f4364fae133e48bde2659e5903e133371af5e97b3cc3f84a9671a79187a7d42e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Size

121KB
MD5

0ca1478489d45ef50ea00cc65e30f283
SHA1

ac3541c33fb0769655b4e3e475d4381b140ba37c
SHA256

f4364fae133e48bde2659e5903e133371af5e97b3cc3f84a9671a79187a7d42e
SHA512

fd88962164d83e0f23a49cdf54e914b7d613075a5289c94bafb5e5616b8ebcea048357281a6e37f4233d148295080915f01f66ab8a5b90f99d443b07f5292c0b
SSDEEP

3072:uAoxPqClJjfiPW1z12uNe+HA/40UugLSckJwd:3oxPpdz12uNS4eaSckJwd

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DqoUgksk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	DqoUgksk.exe

Executes dropped EXE 2 IoCs

Processes:

BmUcgUgg.exeDqoUgksk.exe

pid process

2376 BmUcgUgg.exe
2300 DqoUgksk.exe

pid	process
2376	BmUcgUgg.exe
2300	DqoUgksk.exe

Loads dropped DLL 20 IoCs

Processes:

2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exeDqoUgksk.exe

pid	process
2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exeDqoUgksk.exeBmUcgUgg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\BmUcgUgg.exe = "C:\\Users\\Admin\\boEEIMsg\\BmUcgUgg.exe"	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DqoUgksk.exe = "C:\\ProgramData\\zyUkcMQM\\DqoUgksk.exe"	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DqoUgksk.exe = "C:\\ProgramData\\zyUkcMQM\\DqoUgksk.exe"	DqoUgksk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\BmUcgUgg.exe = "C:\\Users\\Admin\\boEEIMsg\\BmUcgUgg.exe"	BmUcgUgg.exe

Drops file in Windows directory 1 IoCs

Processes:

DqoUgksk.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico DqoUgksk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	DqoUgksk.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cscript.execmd.execscript.execmd.execmd.exereg.exereg.execmd.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exereg.execmd.exereg.exereg.execscript.exereg.exereg.exereg.execscript.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.execscript.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exereg.exereg.exereg.exereg.exeDqoUgksk.execmd.exereg.exereg.execmd.exeBmUcgUgg.execmd.execmd.exereg.exereg.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exereg.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.execmd.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exereg.execscript.execmd.execscript.execscript.execscript.exereg.exereg.exereg.execscript.execmd.execmd.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exereg.exereg.exereg.execmd.execscript.exereg.execscript.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DqoUgksk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BmUcgUgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2588	reg.exe
444	reg.exe
2920	reg.exe
2896	reg.exe
1500	reg.exe
3040	reg.exe
1660	reg.exe
1872	reg.exe
1384	reg.exe
3064	reg.exe
3064	reg.exe
2396	reg.exe
2008	reg.exe
2232	reg.exe
2700	reg.exe
1824	reg.exe
1540	reg.exe
3056	reg.exe
1636	reg.exe
2632	reg.exe
1772	reg.exe
2940	reg.exe
2756	reg.exe
2340	reg.exe
2004	reg.exe
1444	reg.exe
2000	reg.exe
2692	reg.exe
1196	reg.exe
1784	reg.exe
1992	reg.exe
2536	reg.exe
2548	reg.exe
980	reg.exe
2412	reg.exe
972	reg.exe
1180	reg.exe
2412	reg.exe
1640	reg.exe
764	reg.exe
2760	reg.exe
2908	reg.exe
1732	reg.exe
1916	reg.exe
572	reg.exe
2444	reg.exe
2004	reg.exe
1404	reg.exe
3024	reg.exe
2536	reg.exe
3016	reg.exe
3068	reg.exe
352	reg.exe
904	reg.exe
2828	reg.exe
2412	reg.exe
3016	reg.exe
2352	reg.exe
2412	reg.exe
2800	reg.exe
2692	reg.exe
2744	reg.exe
2900	reg.exe
1596	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe

pid	process
2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
332	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
332	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2316	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2316	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1604	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1604	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2888	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2888	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2656	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2656	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1852	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1852	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1260	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1260	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2196	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2196	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1612	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1612	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2392	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2392	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2840	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2840	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2784	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2784	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2248	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2248	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
608	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
608	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
868	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
868	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2688	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2688	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1396	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1396	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1680	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1680	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1648	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1648	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1916	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1916	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1604	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1604	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2636	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2636	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
848	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
848	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1896	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1896	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
3028	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
3028	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
920	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
920	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2740	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2740	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2296	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2296	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2192	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2192	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DqoUgksk.exe

pid process

2300 DqoUgksk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

DqoUgksk.exe

pid	process
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe
2300	DqoUgksk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.execmd.execmd.exe2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.execmd.execmd.exe

description	pid	process	target process
PID 2692 wrote to memory of 2376	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	BmUcgUgg.exe
PID 2692 wrote to memory of 2376	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	BmUcgUgg.exe
PID 2692 wrote to memory of 2376	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	BmUcgUgg.exe
PID 2692 wrote to memory of 2376	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	BmUcgUgg.exe
PID 2692 wrote to memory of 2300	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	DqoUgksk.exe
PID 2692 wrote to memory of 2300	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	DqoUgksk.exe
PID 2692 wrote to memory of 2300	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	DqoUgksk.exe
PID 2692 wrote to memory of 2300	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	DqoUgksk.exe
PID 2692 wrote to memory of 2760	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2692 wrote to memory of 2760	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2692 wrote to memory of 2760	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2692 wrote to memory of 2760	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2692 wrote to memory of 2848	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2692 wrote to memory of 2848	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2692 wrote to memory of 2848	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2692 wrote to memory of 2848	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2692 wrote to memory of 2828	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2692 wrote to memory of 2828	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2692 wrote to memory of 2828	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2692 wrote to memory of 2828	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2692 wrote to memory of 2804	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2692 wrote to memory of 2804	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2692 wrote to memory of 2804	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2692 wrote to memory of 2804	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2692 wrote to memory of 2772	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2692 wrote to memory of 2772	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2692 wrote to memory of 2772	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2692 wrote to memory of 2772	2692	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2760 wrote to memory of 2952	2760	cmd.exe	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
PID 2760 wrote to memory of 2952	2760	cmd.exe	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
PID 2760 wrote to memory of 2952	2760	cmd.exe	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
PID 2760 wrote to memory of 2952	2760	cmd.exe	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
PID 2772 wrote to memory of 2664	2772	cmd.exe	cscript.exe
PID 2772 wrote to memory of 2664	2772	cmd.exe	cscript.exe
PID 2772 wrote to memory of 2664	2772	cmd.exe	cscript.exe
PID 2772 wrote to memory of 2664	2772	cmd.exe	cscript.exe
PID 2952 wrote to memory of 2500	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2952 wrote to memory of 2500	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2952 wrote to memory of 2500	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2952 wrote to memory of 2500	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2500 wrote to memory of 1928	2500	cmd.exe	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
PID 2500 wrote to memory of 1928	2500	cmd.exe	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
PID 2500 wrote to memory of 1928	2500	cmd.exe	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
PID 2500 wrote to memory of 1928	2500	cmd.exe	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
PID 2952 wrote to memory of 972	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2952 wrote to memory of 972	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2952 wrote to memory of 972	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2952 wrote to memory of 972	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2952 wrote to memory of 1104	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2952 wrote to memory of 1104	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2952 wrote to memory of 1104	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2952 wrote to memory of 1104	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2952 wrote to memory of 1636	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2952 wrote to memory of 1636	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2952 wrote to memory of 1636	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2952 wrote to memory of 1636	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	reg.exe
PID 2952 wrote to memory of 376	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2952 wrote to memory of 376	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2952 wrote to memory of 376	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 2952 wrote to memory of 376	2952	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	cmd.exe
PID 376 wrote to memory of 1544	376	cmd.exe	cscript.exe
PID 376 wrote to memory of 1544	376	cmd.exe	cscript.exe
PID 376 wrote to memory of 1544	376	cmd.exe	cscript.exe
PID 376 wrote to memory of 1544	376	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\boEEIMsg\BmUcgUgg.exe
  "C:\Users\Admin\boEEIMsg\BmUcgUgg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\ProgramData\zyUkcMQM\DqoUgksk.exe
  "C:\ProgramData\zyUkcMQM\DqoUgksk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        6⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        8⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        10⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        12⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        14⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        16⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        18⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        20⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        22⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        24⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        26⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        28⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        30⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        32⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        34⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        36⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        40⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        42⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        43⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        46⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        48⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        50⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        51⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        52⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        54⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        58⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        60⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        62⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        64⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        65⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        66⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        67⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        68⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        69⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        70⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        71⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        72⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        74⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        75⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        76⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        77⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        78⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        79⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        80⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        81⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        82⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        83⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        84⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        86⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        87⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        88⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        89⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        90⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        91⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        92⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        95⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        96⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        97⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        98⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        99⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        100⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        101⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        102⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        103⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        104⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        105⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        106⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        107⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        108⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        112⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        113⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        114⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        116⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        117⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        118⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        119⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        120⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        122⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        123⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        124⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        125⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        126⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        127⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        128⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        129⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qQIQQwUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        128⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yQsgooEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        126⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMMYQAQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        124⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqYssUgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        122⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XkIcUYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKAUQkIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAQAYgMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        116⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkAAccAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCAkgAIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        112⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYggEAYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        110⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dikokwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        108⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\huUMoIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        106⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwMYAUEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        104⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWgAMYgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        102⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QEgsQMAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMEQgYEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        98⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wGcIEUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        96⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PksYEAYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        94⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwwkQwso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUcQIkoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        90⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XiQgcgAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DeQAYkUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        86⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\agUAkkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        84⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gOgcAgUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        82⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUEUkwkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        80⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sgAMgIYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        78⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xOEYQsMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        76⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PiQQcsgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        74⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tgAwMkQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        72⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JGsQYgco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        70⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NswoAEMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        68⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aYoIcckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        66⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKgQoggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        64⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mqQIYswM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        62⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RggEMYQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        60⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\POAYYEgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        58⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dmEwgIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        56⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ASgcUAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        54⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIkoEEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        52⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\caMwcYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        50⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KKoocgAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        48⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NYEwQAIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        46⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMUsAcIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        44⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JackUMss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        42⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LcgAUAcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        40⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vaIQcUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        38⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCYkIEgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        36⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uqsEokQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        34⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWcEkcYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        32⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UsAQocEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        30⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HywEoYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        28⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQEEIoQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LEoQcQUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        24⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DewssEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        22⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZYEAIsIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        20⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQIYwsAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAYcoIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        16⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EScswMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        14⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DKowcosU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        12⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PeMYEEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        10⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmcoMQgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        8⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1868
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1736
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYwkkcUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2260
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:972
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\EqEcYUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1544
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2848
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2828
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\yqEIEUMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17162371841494223096-125642802-1209247099-8414205565168800551612889674-394187639"
1⤵
PID:2320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-278480003-373089577-874234379-1478847412-314461852-18948357321655035940-825701566"
1⤵
PID:3016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "422776847-1742500916197514323512726447371413315486-123200106014594842151806553205"
1⤵
PID:2888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11228380551968493973219385968-1940376932-14288869851473730713-1807626814-1804702136"
1⤵
PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "50589591796052352-1655878680390226675843341969-1947642622505323602-1580293595"
1⤵
PID:1872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14345254291756107324-99743355745564472-7142158193739641529076536021703939661"
1⤵
PID:1852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "311139763-14693251748507159091998356411799788336600409758-16143159021675752772"
1⤵
PID:448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1774436424409706715-422466363181403880550037561410522963811062892739660976081"
1⤵
PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "764681783-709700483611346546496853231752738483532735696-1255503096407078121"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1328116438-517952762624640687-13981575971975637411696985622-1610450086452529283"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "65399285-11293655149457386452069699196-1992447334-272844712-33194598537648517"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9097349662013002146-98975217021473632671979738820-4296666221536090425-216225107"
1⤵
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1518541861-13429836232646866201660828988569084479-1844842119-1611381168193909940"
1⤵
PID:1896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16229684841696444723-145875444-1850351059-670003051-1039140969-1027713622621453907"
1⤵
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
158KB

MD5
7869b2ba5f57653a3b19a95822c74a3e

SHA1
695f35e734647e3ec1b225ce7287247408b0b30e

SHA256
a3642197fa350239e73041587ef4fa059fc4317b2faf3e89713f60b769262b83

SHA512
3402240eadc28a8239091a8c85135f7585cd6ced1a974d6bfd1a2a220464b77aada5c52dd61fd12119b1dc1c52fbe45ef54d0a5b0bc13a31cb29adc80b3bb2cd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

Filesize
157KB

MD5
a08965e8372c9dd866e922beb4b4a311

SHA1
1b958927c43b74a9e21e895bf3e2f19d3f6cab41

SHA256
2e84418fcf5b09bd0a5eb111476820db9ebc5e9b4bdd93ac37cdcf98709c6b4b

SHA512
84c10ac1a69cc1c8011adcba5a9afe9d3253638bd77232a8bb26d84ae2a18c3cc825a77e45fd8030c739b67cd1552a65f04815c9419910f7d6e9ea0aa1d25c2e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

Filesize
160KB

MD5
0c4d301a652a6f41d88cb32f08f267c0

SHA1
716953f5d0e70c6cea14751cfacc9a2a01d79125

SHA256
6d1f61c237e1d4451095fe17e1fc441f7bfdfd05da179d4904ef2cd30995e746

SHA512
2a8a0a647a3008731d1a0d116b77a776239e221c84874c7e76ad2f75574a1780e837874d744ff06c06eee61ba40e9a5d8b1d4e5ce1f25339e896b10a43dd88da

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
159KB

MD5
3fc070e6249039d24007898c3ed44852

SHA1
c106e7e02d721531f57f2992aa2212ca9464d030

SHA256
18ce9921c9d1277062e0a2fea93731f80c79daaa222c29b2dec41a5e5bd931f9

SHA512
a874a19a66747ea747bebdfbc123c5efb45f826bffb8c56284def42ce9245f5db641b55d48fc3e25fb1083e182212aeac6b4b82238536c80e6e8e2c6effea6c9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
157KB

MD5
e7465fd38e1c8c14a57d1f34608e06a6

SHA1
4703916d36e41ce26d3903197eb62ab65d38876d

SHA256
04c386a0e2bc4b3b360df7c30af094c03fe24e07b3d4b47d3118a939a7822ddd

SHA512
a03fafe1be678cc411f5030922829d503324d7d144f05e5ef3a43e5c00ddac7bde8f1862647e9d7ee653640a753d75e3cfe600c4a1fc42d2db7515d228118513

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
158KB

MD5
3dc69b668daa4ee7e3edd3358dadbe65

SHA1
e69b2c4dd2fef3a008dc10c10cdb1e0486089cf7

SHA256
8f53eb5f35f5e34847fbb8c3d638ca25ce5e409b3c2aec36c2fbbd0540c16155

SHA512
1ab87035383e27e3b2d1c8dbb012bf3f52bafcc048cdd00ddba97ae470d7093baf2874fe9b682aee66e44da6c354d3a094a023cb65ac3c89c7011a033d114adb

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
569KB

MD5
d26c3c58dd70ea1e8175bfff4fe2a6ca

SHA1
75ada046d33279be05fa6ba43a739d663f4f2c67

SHA256
2c12c4b52e7a9e60445fd094e008e4788b505c642769a67e82419fbaae61d705

SHA512
e0e70ddfba80a39c21f403a06e062c4651fc059cde13c0bb0cbe46a8883d6901a11a26e7e9d5b3cafc449dc609d93b1d8322105da9d2341d4a156df5dcf10112

Download Submit
C:\ProgramData\zyUkcMQM\DqoUgksk.exe

Filesize
110KB

MD5
bb379acae02c91861fed2a20a2c00951

SHA1
0efd39c138acca2e265cda1f95242840f75ebe4b

SHA256
9e2de6a8eee39b9655b12c77df5cec3f9c9637aa68f365fdf4c80860032f86a7

SHA512
6154db20af99c148be9dc1cf819f5ea7ec88371dc9b67f0de67de7b1b8eeeb2879d71233111f3d9e13242beca5ccdcaa2b515b129517827ad3a84cdddbd24e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock

Filesize
7KB

MD5
4b542ae8cefb03050e85a1d80fbd2780

SHA1
d4d056dfc313af8b736b2613861f22e2cd873dc8

SHA256
e9b3ecd633671ebf77e56953405e5b33cf95d0d303f5264a10e9d9dd9c8375ee

SHA512
8200a285dc446ea5ab581a9a98a83a1923362ce700d450bc2122ab7f88b19137a5b1ddae621610ef4c89477418082007cac725c0ddf17968393d1628cd02fb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACossAQU.bat

Filesize
4B

MD5
1c3ca8e525c0e6a47cc8489cb3155365

SHA1
030a69a27001427fcc92e1eb9adde7a291992ca4

SHA256
9441f1f4e68eea4d5d49849ec7a816358c3e42c3acb52902ff5282ddef3b6a4f

SHA512
fe774dc60b324a26ea7e0c9d207e6314be9bf9df7d7ff3ee41df29739132392cecdb567d3f25c100723742588f60e7efdeb1031c2b57e004bd3a289ea93f302f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUsa.exe

Filesize
275KB

MD5
914fc145cbc29068fb6afea11ba8e43e

SHA1
f1f1eead9285e0be98f8ac4286b994debfa0cb2c

SHA256
a18d2385473dea3be7a22fbb8f5612393aa066b5bc6afe08882856ef6130fefd

SHA512
fa0478a34b95a586c0cfc16ccc1e1e857a6e6e56a8e79d2b1764fa80dfa284ff32a5dddf2552234fe50d3db70b7c545a4416966a75a13de037fb2bbf84986188

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgQc.exe

Filesize
158KB

MD5
b07515254a0254b43d0784b6c20b41d8

SHA1
2e8be38844db1653a483a42028fa5187008e3692

SHA256
81942fb4201a5128046a044965b72d5b022d353655f8eb347a367feacb9b6354

SHA512
7a7010522ab69069f8563e5dd56556f2faa155bbe7745a36894df4c76db8e4c09755d5850bcc92ba660bbb6d58fffa92c133857a8eaad0eadb0413b72f68f860

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkMwoYkY.bat

Filesize
4B

MD5
4be8c7adaf4430dd905e7e699c5da29e

SHA1
eabaa98a7418c37b9bbdaca50d285ce5f6635954

SHA256
b6c6f8d4c1ac3d4d31cad1a87f96b14f041e5e33505f8e9ce39cfe0ee6a806f9

SHA512
0bdc3d5d83bc70a75f1d63e7cafff613e75f81f97bdd02636e7b7c47585a240086b6ce7cc562232f838deff484fa188f74ac5bc93ade45722bd979b202551c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOwQEwEI.bat

Filesize
4B

MD5
2aee2231bba7991ea3ffb55989328e03

SHA1
5965d423403cdea55a9951fd66f98bc831e4470f

SHA256
76d56c71d438eed1b9be98d71cbcf3469b5afc475d69a48289b37defaf019c9f

SHA512
4e97624fc1defcdd1c39611d87bdfaf09ca8fb028ba469148b1771d3dfa6f9c65610fab72ae994484b478f2e85c2c183175f137b7eef8b87db42a61b8d5654bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAsO.exe

Filesize
160KB

MD5
6f5a0631315d938eb4233af7e37a6293

SHA1
f2f192475964edde60c9962883d17fc008b96aeb

SHA256
a692ff7ba7889e3be98556cda3c57422c0cafa66c7caf7bb3562bc511fdff0e3

SHA512
b40749b52f8054ece5b66879b96480b9ba56d7ec19b8a12d28597703721196a51aae803aaed360da5f0f783669a51c39bbed284a1960e02b34bad1be84df932c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCwEEsgU.bat

Filesize
4B

MD5
c9d6b7ab8e48d44dea004d3b4d87d027

SHA1
595e80350a86f968bbb43a2570715b62104f6a13

SHA256
a2981b79c8d3a7a7200f2d89e8a94a892b1c62e4f596aa5259fd473e6c76caa0

SHA512
4f1b68b190103fce43981efca72b1514bc47f9bf51fac948a472b8a1e605f8f3ec6298a7b8c151f6d12d0ed910c1c494aeb9f343167f3138e351e09a0fb6b2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIsu.exe

Filesize
238KB

MD5
fb5c6e1d0dec3938eb7da461861438c2

SHA1
bcaacddb722f7c5734201d2bc8e0ad71e0c3de07

SHA256
5d22ebafee0d9f50056ef5f7e5d2e0b2d193d41d6f77f7798a22560425472cdf

SHA512
45b2b0c89239133eb8ac9de12a432dae881fbb48cd0c0cc8c4f2cb5e768aab4c7eaaee3e70f6f9b501739a697db0c0b0351177120d77c3e3144eb950f9f40798

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMow.exe

Filesize
158KB

MD5
d72f5ae43370f1700fd1cc5c58183fed

SHA1
156916304432991c245221ef6de2a5cca433abb7

SHA256
3ffd088d337bce46cc14ec5ff1004799c6bd6391640d936f8f9cb104e28a6a6a

SHA512
9ef191b7f57d15f02c823e7e4b8d5a6b7befbad7ceb6fdcbd0b84423e3e06da5581b046241ebd05dff3cb3178ae17c60a4cd879462ffa1343fcd39619c7fcfa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgIa.exe

Filesize
159KB

MD5
626b5cde3969205ff6fb1dad8dc6f27f

SHA1
15b51fe5e285349970dbd90e2ec0f810066360c8

SHA256
610fb0e2113a0ab78748d393449ce61fb193e648745682e6c1bd997faf15722b

SHA512
204889053b5885f37c4e4cb955fa48fd3159ebe5eec710a9a1614906e5dc4d1ff5a325be9c80c164463fd72014c41de6f159524da45f800343af4309f013f095

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgYC.exe

Filesize
157KB

MD5
dcd7f29cb7c677bb807b68176afa528a

SHA1
2423aa6c9cf9838a5f86844fdf9225390f55a0b1

SHA256
efc14a453204c8862dcc549411ff5d524e4ff8ea3a5b6dcafac33db5ea597fbf

SHA512
1f40f18f90aa599baef7f4b5250c2176a56c340019fb6f91d649432afe20dff5c9f514e2fefd3d567bd341eb821f63af3c25a4fe044a4815cd0d6fa58ab5dbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CqYwIMkQ.bat

Filesize
4B

MD5
50ec53ae1e0ce6b81ddd532ce4f774c0

SHA1
05134519582c297c5a2e58de09c596904eadf346

SHA256
fa2c5636492d51b5c4dfd0e68c4a46ddb61571e984317ed14bb2e234fa493a85

SHA512
574756df3ecbc7edcd932e9a04e9635ee842841b606963095bcacb8a3803ac340a7247df7492801af659b0fac5bec65438e3585418815bcca9eff4a6df6abbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAAEgQEo.bat

Filesize
4B

MD5
6ef469390d90564eb5b5988591d5cabb

SHA1
e5d09ce913c24ee5f90bbcbf5987bc766bb106ab

SHA256
de63cfdc218d66d526e1829f0341fed1c7057fbfd51c0de41b10983a861a7e76

SHA512
6c39b8bbfe745316b00940056fe2262828d611c09d591c62ccd244c9d123aef104d9736cd0eadf3e2029ec4339022cfc9a992b597e59fd7cbb78dbab65b929f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAsgQMII.bat

Filesize
4B

MD5
297db6b5afc22bec95119892fe1abd6c

SHA1
cbf4be52b9f87928ae8ce2f91d1711b1b6da0456

SHA256
f840c863b28ddbf1e5c950511be2abcaa74af11006bf592b69639b1c6f2eaedd

SHA512
54a2abbfcd51c9b503a95c7a15e988d3780bc0df92885d2562dc1141f70e59f6116cf787082f2a0d94014fdbb0eca172018cac427fb0807845dd249f531b7db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYgC.exe

Filesize
157KB

MD5
5d935adc77389c849c9874137bb7272e

SHA1
bc4e94a314134b1683c9e3ccb124e4250c4c9379

SHA256
2c817538b2d254a157e22c4dd659743bdc9bfa2c11ff41c9ba6135d3c87a30e7

SHA512
21304f133886b94026d43de7d12b0d91c137d14abd0d09e9a36208621d464bc31ccd00b902146be1c4e59bbe9ea930f8cf5fffd764b5391f8fc41402e0a23159

Download Submit
C:\Users\Admin\AppData\Local\Temp\EggG.exe

Filesize
157KB

MD5
0f2c87412429265fa876b75856fa0cb9

SHA1
a7469ba40904755fadf9633c6e02d089641412d4

SHA256
96d09fc75c5be895b2cb259c080b68c93958b57aec7a501ab78624911ad8249a

SHA512
09ae886ec8164967e75785f356c8ec3658e699f294b7ba328f4d32c6ec168c24c0b075a89d506da13ad54e40b411caba7d3c12b54df149e98a9ddf87fc3429fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsMq.exe

Filesize
157KB

MD5
07b2f5354978d0289ebbe0b2b8386dd3

SHA1
0b0c5258c899fa0fe140795c29ccc8d0c8efdca4

SHA256
1efd8eca895792456697bc1c30d50ddf5ae5c5342e30a8f1d09d5095d54ab5f8

SHA512
fc1f0b7d2cf8e4ca5a7b17411e646977f7504bad2d6f09c746a719d5fd6633d3f28181fd8fe9c16e2c5f4b7c6c8e2b2ac5840a0bfe49b72071577a4412bd5b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FqcIMMAw.bat

Filesize
4B

MD5
77fdd65e353e2dea834970ef85e4f27e

SHA1
d0dc989500bda20784f123fd88b395cc0841f200

SHA256
2428c739ecf4ee5d0475ab254f3b5f964d568b98a9481f9435ad227474cf3a8c

SHA512
61b98b717a5c148e580aec3078ec206037775578af2fc2ddda5663789a412eb234ede0da326e2a36aa47cb01fbd255225e2c2da9002fb07cfa90351f575847f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIEIwsUU.bat

Filesize
4B

MD5
63a66588c96df63fd0169173e468e5e8

SHA1
b09445eeff69ad2db304476eb45dac8d95d410dc

SHA256
cf9fed702df95b0659286d91e245fad89483e7bd794d235a7c5a9a3167ec4bb9

SHA512
94893d0c45f57287e5bd247096f3b83a4149d819930341edcc03f21ef513b798f1ca43896244890dd4c15f54c06c6676809eaefaf237df2faf83f177bf65ae4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQUo.exe

Filesize
158KB

MD5
2115464d16ee1a24c523dd8c205b727b

SHA1
fef3a472f9cfe721c935f95f3c8a159c4d665fdc

SHA256
1b0f628283f5444269be9cdfb3d5ae61b265a70ce1cc95e722d3039b03bfeb31

SHA512
a2402897a519e615ce6ab5b61ef53382d4dc52ef7bce87987a1dcbf781ba2508ce09d47fbff45e5710da0a85b95625d6f21e52f4608da431dd209680d5effcae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcse.exe

Filesize
159KB

MD5
3d7686092c48cf6e4d55952c7d74e252

SHA1
2bfee2c5d13fe5cf6046f9568ccd566cb4d1f3a6

SHA256
1a587a3d3dd9278069d93194475262bbb2a7d77f62afe0cf92ee5301d0309806

SHA512
c9d8f47179e42ed1afc6c3b0d9d3be56b9325e44b8cd410c378a8ed2a049040ab3490e01652b1d78f8b97ac34340baf3c4cce3c53bf892cd1382421098d417e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkwQooUk.bat

Filesize
4B

MD5
9cfbda333cef182eca505591d4bf65c4

SHA1
451a482ed9d5e7126df42a7e30111e8e66c10c4e

SHA256
82d1aeafaee5d8368a3c667f4dd94a733945c4f9e3d7018b6b3a173c85eb98ce

SHA512
e8e1965b5facf0f544c41230f50daf5cd622a8b8ecb979eb69c19d791d1d08ee76fbd6235adb15992195f4a5043629afc23b989ce5750f7f6d7c121160473793

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoUS.exe

Filesize
159KB

MD5
530f83e2ebda37f9eddb95e108b2b8dc

SHA1
13fbb953a05acb2fd9a0b2a3e9364a66183f9356

SHA256
28e658742f2742d7d6490d6ec5c9f2f0aa1e60046cfd9716711278c5cafdf1fb

SHA512
e433b2b46d7cac2ad6f113b6bb179a9e564c2b69cb6d98cf7428d522e142ea7e394c9fef0a591d21d8464809a30b445b0e846a4dd790e446b611e4d437609ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCYoksIo.bat

Filesize
4B

MD5
f4fc360e8afdd120d721ebc4b84333e1

SHA1
eefe7e6aa2ab8c11bc722fca1f1162a20b045b4e

SHA256
50a599d8b2971e34135691b434991dcc55fd7d1a77861db78ff70fd467957859

SHA512
8019bb2ae5c0a1854249a60bdc4bf0b6fcc97a0eeacafde6a0f86d20f7cc34b2b5606a08ff2eba7f50ce3bffc2ba83fffb281fc9f8c4d7740eeba332173cbede

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGoYEQEU.bat

Filesize
4B

MD5
9a5a640d2fedbddd212b13283fc56503

SHA1
8df12b999077c26f61b2ae4251f9985a284f6e5d

SHA256
44d0eebc894191b04b4eed4c6028de6c0711fc0b17984254c1fb8add7c7f4863

SHA512
ed07963e89e36ccf777c4e9c222dad3d2f2eede1f3a53f2bda566c7278650e3a56b90ef0475b15eebd0a27b62ac1cbbb65a53ed21c45cdf93e8c0c8b7598493d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQoE.exe

Filesize
1.1MB

MD5
b2e8321900bc94b82e02bf6957b01593

SHA1
049fdb29416f3936f7202fe492d3a0bfbd715089

SHA256
4cf7f480bcf225d3ef33ee74fb610337079efe13be9bf0e306dbd119256c49f2

SHA512
4a278c4486f341051901139e481695a2f0063da98af81ebe5a1365c8d760570848546a7299171a733646cabf8d42cd3c4fa9b9d218951c00deac4f14f7de460c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkAQ.exe

Filesize
157KB

MD5
2694c601d754bb27612d7861c0079d0f

SHA1
60cddbf44a4d5f3420c525ae1eee41eaf71cf9b8

SHA256
90ff360e3634b9fdc3aa50b6c33350e5d003ccdcfc122a2a2d336aace56510cd

SHA512
4b67ad3157fdb2f492f48681584771c805364e2d564f1e307d3c6629d12071b47f6a2c24f014037f1bdee3e4024d090d99484116717e90d4d6ee6e5bec193c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsYy.exe

Filesize
553KB

MD5
cea09d2c7266218cb01bb5bae82c5c7b

SHA1
53763e873f5c34634fe7dd705698d044297fc1ab

SHA256
8d0d81a147e74ec1a788ebc14a6287cec967d52df8a7865489a09cc922b9cc29

SHA512
06acf5cc699b445a82fb1fda1dad62fccf03719835e4e26c3c05b9b853f4d011aa7a6bf2c81f806a92f63cda0efbde066bc89e92891f09185d98fd2333b2ce52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuowcIMc.bat

Filesize
4B

MD5
1ba89c2f52f42f1097811c3ffaa5d861

SHA1
f4910c3b1a270e08408893bb10539259af73aebc

SHA256
2866926a827ba56dd8fdf6102a110f45259335fe7edc2ec732d26025f5acf8a6

SHA512
fa0896852422604eaa8a41eaec7a763ac07200e8fff051d7df42e5c5e1e5428fafbb8cf3862b2d62e3d1067d75457de6d3ac73a77e6b69ca6512a0851c559450

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEcS.exe

Filesize
159KB

MD5
8497a21e475c4fb50bbb2989e211f6b5

SHA1
6fa0d0e039a6779429b5e9a354c3e8ad874f1760

SHA256
fcb365ae841dd88c1cb5c11303813fb568bc78e7659dc3f5ec89dac97c39c8fc

SHA512
c38466612499d3f1eb333d5c437a8def6552b8fd875e70f96e58faa613366568e0d22d00efdf07eae25b7636692283857a320fe2d3c93a141fd39d81f43dfbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIkQ.exe

Filesize
871KB

MD5
ff176658b870c79d2b00e6f1e31b343a

SHA1
5fc7846aec2011b2277906db2ca8cfbce2a072ea

SHA256
799e6e0b4e0141be70a0c5c3363d677ffa3d1e63c13c30eb2198c87691c98115

SHA512
7a1232f046996d723dd9e57bdddcd9377dd8666692891cc57ec1013eb851e9b3185956e7e2fd30893fbbd8cfe29dd4f0ecb26a08631d2d91d5240626d3910a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYcK.exe

Filesize
715KB

MD5
deba39d5a7cfc4b2583bb1c7c382d262

SHA1
92c523516bf138b8dc4a251d529bfee62909045a

SHA256
2740f73b9b7ebef8159f064576f2b080c4d7444396726410551ea75ee2bf3e0f

SHA512
021a8e6c7e158d3d705d6e68b4bcff30c0f03846c4f293aebb251219ddcbb791d50377f961d988aa8db4407e3eae1971841a864de1f5552d33926d8ca8f29e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\LaUIUkcg.bat

Filesize
4B

MD5
01541bbd8f12c835e147247cbcf3fe58

SHA1
c3191a345222b8f0db6748b6794fa1a2c2888666

SHA256
c606a8ad06801c604954d3903a35e84834e9b8b0f66fc669bd542566951f498f

SHA512
4e4b54c549ad602d0602904cc28fc87249705f675faf56406da2b25d9a2f2275c796f5bd71bb85cb567dcf1354130469191ea2584785a388de2775996f12fd8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LegYMEwE.bat

Filesize
4B

MD5
1cb8e9339ec4804fc6f3f9586040d09a

SHA1
a0df8790d3ecdbacc9cdfdedbbc4e199e22c3e76

SHA256
43f1fd5671cf95418871fbfe81f5921486b6a3a4cae013ac97799d90fbca69ae

SHA512
509a38a39e423dc3fd9f29400ae4c1b49f170f85fabc9b7f17254da046a596fb401373d7739c175cbb33b5e9d6478335f0e5d2c701c45407e99ad8d92c7d1e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQcA.exe

Filesize
467KB

MD5
f6bf6724de787f09b1683f2d313519e4

SHA1
d8dddbf4f20637797b56fddf6522eb37c4027955

SHA256
47d1fa218eb340c9b388a3e5efac7df9074b1b59ba89c6b63816f43f3bc461cc

SHA512
e22a9a6a5c19b42b20a20264ad96857c26c8afcc08ef80bd3693c6e37653fe06ae1f84f9c0a694e6e2e60204dac3b5a79f43cee981716df37937f76f884e48ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwkQ.exe

Filesize
158KB

MD5
74c3ea7534829de38d6fb05dc758e463

SHA1
9bae9348d519a66278529781504bf6b0988842d5

SHA256
bdae6e15da3828493e49acca39788aa1c308903b2bffef9d76e0b976b84dc50c

SHA512
6d8e64b25eed554f4fc0006c11e20ae9d0d2ea14e302e7bb158a7333c751d30937cd9e3121d0d008ae7d42991974f6c036d8951f25f3585de16d63911f7e4323

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIwYIEoY.bat

Filesize
4B

MD5
8093f4e48a3c2b9eb03cc10702756fd4

SHA1
8ca47f7458f1b4fa6cdfbc815554e00e8c0b9f2d

SHA256
619ea3888b608b3d7c24e5f9a5241a3324843bda06bc9eeb68187a0b51d28174

SHA512
0c70e17ee365abea16bc2673fe71d4864c136da04f537927b0b007ee8a09423d1ed75174644debfdb848065a1f773b5b7624c9da36a4231e1b5ed1ec0827fddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKsAMgAs.bat

Filesize
4B

MD5
29fa2c0bcf8a14d1ad94a64df71c7e0a

SHA1
c369a88bdd736fa782924b09860d4fb53e622144

SHA256
785d454eb10a5597c3b3b39f093412a479712ee3ae97f2c30a0c9e51d5d27346

SHA512
f7865f4a0b1f158efc6b9ccedf110823f2116a6d3825aae88316de919434b1b8603bc705db807578d405e254743e1e1f3371f8c2758b7933bd017bef56641a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgEUgwMU.bat

Filesize
4B

MD5
359b2b28e581f96721bbbd39345aada8

SHA1
38452a36fcdbb92609a6b6a3c483cdcef86e72ac

SHA256
4b6b6b07b01cbe6eab090309c4f7e686d924d8d36dceef83cba383efa9379325

SHA512
d296a77c689ca28524c452f321a3218d706727ded1a8b42623b5890860667d0fac9eeac015366d0c7e2ddf80b42d7cf99b9262d34a6fd939fd9874bce73fa0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NmUYYwAI.bat

Filesize
4B

MD5
b4f7cb3f4d70deb66832cd6efc0f068d

SHA1
3e9c5488601506e49d63aabe5792fb970dd8a343

SHA256
a863bc6622fe60a33c1bd311ae9b8aefd75b7f8a7bd577e439c6217d62897afb

SHA512
e450b545d8bb6f2a39f21be30011c572de7d2e0fe53d0e79d12a4326e93b968ca09b0040f4566bfec3fbfeed417bed2f1a07271b7298afb5e918ea16a89061e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuggMosU.bat

Filesize
4B

MD5
5d343d6dda3983f235e019403a9e78e7

SHA1
edf102b525bb820b6dd8a67de64263b0ecadfee4

SHA256
9bab280463edf274e1ef81ee9ab66fda3681ec2ef3ab70ff93cbfb4379ac2b10

SHA512
cd01fe95d85783d10a20eaad63e565f18081ee33154810c78570ecd0a9b779a301f3db7f947ef945d1f1559c5c5c0e75b04e0ae9a2fcfb662b85a5a4a60983d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAsI.exe

Filesize
138KB

MD5
5262759179265c04111d89aef6e09d4d

SHA1
ca25540f62e2f8a3a9c7c4618d17322e10a6b13a

SHA256
831a99b1ffa526f2e4f1786ce4527f09b621b2f31a938a34eea3585f14a07f35

SHA512
f308b30678a677b53c97fa85c3759b7eac442ee5f208c7cad91b71dbbe1a69086cf00bd931392d31d2afab454fa46319dc2c8708a519114b6a7f1e313a4037a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMAq.exe

Filesize
1.3MB

MD5
9185da42e9f1b982deb2e3814dafa360

SHA1
343cf0dd75e0bfd06b78304a976bd382572b4544

SHA256
a0f5dc125d5eb9f0450257d66a080274d91a59950afa7a47eda014cd4eebd446

SHA512
a5ec5234b9feb1ffbe4b1502773401f6a6fcbecd08ecbf1957efdc3af39072635ff86adaaa006ac4188f51217fa08da2c40a96f5c218615c3cd51de875112b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcMMIgsE.bat

Filesize
4B

MD5
ca3b02d0b5b5bb9e86a3bc6e71b2143c

SHA1
5f2944f33405fdd6ca3616020b5d9426848c9dd0

SHA256
fc4271b82938df8cb7ea3531fbdb6a7cdac54f5fd436dc797dbcee7ede481778

SHA512
fabc8730d34f93ebb9978cbd78432bd13efaa572a1a7b03bbebe9dae5b218f907ad61ff7fd4c5d4e43dc29a4d7ddc186b4da5247d684d630289e2226230c60cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkkA.exe

Filesize
160KB

MD5
03b128568b1a00fc86094c53ec0c1962

SHA1
bd18a9a371c1d00baa533ee37e4b0dc054a0adad

SHA256
4b44b48c8225fc1ec72304aaf0d6ee6c96b909257d79f8a7753fdbd5eb86b371

SHA512
7fa1d5f0975eb6dd937c93964979e1b225515549c3eaffbe96b6b717184d8a587e1c4be40d34a122bbaab4039404cdcefb53f86f3e91162dc6fa78a67dfb182f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OuUMkoIE.bat

Filesize
4B

MD5
f9ed208edc6012e08cddfa98bfa8bb3b

SHA1
d0316e63e64be6022d2ca30c6c3c559ca6e91e62

SHA256
79174b18960c6d419feb6c6892073e89e5c5e8f0741d1c1f9746fa878e97d94c

SHA512
57f941b45a97524558d06d4c4927135488847a3ae0f4e3f1f6a8d5faa3ef59c5044713f9e1aea11952835276ac24d59e3e0e03a2293884c526402daa36fad529

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwIK.exe

Filesize
148KB

MD5
934a0d2800d8bba6c4dd542fd1268284

SHA1
7ddc8d3bc533210a8b762a92003c302e7169a5ac

SHA256
c6f49c186cd78f1ee887ea1d400ec10ad4a8e31c75d5972cd6606bd11821f117

SHA512
13c8153e36bd53e001cb5efa966775eb14109c877e2ff96b305cd35c87667b9e3b3daf2dbefc6cfdf0f6283e88d215e39ba9e204f02059ada8b35d56dfd31b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwUkMUUQ.bat

Filesize
4B

MD5
689bbfbbb39c68c371735224a56b311d

SHA1
e3aa3a6de21a3aa211598cd6f84d95c2031e82a6

SHA256
817cf2b6c4e505f3be00b82203f75ab55a824ca139f7d02590e3140591406f19

SHA512
0fc6252c5732d7ca99f3b851c25dcc22db06b8d4cd4b15baadcd1efb7eff0f40991b56fc1691e82b6e20e97dd6679df92dbdab671c5addd3bd22ece81c0e3086

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAgAosYs.bat

Filesize
4B

MD5
85cd6aa6a9dfda057f2f240bb1a3b096

SHA1
e3ce38e0ef847204d5b9b28c6faf2149b718e873

SHA256
f55fca11f1ab4dab37efd1efac28f59225937602c07e66b89a114169b4901f40

SHA512
29cbfb0e394b2994e2dda8aa7fcd7bb53542ed73bb21632b6d3072c3b3b4aa58fdee4d44fe630af060a542055a71ba1b870b9dc6fb2736f643ad858ff80a048b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEQs.exe

Filesize
160KB

MD5
b78dc6a8796ca6b0d88edb3e5f272863

SHA1
a4b6826946a379070749ecff44278af67b3ec020

SHA256
92c4b6b7982eff527e31e679f776928f13b0154c90388b6891b08fa779697a18

SHA512
69c0f992f53307d18bf7f422911bc8bae1d94adbabc63bcba9f0e5138669e8064d86d79b8c013b8f75f84bd2e98d55305ad769790074adb60151ab3b47a50117

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEoU.exe

Filesize
137KB

MD5
1a98f88184c826fb71455f1365eb0a7b

SHA1
b8768db206b386ff9db28113feea5fa3fe31c29a

SHA256
0df624d4bd59457d0e6c046b4688d3ea88a8009ccb8f509bb1ab87caaca64a7a

SHA512
95f2854e4f1f4aa418280d06a24f4fe8792aed3d2476a4c22a535b88359aeee16fe9c4634c047a3a3c9a29f39e00b6bfdc313f8971980bec4d644a6350ede4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIgM.exe

Filesize
159KB

MD5
f882618ca03efec832d9d1728a242650

SHA1
62361ad0dacfe987d3a2a73057d9f3fc04b11623

SHA256
164b05e1289048d4c796c0d455c347d0169533671cb375b34fc554936259c283

SHA512
47c267ef09a8a64a91341e5bb3fb66244580463aa5d42e65ce4b19cb13dd6a2a68bbda6965a0940f6088b4b3ed79e6638ead94fcdcb15664763b271fbde86657

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMcC.exe

Filesize
1.1MB

MD5
e04867b3b8b16d9f9f129c0ec459f115

SHA1
2bd175e65a41dba5f9c53cef286ec0723427ea93

SHA256
49408a2e702170143ce72a085957389a81f5370e01f09c74841412d69bf1736a

SHA512
8f532821760372d12238b7603c6616b34b159aa76bae2325d812540ba0dadead98325322b0444336e54019d1020126617bed6571309dd1daf05f729f23d81e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQIM.exe

Filesize
157KB

MD5
94aa3a3b81e3d5a6517e98945e22787d

SHA1
62979a64b4dfb16ea2458ddaeab53ca20a55f892

SHA256
28bbf00a7d6f3e01b5593e72c1fe99a675c325ae32e6a409b9f28317ddec1437

SHA512
ea4672cd50335f8f6b2df65cf5da195fc8203c56c58067cead7aef658db9aa27a08692de08413599a3f3b7f177ebc4412dca466b07469c3e2c2649c3c6d2ea30

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQUs.exe

Filesize
158KB

MD5
902039e5ec8d2983728f877943fdc2ed

SHA1
dc8e97fc1c3b0f8be0ba89296def792620e0d6ff

SHA256
3c73d7a6ea2ab759cee0e8ce30c495b736985e027423104bb8374d9559403439

SHA512
22a71c353ed9d18e50db958da0a8ea3c1e401b0aa7220de58b905289b3e254de6edeab616fc7a7d3db4e78b51b818ba44f6ebd22ca5edd4b4b40e28800174153

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQgm.exe

Filesize
4.0MB

MD5
a76d7cec274f24e1d25f881557fa7b0b

SHA1
b3c8558045ee8563f9cc18df572ab9af48c3accc

SHA256
da297679602dc2f260148b1e4451a60febb1c3b3993326bdf9c99f2f770e45e2

SHA512
cf3dc83456324f5e96106e194b278aa18773864f053db1a26aeefd85732b4ea3dfa7d209ab19ce1f62ab54d75e791b8461679fa9904fbd3b4de7dcf21a28abf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYAk.exe

Filesize
410KB

MD5
a83db3ff83d2c65a2fe86fde858a009c

SHA1
e55214d3dbf4769a75d7582361a611407050541b

SHA256
67a8d8f46fe6458814af5adfc77dedb53027ced90110e1f5599c959626a1de5a

SHA512
166a34858ca6f6834ac4ec3f13e4238f8c7e2fda6ae59fb7808a1303f7119849315a340e2ecde5c87fe30667927ff10404bfd4ea17f9ee655017d70fde1fcb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qksg.exe

Filesize
155KB

MD5
2022bc402d078f4ff96f88f236696abd

SHA1
7f12eaf598f095c07abab0125a51fb70de7dff2a

SHA256
e7e34474c28b59188e9ac2bf0d50c06ff97adb89169abee6f1d9d1a6700e2439

SHA512
ffe415898f776bd0396cfbad011739425bfbed697d4c14b9c1e72f98821ce919fd52181e821def0921c8187f8954bccba116768c4c2dd0d028b89406cfe3f348

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsMQggsU.bat

Filesize
4B

MD5
87b0aa6d4f74bfe4ec7a811f61733f0a

SHA1
761ebd1778b33dda5dd0f30d2e30c2ab376978be

SHA256
0aae92a891b120c9b199dd68a771ff6f44820c7719b53d2f2a3179eb804f3eb3

SHA512
d42bb94aca993d0d7c45351639ad49942bab27c086085fddf82bd7b534b0e36321b5e5492efb16faa6ba64ea9975274b6d70696671b909e720613fdf9822171e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEYc.exe

Filesize
158KB

MD5
cdd1562eddfbceae683dea5054d976df

SHA1
d40bbfb7f35b47c2e1802d864062f15c93e6e919

SHA256
68a6088453216dbc858220092b1630f406e09e9d9ac77d4561530b46f16874ef

SHA512
176735b70e616e1a76b9fa3dee0d6a1df9c93f26f2ac0e8a9584f4c01c235e5bfbf765ca9d29f2fcb278950fc32a3f7be3981ebda876efdfae3c148c70564057

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIss.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQQI.exe

Filesize
401KB

MD5
eec61a6e60c0b1724fd58d2a6e0526d5

SHA1
e9d5049dec1b445eadd9cd9ac9fe8c9496d2be4f

SHA256
492dcf7926fb5938b455fd2acf15fbbebd56a52a4b1c1af63d6d9bc36c22f4fd

SHA512
a91d632a01efaf29f7ed8ef9c62a97981322cf4c1403c4d57f5b31b98962336f312f47cb579379881dc790ee83934cf11a8de0c78d9f4938fa53756180365e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYAw.exe

Filesize
158KB

MD5
fe2fb905c06e3505d2d897ac41429138

SHA1
abeaa010a18a64c26b2e7d1da104e235dca82f68

SHA256
6c83a374d650ea51f63aa62889139733aa032aebeaa211bfd7040e52cc2a7aeb

SHA512
495f462662af05092055c66249db2fa43e054dbd11b573b929b7af99d0dd625d375ef8876193b4bafec3c58487c6a6061972090edd0a6bdb6820bf3ab2533363

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkIcIQEc.bat

Filesize
4B

MD5
08073d1f7c101d463e58e578c773b972

SHA1
2ba454c0da427d1ae0fadec3eafb00504979a536

SHA256
bf2daf6d8a5c84c842eead5d08beb93fafcce159ca7f6e20d05b56d9cd429c7a

SHA512
a63169c97cb8b1b9e20b32adea47ec33f57b0561e7e628ec9a4abc1d601c5ce340bab42f8c2a6c94810df8ecd9308ce9b2772833bd0e4ec705fd87e8a435f4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAoU.exe

Filesize
159KB

MD5
be9e2e0643ab4d44d7591ef294a9cd25

SHA1
ceb6dcb496fcd4667b83354e263b98d148c90248

SHA256
62398c8724193a5e9ca1b71d9e4dc0111a64590abeecda86f34eed48d64072ac

SHA512
9b021828bc9d83f6ec59626ccce79289372fb9b5f8cc9b925fe61e4229f85f0bf8ed87878d1cc458d1315e900dd68ab04865f5a927f2a87873f2f79d5f7fa500

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEIi.exe

Filesize
4.7MB

MD5
0d59b23d0facd9618f7c2fa1b2f0c1fe

SHA1
c7475399befa34f657315c6d251eb8695d8234f9

SHA256
434cdf0379cdcee0b4bcb2a05c611f0c58f7e1349891fd0ae4657a243c5174e2

SHA512
5b9ca294c7c14d2d548b6642b9564ef4ff47c006b78863d6633485a8f5f22f5904bd3d80ec9867c9548d39446f39067074898fa42654fd4b3f9dcb224f60b2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYcO.exe

Filesize
659KB

MD5
56ee559dc69dcaf2b9a323178736d988

SHA1
2144bb2cd3572029c73a6dbaa1032ab981a5f4d2

SHA256
a522928f7d7f9144d4ad87568ac063e7eb2c61f3473f25684bf4bc3007ac9572

SHA512
ebec66ede012f77d9bd69b85d69be690468e2dfd0d4dadf658d4185068516613fe26169299b45db80f33e99615f8cb18f56523a451b14b031be84952c091a63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcEM.exe

Filesize
159KB

MD5
500a5af511b02bf971e7d89318d4f3fb

SHA1
bb9d765dac5b767c38bca10cb519a5834c74df83

SHA256
e393069545fe1d74fc95bae58c2a9f81a5912ae4fa37bcdde3ec359d04c8d214

SHA512
965f795da18fce3bd08634448c0f8e1f4a7739741453acbde238c36a2f8a76c3ee15355a29cdcba0c54271e5231bea62ddafc5612c9d302874c35823ab0c9258

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcMk.exe

Filesize
158KB

MD5
30af6b0cdefc635d0a51ac96fb6c8be2

SHA1
8aabd9106fd49c39a1add4cf2cb1a61a0068ae26

SHA256
2ec1a9b0e4b03d61df6307bd14c27cad83e6b5072761fe3a22610f7ba61a10ba

SHA512
30fd22dbb497c4f2d5ca83d90640ea25ea157da4118b1c2328d88dfc2740d706baf1b5ad236638a793dee150135b2b92f2ede449e32aeb2202322011fc2b9eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwwYkgUY.bat

Filesize
4B

MD5
495f3b0412bf687c0d741212715fa800

SHA1
8508144040fe825f8a1015e03905ac8fc5ff12c4

SHA256
c0cba2aad7d402b7078e67a22e05af5ca146e945631d755825683112e6341401

SHA512
7f52105170db502a18951aee38355a64d3738c1219f84680e48c332f05eb7c37b005954affe14b7573cd5aa0de7c0c0e989c5cf83fed8a327aeec98f06b88c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAwMYwcE.bat

Filesize
4B

MD5
c5d67ac7628950df9845ace742134c1d

SHA1
3d40e2debb27a157f4685c557fc56e53aff5b177

SHA256
f034fe7daed29fa746b0f44a0028b48401d5263cf1dc5fc959dc3df14f492849

SHA512
15e61f73ef6bc23f437f4f95ad844ed7eed80d28a5f143d04bd57fc49a85f1bd14ee0514a287889d765c0766d5db9301bbf80cd058fc7189e735d0677ff616e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAoO.exe

Filesize
663KB

MD5
974cfcfe03337ac0d958c4eeaf209001

SHA1
22c47bda5b540a101831b4d55705ec97eed8588a

SHA256
f8de37efa9f9efe5670257e0397532489a84e6e66fd84538e83a01b5454db6d0

SHA512
92774ab60ebd74b73283ed4bfe6e226475a5d7bd1d9429b5813c3792ed8de77445d38ea42f26ea4e71bc5768c30024a890df88b855a3eba8161f7bca66763f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEEM.exe

Filesize
160KB

MD5
2f163aab2effe2f8d21e4cc25073f2aa

SHA1
9ecc83b5d66eb98ade3e34d32737f7b6b9a9f2cb

SHA256
dc6c3bb1e18b411e62cf8ceaa21b862eb1261db82c7df94c2d984ffddc01f5a4

SHA512
cb57f44d28c3b6d498a4db0caa7a3b0d1c29f62a44b173a2fa2aa6a487959fa8bef655436c38b43e72f61e91f53191715a5f3aa8d0d72bfefbbb85a0c3dcfc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSUokoQY.bat

Filesize
4B

MD5
29a631a2acd5a4b7b0c4204ebe7d7bf5

SHA1
2875983276b8b68348b1b37c292f26fc89a848b8

SHA256
d97338e49e1b242ffcde56f51a730513efa2d14a11745d912369439294a9262e

SHA512
51bcee808cdb8cc032b7ba5b5912494827ee1f539760769328135e265e14965e74e17aa45b7f4955c3940d9311d7cb07024d853792e141e41ca68f1d0f016efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcYs.exe

Filesize
888KB

MD5
6f5ccfcc6943f72476a304bf26499631

SHA1
b9a382861e647a117ca19bde9c6934d7e905cd9e

SHA256
3aa23026dfdac72067bb8cbb99846fd90e3c02fcae7ac8f68788762fd7a8f635

SHA512
1408a763eee0542dbdbaeab9bcb961565f64f6ed9e65599c611ee7b7bf547b8cddf4021e56a67d71a4980b1a54b8c330f043cdaba8f608b9edd3fe8bc54d347c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsAM.exe

Filesize
692KB

MD5
4f695261936411c033a9cb0d2d574241

SHA1
2e521709446a63fbd1a60273561afdc9e422e106

SHA256
8d1aadb7a6dc816b41d530dcc4322104f1e151d602d8d5262216902582831e23

SHA512
acfa58dbe7ee0f0483980995c03a08929438f5d6bffc3061471b915f4cf5df52124eb235782f91d0c456af7fa33c78569c61cd99145bbad34a1685f4aeb50cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsEu.exe

Filesize
567KB

MD5
d65eec4e391c59a5c6715c9ef3791cf4

SHA1
0f2e7a850c9f8bc2e6bb260a97abe67b2a221cb1

SHA256
19ae8c7f6e833a8c12c4b1050b7db9f7390f4f46549243319fbd5c274a0ef8e6

SHA512
70f3ee8b9629a1ffba7531e8a924948c80a089514130b9f95d1085e213abf26a40ea7212a0d3a4c160364f7266c06b8a06a95a32efd604b230ef1ada3e31aeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwwi.exe

Filesize
745KB

MD5
1a306dc6399fb40ecebadd403c2d4d5d

SHA1
86ca384c79327b794bdb1db30e6b68440c365c0a

SHA256
7695838ade7944ed4ee676d181c71f1276ba919ba62db8794a64fd6b6eb08ee3

SHA512
8bb3f01dff0602ac613a85f6f169674b745d0092953f3dce5181fa5fb6ead861d8b7bb5bd93c1badd6e1ff4d06c6056a15c0ccdf275792dd971807bb0d9ded8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XecgUsAE.bat

Filesize
4B

MD5
37f029fd7de8749239cfec03738e6d67

SHA1
c57f5a112992297e3e212c5cdf3ebf975a3d3682

SHA256
1e6f6aedc6f25307b4bd8ecea81a88b8417c0fcbacfed175980e9d5813e9c558

SHA512
b3451078a7e43ffee19c570358d9355350fa3bb0fafd43f387db46aa3da24e4e6dd42619c8f41a943692c36a2fecd3c857974fc693fe51b080de4214d45774ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQYu.exe

Filesize
262KB

MD5
b40394352c7a68fb7d58f5bf87cf25ee

SHA1
091c121cc9cae47e35001d07703cb19839241ac5

SHA256
3008912493f32a0e05cc57c4b1927576d7ac0c8ef93c2441c14e0271afe88473

SHA512
757de4dc5bcadd7dcff847d15d94d318a853b47837e5f036efe92d8dd5315fae371957b8b56db3a34bd0611abccf0c27750f8ad9e4d2b1e037a8c23d58b7806e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYAU.ico

Filesize
4KB

MD5
0e6408f4ba9fb33f0506d55e083428c7

SHA1
48f17bb29dcd3b6855bf37e946ffad862ee39053

SHA256
fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67

SHA512
e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkUS.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsIW.exe

Filesize
159KB

MD5
7ed7f5a6ba1ef61fe752c11069aaffc0

SHA1
8862f1c75517ece886e54b0c453f7df55d160231

SHA256
fd514d94645b98a3bd6c33f0db71cc5270b259d6b315d37d23d55e7724fa6118

SHA512
29c6b84c919a0eb0b687a28565f716f36a450697adbb66c9a759f72593c1fc2df7a88a81c99b2b00789c646a9aec26c7de0c69ec7906a95d2b8a97b603740058

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywsi.exe

Filesize
158KB

MD5
575740a195827e635257f56812737976

SHA1
d1762f53853fc34f7333e5445931c6e590149d97

SHA256
b3f6eb651245d3d7a545d04e058281f2ebc5c45f341f2d913677cbd741254670

SHA512
4991701e80cd75136032dd6e6d4f115e5b3c310b7745245cfe4229008e9be4ff308413f13d4532670470ef66c2df7afa2b5f9412ebc92752f702c4f8ecc94e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOEAAwkA.bat

Filesize
4B

MD5
b2324a253e53725887657bdb4208f48e

SHA1
fb9dfa3c90d95fcdc0d4c6d58fd890d02e36cf9b

SHA256
8e323e1af332687b60dcf02f872a9ddc0d43bfbfbadaaa3df0bac931d093e36b

SHA512
fdf7cc8e9e1e858f9719a1c0d16e77f9a3ad31a90d1b762b3db01dca72e154bcc2e9cf657f904df1486795733099ad7a1817ff5e390fb7d686f4eb07dcde9617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zykogswo.bat

Filesize
4B

MD5
42ad24fb9a58f115637ed14ee70677a3

SHA1
4fac521b29dd69b3a8e993c947f9542cfe36e38b

SHA256
a1cd2a36ce241332f07af5d4ab8a33f97daa4da780cadd146838dd762828907d

SHA512
0d2c285f6d2d3662b08da1b92b3e42ba6020b316e07093a3c2c340f27f624cbd6611f2c0b42a4c3e016c71967279f315248497800c53cdd98ad3a4f3fe7a82d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEEC.exe

Filesize
159KB

MD5
36d254bfe0084a5fbabbb87cb16913fd

SHA1
069e6214b93d3324a356257d248f9d63811d0073

SHA256
d7eeccf75ae6e75f8a37511b049a186d65b93f31c8919b22d80dea9220e5ed63

SHA512
d8698637c1d1326b2063b536ff8706f90c273998d001a90a534a825caf3b53dc092cb132732d27e2eed7ed8c76d2d17ed6300bd2490bfafa2a46a86849193e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEsE.exe

Filesize
349KB

MD5
99800603c851dbd4f25d0805fbbb67df

SHA1
25977d3bc210813ba26be5c653f8183153a53a41

SHA256
4b4da3f7644baf4bcdd6765f84fbd94b151590138ee9657788a5572d8d1710c7

SHA512
f523a23bf95ba94f069c212acb08d35810017a2d8c3719c61343d0904d4ce23e5655f2f4626ac9e903392bd87743f70c170745e3504e7b6e14c143dfaafbfbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIUm.exe

Filesize
160KB

MD5
e2e1bb944741f3bc99ffb4277b93eefc

SHA1
0e0764417084ac74ca397c19ee6f8f08a362d182

SHA256
d7f62d353bcf903252861b03e73f407f32555599b7a62b0e6f61d90930bc78bf

SHA512
c97ada63078e8a7efd74a2002afefe285d500eb2fe14a02f741dcc2553b07703fb0a58cbe97f3296521e1b5ef16bc5ad3f6e2c266c627541459c42a29e760d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMsM.exe

Filesize
870KB

MD5
4192ce4f7e8efd92e19de77373b06ce1

SHA1
e70571a0885a13ca95fd927ee5fdb2526b162d47

SHA256
97dbff958d4beeda15ec2f5bf129ba0e52f5443cad5d8a5d4f0f019ec179bc98

SHA512
29c6f6f3c4f0eba68463558358594dcbc1edfa616a48a1567d5d7fa25a4472da256e9352801d0765dd2b56c1579da52052c431b839cb2d18f7f2446ff7bd68a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\acAYUUkA.bat

Filesize
4B

MD5
bab52ead8777e08f19c2b9027aedbeff

SHA1
4fdd687fd3b10f5ab1c6874090108bea2c07ff29

SHA256
a63ccfcfe0a2ced3276b77a68bca8adcd802123ad9021239163ac8343684d8fb

SHA512
54eeed2806ea5c9d4355f5e6b09c108e96d7811629ce195183f009a44ea523b4366aef5002fd7785c572c1437cc554ba3c8490a6be6f57c2dc76a7c3677970fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\akMe.exe

Filesize
916KB

MD5
29ca9b587c2576c727c76403951a3b3c

SHA1
8bbc57791deb340d3cf212842d677fe6c29d8d6f

SHA256
4fc3748ff4b46987f6351c2335f4657e84e30c7e2fea1524e16d83fc5f219de0

SHA512
92cff47e2e72195ab2b941ef3113edfadf5661bd99653454a2798916348a1e2de5e0ee05adf95e71e73aded9d8b78a74b1c25ea7726e63b32af5f32037bfb76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bScEQQcc.bat

Filesize
4B

MD5
c23831e005f3e143a9ea7e2ebddb2a19

SHA1
930c5e705b2ba6e69b20e84f004f969c5d4e967f

SHA256
d8b88dcbe74ce02f8f298c6ba83ace011ee28dea360d13e044c8e92a1af2cc78

SHA512
9dd1563c874c81387f5eaed78ed8cf765aab4aec014c8e6290faa453bd6dffe5d8174295c111201da8e7056decdde37510f23bb2d69f4426d0e4a8c9b30d4c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMEa.exe

Filesize
159KB

MD5
ef3fe60400ff2cfc07f8f876886ed55d

SHA1
08e0fa369a7b9aa7fe4e9df71e3335b476336301

SHA256
3e136a6c4cfa784359eb4ff3e0dffe95636ec980edc7866f1199a44054360a3d

SHA512
df0c7c49af960e28ce5a3f5e32fe8fbda70d5f0e7cf91893a8beb87942d3c50ee166c7651d2a431f7589161d61363fd494b10af786b7c9fa0762549d968add7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYEG.exe

Filesize
159KB

MD5
1017a077a639f125182f0d9129b4819d

SHA1
3d147f7393fb8b5ef5039697257b6ea0dd5244c0

SHA256
dec7ecbe461e6cad809b344b2de9c88e09af1409a0c8a6915e797a1f0d9ad11f

SHA512
c510b636c701c18a64cbcb2db849dc980acf127bbdf15adddb50fabbe67f604715c63b8ca070fc6f8fd4073175ffb73c6d5594d0d7a40beacf2ae9642a79be0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYIE.exe

Filesize
1.2MB

MD5
4b5c684c39e22292afa23e4d0665455e

SHA1
68fe9470e9cf54e3186e58b23c9abd7b32afcdd8

SHA256
74b42a6273a5fd8e8051a24178c9147b042b11402bed8f67ccbe562fe2933aaa

SHA512
9c799323bacda278b26c4bd7fd147d09130d17ebc57d76fd5027dda2bfd4c9672af992d12b8f84e9f9185a694afce6c02871ba83ed0389496fbf666aacebf0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccUcQAok.bat

Filesize
4B

MD5
7c74ef72c6ea38d14d4b93e670c8e487

SHA1
9778b71adc31a51835e76fb8c05a15591192119c

SHA256
4ffdf2a665440bfb950113dcb856176ab97e9b0e19b7450445edf40fbb397bda

SHA512
b583309f7e5bd09c6590717c999dd64bc2f60ee18f3c76275ce241d44d22bdd9a0575af6cc715a93e1da53ad2cda0523cc77c2b5701fbed02dd6611711b01e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckoQ.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIEy.exe

Filesize
157KB

MD5
a80318a410d4725ebdd8f5d51db29438

SHA1
0c16356bd719978370db2c015f3ba25a9171492c

SHA256
c7e4b99cb98b87cb67ac3ab55ac7cc11ff23effad90b15d05571d5686ce2f0c1

SHA512
1298865e37d37c45bea66ab7b5c57e8103b6a65689c54b218140aec6d6fc85f6256ead6d83e1c22a6b2ef94093cd758ed0366960e9892f6d090232470097262b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKMkYAEs.bat

Filesize
4B

MD5
c11b755ae0fc48988c7acfb29239d82b

SHA1
c95729b3f9452c77bface206168b2cf246a7fe28

SHA256
3196cdcd4d78517587e6502b73f1d1ee1d4bfad86535625e1e28e3799c44b5e0

SHA512
236cb28dcb222d2514be6cf40909de7c33a8ac40771dd65fe6777d876451f36d401ea11c75a3d40b0dbd13ffcccd847139364c5f35ad564da04250aa61c8fcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMMs.exe

Filesize
154KB

MD5
85fc07fd0415a069fc23221ea82af387

SHA1
0050892e6c3543fcdeddfea5d6b2fcfc1a400d23

SHA256
6ae8eb53595ad25667f7005a8678bc9429a33fc884a4940a713023d2ea800176

SHA512
5e006699cbb118736376840daf741d12c3aa074dc9a85b028ecec5c5b029cfc6aedad7cdda84f5d9513ba02f6f91299583af65e0880c4c001a1c0dd8bf2d0156

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMYW.exe

Filesize
157KB

MD5
a51d1280daa1032e9ceaf70afeca3825

SHA1
09b8dc5074b5a8d1659f8a9d27acb149ee75bd1f

SHA256
fb4020ed6347d1b52a40bd82e6fb1ecb91676d27dafa93cd84b57a37c2d3db33

SHA512
e4dcb384fee926c93b282bd0605a3cb62f882dd6edf78bff131554bc43fcac201188a7adae94d33285924e0cf468044d57c5f49ea0fe62a01944dd50517e356c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekEe.exe

Filesize
8.1MB

MD5
862c5a21ef45712f153b73c1d757548b

SHA1
03b17468c940f4648eea80496ff2d05788134796

SHA256
45955a621d2096e7a0a9a9ad7111b271f2f4beef40a2c0f39e6c7912f861ebe2

SHA512
5111c7551833f29d2b304b8778910b53cdcd8a9f7245ed067d6318de57804bc2471e3ba4e31c0509fb6da8cba8d8c77284e12dc3634183ef8c2f0c5722539cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekUi.exe

Filesize
159KB

MD5
26b327d3f9534a01ba3411ecfe98e904

SHA1
9a23ad36ffcddf2a36c22e5cc509aafc6f40eb80

SHA256
6ac88acce9284349dd69b6092dda4548ca334dd2aaa824a9f3a9dc8917bc15fe

SHA512
4b0498f10159deb03294657b8fcccd46124d04d02662276f8bbe16fac7d1d219abe79d45e9f8769bc0e9e02666c2b721605a231bb3a408d0da3d41e9ca87ad60

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqMYoYYw.bat

Filesize
4B

MD5
4d7a5c09fca931d8d9e93d57e82b3445

SHA1
f5b7e6c2faee9560cf03ce7390364e5c39b47bb3

SHA256
de2d44501e06212b3570295b7129084b962a8459b1ba0e1be9e34dea58b6eee5

SHA512
35ef17533b01630ff3d43d557dc2eaecd54a423e3da55ed8929bc6c6d7a905b44228bf359a720facc2d0a84ad36fbcf0a7968104ca5bf0b38fd2a560facd1714

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAwU.exe

Filesize
159KB

MD5
d152d45baf46588f986f18cea2071ad1

SHA1
ef8361003ac11416e050d1afe911d152058495e0

SHA256
537c0e9564812a9982c10a20fbd002944a87bb18374de934ff78b7ee8522fd8f

SHA512
d68bb3af4f24d9236ab0bd850192e6514d919881d3e7218bf7cf381957d742959ca6d514ff0acd30d13639b697f48d886ec0d573489006b22ee5df2892ae39dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMce.exe

Filesize
202KB

MD5
4a44fd3c398928c1d14e58772c385c24

SHA1
a79225c68203ce1778e2ab1a95223568596c841e

SHA256
7a51f51c9803669052a9b82cee8c1cc58e8b8c1e035280497cab17c735a08147

SHA512
1630931abd6d7cef7466cfdd473184d09134887854b8e0797d57d9bfc458e7491d6cb2027d8886331a2eb0cf6cd76a3b9b98d3a0e042859e575262e7a935bb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQQS.exe

Filesize
158KB

MD5
02d2532e84f9977357d5ab374f110f17

SHA1
5d787fc499bb65acca97df595c15926843bdd08d

SHA256
23ae20b39734cf9d40f13729ffbf6a7275a21d1972dee1953a7d265523a376a8

SHA512
cc6f6117d0a25a837ee3113af02090a4e4f31b6d76e008be44363d0e63c05ac80a2c1e7fd1ac99cf260fcf9149222eaf3eaf26bd70278be66cdf6fa1ce36e420

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUYo.exe

Filesize
159KB

MD5
25eeb7b69d423b7e52854abf3cb7cd5c

SHA1
380a07499d59352625569ed35c1cd868dbb550dc

SHA256
67dc018476bdb926934ee9ab717b9ab51b568b26789913efc1a634eb7b99c4ab

SHA512
7eeeb7445a6418c48b6f05111149f23858949b4f8a55848dfcccf70fadeed90922f1862e4559bcd9ed76e6e5dde36595a756e946e41b90d4d9a78aa5ce3fa3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkoE.exe

Filesize
158KB

MD5
1943490ce6ae85c2ea5e63522c4afaee

SHA1
ea51213c243d60cb611831f381890806588049e8

SHA256
f4c9bfef328ecf14898dc69d4028d9a915d68547088c5dbe09e8f54a3f154444

SHA512
0f6f2a6bda1211f3016ea8c386a64c74140a5b6fa9db4c6abc5d0c2964e930fc361881444c384ea670c33123dd361156dbef5db3211e4f7f1297b6728b45acac

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsAI.exe

Filesize
158KB

MD5
f8bab7bb2b22e8690c91a06001071e86

SHA1
985a3a9825e53b43674eedfdebe6338ea72c6841

SHA256
0d35fd1f98d84cf59d0f588983df70d3ec7b8ead5744e326362ab3a776abc90b

SHA512
83e248cc1b9360b777f183971194dfa2170866a27e910b6bdc2ed8351c9d6ced651a66d451df49b414a3bf86999a79ad295d7984c4482c0c829fdcb187279460

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGIswIEk.bat

Filesize
4B

MD5
fbbf3e24b5332e9f364320d629a9d718

SHA1
bb8984db9f8f680fdf7743a8e0b2ad584b0673f7

SHA256
34234ca002801015e76f3e3f00cdfd8f8ee330393624f400eced57d81a3b41f6

SHA512
4988a587e5f761ebd6f507fc522487ccc4a845b8e5913895adf14ba79a7f6c4abf61241abc9d404aacc31b847c1211820a2ac01d6d5bfe92f1a08226e1dc82c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMcs.exe

Filesize
157KB

MD5
3b36e0f53af42a0756e38a1ad554619a

SHA1
6898c986261b9c1f7eeb8ed06c7b66433338ac1c

SHA256
60c415c7d469fc6d62b0c6cc6710e9f1034c533cd2486995548e3d789a4a961b

SHA512
31a8fe610f218b28ea93cea3c1a5134c55787580867cb36a5c287903b0ce1b9e9da7216d91b7d3670bf4bb8aa34736b2a752733a00db34d537bf85bf2e464e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOMUUIEE.bat

Filesize
4B

MD5
5b7c6a871d3f161a29549130983338c3

SHA1
2939faa71e4082dd525d8b28baf8807e70f79672

SHA256
b8187c29fa8d22db6e3505791635db487d35cfd5250fa8f22a4846846b048ac1

SHA512
9fd615ee45b99f461106f514d195875f7f223af06f5cc048c7937b8047eabc3954c3c661d6b0c0804ea379b09ea70a9722f89df2f292a3166d7902018512727a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQsw.exe

Filesize
159KB

MD5
b56c865143eae4357ba0de827f704907

SHA1
a96ad0e49c79d13df71d1ca9540c31d4be88f363

SHA256
3c7433d20a829bc04515a198b89bafb74a81371e65f8a3a3e21e6257957a03eb

SHA512
13194c88a6b529a9ae1307d5b3ea652c58a3bbc49f6e79d9e588f57a673621a097b0e55653c9295b91f2d540d6fefbc456a2d5b8aa53f5a94dff5df5bccd9a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUYY.exe

Filesize
158KB

MD5
d0d7e38d11cabc95ce549eeadd414193

SHA1
a1fd201f46f95524851b2e0b54d87006da9fb6b6

SHA256
346ecbb0ad8b1403c047feed6f27e48b608524967d23ac4eedd402c38043cb28

SHA512
0be682a3cc504c17d12d0864d5e1ac6f9632c8255382c10453b17d3b694acb2e349e30bdeaa6da777395d5637fbde65e5820be9e4a25a33160609ca0af32a06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUgAsMsk.bat

Filesize
4B

MD5
c33bd055653cf250141fe28dc17b800f

SHA1
387e456d642a4d85a25b11d28dd9e9b74c90e131

SHA256
7dc266317804f1088ad0ce10a8af517481fea8a7b7a57f570ac9ae6178c3f295

SHA512
9ab17d0cbd95a49c28c2c08dd7c4a8b5eb1f12e39988d19fde8a8380b58179dad8cb4c7285117d35984860bea98ebf7b9604a4317e0437c35533af03732d62cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUsc.exe

Filesize
158KB

MD5
8480636a53c700ad79108ed8eb98f4b8

SHA1
6b2ac7e11e26b3d36bac9deaebe73f1d5b98ffe8

SHA256
7bbd317a6f1f1a24b779542658294937da583c5d155534b0e3a8502171acadca

SHA512
a55efdb6f4a1ae1218da38b809999d2821b2e8e2133c2e3c5118dff9177eee108df094746c63793131a6463b72eb269f2e8a3a7ced353b8f10566dfbd25d3de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\icUs.exe

Filesize
1.1MB

MD5
1f32d9dd6de46c11faaad1b1b0e3ab00

SHA1
1546b78b33298eac3ff592aa5abb63e2d7184b6c

SHA256
ace66b4eef64c07d11d9fa37b92e5d8568a699e56c13db86bf50d88738114ede

SHA512
98cb77f63dccad8d4a32ecbf1ed28ca4f60add056c68fd805b6a278eec0b242ebdf6a684e81d1d38affd5e14b3f3059b2b9f03220550b2f3e3642ac870ada4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\icke.exe

Filesize
149KB

MD5
21d225886ccda7f1dc6e4d5a6f91a0e6

SHA1
1443595908f0ea55af7e58dcd0f4ee2c2de628df

SHA256
a15cec8856daacdbc2442e45820222666dbc3efb91c0936354415346e72d6a7f

SHA512
f308559c78915a6273d2a9fdd2bd526374aa1ae3b3a53e08e6c3477ca67c685f6bd840be8339ca22325d9689d4f9892a5ea05f371ca8ce4755c39c36fb57016e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMAcYgMU.bat

Filesize
4B

MD5
b8e8e0c2850d41a4cd94d597665e8117

SHA1
061536492143c3953b06e357c5ae2f0389177509

SHA256
5456c6c3a11e60c637b6d19db963010658875e41761da11e85341e96471d2a7a

SHA512
fa4e78d350de5529848e92ffa5ea9793620f7f7dc78581947a4a75794936c05c712aed20e14bd6bc41c79ef0592069be2f0cbaf687fb0b8983810057ad2c3f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\jOkogkck.bat

Filesize
4B

MD5
aacd732aefd4855b61d3edfcb03914de

SHA1
3471643b726657ced681352817b5a95ea1a607db

SHA256
7e9a1bae4924269fa6eb751fa86ffa427ccbbfc06bccf54b96b435158db8175a

SHA512
e15f91a5229649582f0aab32258df1279e75a8664bb8b1016b893b34d40ff90f21f2562c2eb1be57addefba5545abe5f9619c1f64fc26603421b484137b2bd36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jssMwAco.bat

Filesize
4B

MD5
1a818c159eb8029bab37124071d15f41

SHA1
0b6708f707d5b7ac5fd42e9a12e919150aa20df1

SHA256
fcbc7c0babc7fa11db11e7753629bd5f0d6de4dfbe1aa6ddb9058e5e42b756fc

SHA512
8f4e06e8337b449ac99d67f16d98ca58fafc3a61ef889be7c2c177e4c24d3b346a9c664f0b0bd189426a3e1db8f95c3bb7d8f484ac8fe2180ad0fc96feb30164

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEkM.exe

Filesize
785KB

MD5
5581ffd871909392203a5bd7005cb8a2

SHA1
28a19713812961bd90e9d335c2234167ea23a11e

SHA256
8528690de37e4baa09c9d33ae1e2238855e97fb38aa910a8263c9ea5bb876fc0

SHA512
86538b44fdf55c17c4f821982a198270c1d9a50d152e36158ae00548dd6542e7e23e764dbcdee028aaf17ce1eeb930bb8b083b43ce2196601e99d62b7ade87f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEwIUIcM.bat

Filesize
4B

MD5
39258fafa3a16cf519a5632867229016

SHA1
c416d7ad70b6a70609bc001c84a674889ff4d449

SHA256
ae6d8688ed0b36329d1f22a7316adf169748d643abef9fc4c64c068f78e32530

SHA512
ad69367b207aea4b3e18aaaf5835265c18ad822815950ce74e2540513d12170cdf43ed4c96e9840ab4c9a36fbde8a9ca77bda2142cf253b9769325bb3fa76019

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQIi.exe

Filesize
558KB

MD5
7dce6038d4b7cbb3d9c25399ccc4ca04

SHA1
f8bc2f3d09aaa441acac48f731ab73c99562cadd

SHA256
42ab55b5bebd815d38d114aee6cdfd4593cca5fa04dfab9ab15ff51e4fbe4aab

SHA512
64d27d4bff8b72ad4ec76fb0880ee938b8ef9a1bfac76c8043c89750048fa3d1a1adf9a86cc65bb1bbc78d7ea493b2cab1487949d949bc5cdceb7e94b66421a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kagEgkYg.bat

Filesize
4B

MD5
184c953cdf5c60a3e52fd5a8727a9664

SHA1
b68e959a363c58b06fe48e80d8fb299abf2a95f0

SHA256
3ccbec9615f332af67b13afa8e54e2a47d6f35aeeec09f8a4255acef5670d9dc

SHA512
2fcce05f21287427099002df5eee949c9e8a3cab777274f7d5825f14f050ac3f413a66f847846ca0b232ecdaa0158f746c3d4c9dc08b9c56cdb7a9a37f21bc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkwo.exe

Filesize
236KB

MD5
15ea42cdc1cfae463daebd2217786af4

SHA1
96aebff7320b9de1fe0c79aa1ba4435e4e5b58c9

SHA256
9f1e1802abddcf9eac627f0e59e8a9bc793d128249a883355c07cb823d667883

SHA512
c8ecda19990b9404eb46ad68e56fd5edb0c3a9e86aca568864b2751ba2cfb88a0f4a31832e3458408b77b4e015821c86ac0aa34ff9ee053c2c8df540dcee81e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAwI.exe

Filesize
159KB

MD5
591a56fdc48447ed9051bae3724aef75

SHA1
701ce788eb267da93b3efeca5809d673395638a8

SHA256
63c92d0c372c450e347fed887a9c0c729ce3d9a68d11232ccd54a539a349775c

SHA512
92b4d0fe492928c49893cfe39e4bfd85c4676eaf3afc6f0377f16d1153752ab1767ee49d09bc92ea40294950d030bf59928f053ee6239167a68a25f08dfffdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIok.exe

Filesize
158KB

MD5
f7cccbe2f552515585ac6146b2b67317

SHA1
52fb4ed270b7cd421479ebeac3a04c2bd1099567

SHA256
394b46f8490d3f208d65f881753b17155ab8ea4705bf32407c2578f10372b10b

SHA512
91d9bff72bc29ddfeb94a57dab473956f77f2257027ede13157f2cd4cb2d2ec35bfc241f278c456764334f78b4223d2b4cedf12a3c4539a277e836b3abf398a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMYk.exe

Filesize
160KB

MD5
39616432763122e46e6d6e3744b64b06

SHA1
42a5e713e2b8282381501efd0176835486e29845

SHA256
ff00379a08c3ea134a0b2a1101d6db973a67ffd0e53b074875be86a78f7db812

SHA512
ef0156d5cf9ea4e0c28795eac52dcd99176fcd194293fb09a5a5c0a8e0256b3acfcc3cc730057bb8ddf36e3a6174b6282945f42b6f216c88694fd937b0945631

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQoQAIok.bat

Filesize
4B

MD5
9ff618b7003f837bed420b646a1d8ce9

SHA1
fdcf43e83c572759c4ff3e0a49f017e7e90a2332

SHA256
9f55f27a58b1c0aadc64161e4d1c42dddaa9c0a0cb476901b58e878ea4a67a25

SHA512
7dcb7a29e398bf0f052a1478a8bba33ddb6f190a8e8a8e27f12552664e7cf0672017a80a088caef541df639a3efc4523e3992b6d2ff77e64857731761318f853

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSYMUMUI.bat

Filesize
4B

MD5
ae6b43d4a55478dcef92b8a45029fc21

SHA1
adbb37348d19fc5a71dbe9d79b7835a2c5659a22

SHA256
4732d3ea5be9824430d30eea906df115b8f3327edf1ba4e809b8b06b632f4b95

SHA512
bcd2c2b19b75a85212792fe38b6bf399e2a55ac503c7e92497e445aea34ac10cb28bd8e05f95876fa003d9201394b2ee5e33c7cf46ec1700bee41cd08d226a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUwm.exe

Filesize
159KB

MD5
bc90cef7fcfb614a2a6754a298133da3

SHA1
f0e68e9f4d3914183bc48fffda3a5506ecde0fe2

SHA256
36fa8eca7a87c12a9e18a708a77c5fb9d848c5a511cc10c2b447f4b5b7f8b9f2

SHA512
f9bb3f57e3a74b29faa7f65404b005edfd6e0267150867b2f2844a1662998a9874009aed8d0146a177788a20d4808d6b9d2e050c0ea116533e088259fc135581

Download Submit
C:\Users\Admin\AppData\Local\Temp\moIO.exe

Filesize
158KB

MD5
62970f0a54deb677cc997d70ba58f265

SHA1
39e6735065c56a730f00bfab8ad96ef36d4a04a6

SHA256
a2dfb1a24e96173067e9ae54ec40c30501a8550ef6c08cd9c895aa8c30bae7c6

SHA512
f73289280369c64b9b9fb295795fd37987082044a178f2c8f44df5a211513c2c9629c386fb020644a834e6001b7d138eb588f2e31e49ea9ab03715ce1ea05a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\msUS.exe

Filesize
157KB

MD5
84cc46a74cf79486e83bba6cc2ea5ac8

SHA1
10a97894a7e4f251cc3fe9996746d5e1b366c817

SHA256
32b6cfeced1a5474d6a5beab87351578f7ac8cd41ff37e54c3da6cb4b7d24fda

SHA512
879e8ec05e4d8d675f216f8419a53b5c846fae2b08a5cddedf9b9c8201e2ddcdbc9ceebba2456afe1b8a08eb8c6088ef4874e42d7cfac989c969d0c5cd085ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogswUYAw.bat

Filesize
4B

MD5
d793d287cd4b75010312e4accd42847d

SHA1
93a849a441eb33428da21db017cdd4a63422da6c

SHA256
55925bd5ed790dffc736a024822c8ef4f4b2de1f1c2ce6f3d711442ef2c588b6

SHA512
f1059ab48da8d472f489c14bb65c32505db02dc67f28cd7cccd9c1f2b6890f4a18378f5c562c5fac316d3cab51a876963dbfa1295144876466864f6cd6d2f5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\osgO.exe

Filesize
158KB

MD5
62e69feb0ce0b02ebe0d75c7de47a2ff

SHA1
5917958a786519f71eedc5f31311ad0e37229515

SHA256
b1a9d7a9d2c53ddddadbf46f2dc1a97656f011af0a02a31b9e4f7e38bffdf406

SHA512
551eb8fcac45b04bd450d7fbe4a6393723f7cff4a1ce9272f09e2a008e02124112a7e5f232193fbf04350dcce399b86d992dc5e21b9c715f8578a12841190119

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYMAIcQU.bat

Filesize
4B

MD5
f416cb6bc09240732b9c6d0923c72438

SHA1
dc560dc784a30dcb6926fe2f59ad97524d78d812

SHA256
e129e82c063dc2562bc2da3764772914ff144019c740fdade7e9a7abeaed3498

SHA512
4414e19a4d6ac6335104df3db135d38b64b74ca0987d07dacaf5b956f2055983fcef301abb476c3ddd86b3b3b920d4481f4b04cf9b5aa202265f6ea16ee70e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgwEowss.bat

Filesize
4B

MD5
276f98f2cb38529249bcda9987922c33

SHA1
ac57551c50623bf17fe53cd8c79ee3951a665890

SHA256
6c07ad0f2dadbe60f1b335adc079f9767b829336a6360073ff426037cb44d91a

SHA512
79a289e6fca9b07beae79c4136c4cfc9d6b7bc2b1004a6b6316260dcc81802e513aae0379dd3222455567a113635e084e2fe03406591a98bd51df89f5f4955f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAsgcoQg.bat

Filesize
4B

MD5
7c7becd903ccdd61f624ae3529734b38

SHA1
b467c72a0861c24d4c7aad7c792e9588d1b07abd

SHA256
28670aa127b13fc757c272bdfc374871b72ce1cc68a57f26710298567bcc71e7

SHA512
4eb50310a3d79b6bbf8226dd3ab21f94000677bcf58af10546c8327ef484c3e6c1eb68d6592c6350d4553fcb120d942852cf98ec1ece96a877cf2516c6adf301

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEsM.exe

Filesize
236KB

MD5
51aa38083e65715096d244961d334fab

SHA1
13ee51cb2d6b180f03cd2cdc3b9e008154a0c44f

SHA256
b903b1d6bfc1d8829542a372c7a1eb552f94834ac86dbda06c0b9ec62a348d56

SHA512
86916039d835bf736d5ff92951263b333c39e2b4ab8a9d478387cf942a6e6eb3cab91b6f82ba043eae5f71acdaa4fa2ebf8b623f43b9a7fb2cd2f42d6b95a067

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEsW.exe

Filesize
1.0MB

MD5
a418544ecec1aaacc43d04c2b5fc6d05

SHA1
cd2e8a9554b3cef63da34f719d91d2bc48d804ee

SHA256
25408c06b1195c259be7deac432927f8984fdc850fee8d3a62e2079453747285

SHA512
75f87443ac9fad373ff2ef0867c652777d611fd99fb6d0a5d22fe027ca8bf416e2bfa288859024365f141b8ee6f1a4a898ad940597899cd3f4937b8c9c500b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIEQ.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMQk.exe

Filesize
159KB

MD5
0a4bc0e2f63adce5a75f10a6e6ac3e82

SHA1
f4b6579d25228b1b782c7a0c455da4e180a61c0f

SHA256
91b9cd7a0cb1f64ad1a5e9773658b8a25e36ced53e25fc03e829c735ed1a8e7e

SHA512
1e3c79d1544ed3141ca013acff229f6b17a8d21f827aa3e387a7c3a1c9ae56cda4572c96fb2174a4ce4cf5c234b56377f8a99deb4452b6cc2747a173ad9ab583

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQoe.exe

Filesize
236KB

MD5
9af9a5e7446bdced2c5ca978fdaf2f43

SHA1
8db994243504f3b28f42b8e7ca29b2a11f2c80b7

SHA256
09a681db8bd8acb9f69b7cf4a56240a44c8e04514b3e39cd0f65e44e9d7dbf10

SHA512
b94dee03da5cf08c661f5e622b3c432c616e7773e02607a3a0c409943f66f6eb177a6242ee7bdaebd8553b334def767b84ae677e7f58b8779c25fa6ae0b4d2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qckS.exe

Filesize
1.1MB

MD5
5bb630200f1cabcf642bf4468e0ad777

SHA1
4f58762a7f1f3be6bcf79b61de169f4624a4af9f

SHA256
86b607042786f28a7156aaf273a75676811cdbcba8afc72b7422f212b43df62a

SHA512
bbcf4212e42bf562a2a82ddf621df9ab9ce5b910a9bc630f7b0df1acba75c0088d2e0df5030e7492e80f6d89d6a527bd5e8e62ac520bbc0bb5964a2bb37e2926

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgsa.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkAq.exe

Filesize
158KB

MD5
a1faaa7f108a6cbd884fa71332980acb

SHA1
5975400d142f0069cc6164c7d7d5ac84fd7bc755

SHA256
643c4b32ae851ad6ba50983b403168dd838367c7ba3d20a980122e9c61a00c8e

SHA512
5f634b2e9632447f89812b80c2cad9eabbf6f84641c2342567f74c666a436f617522b96857e8959e081629e889702573fd3561f5e6cff78ba05b80b6d16e9780

Download Submit
C:\Users\Admin\AppData\Local\Temp\qowAAswE.bat

Filesize
4B

MD5
60790d3e69aa6930c5330c241c0608b8

SHA1
6a1dd9d52449db0bab43b837079fc8a8163cc29c

SHA256
aeef351a3cf6714752c9d894aa2b77a92e2b8be624a821513483b5fc2a7c1740

SHA512
89f9ea411059a7fa6ae7cefa4b824eb913c1b9138959dc3faca06f3eaf6accd608537f0560795f61f2c67a6f3dcaf63d172068187a6ac69507c9e93a6087e571

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmMQwoAs.bat

Filesize
4B

MD5
bdd1707d1b2626b6f45069c0ad5da76a

SHA1
54e86b9b3f04b3eefe2f894472c0be3a0d4ac68c

SHA256
a85b522b0d18e7f83da04fc46d0bf26767d12aa555d4c210aad609d8c5030343

SHA512
899f4683c5171ad7330081942c08314d18478dbbdd56e65bac0d22cc10feef4c50cd6d3b192e4ea5af36d3700027a8652550c791e25f42620dad5a4fbe76f0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIcA.exe

Filesize
745KB

MD5
a3f23d272f56430b97fdb482e4b5377f

SHA1
71a8fad1a9f509d16a9b7382dec1ef04003d3976

SHA256
013d7561a25a3b561beffa868c64fb33748e7551166ee3d52757249798563ff1

SHA512
adfd310cf8166d6d32e7ea4e95107f21408e3d5847467dc5493472b707fbfc2ac371e487681e279c371ca5c1abf439aedcd6e2a497b27fceb0a37a37ed0f3bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSsEsAkM.bat

Filesize
4B

MD5
dfde75e3a2a0d6710a9ec1e5ae6407a1

SHA1
c2f297a8e46facd416a83e84241418a61db51d8e

SHA256
7c3f59f464673d8d2e5dab25d5d1660da7ad48f31e89d23d6d96ab404d25c986

SHA512
ae87c1a013da61df5f015476b2f0799ffdb6c014564adba89d2dd8901d0fa18ced93236a124bff5685111342c8a4f2846cf649f6f9a5fe3b105af230a273c26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYES.exe

Filesize
158KB

MD5
627ff4d42ec90c754f546d65dfa90dd2

SHA1
2b5d50c11a89dd6e08e9410f5adf186a2e79e710

SHA256
e93e401d98962b9e7b0d4eb55818d4fc98bc7ecc9090205ee96663da4e749a27

SHA512
daa4362df713cafcd9d6a4d545d0a51aec98599623502381873fe15403972cb812f8528191e024ed91f240259de1e13d697cd303ff4109fb78d2b175af1d77d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scIY.exe

Filesize
157KB

MD5
f770daa1e42ea1cb3a5869397ddfb01e

SHA1
455423fad9dcc69c055e95ae216962d226ca525f

SHA256
8ba5ffc8ee63e5c1810ee97e10b61ed16f0c62b3d93281b8296d06ad1a519857

SHA512
2c87390afaf07ac1849d7ada1a35c3e73d7fb91e2c58f116cd44f9225947a9fa20240207e2728125539bf671593edeeb92d5d97c8f47bba17a3ea53d388d8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\scwy.exe

Filesize
139KB

MD5
2c380da5f352c41abd8ec20e3805625c

SHA1
be27373971387b573612b8f2f3c0db61a17de8e8

SHA256
2ca4a1eb5b352cc18b8b7fe0f8a641f6b49df1901f3954a4d1384387cc497fcd

SHA512
6249122e6aa1bca00706a7fac2c9557acc036ded2852d8395e1b4cb9d3503b7884146c6f1e746a317cdbeb32fe61ffe3210772603758a16396d129ccacf48443

Download Submit
C:\Users\Admin\AppData\Local\Temp\soIK.exe

Filesize
159KB

MD5
f5457ba1bde44cb3adfb43de2738221a

SHA1
a063db2b4e72f6a38ea29306a392c86ea2efeefe

SHA256
0772559a4ca458d91bc812c1c73db97a26b3b0bd5c87cd9d522a672a1124f742

SHA512
b8ed30bbe9a0db4db8030559af4350664d861d86a3a0dfea3450907bc72e34b90244a642e4ee8358556818b3930b0e789dfa5d10a745d842cdb91f1b3646ef1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\swwo.exe

Filesize
134KB

MD5
3ac849b1b7988f1f284ee620b9993b6d

SHA1
fbc22ae10222dacae598b60844c293d1ce6c9b7f

SHA256
7f94e4f4239bfde406fce4a7c8f2ef5a76d3acd7f98e6c0d0d7c80ed9de94599

SHA512
7dcca56cca90e44b7281a04910fffac7b50f25c9f64b75d93e42afeebe2c3bf296a149fb9d2b0ab8c9e579bfaac9ade25844a3a38b2782379ffe89b00d82afda

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWMgQsEU.bat

Filesize
4B

MD5
b1f17f53cbdeca1294193452781589c8

SHA1
d9d456a996b9957d47fc2910187f9e17e34c7335

SHA256
4c9076adc3bb991ffb920dbcb9cd8f9d37482fd1e6fbb1c40b0d2ee4df5e9c22

SHA512
6fe7d1e56aada8dde4a530f9e755bfec49a77d1b690aa2807c8a9d2ec180ba2b969ea5fec2c2120e233cb9caa0a50a207aec4cf9ba949093b17711461f4d1805

Download Submit
C:\Users\Admin\AppData\Local\Temp\teoEYgoA.bat

Filesize
4B

MD5
fa0775b489bc09760e8e487147945424

SHA1
f3af2942b607b6f656618290da816853eb850367

SHA256
550154d90b2d660c4ee19322fc2347d9e09309442891ec9520f7c389d6d63826

SHA512
ec23265a8b631cdaaadd9eeae600657881c13b3dd9a97c681a77fa94926c2078a29c97302d625f6051c483d873f7acc8885872c9b1783747b23053c45427107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqYgckEw.bat

Filesize
4B

MD5
7ad6338a3f57ea18e8d753f6d5ca531a

SHA1
341be53aaefabdc83cb0bef587a255264703f6d1

SHA256
20c4eaff91de8fea5844a4e8edab149e5ef721119a5ebd01f95d4241ea0ef8f2

SHA512
2cb6e5d26542825f3a8da030d1960593c86ccc5eb62d87a7f127256a1a37201259d29a3189495b3e5fe4d9a6ef713ac0ce69b38f292a63d321a723da15e484f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMQw.exe

Filesize
161KB

MD5
83882c753e061b0e1fe5158222a1b8e0

SHA1
ca588dcac2037717fd9dfed74ba4063d91c48c3a

SHA256
998bcc8974b2ac5c7f344e65dff4cc3a3015ff59dfb5f75afa87ad71956f21e2

SHA512
2448a1cad1ca5f83acecd17a568f189a40ba7d8c5468a126c2f30458a9237ac6b4443aa870bd62ec3d2e4ce363c09b8331e8887223c3a8b4512d756bb7b20191

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQMk.exe

Filesize
159KB

MD5
0357d41cad9919309ed0cc97aaaf51bb

SHA1
bec7a570ce6589ce391e6502a8e28a28ba91668d

SHA256
005c27048d35329cd0b8dbdc1df19abd78b0b85aaa6e5ca32ba59ba2dd14fa5e

SHA512
0d3ed57a4af274c0fc74fefdb2075768601d2a19f1f85e82ea7208c47a4c26d6dde74b41b3bca7543266de98f1a5d15de8a775e73ca7e985ad13d982bd720085

Download Submit
C:\Users\Admin\AppData\Local\Temp\umkUUoAM.bat

Filesize
4B

MD5
801eb738898289c0788f45c790848c58

SHA1
4a920878867c31a8733016fdd7c8de75ed6dbfe4

SHA256
c5ed0a3c3ec471caa47357af655c194507e2bf76444253af945359ac664a9e09

SHA512
d392b32475e5a37d4590983d532fb97b04c82a63af16b2fb522a3ccfe8b871172dcc82966d4b25279f9099630d50aab84fe792e2e929231f0a25876e1a46095b

Download Submit
C:\Users\Admin\AppData\Local\Temp\usMQ.exe

Filesize
160KB

MD5
7553cc7fb77a9dc97df998408ac78d72

SHA1
8a6206eb8c01c5ab64b6f052071d85e9491df431

SHA256
15fdf41da185da5aa67d92ba9025e915a1e54b54cffa483297f8beb5a7ee5faf

SHA512
ccfab458a5c8a9663d6ce2bf413f301f10576dfc6f3db2ba518ceb9f84acee1aed28b54bee3f2f7844b53cc9434a96af8329544644d834a08f5c11c1c4059f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsgUgIAU.bat

Filesize
4B

MD5
cd2823998a3cd6f307b31310d0854c52

SHA1
ca0c3ea8d78127520e0f369b06a683b313a77c55

SHA256
8b9f2b593edeff50788da73fcfeb3853880b8c6eab8c26de32cbb7bc2f064cd3

SHA512
d7c8074ce113dfac11e6aa58ffa0fbb98d3e27997e7793bb8213b02b8d73722c7d4725d52ce5c67134720ef10dbdc3a3ed7b4272380a4fcf2147d1a119895231

Download Submit
C:\Users\Admin\AppData\Local\Temp\vssEMcEw.bat

Filesize
4B

MD5
b3a0f11680477c2b59a0bbe6c225ea6e

SHA1
5b338e4a9a8f54b62b71370d5f3acf2dbaf02601

SHA256
20c56c26bf1d79b464d81b8d5505f4518d44964ac1c0f1cf59e26b0fd570c27b

SHA512
5eda91608619f77df7c270c71ddd79dc2347e11c6b8232fbf939a0208ed05c9bfface51d80953a78763e86eab27b5d459cfce5e6721ec69a3e65b28980c19c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyIMMkgM.bat

Filesize
4B

MD5
d4e0fe9fe2931a1fb4de3452d046faf7

SHA1
59d2c5f79e957e77559ee8d46a9b92fe26929c1c

SHA256
71b08d227074e2adf30c3d281517ff1c5d43944e48471b4736ffbfad6e1d7572

SHA512
41cd371b169e6dbfb0576dcbe4262916396f1c0ad3434fa6dbeee5c8b19d0b27b3966ea65f83a5b807c6b5176c446cd037f095540fc796845a3885dc068312a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEkA.exe

Filesize
868KB

MD5
0c9a152be358be52692978d030fa714c

SHA1
f087855aa3ec822877a6cc7560d5624437cfbf4e

SHA256
58f658eef31838cf8e55797207134ff7f8637183e31a9b2d47aa9c0a8af8a571

SHA512
1362bd67bf946b5feb29295e9945971996b3bf468dec2262fbbddd678d734f64ca7c575997a6a4551c62bd2adc4aee0d357af16bbeea9cbb87b56df4af9a7413

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOcYEEEw.bat

Filesize
4B

MD5
35729d98bf76f9cfe7aa03eca7307a63

SHA1
e9f51bca71f6798763415c6d0767cadef35d2a3c

SHA256
70ed99093e725375237217ecd1ab9930421b82e68c6f03dbd2fc10d05af67d56

SHA512
a4e5db33a42a1ebbebc87727cf6e9892d7a0cb4cb02ba51f104cda29c5563218aeda40c5bd2235f32a7a1a6a979e265838f20ed28bae2611be424a2403f9998f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQgA.exe

Filesize
937KB

MD5
807039ccf61e489e92bf3fdce0e3705b

SHA1
c6fc9e21126f66e2c9995e1b7c8b0bfdfafacc6c

SHA256
6eb8a56f6122007eca0f95917737abb63eccc33547573d6494866c39f12bf032

SHA512
995acb902d52571781458f2adaaca9a9b074f921f25384176d24b18be18a0332425576ccf20bb380ce11883f6c73c59d5f1861d1490094f3889181a9f20821a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmUcUkwQ.bat

Filesize
4B

MD5
206ff1152bf48d4fd21655a60a7d4add

SHA1
d2d3d5cfefef9243960ab89dfc9bf55da053d12f

SHA256
5d2ded6849555c3b439722bb66d05e9a993cc05e34484f8fccb91eb46d4047d8

SHA512
a9876035678d5a0459d4a8255050cf8bd7e81b8fdcc9380cba33708da2e3b25b202f9750ed87ba7ede3fa2aef155ea51c8ef772cf20fd56fdb707646a3ea6ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgAAwoEA.bat

Filesize
4B

MD5
f9a173e0c18cc4102cf4bafbf3c11740

SHA1
c59dcc932b115ebd73e13f4e6436c9b0a9c8ef84

SHA256
b0652f1a2e6a8db5c11d9092e7c27ede46c57498e43e26404ede6ec61774400f

SHA512
b250cf8cb3ef205e28369f976b95a2c430c0a3e57274679aa3b7edb02ce036186c535a2e332570af547384e107009b147e69ac3e0bde777e1b0a9793b9a62496

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAQk.exe

Filesize
138KB

MD5
7942a1e2636221935d114ab0c1955498

SHA1
8dde4a5692b788ea71dff2561a83a93a46516ea6

SHA256
5daafecbbae3d1f1560ba2e1ed97f946e1b6f9f039e6a49a285fbd8616659db1

SHA512
f3f0cc11de3ef4b64f177496b0f7d142d7fd669ebba30a3d3ea898154fb3dd679d354a2e31bc7684b7e0ec89f50a8c79107dfd4b5ecea9d032938d69c770b67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAwA.exe

Filesize
160KB

MD5
5f7a6646d774198dee9009141cf7c82e

SHA1
9c4cbe522913ca0392bfbb90d25eb87993eb6892

SHA256
b40b4ab295a1cba0bda8dd8d37d211e8f06058719e0b360cc47f63ca8346a580

SHA512
68118935246da5caac5e17008d3d16b4860881ba0204c0b39019b6968590059c56109e2f3dffb682a6012ad1f121a246a2e2cc0516ef8438e35044cd0b64327a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEsy.exe

Filesize
312KB

MD5
15af62879e0a7876346c4cee17987568

SHA1
566271dbe4b9d625fc12e425bf91c16486bc76e9

SHA256
02b7e5bc1db52d5b81392de2d0ca60363a59e81201395cfe9868b1351996ef3f

SHA512
69ef0d704805adca10c69fcc5fcbebaa3e8be26e7ebcb3bbb9b35a04acab398c39b5268d29b251bf39b606d820602ec6109fe4300a00d455a4099534f3682ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIQu.exe

Filesize
158KB

MD5
7ae8a0c6106d2fb74686412cff313e65

SHA1
874f46775ace90e45df49257da76d6ec9441761f

SHA256
982cfe6232f6f51cdf003dfef21fb3a15c8c57f6f4d861f8a3ad35803dc0329b

SHA512
f39a28ac294da68f30474f9181933f072e08f7924afaa87876189490a8a54b892812bb38feb532b19a29b9512e998288713a4516c994c52bcad9ac6c78ab4856

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQQS.exe

Filesize
292KB

MD5
9409f31fb1a06735c3e6d65273c59b7d

SHA1
0506fd8b2998ccf5c0ff42c01aa528de0100c04e

SHA256
b605d25b8479f558ac518874beee921125786e40b447f38271b6f9866f8f2d9c

SHA512
db5e573545014fb1bb1f4f31f8d46e60f8a7a3c4916331ec150b892e07e9c5d150400df9f214ff26c9d6b3ad3613c8e6525eb9ebf78f96f6dad64e1878b95fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygUO.exe

Filesize
157KB

MD5
2e1f5fa9e93505e2ef9c7321b2c1739a

SHA1
9e2f41b189450eae6dfdb6497bdedfe0557dc696

SHA256
0dd6d762b47eea8fbc2b15482a69b2caa7218e4d4206788726cd0c324f514815

SHA512
1e1d7eb9b4500f78278049b9bd6d099b1bcebcf89d7bf6fb4b136673e7e57d85ab42de06a0331a896030907d0d5409043ef9666e3548ea101cca05b603314a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqEIEUMg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yswQ.exe

Filesize
158KB

MD5
4b885445603c7ceb001295ac6140bd2f

SHA1
e81eee65d8eb431109144136f6a8d498cdb674a8

SHA256
89e86615704ea426b268fd2bea48332fd466e71d1ff5168a5e6694fa214d6b66

SHA512
7382a18880e6e2a73a5d2a9c838f51fc3cab3f6c8d3db490966fb3cff9fcd38bf1011538741346bda450bf2cd75d33c9e364e6ccc284ca167352a4d378030398

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywII.exe

Filesize
238KB

MD5
4cc09dff93d743cb7f706cb194b62950

SHA1
78c1290c386b04053267935a96eb2effae21cc36

SHA256
d484bc917efcb2db39806f210909039499abc3b0bf2519e276e11ae923ba4c00

SHA512
51169e6b709a88a7e9c81e166fccc33129c1747a7dd9cc2fb23b461c208defd4ecbbd9617a3c91253340d240179c54eb839740de1dbfce2d60a4fe8eb1360990

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

Filesize
969KB

MD5
c27bee80615955ee44410321cdab83f0

SHA1
dc5be7872d316fd07961efa6f356a5c4e9966155

SHA256
3f67b36c465f2c349f01b37ab288d0b843e74cd3e6f7cdc9a8cc0fcb95769092

SHA512
f77acd96d101b323f40506bf6712fe00fcd298d8ddee5d003b301323a0f4bf34f1a8261e094e8b29abf5d38d99717d565831910f637cc8f601c418fd00c46494

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\Users\Admin\boEEIMsg\BmUcgUgg.exe

Filesize
110KB

MD5
de3b0814d379100263e86a25ed8fd572

SHA1
40a53b67fe4705c221ee9a2859fac6743047726b

SHA256
cca359d5d0c6782fa89e673d020ef02a7578dff27368c4f16cd4d958d4397fb0

SHA512
651d5d7f782024ed482c022554807996ff43288e3d6fae7aaec10c0850e091ba6d522eac4ee271b8d62941c4ecf81a8b53a9f7172c23822d94618d722e0d36ef

Download Submit
memory/284-191-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/284-192-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/332-111-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/592-739-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/608-401-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/848-1100-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/848-994-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/868-424-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/920-1327-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1196-1651-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1196-1717-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1200-125-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/1200-124-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/1260-559-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/1260-909-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1260-560-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/1260-244-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1396-586-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1480-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1512-301-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1512-302-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1516-1319-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1604-944-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1604-156-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1612-288-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1648-752-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1680-670-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1764-1527-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1764-1526-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1848-837-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1848-1783-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1852-223-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1880-392-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/1896-1173-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1916-847-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1920-1642-0x0000000000360000-0x0000000000380000-memory.dmp

Filesize
128KB

Download
memory/1920-1641-0x0000000000360000-0x0000000000380000-memory.dmp

Filesize
128KB

Download
memory/1928-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1932-78-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/1932-79-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/1956-325-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1956-324-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1988-1782-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/1988-1781-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/2036-453-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2040-370-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/2084-101-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/2084-102-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/2124-348-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/2152-648-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2192-1650-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2196-266-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2248-379-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2296-1549-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2296-1459-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2300-1164-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2300-31-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2316-134-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2376-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2376-1091-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-311-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2452-257-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2500-56-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/2564-1792-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2564-1720-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-1003-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2656-201-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2668-214-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2668-1719-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/2668-1718-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/2688-1162-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/2688-475-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2688-414-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2688-1163-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/2692-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2692-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2692-13-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/2692-12-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/2692-30-0x0000000000390000-0x00000000003AD000-memory.dmp

Filesize
116KB

Download
memory/2736-1832-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2736-1831-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2740-1449-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2760-43-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/2760-41-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/2784-169-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/2784-326-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2784-357-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2828-1460-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2840-335-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2888-178-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2952-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2952-42-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2956-279-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2964-1260-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3028-1269-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3036-993-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download