff138883b75e5090e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEIu.exe

Filesize
236KB

MD5
7fbc55bc1fd394118e3814d7a1b15db7

SHA1
ec7b7bb4bb5bde657fbb48f3afac4441a9d7041c

SHA256
0ae10c8d76400f5724e812ee83a19d1b6e1d67dd14b8c158583be0aa474adca2

SHA512
1a8efb89c2e959bf978a3e83c39cb5c675602063360a57173779986bd2d36f52ae2b3a4206a6ad7ec672b7960c1d88582bcfa802c40b71c7a16c9a66947469fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIYg.exe

Filesize
744KB

MD5
203e1c466c930cd7135e2798fd55c899

SHA1
0f6ec28ed0463afb9a45bf77688409bd01975736

SHA256
908eb5a464f4ba1d53a167250d72a646586b3d9679b59b8ce2c5a7ac86f7276d

SHA512
9e22bacb011c237ef247385658b3c0bae46e4e4097c1862778abc4134964393fa211e9dcae4bdf0518ba8cbf4919ea29e9e96ec65222c908aa0ea96d5a86ba2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgEAggEU.bat

Filesize
4B

MD5
4c63298f726c83696765d53ed842bae4

SHA1
b169ab3a3cb61028840defca91d6dec2c1e35f62

SHA256
a25d30d5eb29d9c4c5ab7749f57c3a178df9207e94f7d9c4d3f2f602671cc12e

SHA512
089212c5ef7e2f315083c30a2080dbba8ea737b087ac5eb3692615ddc8f017ae3511e4a3bef38f7fd4ea8103e3374e8f8c7b80371454f9b018b13ab7aa4d9451

Download Submit
C:\Users\Admin\AppData\Local\Temp\qowY.exe

Filesize
969KB

MD5
917d809fc0a6b03765437ec9ab107fcc

SHA1
d0b618c7a3402b64be114ef60bb6c19185ede663

SHA256
42d073b24e99c3f1651b8c15a5f5964bfa8505c112c89bf1e869dbc5d7578b27

SHA512
4e59a09ea86fb17acaa6f6e781dc3e73d58063dba2e20bfdf2a8560a9f56bd29832e6395e66b268c7840ee5349e0b13e85a48ef1e986c2329472f496b559662b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rWkIYAwg.bat

Filesize
4B

MD5
f819338de20cb8c47af5ed9c274e3f23

SHA1
8ff260f45116eaab01ab1cf62177c55a02e4fa72

SHA256
5ed697864639fa7066fbbc21c91cc73ecd66273a7fa05a428b9ad46a4e22d3da

SHA512
931d93fbc5f117feafb0304dc99b160f50f8be03571d0d492f13860dcbef73a6f29d86094f99aa64d1f86ae9df89feca943cef4b4022d0a4ea6402b5e0c390b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAsYMIIk.bat

Filesize
4B

MD5
c67b65cee9eecfd33ec891ae2666af3e

SHA1
835fa24dc98e7ca076469d0714c5139bc1e9ea2e

SHA256
6e27c629b95cd74b6a217a9a2a407d71554093a32cc0a4fb894964a7c8979691

SHA512
e4c267bce887df646667071d9318076f2b9c4e24e29b9ff62a2616cdf5cbc9eef3278b1fc2da40b90252340086624e9b18fd2c63a9c03ec288336ab3c06b0a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQAw.exe

Filesize
157KB

MD5
e72e041129f360bdc5f8c4ce03a2363a

SHA1
a4ce4968582eaab2683da949cf23262de62161cb

SHA256
9ca55a91a4d4c9ca7f0d6906fde48563d48fcd921929a635827727f7ac10e896

SHA512
48baa830a69272ded665e35b8aa4a7a6b1ea34f9ac7109ddaf078166e0300a8c931884d35fb00ac393b1e6e881f4ee5be5f7bd289ad1bb3c997425f58c5992a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgAe.exe

Filesize
159KB

MD5
2b9b13eac07c9d00ef4eeb6be5c463f6

SHA1
66c536ab763b49aaef74f2859d3719293aed2594

SHA256
fa4df4613db2971dfd9d72f7f98fa93bd26ecc2305712e4f671f2080f5a27e25

SHA512
ff08034859a9cf36cd5400892621f9a53a3bbd1410cc889b845be2df8670065bf80cc8fc46a1bcefa2b376b195daa5e15cb5ba07f091cd55538f1e3792f7b881

Download Submit
C:\Users\Admin\AppData\Local\Temp\skYIYcEE.bat

Filesize
4B

MD5
e24a242157f53860bbe925a1878768ad

SHA1
86fa1cf64bf39eaab37b6b8c9fb28330edc6cd76

SHA256
67ece58d7b7461741e40863bdf596da1b365476aa737e1d46a25e35ce256efcb

SHA512
2a6b4a0c1254f50681bc53855095486bb954a6ae4e91e836e18b792bde1c3b8f46439c8f96d8f53466d77aef54f0ae73151c73fc0bebce6c78f7fa43850dca98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkUsgUsQ.bat

Filesize
4B

MD5
10f29e13ce22c9d6f7ee17839402a73d

SHA1
5f3a64695b97d056e7ec6984cd49402c52dd1075

SHA256
be4ddd80864456b3e7f36ee969548217a6cb6e34571e3797176c631d554a4912

SHA512
a73b8bea2f3ac26404026dec42af18522d8b02d10bb3ad2c0f759c40f6b1e9932efd9137f6ba51968c5e9e11bdf1fe00fca4a5ec2edbe7b1fafb4957aa3e28f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uCsEAAYk.bat

Filesize
4B

MD5
fb353642e54cedd7f7ad5b6496b1a4bd

SHA1
b4b775ca3f6aefcebf7ee45d1c175dffb8aded5f

SHA256
953bb0bfc02b510c53f0314f7f5c726a0802b72078d30949c6bd412c3ae0e52b

SHA512
d97b0599d2ea24bd6db32facd07e7250d9ac8ae7b5e7e296fe5be3c1e0a373219c69dd83cbdbe3fd3870f18d5e9cc4e1338181a3eebbe10c1c83c3038ce9bd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQcM.exe

Filesize
158KB

MD5
fbb89ad944d5439007fdb2826a33df3c

SHA1
fd7aa572c32c59905108cc8d621a1abbc1cb61af

SHA256
d64b2db8ae8259c4aff88d927ec4e7fbc53579909d86b28afcbb9f815c115088

SHA512
9a4671d972a4136516ea13d4bfd9eae32aa34c3c636e9c9a423084e3662ad09e61102a5b073181bc22e39983c5d296cde94a5d702705fe6daf57d66f3ee8ff1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uacUgMow.bat

Filesize
4B

MD5
7ade1f48a2a7ef3c646a569f679944fb

SHA1
bc8f1afe8aea01a94ace6bf1cf60c0698f63af35

SHA256
672715cf04d40a308afeee068749b2d4a1e776d28de65d9a6c6adf063a9a2cad

SHA512
b0342521a1cde19936a7e60fa08897997fc6394e01c3a7a2a95e1d25356c551242db03b4bc666a3a70ae2a8dc28b5e5e949839984e7c956850c2cf2cee68c838

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucMk.exe

Filesize
1.1MB

MD5
6ad40151dd82d39687261b1b99b1f2b5

SHA1
bf422d3c20952febbd7116363d7af1c1a5acbf60

SHA256
894221238ee767bd3e2e9a272853b2d16d00074c9500bfe09310e3fdddabf2c6

SHA512
14d3634f2ece6412d4dc59f59f73acbccc31240273c97b75cf98e1aedadca650887a3519e79b86cb98459bb5bcb8c8eb61a229cea5a6ba5f0298107f12144c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uccg.exe

Filesize
157KB

MD5
44f388f26f65ca76d428e94b0d860928

SHA1
4219090fd8633b8876b7f85a80fd3ddad38d1a41

SHA256
6d5d4b78d3f1b64da6eb1374be37dfdc3f5fa08bdbb19093e04528cece46a8d4

SHA512
87fc1665a3b646c04f28e67101004110cf764a4e188ae30c7f5f4c1897af74e92784a39898329092c9aa7850e1a5ec275121722db56ec8adef3ca8c893910dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoUK.exe

Filesize
236KB

MD5
e3ebb1b032887e1dd1bd0613027740c8

SHA1
ea33aaed68fda2e1a5b040f299b04be4d27d1bfc

SHA256
cc5b71a12fad1a95c7955766a31a936fcfe72a24e7499e1c3328e0e51d8ab1d2

SHA512
33a81420f64fe63eb9c74cfe808691956c41c7f48741ba8a9a0b91e56ec505b218e28af16a59cc6fb82edee425c9cc6894d4b20cd659d39bd8d9b17aed310d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wSgggsUY.bat

Filesize
4B

MD5
5b3df133ce47a35ff65ca823c407c8b7

SHA1
be910e60ddcac3b10dc49fb427a66afbe53693fa

SHA256
8885bd36f2fb547b7e56b40f6dcdf67edb67a9047b9762546d5a3b756cef42d3

SHA512
8b0fb2e4a01e3a96f99f720b26a13949135ff3f22a2d3fac37bdd3ef1a9af0f4b8f31aa67c07ed37c6ec8d2316c76749a65068c8c89feba81d4dd1f08bd4fb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsgq.exe

Filesize
510KB

MD5
e7de81b91415bb4e7a64f95e918c0ac0

SHA1
422f24e7af474dd1ddcd2386a1afe551dcb13a6c

SHA256
347c52327cb99e9c08b202a6713fd26a71b414aab3bdc583d747c849a98f3e55

SHA512
3ac3b456645de6440eaecfbfcbb54352d3b8a407ceba02c98c487788747e1dbaaa117a5b9c386251fb7c34c00a4ab26517948d1c39a1e76e0f51937cea591d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEoa.exe

Filesize
159KB

MD5
9ab6f39b09be8ef7e35672ca916847fc

SHA1
21d8a30c2076ee1747db70da254509d0f78805ea

SHA256
16044b6bf8494960c5e873830efc460f8a949b582caf5ba796b2839d742d1173

SHA512
ad68fe4651a0821b89823fb9b76d3771e30d1b0dc875fcf7672ede84439f3805e7b30b1e6611024b55af6a50072487b8ce37e90d5e6c44008e2d9c6ad7827d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQMk.exe

Filesize
159KB

MD5
95322b0e7c5420c9f5720aa6b69e3f5e

SHA1
ede2306e025edfa833251b65622f21fe7709aa0d

SHA256
2b69c67f11c046ed20db8dddf038bd2c4901d52935839a9df7e89d3e6968ea55

SHA512
e9ba514b1430984b443e04feef35b5e185f96b65ab11babff8e09650c93fe0266573ea669e06475eaded11f89d3d6248fead2eaf2ef619c612994c8897e78048

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykIC.exe

Filesize
4.7MB

MD5
f7b0a9e71a8e6a8e311986d92a7fb8b4

SHA1
6baaa4dfb14037f6d17c167b02c96ed53b1ed3f8

SHA256
df2ff9f285ff35d837bf2433cd8f84f930835bfd6feee9e763fcf95c79043edf

SHA512
8545268e80a468a15aa488ac843069ba5304ad5a1d638a4e8815a1910f1fcb405a6b8b5c409cbdc3005b996fd2ee812f2a802c28befbefc7ab5e327ef5fb3029

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEQcMsoI.bat

Filesize
4B

MD5
b6b71ffda0bb142048d4fa7cd1ed1f23

SHA1
40fe07a85943e3e718c555bd67e027318d0fe27e

SHA256
981db7dc1fe2aa48945e3d4e2068401f96cac952847237f73274ed479fdee62b

SHA512
d379dadf59782db49033abb2fad9d43f452ad5b2ee1b9c2725c490f1ec0573b15ed3c2aac79a67aa03ab5427c005f762f25b0e7c35f39e25adff6b729b4234c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqosMQUk.bat

Filesize
4B

MD5
e9eb31ea01192cb5b53a6a50dce0e966

SHA1
5ccde78ce0c8a8811571bdc11b4b21dcf0b9b642

SHA256
84a6d32046e334706dbbe8d048128becc909e4153516763e474274a523705c67

SHA512
95212d928e8d2649ae3812493b0e54af85b48657f164b0d9c386dc59fa057564bfc037de77e0cda4b632b8d7f3da1e96ee73bc0471bfefe22530b77ab662a78a

Download Submit
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

Filesize
8.1MB

MD5
a5c0d6e054cf3371590f9082368c3e6d

SHA1
00083d2298c8e754ec12b0a13a0af03e229c7bb5

SHA256
e49dfa0a751832b6e35c2f44a46f63733e2b2b95a706b3e671a365a4d388d0be

SHA512
14b3c7eecac9ec0060226ae34003898ef98a22cf032033036f01d36e765156e733fd74ef06a86cca39e0b74b920e65d7d78e27a1b5baaf78c7056897bde011b8

Download Submit
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

Filesize
4.0MB

MD5
f7b688345871b511005cff0115cb8737

SHA1
31d49c133f8fd673738dd3fca642f4f4f5853b08

SHA256
d6a333af9be89aaa1ed22f8d7aff540bde8f185dd093bcefca617c766264c25c

SHA512
06fd3d0b15b3e4aa4b860778e62b86ff3377df9b48857b452bc80b35536447f73cf0f397c91bc0ae82a4287d256887c590f374e6ce11fea351759b78ff77ff5e

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\Users\Admin\nUcIwksQ\XasgIMsw.exe

Filesize
110KB

MD5
a2f06de85b2b002b1874f97361b9e6f3

SHA1
6763abeb6f932d40fd2f4bfe61f9d454aa2f9064

SHA256
db5983ab1596695ff0b478b37a7e5cfbdd333c6f4354655073e0055acce5a252

SHA512
7ae155f80e1fa2cffbbccf88517e9f67c61bf65cef0a92bd7495a1a03f532e8ce156c5e588c1a0f6d311010130c3704dda5bf1b10849ca3a248d46d83722a13f

Download Submit
memory/292-1128-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/292-1127-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/348-436-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/376-134-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/484-102-0x0000000002270000-0x000000000228E000-memory.dmp

Filesize
120KB

Download
memory/484-103-0x0000000002270000-0x000000000228E000-memory.dmp

Filesize
120KB

Download
memory/584-650-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/928-1714-0x00000000000B0000-0x00000000000CE000-memory.dmp

Filesize
120KB

Download
memory/928-1715-0x00000000000B0000-0x00000000000CE000-memory.dmp

Filesize
120KB

Download
memory/1036-1785-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1084-1563-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1084-1564-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1084-266-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1140-1716-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1188-396-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1220-244-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1288-257-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1320-745-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1320-672-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1340-288-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1488-1248-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1500-310-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1576-821-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1576-929-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1588-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1588-12-0x0000000001BF0000-0x0000000001C0D000-memory.dmp

Filesize
116KB

Download
memory/1588-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1588-13-0x0000000001BF0000-0x0000000001C0D000-memory.dmp

Filesize
116KB

Download
memory/1588-30-0x0000000001BF0000-0x0000000001C0D000-memory.dmp

Filesize
116KB

Download
memory/1628-820-0x0000000000130000-0x000000000014E000-memory.dmp

Filesize
120KB

Download
memory/1628-819-0x0000000000130000-0x000000000014E000-memory.dmp

Filesize
120KB

Download
memory/1652-375-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1668-1406-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1668-1501-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1728-345-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/1788-1498-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1788-31-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1796-156-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1800-279-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1892-658-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1892-1640-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1892-1565-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1936-178-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-1499-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1992-1573-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2052-235-0x0000000000370000-0x000000000038E000-memory.dmp

Filesize
120KB

Download
memory/2056-323-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/2072-213-0x0000000000180000-0x000000000019E000-memory.dmp

Filesize
120KB

Download
memory/2076-1225-0x00000000000F0000-0x000000000010E000-memory.dmp

Filesize
120KB

Download
memory/2076-1226-0x00000000000F0000-0x000000000010E000-memory.dmp

Filesize
120KB

Download
memory/2084-906-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/2084-905-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/2108-1404-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2108-1334-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2204-80-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/2208-1738-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2208-1628-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2240-843-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2240-723-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2276-1040-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2276-907-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2316-332-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2384-1407-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2384-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2424-1784-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/2424-1783-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/2460-1030-0x00000000000B0000-0x00000000000CE000-memory.dmp

Filesize
120KB

Download
memory/2460-1031-0x00000000000B0000-0x00000000000CE000-memory.dmp

Filesize
120KB

Download
memory/2468-89-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2468-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2512-147-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/2568-513-0x00000000000B0000-0x00000000000CE000-memory.dmp

Filesize
120KB

Download
memory/2576-1312-0x0000000000160000-0x000000000017E000-memory.dmp

Filesize
120KB

Download
memory/2576-1627-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/2576-1311-0x0000000000160000-0x000000000017E000-memory.dmp

Filesize
120KB

Download
memory/2600-191-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/2608-301-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/2636-200-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2648-535-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-1405-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-354-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-32-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/2756-33-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/2792-125-0x00000000000B0000-0x00000000000CE000-memory.dmp

Filesize
120KB

Download
memory/2804-222-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2836-169-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2840-427-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/2848-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2848-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2936-721-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/2936-722-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/2984-112-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3008-1333-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3036-1137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download