f4364fae133e48bde2659e5903e133371af5e97b3cc3f84a9671a79187a7d42e

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Size

121KB
MD5

0ca1478489d45ef50ea00cc65e30f283
SHA1

ac3541c33fb0769655b4e3e475d4381b140ba37c
SHA256

f4364fae133e48bde2659e5903e133371af5e97b3cc3f84a9671a79187a7d42e
SHA512

fd88962164d83e0f23a49cdf54e914b7d613075a5289c94bafb5e5616b8ebcea048357281a6e37f4233d148295080915f01f66ab8a5b90f99d443b07f5292c0b
SSDEEP

3072:uAoxPqClJjfiPW1z12uNe+HA/40UugLSckJwd:3oxPpdz12uNS4eaSckJwd

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	quwQocsk.exe

Deletes itself 1 IoCs

pid	Process
592	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2448	quwQocsk.exe
2404	nWQQwQAU.exe

Loads dropped DLL 20 IoCs

pid	Process
1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nWQQwQAU.exe = "C:\\ProgramData\\bGMAYEgk\\nWQQwQAU.exe"	nWQQwQAU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqQEIMcE.exe = "C:\\Users\\Admin\\ZuMcgkMg\\mqQEIMcE.exe"	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yocEcAwI.exe = "C:\\ProgramData\\xqkcUsAM\\yocEcAwI.exe"	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\quwQocsk.exe = "C:\\Users\\Admin\\hCcIIcQM\\quwQocsk.exe"	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nWQQwQAU.exe = "C:\\ProgramData\\bGMAYEgk\\nWQQwQAU.exe"	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\quwQocsk.exe = "C:\\Users\\Admin\\hCcIIcQM\\quwQocsk.exe"	quwQocsk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2828	2688	WerFault.exe	346
2412	928	WerFault.exe	345

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yocEcAwI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2728	reg.exe
1640	reg.exe
3028	reg.exe
1948	reg.exe
2160	reg.exe
2124	reg.exe
1856	reg.exe
1408	reg.exe
1600	reg.exe
708	reg.exe
1640	reg.exe
3068	reg.exe
2724	reg.exe
2368	reg.exe
1772	reg.exe
2036	reg.exe
2068	reg.exe
2672	reg.exe
2664	reg.exe
2608	reg.exe
2176	reg.exe
2168	reg.exe
2636	reg.exe
3004	reg.exe
2372	reg.exe
916	reg.exe
672	reg.exe
1156	reg.exe
2724	reg.exe
2328	reg.exe
2584	reg.exe
2244	reg.exe
2412	reg.exe
2464	reg.exe
2516	reg.exe
2304	reg.exe
1492	reg.exe
592	reg.exe
2596	reg.exe
1728	reg.exe
344	reg.exe
2384	reg.exe
320	reg.exe
2344	reg.exe
1416	reg.exe
1312	reg.exe
2472	reg.exe
2700	reg.exe
3000	reg.exe
2784	reg.exe
1920	reg.exe
2796	reg.exe
2520	reg.exe
2932	reg.exe
3000	reg.exe
1540	reg.exe
644	reg.exe
960	reg.exe
2628	reg.exe
784	reg.exe
2684	reg.exe
2128	reg.exe
2688	reg.exe
784	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2720	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2720	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1948	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1948	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1144	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1144	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
788	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
788	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2304	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2304	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1284	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1284	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2240	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2240	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2644	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2644	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2128	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2128	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1780	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1780	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2508	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2508	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1244	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1244	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1284	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1284	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2164	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2164	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2988	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2988	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2924	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2924	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2820	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2820	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2732	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2732	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2332	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2332	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2800	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2800	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1704	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1704	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1360	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1360	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1684	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1684	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
968	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
968	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2820	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2820	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2244	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2244	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
3000	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
3000	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2644	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2644	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1500	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
1500	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2876	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
2876	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2448	quwQocsk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe
2448	quwQocsk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2448	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	30
PID 1928 wrote to memory of 2448	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	30
PID 1928 wrote to memory of 2448	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	30
PID 1928 wrote to memory of 2448	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	30
PID 1928 wrote to memory of 2404	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	31
PID 1928 wrote to memory of 2404	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	31
PID 1928 wrote to memory of 2404	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	31
PID 1928 wrote to memory of 2404	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	31
PID 1928 wrote to memory of 2124	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	32
PID 1928 wrote to memory of 2124	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	32
PID 1928 wrote to memory of 2124	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	32
PID 1928 wrote to memory of 2124	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	32
PID 1928 wrote to memory of 2456	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	34
PID 1928 wrote to memory of 2456	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	34
PID 1928 wrote to memory of 2456	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	34
PID 1928 wrote to memory of 2456	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	34
PID 1928 wrote to memory of 2740	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	35
PID 1928 wrote to memory of 2740	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	35
PID 1928 wrote to memory of 2740	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	35
PID 1928 wrote to memory of 2740	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	35
PID 1928 wrote to memory of 2728	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	36
PID 1928 wrote to memory of 2728	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	36
PID 1928 wrote to memory of 2728	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	36
PID 1928 wrote to memory of 2728	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	36
PID 1928 wrote to memory of 2876	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	37
PID 1928 wrote to memory of 2876	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	37
PID 1928 wrote to memory of 2876	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	37
PID 1928 wrote to memory of 2876	1928	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	37
PID 2124 wrote to memory of 2756	2124	cmd.exe	39
PID 2124 wrote to memory of 2756	2124	cmd.exe	39
PID 2124 wrote to memory of 2756	2124	cmd.exe	39
PID 2124 wrote to memory of 2756	2124	cmd.exe	39
PID 2876 wrote to memory of 2192	2876	cmd.exe	43
PID 2876 wrote to memory of 2192	2876	cmd.exe	43
PID 2876 wrote to memory of 2192	2876	cmd.exe	43
PID 2876 wrote to memory of 2192	2876	cmd.exe	43
PID 2756 wrote to memory of 2632	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	44
PID 2756 wrote to memory of 2632	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	44
PID 2756 wrote to memory of 2632	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	44
PID 2756 wrote to memory of 2632	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	44
PID 2632 wrote to memory of 2720	2632	cmd.exe	46
PID 2632 wrote to memory of 2720	2632	cmd.exe	46
PID 2632 wrote to memory of 2720	2632	cmd.exe	46
PID 2632 wrote to memory of 2720	2632	cmd.exe	46
PID 2756 wrote to memory of 2908	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	47
PID 2756 wrote to memory of 2908	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	47
PID 2756 wrote to memory of 2908	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	47
PID 2756 wrote to memory of 2908	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	47
PID 2756 wrote to memory of 1996	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	48
PID 2756 wrote to memory of 1996	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	48
PID 2756 wrote to memory of 1996	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	48
PID 2756 wrote to memory of 1996	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	48
PID 2756 wrote to memory of 2464	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	49
PID 2756 wrote to memory of 2464	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	49
PID 2756 wrote to memory of 2464	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	49
PID 2756 wrote to memory of 2464	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	49
PID 2756 wrote to memory of 1136	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	51
PID 2756 wrote to memory of 1136	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	51
PID 2756 wrote to memory of 1136	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	51
PID 2756 wrote to memory of 1136	2756	2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe	51
PID 1136 wrote to memory of 1808	1136	cmd.exe	55
PID 1136 wrote to memory of 1808	1136	cmd.exe	55
PID 1136 wrote to memory of 1808	1136	cmd.exe	55
PID 1136 wrote to memory of 1808	1136	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\hCcIIcQM\quwQocsk.exe
  "C:\Users\Admin\hCcIIcQM\quwQocsk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2448
- C:\ProgramData\bGMAYEgk\nWQQwQAU.exe
  "C:\ProgramData\bGMAYEgk\nWQQwQAU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        6⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        8⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        10⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        12⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        14⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        18⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        20⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        22⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        23⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        24⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        26⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        27⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        28⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        30⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        32⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        34⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        36⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        40⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        42⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        43⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        45⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        46⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        48⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        52⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        53⤵
        Adds Run key to start application
        
        PID:1324
        
        C:\Users\Admin\ZuMcgkMg\mqQEIMcE.exe
        
        "C:\Users\Admin\ZuMcgkMg\mqQEIMcE.exe"
        54⤵
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 36
        55⤵
        Program crash
        
        PID:2412
        
        C:\ProgramData\xqkcUsAM\yocEcAwI.exe
        
        "C:\ProgramData\xqkcUsAM\yocEcAwI.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 36
        55⤵
        Program crash
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        54⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        56⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        58⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        60⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        62⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        64⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        65⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        66⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        67⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        68⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        69⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        70⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        71⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        73⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        74⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        75⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        76⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        77⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        78⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        79⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        80⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        81⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        82⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        83⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        84⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        86⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        87⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        88⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        89⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        90⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        91⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        92⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        93⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        94⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        95⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        96⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        97⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        98⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        99⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        100⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        101⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        102⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        103⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        104⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        105⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        106⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        109⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        110⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        111⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        112⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        113⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        114⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        115⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        116⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        118⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        119⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        120⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        121⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        122⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        123⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        124⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        125⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        126⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        127⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock"
        128⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock
        129⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cKIEkoMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        128⤵
        Deletes itself
        
        PID:592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\umsQwMgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIswkAks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        124⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kowQMwkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        122⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QEwYUYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        120⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CuAockoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        118⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGwYwokc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        116⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqYcIowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        114⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MwQggcUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        112⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JIkscgEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YgYkAYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        108⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lyQoMUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        106⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OskssYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        104⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SygoIcsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        102⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XqAowowU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        100⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QQMQQYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hoogYkww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        96⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bioQsMQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        94⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xyoIMocE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        92⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JwkccMkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        90⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jqsEosQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        88⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQMggYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        86⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UYwgMAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        84⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\magsYMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        82⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KqQUUkIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        80⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FiUIEwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        78⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\doQggMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        76⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQUAQUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        74⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\buUwsQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hUAwAAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        70⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OoMskEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        68⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcEMEIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        66⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCIwQcUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        64⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RCMosIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        62⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vqsQcYII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        60⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\husssAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fKUwIgUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        56⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yaQsAYAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jAUMAcYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        52⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCAIEAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        50⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uuUQAQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        48⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pIoUwUQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        46⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kcckckos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fiEYAMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        42⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ieAokUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEYkMkwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        38⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RmksMgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        36⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HuckUMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wcYEMYIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGEwkscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        30⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkQkYQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        28⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMEkAYMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        26⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkEsoYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        24⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGQwgIsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        22⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIcsgcMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        20⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BIokAskM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        18⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQgAQwYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        16⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGYMQUMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        14⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RusgQkAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        12⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hIkccIUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jugAQYYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        8⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:484
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1640
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1208
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XwYIIcMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
        6⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2052
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2908
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmgAEkwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1808
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2456
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2740
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUgAkMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8791156481144420576-1124393792-1770060349-1266523318-2053066262-1494710622840927980"
1⤵
PID:1332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-88188974-1958922399-15521388331929407059417851065183418772672533657-1481988250"
1⤵
PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-327659061345672843125151717368814891368378070984167248-578503535-1917923570"
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-109817350011712505681767776812-15081530572082431928609577864113513202-1909249140"
1⤵
PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10582151491597567585-828705356-21449925741007443695777050180-685865230-1765670589"
1⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "127752035717366293171667699411200795712981934361139841446-314368577-375056557"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14251343845464643-1154967964-60818117483186403718808149841663483339831813322"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "57781001412821321564923128951328586774-2097052531-1156747556-495311476-1653088618"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7440463206236532401313488017-2000547672-16985150511141196613-629252634-1564366664"
1⤵
PID:1948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1453555012-1345818531970045714-1592304251617689124-14619594522082002456-1656016160"
1⤵
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11427818621558797854-1049115908-298700894-1499061425-39714030419456063821145903359"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21125913732020924552-1822481508-7564734251768960793185992975517834918121218834925"
1⤵
PID:2644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-161442232118282606411402758758-155785284514845954122037860052171604064230407930"
1⤵
PID:1856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-778898625849836422461513577-1094374222-2826541421752604627234700773223295559"
1⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1492174478-133671743920877975311136330001321504698-285366192562099839-1302882843"
1⤵
PID:2988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-305798492-4739660351226305732-17771717391069506247-13251238581866994624110911167"
1⤵
PID:2068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1344509685686629510568853235-840997977-11829849901789864809-1254617295224896199"
1⤵
PID:644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1519621078195307848919291264281778514569504961065-29139084720325389477651852"
1⤵
PID:2876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1754685420-865684351826841329-3875044201384044142-91430717-771694895352962043"
1⤵
PID:1260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-72064714943527623519084227384311666441231646284724353736-1198476854473995923"
1⤵
PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1170595918164569281-7966530741887864839-1156774449-742805079-977911964-1158212275"
1⤵
PID:2316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "292215471803717748-14845473382077403441-121645680860866325814955891711637765315"
1⤵
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-94767412260197976620098659361255989691-650902535-581954883-444263575-1789036228"
1⤵
PID:2556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-947467534-1585104297-13082291871605977797180446994712715025431538460911-1551244796"
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-332483245-3703832323938786312040712110-1983088981347095958-8636427261561522680"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1620986862625027899204999848462709020815673955392131073477-2033092817177383096"
1⤵
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14065100851348412644231597034-1512248139-728180439-338574400-1325240978-1871271673"
1⤵
PID:916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1796292035-15008948771867075346106721524469402064175026343813049305-2090440092"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "30939112213161145861097307941-1263429059-536783432-481475593968587204-1750443126"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1539038609-1355956677-26288862311010139431940489663103675553910564324991942478698"
1⤵
PID:1020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-245533648118241689-1643734883-2122968997-193836372-1131368767-547934325-1727578323"
1⤵
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14725796741840525247780160595-618941197-1480083398930947883619653358524393069"
1⤵
PID:672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4925923751308660293647958626-1537618640-59335526717993946531694833387726768987"
1⤵
PID:908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-510066299-1882792617210018291308433742-2297555081017271016-1840848945-1148330183"
1⤵
PID:2960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2035502507-1370250874-566231513553138811589109316-1108748683677265049-1555153385"
1⤵
PID:2820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1413319035-1887809845-2071892471102831683-1404747477-943454633-1926968614699637654"
1⤵
PID:2432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16706993742088136741-2004130207-11832862703083525701344335610-31714944998182067"
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
154KB

MD5
8527bee33ed2d701ae33f217c35166c7

SHA1
bb15eb63a94578d7bfdb66aad4b699bd02d6d6e4

SHA256
e11bad07d37310fb389feb510fea58f7717d621bfd49d46a40e8c26db1ec315c

SHA512
8df97e68b6e606be36bd86d361a9ca67dfbb62ae08bc7f1cb53f633896a9a380599ffd84c758fbe4a5641e40aa2069bd1c9977ecced8d69e17ba36d7ce0ca175

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
141KB

MD5
3ca86a861adc8c26a9cce7122dda1295

SHA1
7ccfbb0a0385f43ed5979870aa48a716a0c810d7

SHA256
651d90c282588a7da6090c4f0139d6f3ca2dbb44e94b71b751259106a032fa3f

SHA512
b81d03c9c4bcbbb37d1229a8fcb2a8a9100db996552aba3d15f0453b60c57692ed6bf955f538a51cd9b60e6c1ec64b8142a93e8132153744a9ef54ca83b09605

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

Filesize
157KB

MD5
f542c41323a86612e8bb7cf6b05ab456

SHA1
c77187f0b7ba70c8b3e8ee3ea3b99ee0c81978c9

SHA256
3f22223a64142c7612aa716febed087c7698c96e2f533b81a484bcd2db566e9d

SHA512
0a85a6799030e8e2b368984279c1b95beed8b077a1d9cb5ea3bd9ed3c445f60c95a6d3f212b44f500d79f156b4244e7d251e6b1c1b1a9e1aed33c47a4b5ab8cc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
159KB

MD5
b5f32ad1a1d51fa95d325eeaa56a247f

SHA1
3ce73e27d40f51d522db21737427858b1b768c76

SHA256
d23064f32b9014811f4c79afb38186225fbd865f8fe27d32a02a73a794a51458

SHA512
d27cee03828d14a808a8be683b54d6a42a7afd342c5409677e150aca95abf5f2275d88009a031fc5474558749144467711501fe8793d060f199f98ecebe0d584

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
158KB

MD5
d528ebb4b9b6b264aa6c3db194d8e690

SHA1
44eeb9f0a665acb2f67a20334708bcf3539e66a5

SHA256
18f2818c8fc655f2834660c552233024200d906d1162cad94d195b57e8955c01

SHA512
74553113577e2c1fc6dadb95c2952ed891a04a1df85d298153641fd4511ba771326903483f8c5c54004e064c62aea42fedf54a7e06c5f413a0e05a1b04b7c3a5

Download Submit
C:\ProgramData\bGMAYEgk\nWQQwQAU.exe

Filesize
110KB

MD5
60486300156ac86bd03f7099e896de90

SHA1
7b287de868bf560e5777c2899d45aebca89ed0a6

SHA256
7148f9360b4f73136f5508486779ae210f76ad6e027ce9ecc8bcf2e08796b953

SHA512
4a957f9e649affbaba621b1fab1c085d10afe766f2d211aeb9ff472776f3c7d9a06bf9926800c14cc1e14dcdc84ef017fd48ed46c64145a362e6c9741be1638c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-21_0ca1478489d45ef50ea00cc65e30f283_virlock

Filesize
7KB

MD5
4b542ae8cefb03050e85a1d80fbd2780

SHA1
d4d056dfc313af8b736b2613861f22e2cd873dc8

SHA256
e9b3ecd633671ebf77e56953405e5b33cf95d0d303f5264a10e9d9dd9c8375ee

SHA512
8200a285dc446ea5ab581a9a98a83a1923362ce700d450bc2122ab7f88b19137a5b1ddae621610ef4c89477418082007cac725c0ddf17968393d1628cd02fb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAAe.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQQY.exe

Filesize
223KB

MD5
d64c7983781c3db8c3e93c8fe0c5df6b

SHA1
cd51ebfcc3e9f7f77cd456254f6df854249cc1b0

SHA256
2477e5caae0fe4abbd9f9c0a4e95298922168c716ac8a9910472f566ce43544d

SHA512
b1192a625b907a7faae4eb5b306d00d183c845fab6fe2ba6807ca2cdc52b89749fee6e05528d1352e708dd5fc22cc90488ca479575a334b4c55c8c762302f6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkggQAMQ.bat

Filesize
4B

MD5
1637e1295e885290d6052262864c7a17

SHA1
8a19524892f18484a2c64a525ae309e9c0027232

SHA256
677b0b8d936517315bf81d06970db5fb29048041568d13f1dc63a5dbeeeee704

SHA512
6017c0ef6fa25b52b3d93287b155c072168f17cf0e85f7a384da59e889567bc770e3e18330d6617f0e319f092c09104260d8e34bf3fff663c7f150ea49cd36b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AygcMAoE.bat

Filesize
4B

MD5
c54e2b0ed377de9d72c7b9937bc082be

SHA1
f0728cfddcd71d05ffc9d6dc5aab3e927c0555d6

SHA256
13a4678d11705ec02672426a99c199c7168f7968f479acd0e2c8c63266ce7f37

SHA512
6cf8fe29e6fd629dcaed8e5442a58feab6bb165adbd994a86878c3009127e191194a39d4a701411ba46885a1a9332fb47711cd812df6b5141588ea08107067a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAQu.exe

Filesize
660KB

MD5
93f690fb3c12bfe9dc06eb931c47e6b0

SHA1
662e15398e0d38cc13b935b5ebca049651af29e4

SHA256
f817922cd074ba71316cf7ffd82b5aa8319395b525776239f8e2e2a5b90a81e0

SHA512
cc7830cacc2e8f6ce99bec74628bfefb4077a9fa7b2baedaf276232585255d59f0d715889a8367af438b15fa7e409414e437386635ec29472c58a092a713c695

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIQC.exe

Filesize
139KB

MD5
1c6ec7b1996ab11bd0e33b324d859eff

SHA1
dba3794aeddf1baff7c4e0868b4dd80d1b4563bb

SHA256
66139c8d0b1cc6e86442b8b9fc969ae0b212f3b711e18a833d30d45b49981bfe

SHA512
6abe5af4ddbf7a1eec9c3dc8add50842eb771ee686cf70e266fdf05103f623d05d55423bd3096bf471ef2d2fe71a6d0c016211afdb377f6d902d837022dd0318

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMES.exe

Filesize
160KB

MD5
3379f2c923bcaa65d140bb135a248aef

SHA1
345b2c0269153312d02af00d8880e1392fddbd7e

SHA256
b3af889d67773590ba1ce5f4a6e0af50f3007920c976fd8ef84516beaedcb653

SHA512
4c49f03a89f48438558d6b3ad64829795ada76c09c63247ba65f088e463aa5e974017b1aa81763f6ec1ea8efd1b6493c4cfeaf2b42d709cf6ffdf803cdc733df

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYcM.exe

Filesize
299KB

MD5
ed52e5170bdf4f7c0a1dfa969c52ffb1

SHA1
84fc3f4ee738a16a7d87319e1e993f8f5677ffe9

SHA256
d84a79bcef612de36189ea1d8d651bd53368b8e08c9cfa32683f6118d47c8bb6

SHA512
72bdd90f6c2d7edcd369ff23a9170cbacecf98aea0f22c4432e8dc94c35286666b4ceb31c1128a318d96cef8568e1e604e13c9418e1fc42c2ecf1dd4066dc84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BiMAAwok.bat

Filesize
4B

MD5
8aead11bca239c95a8719c6524e3611e

SHA1
d51b30ac590bcf41b0615127493cd0b69b2ef88f

SHA256
cb13bb9ba6302be6b9a9e741d18187ecd841e0c58cf150a1e9d57fbfc44ce3ab

SHA512
b8cdd06fe466798a25aba03ca4d98f4b0bd635e9d6480f3cd4617cd442ac563695360ea29980d00b8ffc2de43d55c86313358389b9c35109bebaceb6eb037d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEYC.exe

Filesize
157KB

MD5
1435c5bcf0f2fe80735f4bfe7ca19f79

SHA1
d898a81aaefffc4b92f9410daa0358664299b189

SHA256
e07b98875b0987cede3ad5041977742ddf456b9c055b21669d56370005b07d20

SHA512
9d6230c05fb57f471f340b42bd2e2bb1a98a42c1541646f315727ac3a8fdf3ce9203b1dbe47a26e3f8941c00de01681f3a658a8e7985d636afd1e580bae3c5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMYU.exe

Filesize
159KB

MD5
a13ff15fba2609f0d88646659d443972

SHA1
4445cc2f483e839ae370bc440efc370ce0b6d404

SHA256
1e4f7654e7a36db4d2e35d9e6294b437931d88684fff035a4ebf88e2ea11ca8d

SHA512
70b81546ae84a1b9f79181e9373d72d707bc0fa36b2a9eeb90f62e884aa0b0a300d586cc18bc148ec935c3569488a1663c911b96be1a228b1132a58aca27a7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUoY.exe

Filesize
487KB

MD5
93cf4402851438565872f53d2a6bdcd0

SHA1
4941624f05b33969940a7b150a48c788ead0cac2

SHA256
89792d28a7fdae1aa83c7fbf743dd58423fb293ee1d00194ed2a9589114bdb6d

SHA512
ba71de429da63052732020a4ea0183ba3f33d1bfc3896c2d0b3bc504795b14871b14719ae353d3f4836e9ab2af6c66e21c6b10545f23c187bdcea6b60c9794cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoUsggQI.bat

Filesize
4B

MD5
68c3a8924a45ae9a8d29883246815432

SHA1
137fffedc9b70d8eef916c572ae93b8c03388c73

SHA256
00eb62f1b2c65a36f677556938ebc8615fced75d056d905b630dbc159cf7785f

SHA512
68c7193f454b3fcab44a5577ea32db27c5477ad718f0a029e4651b25c8d42bd37663e80fa500c86615ec8a76b3fffde6052e02b56a307752dd2aa0fad66f61a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIgoYkAQ.bat

Filesize
4B

MD5
61d41a47356e2603f00b7e2098c6f65a

SHA1
e3758114b45bd65ca7c95fba048d4e11bce1bbcc

SHA256
2b9c1fd099614fc7dcf9fe06c21b8fe46351222b91f06af95bdf584c9feac001

SHA512
25255e0f15dd74c0c48e12f31eba709dacad94993e1a200322f72ab52937894cd380cb4b897970e8d9c26db8dafe1a55475c98ec474a9f5e3775d4122a3266dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIsU.exe

Filesize
159KB

MD5
2bbd6b61f32de817e6c82bd8ba69a14d

SHA1
c393960380bf7a2c981ca6070cb140fef4e49f93

SHA256
7fd5a457d7d05a1427600be20bdac39a69f0aaa091c89813ff34ff0ff5101710

SHA512
09977765a4dde3992a2c40331aed9a430bec67cc0ef7eee481b6ce082e4870e749bb0da9ab17ecabceea5c7b0064564899a5e18472507d8c8ea6a259524fbc92

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSsEYwQw.bat

Filesize
4B

MD5
b26b6b4dfd8d2f4a12a4f3b327fcacad

SHA1
fcd14b1c2f64e087c28a8a4126f1475a90971483

SHA256
93945eadd328a05297216e59c0f4876af49973746fb98a686a6c2707fe5160e7

SHA512
5c7fbd00859a5302e9bc972f3ce8d72fff31dad389eb0540bd40846bd711795da78c871499d417de551432c2e8c52ee51e44268d916aaa6b637fe47b38f88fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYUs.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYcq.exe

Filesize
153KB

MD5
77347dc5b04d1a52345d091a7ee6c41d

SHA1
917166724e67222565874317ec412f2b50663b27

SHA256
8c7e2cd0307a2ff74c8bce3e937721cdea0a213801b804f3309b83edd443f954

SHA512
7cc6f3e91d0f798e3926513d1b30d87da4494cf06fec6c0c700f87f799c1d7e57cc875d4ebdd73d4fb577b310fa2151450292a9cedebcff69f4a7e5902cc1f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkIw.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsEQ.exe

Filesize
158KB

MD5
94c615d8ddebf2172cabed7c82d1065d

SHA1
9e7230e510f588cebed40b6abd88eac633f3859c

SHA256
3352ada0c9fba1671b7ebf795520d1b28ab9bec843a3bca8ac58c61ee4d39378

SHA512
d993000390c80f3d835ab2a3248884c50781f84aea96ddd1934fc993993c54b82d967a7bb119e0de6946745c52e7c7be2fc531156b3de3f39aaf9f2e7be6f117

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOUkYQcc.bat

Filesize
4B

MD5
df9072876a02748d14ef73f08510edd6

SHA1
0143be6eb79a3a9a64e16730f16efe78aad8968d

SHA256
efc7393924f1a62d9956c6f18e462a8de5db6b218376485e3faafa709c265a51

SHA512
31ce33cb1a522dca88beb81924e760e62ef59131de784d528e13d9018bfd5c2d03ee442dd89fac84b703cf8f6086832d2ca746227b019376309205858f326947

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcoC.exe

Filesize
159KB

MD5
6f3206d36c7b0b6d4c2828afdcc7de35

SHA1
5197ca775ea228a1192fffc58da709792fe2866b

SHA256
c7568ce9b3c9769306b28dcbecdbd3ef262591461d222d357dbc08d3518ceef6

SHA512
773a5acc0650afd7fc76e804b1138c6cb00cdeb68c92b4967d0dc0779ad910e284aa1ce848e2f68388362f195305366433b222b49e211c2e21fcd34e8a0f0730

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoYq.exe

Filesize
156KB

MD5
ec6fdc2ed48b31212587501286c6af02

SHA1
e7edd4489f137d78fc502d5fc0c1f2136924bd05

SHA256
72404d146cc7f36958fd11a6cb107c4fddf2d2f83efc55c0726433dc1f3c6529

SHA512
885a3f074ca62b2af15fb962f1a2f80164cb63575c53761e18794140053eee333af50ea4d0dca9230b73fd07d05b715b61feb2c17f9c0fc19f906c1891053777

Download Submit
C:\Users\Admin\AppData\Local\Temp\EswO.exe

Filesize
397KB

MD5
f6975e0755e84f3d23e1a65b696becb1

SHA1
e80f98f5e67605031dc0d210fab52d78c6154f61

SHA256
2d4009e522539f4aa75d32118c8589c704efac1647f675ea0d6562b30cc1e5d7

SHA512
fd4db17b3c0932772689209749f40d0fcaa6a630c697dc56387e0527c4c2157e8b3860246c392399fb923f37e64330bec96dc2e51e1f3da3059b804ad4bde09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAwM.exe

Filesize
158KB

MD5
d367334471cef50760779ecc150c1ecf

SHA1
736abdc115b57c31b3115cd9bd5314f50e598236

SHA256
fb63d88c18a620673f443d0605ad77f4eae2d673c76d92c27edfc95e935e8c79

SHA512
07b57ccd5d6553514360bfff96592445d9b2a54ee09ed1c4a24b9bdd57d0a2a23da024f6ca0dc8599007ad2099fbef817712b68000e8ac95caa5851c0c7b2121

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIsgAEoA.bat

Filesize
4B

MD5
3f6d830d9cb1d0c8a8ad8fb37e8aa1cc

SHA1
28d2769d3ce23f05c1f7006041252428188adba7

SHA256
2b74d58a393d835b109a5d0d2f8184c74692ab5e681941087e4c8b1e98ec0052

SHA512
b3da2006c0ee2eb6c3450421cdc79b458bdb7d937262fb996522763c3cc7afe0b36da7cea05d9b8e040d9d26a4a357a8e519a0389a255a544fb8028e77338b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOoMIoIc.bat

Filesize
4B

MD5
f04e4021df7acc12fc83c2973fcff8d6

SHA1
ae47c575cbd6193c3d9ee1aba74f96050b77824b

SHA256
9bd91f8fb4ae1f3c49c2d3437fd0dd26ec8c1bb7f9dafc15d5d6dbde4cc23f22

SHA512
fdbf1da2a9dfd874a00e3fbca7f9a46a5c36233f734d690aad6dbfdb6ea105256d3f6a1852e02eb6722c96272db67ee6f3ce28263361f9c0555f1de2f099d2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUEssQIA.bat

Filesize
4B

MD5
a06e961b56d16074e04f9230b7689614

SHA1
f8e650319aefee67276514a1b7992022ab2b23f3

SHA256
02b76118778fa8c8dd7f26160c7734a5a289ecf4bbdc2ccbba4e7d76af715e5f

SHA512
4e4dc7a5fd8e75250a61f09509c2eb4d8f066a45a3473b9037df22946059f67327414aedd65c31e6aae5b74952d9f8639ba128a85bc71332db49ed76dc5cba8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcoI.exe

Filesize
159KB

MD5
96efa13ebf932e8e715035831ecf1713

SHA1
25f082b145aa8a3cc6671ac7bb3249428709c8de

SHA256
314c623e9e7d1ca8f4630313a26d6b5a17aec5e4fa587864efb2194506ae802b

SHA512
b04278e77213dad71ad4df8fd5ea11200ce80d85dade50e4900cc2d2e48fb8cf50c0b3f9f280f29efec27caddfc219cc605827d00c0c5e94011803a59c0a31fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgwksAcE.bat

Filesize
4B

MD5
c1bdfad47827a40acd2554b81d1889bd

SHA1
fae20339de9207e0118bfe901af220fd67604b05

SHA256
b00b058a472ec15b4b2f40ccf5dd601f762731a873737600675b9d524c5de8ed

SHA512
0ceaad541b754ae0f222fc03ffa3744fa0a3e2672c8d2f7381fe2e0d12d60a08f38224378b5f0a6974c27d0b02f48e48e1e00aa305a7144d575e982ec754d246

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEIU.exe

Filesize
158KB

MD5
b71e9ce016a71e0115dff02ad02e56a4

SHA1
a179f899b1ea15dc6da25593b57c9327bbdc49d2

SHA256
8fd775364ee454bed66d8c04d9f375fb43d3a5dbc5f8443f9683122943cfe58e

SHA512
e9dcc2c9d2cf542d8981c2cb50ec8b9b1a2dcd2826eaacc9929989e8012cb57009265fff90e748ab35b471ce7d6f232ead683f73d1631642ae69190744e673ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYcm.exe

Filesize
158KB

MD5
ea9eed6e257ebfd07a0bc63b6ec12806

SHA1
1048bf35d57c18bec601ed251d992c18b22ffd6a

SHA256
ac20724d2963391a6d71a9f2fdf472248ec1919771cc3e93bda4713f0a8725a8

SHA512
51c7606c7e82661802c8bf3e8df715c625a1e1b90e741647c8d2af966220a243a082eb928e26579fd532d16e5665a4b5abfc1b740bd7bb72df7244f2c34dcb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQU.exe

Filesize
556KB

MD5
d2f8a12f260fdb86ef13efd42a09c184

SHA1
6d99c480350c31e820481f98a90fd0dea6a268e5

SHA256
80fc4db5bf1b4a308533a16a8eb6786a6d1f48f0a2956ba3cdd5d9ab8c306a5e

SHA512
549a0bf8b33a3d3d3c3e0f6bfca5fd6b5f54febd2ff827509a4530fba319a29c78cf4f562d129dfada47190cbe5ce09ba34d5d0d218835759ce3902db1ae68a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEkIgwkc.bat

Filesize
4B

MD5
4aaa5e8cec794c3becbd0c9cda8ba1c6

SHA1
07a2d31be3ca62e49c71a0acda4ee38f42fbd036

SHA256
a23d54999c3b82595eccb8312cd9504c4268c9d126cb97dc41268bc3e5fb1f53

SHA512
6d7f556aedd379ac5b654fd3c72ae52dd569ce36d7d4837f498609e9ab222bb8518c1bd2ccef745fc81b3ff3e4ff5baf4ad04ae0a7506d5924c826139ff5bdff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGcEYIYA.bat

Filesize
4B

MD5
f0a6e9f94cf9ca98004760e22f7d3800

SHA1
c79921fff9729b3b735ddbe35706222c74a170af

SHA256
8fb127062f79b1095fbd3a7d45e7db4c441d7672829dc22425f33f9fbe57c182

SHA512
ccc7934d15aba074d4efa908ce8f8875e867d4c30585e41aca74bed82edebcd334f4c0b1c736c6c67b6ad42174263f0f3793b9c92549516ad6cda8497e34ab5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGsUIcII.bat

Filesize
4B

MD5
d4d8aa2cad2625714d693a6be81d7dd3

SHA1
a632cd0a174830b6e9b404eb2494e7b2a155ae23

SHA256
0a9a0bc0f138214307197a34832e672f923adc4c755380e50a142b0fe293491b

SHA512
4a0d428f396fdfebd6ee3d6261f113f723b4fb12b2bdd0e429b1dfbb440f28ec933ddb9a916d2463ef7856645cbfd7c47a666f782df84b390e38e94b12ff8323

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKwwoYsU.bat

Filesize
4B

MD5
9366478724b24639031f585d72ba4d1a

SHA1
370f66e877b140f66693288455e92647f1bf533e

SHA256
f54f088d072db565d2023a9def016a39f842942094f58884c0eb8428206137ea

SHA512
80825b1447452a2125604330170bceb13530f7f64567ee2b74e7c6c597675206745f1542859a7cd223a229bcf1f16a3f9709ec8108b29f858cebd133ab15deaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HogM.exe

Filesize
295KB

MD5
1b49461ed6767885638b3e51a1d7c767

SHA1
fdecc2e182650c0c7599c79f5a545e971fbdcd87

SHA256
9d9bfaf0ac7a4f7f56f84207b463831073a5a1d8674d390cc7a540037693b1d6

SHA512
06c539a24f0896a030ca052433754bd10b0baf2925ce831e401756cb4e828eeba5e662ec4036ea705e69d6ebe074b55e56dc4854890996046bd822e15e9ab323

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsMU.exe

Filesize
157KB

MD5
889eff0543863ca4bb796b3a2fac0683

SHA1
d7a9016680e9ada7800d86eb52f5d7ce6cbac428

SHA256
1fd20397699df1e705dff95822a809ed0dba9de2dbfb1f5ac101c32ca3c7ab41

SHA512
7b1bef6d8c2de99f25728e1feed19f28a5e62063127cd2d2bac43ecb7505cfc64c8795fc1abdf6d2ae8b30d5db0451d602136750f52c3e94a414000b1919be44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIMO.exe

Filesize
238KB

MD5
402a1d22638c93e852da2b6ad300374a

SHA1
69979dac6c234604effa627c36e498a92a240e98

SHA256
317477e769b1e771421a7368ce0c89fb6869ac2a3e9efd3b4bf88f0551c3cfef

SHA512
d30fb4ff9b565860c9c97dfa3994b7974116ee6d8fae04cf7276c1e8a3eb9a040f70b1af718e3917f89b013d142b78f23c22fe2941219b95af3ceaec5c9105c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IOYUoIMo.bat

Filesize
4B

MD5
9dbbd56778ebba4e1b44e54ff9e2047a

SHA1
7df39af1314e6976bd99d0a2ddbe3b8a8280dd5d

SHA256
9c67bcd634f37bb3052d0ff2833b016c5302893f47763645752e6ebdf5576a6f

SHA512
7b519fb76cc52ccb3f051e8913fcf209fd2a8f8e60c9f1ef1efb56b200cb8729002bbeb055b5078d32e936dbe829a435a6947e228266919d38bb0c8557e41a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYAO.exe

Filesize
157KB

MD5
c056331da228099253ef389dea213126

SHA1
ce93b62858ac8af282950bd99cfb0974083b31b6

SHA256
0a196339438cddda133622c622b4ffcb73e32593d30d50530d53953a08814229

SHA512
e076eb8a916b58fc5b1cc103e2681be346b20d473c2ca10af57a00f72c92c6e8be85e4175128f892fe952de05ff909fbdba72e6cb9c808efc1010a2151d1b7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgscgIUQ.bat

Filesize
4B

MD5
5fd8398bd06c9bba3956d30b91032678

SHA1
dde59986d6e8d779977085ce501f92201feb5846

SHA256
aa2b423c2e9fcee24355e3a30bf8cce48deb281a5b156b7329f82b7e28265c44

SHA512
abc74af50b49f0ac6d46f9eed432fbaa71bdbd559df457d00130a6ac479d1f50851e86a8210347f9c3896e11cade8c340d57b4c6c9a6ce5ee54685927ff9998b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsIG.exe

Filesize
157KB

MD5
9ea861b6a799b9aa6e9903116862c9b1

SHA1
6df83e78d420c085c0bdb43dc18c3a50f09a05eb

SHA256
e575812b917bf1a31ce48d2a1e8671564c27f0cdd613f2c60ce93823602e0cac

SHA512
6023d168b1a0dafe4bd9c16028e3cf7b92625bda32e2feacd5f32e67096d615fdb86e84cf42fc414cf851142268dfc8dbfb8d10a4c366c335f0c47374d455401

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwcc.exe

Filesize
474KB

MD5
f4c5792fbb66e83fd70a56ee71b066c3

SHA1
77e8157944ce9254da00c31d43403097c467f7e1

SHA256
a3e72036bc20acf83a1cf039ed9b5ea68e4116b9a22fee4f8151a9fe04ecd856

SHA512
b33a6020f15273939b6b4bb559495b4fd984791cfc66e286c6bb38d63e39582c5a4c97760a81ce84beb48b6fe197552959c42c796f2a41f79e7dc6596708322f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMUcokIk.bat

Filesize
4B

MD5
0703343980bc41f2a243b393383d1615

SHA1
f815cdbd00acde5434f1a6714abe32af2b699181

SHA256
d9c35551cb35bd5553999379edf115fd4e128ba72698cc8e35059d27c3e2f7af

SHA512
08e28f6696e8b75d79b58f18bfb99cac95dc72c6c54d0674c0a045b7ac58d75bb34b78c0c28de2c42816fc53b79d28fd47ed404dfc2bf8dd93e87cd6b8da4aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWIssUQo.bat

Filesize
4B

MD5
a262c17b919d787164b23853062c7532

SHA1
52b1858280d53478d3edb4ba5c420be1dec9df7c

SHA256
f25b5492895d2b8ece98c668d3510cf78f8783d9c301de6fa5ae7093b6b6967c

SHA512
d732e986050c74bc5a30952d5334d8166937c8c13a301a967f57579bc8bc022972c73fcbf545d5a7a32944cf53de1dc4094f5ab66c998678689fc1d445fed6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkwQ.exe

Filesize
159KB

MD5
b2dca3ad50aab5b89959df803bbfb85d

SHA1
6fe83a9584712dafabadb0ea17908226f0729c09

SHA256
c6b59a45173d2d319dcf4b54c840ddcabaa145ec6c98c2122fd34949a74512e0

SHA512
676b7443376ee6fcd4e5af607f71dcc4c9748d037b0e3415cdcd3aefe0a9a70944231ce45d99c0c72be92aaef7f099b7ec4277604babb75374b79332ca9c02eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KCAoEoYg.bat

Filesize
4B

MD5
0e5704f750a67823214d21f67703aa3e

SHA1
7354ecc213ce5c0992f09bf4aaa09f68cf1c7439

SHA256
3e87c439ca59f224372cafd358ae6ca34602a93e687173a81c852af89845f493

SHA512
ebfa4cbec9c92eaef15d85205e92ebb825d83db92eda8560eb5a603e623b4e215efc18e6983b5735d78b3e9d8320a175157593869647013d546fd6a5681023ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUAq.exe

Filesize
159KB

MD5
e046b964d0b6c6861f9b06719ea7e1cb

SHA1
df5fab7eea8ac110bf5878fd8f61de0ace97a19a

SHA256
14267a13a295093bb74274c85e38a043904a45b42358b11912560a7f7aa27825

SHA512
82be0b04414121b8f85e267711e07fac1456e7a6917dba49bfdd4ae81c79f7b28e2291e73aa5d32b8200a405232b5f1be33bfde0d349d1b29b8f900c2c83a4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUIW.exe

Filesize
160KB

MD5
a93dcc4bc49f981d6242ba284b7873f5

SHA1
d7ec9b83475e01e9e0496b5b4a7482f7e2db2ee4

SHA256
659cbcaea280c2cde60ef7108721c64a7382497a8d8ec0061fdeba9b94a49a5f

SHA512
9a1445cce770fa8a1e803d95ad2e68d824e168ad77ec36142330ae0c60f0004480f3258025d72c81d5d3ba6adca7de35e165542518abc4c0450ed6b06caa3736

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkIq.exe

Filesize
158KB

MD5
9594296665a4d5e019ddbbbb05e3d536

SHA1
6c7a53010b3cccee3dd4c9b9d32f1b1087c8e6d9

SHA256
b9ec1128b23dda71961d7be437188941679cbf9ddc8ea3ff0bca827ce9588a41

SHA512
85fd6af029b918685bb1a2dffe2cddc9195d970661c63e5d8fd2f6928170a7c315afcb485545ab0523507157ddc8de0d6b78a2e3acbd5c3dfc9b65e04b98cb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEQAUsoc.bat

Filesize
4B

MD5
90583b85dc5af38a07ca9acbda0b84d8

SHA1
9bbbbfb0d1d4e6c6e4f5b0d085d70a9d1d008672

SHA256
c95edc778ef1f4e8b65483fc3cb33cdf2b8cb6285ba98759ab0d55ffc4554e38

SHA512
f079fd8b57e1e22853b3f92b451f0a47c0030b2ed43b813815371635926a766420df84c98ff8e87d23090b8237f71427926deb720b02cb29ab24ca289799973f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUsC.exe

Filesize
158KB

MD5
6991219548221213a4dd4a583935796a

SHA1
f68082db2495f6909c4b53e72963c7b7f83a75ee

SHA256
24992b31f56f7b4c72df92efa11ba20ab99862a42c709c5a20915ead6d0cda92

SHA512
f9fcd825addbe953dea8685f4a86472990d9c1182a861ef6e63c413c302fef3b2ebfa2531b4ac731c00237ab298fe13bb8e90c0f5b73e5334501f6b18bb67295

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYQu.exe

Filesize
159KB

MD5
43d6b7f42b6a93d1b8390db355660e76

SHA1
8dad57369a1b6b01d03605d9a7a5f3556178d310

SHA256
5f0e0b6113f890c299ee46df4ae612474ad9b77e5c070a59ae913973218ed1ea

SHA512
c4b7070aefef28f5f6be2b7df976e0ef7f1ef19bd39c986c96c2ac79464d9cf8b7dbe7cb1021dc86f3e73644a9247a36aec4bd71d4afc7a489739a7a967d4971

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgYC.exe

Filesize
158KB

MD5
bf5f33318770af8283e0e887a7d9b6c3

SHA1
b9849c66e53634db60c16589da01e4e3b7657db4

SHA256
f36f023d42f7ed3b576ba1eddb72583a9e6b2e12a45f621d40248c218d10ef70

SHA512
0fa3932c28fba961bd8e48cde5ac2d4247dc6f6d1f60937389a5b67bb77b6cfe06767cfc736bcef7e118419788ca5ff6df0eb3e34f4d4d995e955f4ef1b166e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAEY.exe

Filesize
259KB

MD5
ca75a4531255f5092dda75f63e01e2fc

SHA1
d8cd092e68d44abfbe3c59d3776a1b78d6eccaae

SHA256
ad4e9c6411d697c84e2d6974bbfb110d397927258dd31c838ecb79ac2192923c

SHA512
bb06fd1cc417ccd31f76de3644ef48dacfffa1411158371a765ec21455fa319da05c91ad68c61b981bb34e2e2c23686ebe40e934965347fa258b5596500efaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKYwkUYI.bat

Filesize
4B

MD5
a73c11b481acf33b7c827a887f1237cc

SHA1
d090d12adedbce1cfacf039fce3bf2b82fc1bc8c

SHA256
a87463caa08db8a792be0a93990a84772e9d1adceba3267ca9c9e57ab503c2c2

SHA512
2d8e7d577de90eac37332ca00621cfdf1b6e92270da3a48e75943cd8f13148a6c4ce897fb24407088ab70f4bc6e99649d364db3a144c4b673497461e7997018d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQwwIkYI.bat

Filesize
4B

MD5
50d33c810cf238fe536d382964a79303

SHA1
8b7c34c5b86d43c294ce8e11e32254346faab06b

SHA256
2fbb3c1bbe414fa0274a4bf4e0e9d9a80a9cd508af502735ec39f845486aaa74

SHA512
9c0c36c4d7e3a8103af6f4e1f0169b6f0a5abc8d995a8c4b1d55538f44b54d544e07953206cfb5e00e75feb0864fff14758b0543815ccd137df256664dbceea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NmYAIksU.bat

Filesize
4B

MD5
0c3c27090031782edb17620f51fe9444

SHA1
6b2f2413628360ce3d8a7b29f77f0cae7f2716aa

SHA256
0cd643bf2983a6507cf05058e62ce7180f6f7c3d5d08cfbe7246eaf16c8d6a50

SHA512
7154482dd0c6bfdb7420e88e2e30784765942657e95552a88282bca929e1351c5e2c0215c0d1de951a5ac38ece327d4f61bc3afc0b2e8dbd2483d6108a54f6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NooA.exe

Filesize
158KB

MD5
6beac4a5078b75dfd259675994a6f0a5

SHA1
fae6e9a059e9ca37ed7d63a6a24d6035076bb9e2

SHA256
a6450692c62ededde03242aed0664b0334205ca04e401befd0c7bfe856992c3b

SHA512
4e182515ff77c0f25a8614e198d7ea230cccffc0787a3f4e5a6362b9f71aeff071744a6e59d08f370024fd4569e43b00ef3e79cedefa03f4780333f82799d393

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYMm.exe

Filesize
159KB

MD5
19b372fc020ee52d40d995a6d37d074f

SHA1
a65c4cc09b9b2c0d7f8fc2fa9d7287b30b505df9

SHA256
ae65fb04b27c464a14cb94c8fdc29ecdfa3c8ee2122c3d2dd525e60033d8b10b

SHA512
fe7509ca7d313c2f98dfcacea5926f1cef5d96c3c3d7126b81dc99528e87ea80d9d6e97cee13b6e59425cd1a678983b96861f4b7eadffb11acfacf95f629f19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoYk.exe

Filesize
160KB

MD5
d556465b5f3ba6757e3a1858e04bad7b

SHA1
1b97f0388956e066349ab3d19579803976c79082

SHA256
dd8e6031f4177d569d126e4973b26afcc87bc6c43a1a3871f9eea90f348b0c47

SHA512
9a3554c3cf016dc5928346dee9cb3523e0ca6000f9c49c2bf9dcc0f71b41bbec634ed64e97dec87548fcf37b2e42ddd4338a1c87fe796e3d3c6081d745fce905

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUoy.exe

Filesize
159KB

MD5
d551eb5c180d09778ef1ac3c5af2e739

SHA1
a1e9608aa835cf01a14147b77e5b053b8b34996e

SHA256
4f8eb57360041341dc896ca37afab5e1a8bdc7b980b1318778fb51d98ea11521

SHA512
8fba3c0aea920d271d32c8886df2f0af933b4614accb89788d9536f101af220eacb062de2baf2d3b56c5d5b116cbee7dbe9984e488ae067f0408291172170ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PiksoYgc.bat

Filesize
4B

MD5
e4ae43afa92edfb9b150d5539d6690bc

SHA1
75ce1f3881e860718fea7bf46b43556e9d3e5b95

SHA256
3f2e1a99b40e004f7476a06688c0af65542553f0be504d83e02b88d85ab67a43

SHA512
516777530533f40a4ee2e6434b5a3da1663087685d0e978368034d67832155de99c19130d0b08140523e95bffb4554bdd9c4025f5ebbc021d99f174ee768fcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSYUkMsw.bat

Filesize
4B

MD5
5918de937c16a9a8487e296b4f9b82c5

SHA1
50d9b5018eb096cdf877c860524bbcff3e9fe2df

SHA256
bcb16b7ab4616d42673617699897ee2e074c5ed3810b7a3e54773c51d5f31b51

SHA512
f813715b095aa3727d499080721cb13223b6ecc6a4b3a6c8e3a4ee13c4104d8e56320c458f8a57d497aea24322d2d02af64ea0614383d816df9acc674e9471d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYkM.exe

Filesize
158KB

MD5
db49258e30a1263dc01ae2c45d53dfcf

SHA1
c911e839a56e8155d733d6de94e13a573a987d54

SHA256
07c79e8064fed3f5e460a0e8b660fac07cf07bf71a532bde911205d0f9b04e70

SHA512
33e75b9f91ec9943b058392c7fb13f643c8542cd197e9a6320a206bd6ab5f720ea1b8639013c5c33f30226d422c6da0657cedced81cd7b133ef251c1fc5c79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSAsgoco.bat

Filesize
4B

MD5
e5d6f6357519916814e705dde1c05450

SHA1
ae1998a1b0ceebb136c096f75057d9b68ea04ee4

SHA256
8c49cc927ccb67c89822a88a79c34857bcbe8ff089995619c12c621b9fb7ae73

SHA512
e73f18fad333761c007ca4286b889857c7d53d106fa9082f4f12a37db840dd0a5f0164a2a189f4d52983cf0213f4dc3cf5b20c783029cad7e5de376d1994d86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcEI.exe

Filesize
8.1MB

MD5
fef51a6f2705b4ed56609b41ed3c0f31

SHA1
022c591a3bc6ae724e004ac542cfd1176bd1d05b

SHA256
2d64384fa6a728565de5725945939cdd048e29a672290f3ad51929ccb0645a3e

SHA512
3b6a6a23306fe8bb610b98a10dc07d3f7b6fb6ae0af3e2eedb99edc7a588e6d7ab54be3b84f01f05bf040f727b2f37b783190605b5a6abcc3df525c097662363

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyYAkgEg.bat

Filesize
4B

MD5
36bb072dd96e8e0a21106fc8841b13df

SHA1
ac10ce61c11fbb6303565531138aa06692289f1d

SHA256
3a7fdd96f86d998f30661d5fdf428ee067d69df7662339c8b1c5743017ea03e0

SHA512
74aaa275a6fd7eb4dcae0e944c65b9c9e5d99ed387205af6b3da3c71f3e8c314d0b1a208713ed408e3c9e538b755a092e90e15999e97155d2e7c7b939f98a748

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAsQQUAo.bat

Filesize
4B

MD5
d59c90598e8f2fecc72fc592aeccdaad

SHA1
a6e958c790e2dd04bbd849375667f36a6df83217

SHA256
0282de08129558454d107a0d1b0950974b0fa6235e27cf9c737304b9c808f44c

SHA512
a47b467a5dcb27b0f9d1e5d4928c7e3a274df16ed2ab8f721a48e0cde13f9cf18c4f1a195aa8dfb3d3ab1c6510e14c3436219a70bf2e8e99326b1ac9b1c724cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKMQwsEE.bat

Filesize
4B

MD5
7d0f5c833e47010044cc4eb7baf392e8

SHA1
df8fb69efb8200706532608edf8be1c9a8761fa1

SHA256
99126593dfc31c33256832384ddd846a9c51d8f1b75a527f23f3943b426a650f

SHA512
9f7ed6cd3d31dca8297022e99836f593de0c698bf58c8be85163158ff19c9c18cfd5dac7dff37cebc753af3129705a2f54fb70b737e6d193825a0d9c15f83a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUEUwUwo.bat

Filesize
4B

MD5
d51f8675e33e38a4866d2d1b2f0d8c2d

SHA1
4a789c6c6b28cdac2efc3bd89575cb844a4c6814

SHA256
7083bc032dcbf1951cc4ddc4699f7ee7a190d3dea3feccb04729b188ee73d127

SHA512
0ea63968a50f017057d35bf7bb7f2c14ef2c039bb8d3054ac3b1e3f4eb389f3c9e05dcb005cbbf44742210e575347f50145152ee46e18e798010be72021bfe9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgQs.exe

Filesize
159KB

MD5
6a33de657f1eaec9dd82148bc1e325e2

SHA1
cfe9fed45b090a8c6ef9a17b2c8af6c2ce920d90

SHA256
fbd2556c4cc90880d7b01264bccbc11d02aeda3812d3100f4c6bbf1892735310

SHA512
81e70afa577824b026e900da7e91b2d24a05b5ecafb0295f0b4b6f765ab0ac8d85b4d0d7a40bfa78c2b619277539e2e954630c3d3e9a03e75b3de59263eb05fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwMi.exe

Filesize
156KB

MD5
e1b53e14cefcee076da333a6a885c24c

SHA1
b7de7c5a429bb0e1e654a0562a1de2206bd64301

SHA256
5fb806f983752595a1b53dce31d5c80f449e7feb1243197dde345d4fe13ca9b2

SHA512
bdad80905f9ee97d29ab0bbc46d00f13431088cee77845b589b6d8d6d2119bb44413cff1f4f553091575621d1ac4136a6d52e4a33a82e90ea50e3c4d1111582d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIEe.exe

Filesize
158KB

MD5
093c327cbc5a4617280ec450f2b0b194

SHA1
a97d7ab8c358d910dece53f96f5df19a751f0c55

SHA256
3a6ba8faeb35d82a6a90990d98ee9c1aa5d9404b4630fe696a6c4da619293ee7

SHA512
69ebe6ed8caff721aa60218cc0bb8c9d1266432978593134adb3846dcfd4ae35db79edceb32a6ed15d11697fa2d64c8040b130e69d3b8cd611d52d2678bec5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOAYckMs.bat

Filesize
4B

MD5
dc71d27be69994e97bdf0fcbc500e78d

SHA1
2a42f23b1d5709656fe301ddb4948a7cf010a16e

SHA256
07bb5f2a21541a0512e538d8f1668b5f53d531a5ecd00442a30d607dd31ef079

SHA512
835da7363731c5575973aa4196bd0f99f66ce45525d783e257cbe228e73fda93a9f66ca1961d765b1affdd1a3819a1f3bdff466bb4a8fce29721c0f504c3a659

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIIkckoE.bat

Filesize
4B

MD5
39f027b02f4deb737a7f24efb468472b

SHA1
0b8eb1ad3406f73962db5623199a20c659b77e61

SHA256
eab66688f96ad48c2eab6ecc6367b0ff30943766342f7e7676c34feeb4de8f63

SHA512
651baba76f6677240fa2a0110b4b700d6d2e6ddb517ffab6cbc040956fd6964a2b84803676004e6a922b543809de8ca193fb2afc29f42905fc585fa0bb15f66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcEo.exe

Filesize
160KB

MD5
8abc732197cd42a0786f7649d7d8f030

SHA1
f7b310cc75639cb433c02dd6383751037ba5e155

SHA256
b23d22b7843f686c1875e1013c96f5ed843709288d85ba6cc9c8e85e4d0531e8

SHA512
25992c95ab26ed21f7c52339cc62323e6dc019a249c91537030cfa16b075920c1999142db44a2e03ebf8c98c00a9e6de8d4cbbbbaaeb3c8957baa97c6d46b3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usok.exe

Filesize
1.2MB

MD5
85aa5a7c9b89761b7abb4d83e39e90f2

SHA1
b0fb6ac002a1f3b59ed4d6466b822fa9bdc91cc7

SHA256
f4b40e5183232e2b38aca306a5cc19be1a43b50d94e0d9fa1532d8bde49ad87a

SHA512
47d450f9091f374708618c590a4f0518326683b2c634d20cc128afe37119d77d2778532bf5ea1525fe8aa72919af0616addca63a8b5050e2b93405e40f49dc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEQs.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMwu.exe

Filesize
158KB

MD5
3adef9fce46b10bb241f83f97b5b6db7

SHA1
e5112ca24140589adbf9257d769fb6f994d5462e

SHA256
09a9aac7be81cb288fefbd6102a0efb27dc638c3a2386ef0c43b683b0b9340b8

SHA512
d930c94aaf8c2278d09453a4854bc212ef26c565c860324d4c4d3e69c97d9a6b0ea03e4c5bf85c07060633605e2aaf75698618e00901e997442877a35905a294

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQga.exe

Filesize
160KB

MD5
801120441872336ffa09d4e223a194cc

SHA1
04bbb08d01424702db483b5c5d0fcdf5800eea63

SHA256
cd0576c8cd8e3655ca603fa1035bbc5dae67c516141a9618e59bedda4092a5d6

SHA512
f120198987cacc95715d44d6015a2eda70d11998d79b2ebbe2ce1a96effb68917990ba8a89b1981328c37fc30deb9f42fcc217529781075da4cb359ad3e37a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUgAkMEQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEogcQcM.bat

Filesize
4B

MD5
43384978040fbbfc9bd0d164837c1d71

SHA1
ef9e0cb62ba42157b95f65bf8166ef25094d67e3

SHA256
5be79afd4487928fa3b01b96220d09c45d094789fc50e3d43286a00e83ecc651

SHA512
da233f4d92c9ba50d439f6944fe5f6d5393a8863d0e23c38cfe906fc73187b801c7cae708bc242921b0398e9b89bd5c4085016d6e40618117c185c9b73ade803

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQwgUQgs.bat

Filesize
4B

MD5
8d1b1a0c43998224d016a97d0495d53a

SHA1
d75d5189703863ba1fb7022795341655c66dc13d

SHA256
d913bf29d16324b4df374fea5a9e506ade6628ff9af9fc465d64e6cb7f88a4a0

SHA512
f4a4c60214919d3c6131d8dfecdb414182edd158434c93a1882906a7a141755d31c888c2bc90556129c1c748ea8cbfc19c9091b527a81118785138a828e07250

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUgq.exe

Filesize
237KB

MD5
19d419f8f465013e26ce6a9cb9d0381f

SHA1
3e70da5a22343bd79e252a2aaf7202b70f9aaa22

SHA256
5c4084fc2c22f35529ed16b611448c5af9728e80708f9f36be7b52b781cfad20

SHA512
65cbe6a5dc7fd990ec32d30ad1307f9bb5640460ce0a2fa681d176544d6479e3a60b18da80d1795a831c7b25a982e59c3275fc81cb9d51e5467b6b2bd7fdacd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WigEIwAw.bat

Filesize
4B

MD5
07d0ee8c346029f8fcb9f82c8b3d0bed

SHA1
7cbff4b07239220090c82d9e72906ceff114f323

SHA256
fc0f1d93092a9d111519fefabe14f79ab56cbcf6921350239059f38e1ae17854

SHA512
8aa8f895fc4d19215c996bed6fc21d986c4d7e240b87db5645192073b3d4f0502e96146595975ee1c9f39fbdec5119d0590ddea7934fb717286a35c41ef8122d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WiwYoQQA.bat

Filesize
4B

MD5
5af3036f96f9f6a7989d1f496dc32565

SHA1
d315077ccaaa724701ebe273bcbd3583969c5630

SHA256
eb6c00f11c930b783224bef1cba7d3e1a82ded5067632eff085bbfc496e622b3

SHA512
8c5f9809c9e1e219dba16e2d3e233c0b898f9679771b37c01f945804db653462f940c5be63b6f0f38d3701e0f7bfcde3256772c5a3407b225218b7d68c7755e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWYIIkUk.bat

Filesize
4B

MD5
756a61b5d0f538346ca46630aaa9aec3

SHA1
ec25c5028acf604006b624287cbed4c83aba8490

SHA256
319f9a2eb2cc5c9b8a504feab0e08a038c043043bd28450010ac4c61c1b3cb89

SHA512
332607ba65a8084e8ada6863e0ba45266a0af09292bd817759d0cfdb4f113f4d1e5ebb3102b2ac70162bdb0d9734de27b1c6118a466331b0a6780ab55efb525b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkAEsEks.bat

Filesize
4B

MD5
4cc78e8e8d5a14bd5e33d22695e25ecd

SHA1
b59ebdd664d1fd675ba833f2f60c696c53a4afa1

SHA256
081d2801b77de63f6dd2be00325b0b34bb2d06bd9b5738908dfeb9cf58ae5745

SHA512
75232b117a51b525cf43dd9902e627e1e97baa0c835140f53949a6f0eefe796077f15b2ad6237a4f4f1cfc290831dd985b9583bc5352cadcb03074b9eed9ef2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkMU.exe

Filesize
868KB

MD5
3ecd073fcaabc6b7508481017c25c913

SHA1
857a2a57c24288d80f7dfdc5035ed3ab4519b702

SHA256
f9f73028b9e8cbdb279f4a8c065fcce2c6440b5b60e78f3d8cb8c21c693a3cb6

SHA512
9a9a6c09cc533e56ff9bb61d23787a3b33801fc3f85fdfa06feea0b655a20748ce2398d869fdc1863a459c17cb86ff54fa274e801b029abc666235f2a869860d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XsES.exe

Filesize
148KB

MD5
26c612379ac048af6c7ded2b4534e6f2

SHA1
a2b75c5856004e299e4498188fe09c3a7b00c61f

SHA256
7933afdd024e6f25ca088fada36d00498dd6b62a5d33fc3d4fa51058d72485d6

SHA512
3387b5361e85af410674af1bb9e0094e385c8e0184ca1240642e8dc9e1df6c6c8f7669f11bc68f556cffcb0641ace28161babc7977507254e0b7366ae871a5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XsYG.exe

Filesize
158KB

MD5
633d46d98fb5b0ded10c1cb3fc28fbe4

SHA1
1d8182ff1d749469929e5522cfcf623024a4f52a

SHA256
966f8468248275ff992e3d946a34daa658ed86ce205eeb67150a32d80c652a99

SHA512
bf1837e6e3f35a979aff1b508c6781586faf4f572144e68b47ba8bcdb7e25eab461be2c9e7b84377eabba13590af02c4b338e761bd3cc2ced3be453908f95a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XuAYwwAA.bat

Filesize
4B

MD5
0ec533899c6823c16195612f491d385b

SHA1
d5731699b14c5c76eda080eab29263ee5158231c

SHA256
16328a1c5fcc791c422b6f61bc3e8584c476f7cd7478e43bdfae1ec042dc4457

SHA512
29d8bab27a3a0ae2c642f769b84a4880dcea70a7d22006b4840847ec5f65bb4912feda1c941b5e9ed132c7de3c2cdfd1017dc00472b402a90366a781d43a85f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMIQ.exe

Filesize
401KB

MD5
0581a5605fd4d365486c89eea19336bc

SHA1
7dcef65bf909781ec9e4934067783073032dd640

SHA256
5b4a64d5c1f695a883b43fca9f027a4d47dc8e344d570ab31780195c7f9157e2

SHA512
87784363154533e5e9c1e0d6f42739280a9b20da9cd25ffd85b723f12979358443fd02fe41c061ebb88f3178345f30965048002df73c2107523f591c2067975f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMcwMEsE.bat

Filesize
4B

MD5
5ccf8050c4f860fc23cf803a2d5d9c5f

SHA1
72e21f0b74665ab88ba9fca5d7d6c770a3cf5fdb

SHA256
ce4c60787b500d54d69997ab5cd34997935c96c589071d0171531a1195b02c6a

SHA512
597bb4e67c4d2cbe02378163723e5bbde64ddce44d678d002d972b7f584009ab2852a6f65ca2e85f179976892672c36f42362c630fd5ae8cc50ec2814703cbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ygco.exe

Filesize
157KB

MD5
b72723eedda6186f6740ccfc35d7c1c6

SHA1
951ac20b34b1448e2460fc83f9dc96a7b7495550

SHA256
a74d7df17eb104c646dc9137c54c01c4e97f15ae8e4a3d0e5c7d19204f5e2320

SHA512
dc6f59f6f183268eee10d8f8dc210c3649b806533f83f32e8f3d35d9bb6a5d74d3e08b9f37bce16a90881ef38e2f8c5ff8a7c89a5db22bbbd47208ced2673658

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsIu.exe

Filesize
160KB

MD5
ef772531149ad3eecdc9f2d0815b628e

SHA1
b7a0f1b8ac2e3bac494bf50f35b2efb43eca2ce7

SHA256
56e8699913f4e6ad72e5b41426015741491584f82742c038f9df6224d5f5291e

SHA512
d5b4babd7f70ee45932ac9b1b70b379864696daabc55473be14451f819d711204aeccaa41501b08412f30bdfc576aaf1103ac5892564f7e20079741f3257857b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZegAUEUc.bat

Filesize
4B

MD5
0445cf4a2c4894ee61d28868f2579691

SHA1
7137315b51d9f0831bb02fef0ce5369bb40fe103

SHA256
94fb3b5ed418be3b41c1ca2f80e047a401ca2013a831b079bd87f0dda50fc4de

SHA512
ecef44f652018d4876eb527de4959e64d63d195c3f12c3670476d04b0e541209214a9898f61c41782ce6004b32b2ebff3341c7d1469edd22cd333e3c833b4b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMUQMcAs.bat

Filesize
4B

MD5
2fe53469bce967036bfdcfe58d3aedea

SHA1
6f4659df0f80eb1790dd999f0c2f409f2ac4be61

SHA256
1f569c02e9398b8fdf4d68746e2bcb5c428ba8ef1651f55ade5fe5643b5b8af7

SHA512
f694449c809a70819fb7763b50ba0d115cfb5c6735d8ea4d59cc9d20e3dcb3bac8873ed435fd5464d9b2983803b64e986803de10c5c13252e2897167fe87f082

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYoS.exe

Filesize
159KB

MD5
df563b4248318d5249c644cf35874741

SHA1
b095e5270164f26a8f17be1ba904447a7a503a20

SHA256
54ba84085525a2f72e805d2130de5425a7ef144193961b5b60ac4abdc1998514

SHA512
80ab92b003321c6d1b8319bd61a9dbb601f21e490a58638008af9e0a1d94e371aba7676b2a49bd3523de868f57eed0d2c8e00a1be9846720e934d58ac396702e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMoA.exe

Filesize
158KB

MD5
0e961876a6ddf240bb99cc362c96601f

SHA1
33d8b47bf0dd3c2b7b51a52073cb5fc93c18c65f

SHA256
de971f7c2670ade3bb849cc2ef80a0bcd7fc26cd3314853977d446ec9fe5ff69

SHA512
bc26e78aff5ad45c030eedf7b14e63a0c26662f2eeff337599cab2a289b46e8f70ec5c10c7cdd6d5fe01cef703dc2b22d1f4472093b41ec9a62702cebe56ce7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcQM.exe

Filesize
133KB

MD5
b4d12ec3bbb5d5aeff95acfe84a4623e

SHA1
b71ae8378e52bf93a264fb7abc430e17a9dcdd7a

SHA256
d2753a1a319918fd7f14f62bbb24525618dfe9b2686a77d9f7fb4384e0fde1c9

SHA512
81baafff91bcfc6b09f0963899b35695296de3f053405fbb703da800034c707c2d1ed0f905b06ab0042d0f5b64c6ed855ffe3de2b643d413f66472feacbcad24

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgAw.exe

Filesize
158KB

MD5
5cccd27c82108a0808b7f63b6476d7c2

SHA1
27467aea94f9c913d9b07291f6ed04bcc2283695

SHA256
54c3d9faf3a20014440d8f75179664b8194f17b21e8f121bd2e76a99cc9dc30f

SHA512
edfab21393db7610963899a2e78c81d26471a147b2618408709fdc959be0a0b781a7e3309be024f76f3e5ab110ec16501d172694039aef0c67f14832d5eb0974

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEko.exe

Filesize
4.0MB

MD5
7c31a54495e222292ae12deb55aa3dad

SHA1
0c0a76c2952b3b46a9bc538c66b93d3b02ea6a16

SHA256
bfab66313a9a38d4080b9e689533aa4dac81c4d1f6a37ebbcb197401dc8104ee

SHA512
4286ce39056ddd89b19cfb73525221e385c116edd71b04f047727c186b2dc7cd80aa16fc397db4f5eb951e153d69ae26016ccbed5d9231e84d8cc5012b0e5098

Download Submit
C:\Users\Admin\AppData\Local\Temp\cckY.exe

Filesize
161KB

MD5
658fb9e045d5f3c56f12e850d818d997

SHA1
faf604d1dc4aa26534554ef4e050b5015f3ae9b2

SHA256
813716d2b3f09e8c3d19398a82f29f1a59d7bd46ae090c69c12ab2f1fa52b320

SHA512
7169f6da48fd95fb2b017d7fb74e219b69b808ffa1e18e27164e6bc1aeb9cb06f1bc0b6c67c5b384f0814e31be045099b22638e33cd1a469d5be625cea10f916

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgIs.exe

Filesize
157KB

MD5
11230a5387e9b9c007de39a35d7864fc

SHA1
11067c9ad4eee9e6a7118a71a65d1e65d992db5a

SHA256
5c89e4201e68967033ebc23d9a0cc888ded467c16e2e065ed76a42e46731fee6

SHA512
6c157bf73d205c3f6daf53204c74a360fa23de879315a5aa91fed96d0dc7da15e11cabc427fda90d674b53948727eaf2f7a9130566693b9045be608f3a6c0e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckAI.exe

Filesize
157KB

MD5
163e5ba2c0f00634f235ca810ccffc4e

SHA1
26a5623898eeeb193b0dd78b3396fd5c8e422f7d

SHA256
8f0aabc5302d3c1bd00a898ccfabc2ac3303629cd5c5734cab2c6878cac768a2

SHA512
210b9a7c75434110e31c3fbd68485a05c0ba3061a28963f3d10b3b5ab5e261b91bba907b1df73c960f32c53a74b3468dd3d35500322ba6e2625813c11313e3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csggAogs.bat

Filesize
4B

MD5
b6aaf05d8d050fb3c5433dbae88cf4a4

SHA1
5f3ba823cccf6162d49414ca8f0c2c17751f71e3

SHA256
23edf77e08bcc0f2a921627e5e5ffc965181cab42bef9aa15f051daeabc468f4

SHA512
ebea28e7875715f11556a4d6ba41da850cc409c8aa389a622f9194a91edd4014336889d6f0b77847098aff265a703b4c164ec3d81816ababe18630b353c79608

Download Submit
C:\Users\Admin\AppData\Local\Temp\daoEAUUA.bat

Filesize
4B

MD5
5feb1dede0a79b8832d32b99b0a083a0

SHA1
22d21050b49420f75faa64d09958d76bfdb88255

SHA256
47f40989037e1364a2cfcd4048f602701ad1bc887b7daea904447db12dee8a9c

SHA512
cf6ab229ce6fbf32bb3be5259391c55882f01f8e30079d227fdd3ebc1388f063d2046a5b1af84ba31a060a86ba27d6eb83759c5dff65484559cc6098812e033b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgYe.exe

Filesize
414KB

MD5
fb5833b6ce70e1b8162964aeea38fca8

SHA1
4b74135dd1edecc4d9695491e7ba302bd5485eed

SHA256
82cd6ae9f67c76b85f6c458792fce8451e9b6b1bdd3063c70fccfa8d0aced008

SHA512
196f13bc1ee673992407c177ccc76ce2949544b0419cbbb149a0dc22d08d8b1c6364a57bf8558dfde355fe830abdeb04ad974d8c572deabf8e1a003b47932838

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEMM.exe

Filesize
968KB

MD5
2e5445c54ae908ee89cacb1bebdf8e5d

SHA1
09f0197985a5b5b42ed769fb242ffa9d5eab3a85

SHA256
0bade23cac2fe7d0835c61d413c4aa4a93561df6200b21cf3c8369df3935d02b

SHA512
f88cccab4d7cfd2aab771822bc0a784b715ca0d527707fc598b54300f8cd5539a83069c4d56cd0d50fc19644944b60443f70756a8c1139662a5180dc707d312f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUkggUAU.bat

Filesize
4B

MD5
9d4152f989d31dd2c9e30bc52d2b65fa

SHA1
8500479daa7131b7877d5e55d2305059d95db3fc

SHA256
6830c9163a373e0acf32479b87b09e6637cac0018caa98ac29f68e9a8adac9e3

SHA512
7f6dd1eccf2181217715f3841ba99ea1dded2f37a29996845df1937c5587564e0b200a1255155ab9d7e190ee09df2a999970da0d5d15f7807058e09d001a3f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\emwMwgYg.bat

Filesize
4B

MD5
ebe0ca0405a71326ea9c66d50c7782dd

SHA1
c47b04172ee860c16d6600fdb8e7e35462e11759

SHA256
5dd0dfc4eceab89293ca3bd7b830e20f21830c77241a9a0be78d97a0164e8ac1

SHA512
b95f090e522d7d37984785cc9351ebf4f8f1c84e058256d02898333934f687758569a8c108daef6aeae7cf7e5a8df68463c6f6db9f969aa4d6a2e411db322050

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcoI.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwQK.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQMk.exe

Filesize
157KB

MD5
67d36a12c5aa4f1e8fa01edf4bdcfa34

SHA1
4ca31e1cd93f25e823a685a8603206b79d14d31e

SHA256
0bffad4700db622d4df9319df2e00e5e4f79d50b7d67a6fa0f757b09bb76917f

SHA512
c292844749cee0c4a4f9d7863a953a8df0ed3532f081d267063a12b4c4c3e5ea19b2da34d38f1a9644314962605c99981e815778596f9ff6fb4cd2b4c27ff9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMgy.exe

Filesize
872KB

MD5
93b4667fbdee7c1e7faea3ec0ab4cd1a

SHA1
13e59eb62130e2ccf08ddbb5c95f5ba0bc1197a5

SHA256
2975a6234d044b1b5571a318e9cc8a39c3273bf6fbf273f0d1d070ec68f6549d

SHA512
79a8b88e2b04decb19255cee37c80e09bbfb01b5206ce56cb5cabc54eda4ab8a3a19fd1e0b8c04d6ef9e3af45d7e6c8171cbaad10bfc95824eee005a4b3a9a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkkc.exe

Filesize
157KB

MD5
d7d50984ef901622d0378baf09a01f4d

SHA1
e6ee1f8f75a856256cbaea6005a3733b782d1235

SHA256
bc6f1265c16e8a642c66133fb8f28e58032254a0b2f02f7f5e6b394285548a0d

SHA512
51bc20698a706d07434842d99c049f11f184d823fad28fc9b93bd5afdbcbf724f1c0b2438eaff3e71c1d9d6f6b2548308645a1764f20e15de16c3b6bb61b8b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwIi.exe

Filesize
158KB

MD5
ced9272bb8b6ef8bbd9ec229bf058335

SHA1
85876f01654c2113ba9bc0a1a53cade72c4a07df

SHA256
b3ebf29acdc25f3a5ba93ed03526f95676c22caa0c629f72735363eaf4603a3c

SHA512
f4859be483aeade75bf3bff2a664e6b581b323baf00593a64659a89b1dd9cab8cb7234c12ec3522065ce34997cf2de08683fd1f223e7517489006ab13a233cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMwi.exe

Filesize
158KB

MD5
cbbdd0a4d93298f9e802e4e144084b32

SHA1
e23bb2e2b9854529f9e07b2a130dfa2c607e498d

SHA256
7dcf2f6bf8e669f2dbf322d4c47ab32236658e85763a122aa5064bf28b94a890

SHA512
7c9d40381fcf3523d8c797e1c70293c946a46811e347e3e788084ddd5bb2e59d9dcfc1b8cc5e8c7fb13e598f63f7a02f344dafb8f2c9e993f9b51b56a4aa14eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jCMkQIMM.bat

Filesize
4B

MD5
0950dcbe1921a3e7e10ea9fd7b068a00

SHA1
eefdc28adc62f5075cdd35c7abadfbb5d028d318

SHA256
eb403c815022c77513dc9ff9b7c94acc56fab6e8a42525ce7b161050a39aaddc

SHA512
1062bfc8468459a2bbdaf86dccf0edbff6ae413f82aa6352f7cefc01919754be36f75d9ed0f8c97f47662f9b87f715ef20b307d3bb6b5ead409d8ab99e44981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jOQkAUIs.bat

Filesize
4B

MD5
e80a4ccc03d1a9b1d1f593ed3b200a4d

SHA1
237c62ad04c477fc7783b90bcd6475dac726f5e1

SHA256
96ce5483106a2c881839aa9310a5be0167940599c9747dc987ffa542f1751e39

SHA512
70bd10deb372e23f8793bcd5b9bcb2e8107e52a61074728bb44c37c924792e1987390afc3dbf1ac7b6198a7287e0683bbea4806020316dbee83824c68d662676

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQIQ.exe

Filesize
743KB

MD5
54b4df50ea888662d3192e81a1f044e1

SHA1
2c08b135be18f03f1f00fe82d5bdcb4471814fc8

SHA256
eef14238dfe4594d102c3314e89fa3dca10fb29aba317b9509a0d60795324769

SHA512
732d07c4e8a5982f4867bc9980217f770fc849d1fed871266aad7f2b1f56aba2f2d8e059e53ad9cff98d91b10c52ae5d8420aa0e075ce2c062fe3e9cc0f4ac44

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUUm.exe

Filesize
239KB

MD5
468d224c679d2d30e096779064914991

SHA1
44b1fc52b67fea3d5e8e13ae1f4e780f2f336147

SHA256
baa304392a6e9079e7609d350a6a91c7c73f98c24e8d9cafd08e19e5b62cd7c1

SHA512
82f8f610a4fa30b3d85fd9417522b1ac76815032c9ae07b2966fb32f5df25935a7fbea16348ef82e6fe435b30e76b1df0d985bb8a38acaab9b4a668e7fcb5347

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQMG.exe

Filesize
137KB

MD5
418a0905aaa902ff000db883c2e15440

SHA1
9c7cd0101ef139f350e0e4e9f0cdcf4ea9a2aa0b

SHA256
a6e9308be1a111d97df245222dafc593d95f3535841d5a930f440d779fc1956e

SHA512
9d9f4c3916c4ad157a18b4efc86b61979138df7a5fea2e88f640b8f6378a9ebdcfa273f25c1216c26d8e4c86f531110352414148652d7c2d46ceb1c760ecc209

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQoU.exe

Filesize
376KB

MD5
67773e4dc1db3c073920802fda7ea908

SHA1
14da9b122b8a3f5edeea544e676b8884d1089e21

SHA256
711fd245f86b8ac82c194cb7de367409adeb418e9cf6a2eef316557dfe3cc325

SHA512
153f4671226b15b48be5219c3828b944630a5ea4c44c28cabc202b7d524d9f66049ca0cb53b5297a4ab5ca39a4ca3913fb98305ecf463e65eab09e6dfcaa0a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgIA.exe

Filesize
158KB

MD5
f0a398ee3415f5699444ba0b06d8d093

SHA1
735b2063cb0187b4aa4d144820b8080048ba5aef

SHA256
29f0a9b433938bda9da5249147aabd1d049669bdf1f2aadda645f1e58b206559

SHA512
c3e60a767194fcf96f4579b0d694d995878f48d7775136d874cd3ebaf62da13d255fb24cb640d3863fa0819c59c33a7d8d6183fcb30b2344b23e4dd130eba7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgMA.exe

Filesize
159KB

MD5
df3cb766b640dbaa5eb3fca130d1ca03

SHA1
0f70008767debe2d3fc5c60b2a2deb20e5bc3433

SHA256
3864b80bfc1a4c6dfc25942b1def747f02d922b9924186075e4899ae05f53c8f

SHA512
acd270aa4ef1f3ab04b59d10dcf045477051a1a03642211667b9f7936ee07af167a457c9a6e7968b8b61618ebda67dfad882bb75bf6495199babef71a9c5bab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkAQYIUQ.bat

Filesize
4B

MD5
f7dc0ce864093a43a7de2486c4029718

SHA1
d301709a37d71f0c409a58ed83e8123410fb32ca

SHA256
e8f3a9439357c67ecc8434e434b2595b911aee499869f72b344d7d49311792af

SHA512
c11ea1056765924448f2b4629cc9d11a2e75c0cf8a23822ea1e261c829c07aff473852c7fed8d78d814fd89a9213cf31f0f33261966e1be371d29ae05b163624

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkoQEEAQ.bat

Filesize
4B

MD5
2b6a8d64184cc1d93ee314638e423335

SHA1
a7f85a31c6400292a10818656ac58e9de9d0b00f

SHA256
4cd03461a7028f1a98c6a378b38f8f28f80081e0ae1edf80a10f97f98aee564b

SHA512
9a29c3906cd139073761da184fa830c05b2942cdc0ebee691b160b32f157e15c8a0ceeaadbf1cdafc2f7405fd4b442eb16921e3141f8e5ed948701dc90eab10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\koYG.exe

Filesize
744KB

MD5
888a1ff8a0ec759b04e6f8b49ef47aae

SHA1
a29832e9c69ca6e70e18f775b004ab7d125d7bd5

SHA256
237bcd77233cc721e00fe011001b0b24115ecc68b6525bce5f0a7ebdb977e3ec

SHA512
a71c04b97a2ec4e44c6cd5cadc00773ec8c4f5d5ae649397dffc423192b09148be61c4400c230f6f26c23582b6ec6f6f6fa74c45d0db12e6b24e279ec57a3c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEEi.exe

Filesize
470KB

MD5
c87b82f5427d8045417f0c08a3a06b3b

SHA1
7d5ad13c3e631eb5209328dbcef04fb6f3a479b5

SHA256
9694ea89179b99226c139c0dac6a67b8ed5495272ee8b865033b89183f3bcacc

SHA512
b9001cf6d4ae29711e312f0ba783d7497d30054e57a18dacfe33b84554bbd73533bf7a4107ffe7ca3c0733051d6c3624ce2ccd3c475db0f19dba483581d2b1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQAS.exe

Filesize
158KB

MD5
4884c9d60c6de90ebd0ab75473c5543b

SHA1
ae11d63a67ae3194075e531bc0830efbc3c02150

SHA256
d638671f0b069e864aca8a60f0bed438d2da8eb8ea88159c6ef41a9c4e1d0c8c

SHA512
f79f6f2839981d3520b6d820cdfb58825234ad49933e6ee2e1a820ba66db1a2f566e777dc42ec7e309deae8e172b9f45601c3284a96bc1e3ac83f1072f2200ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\locgEYUc.bat

Filesize
4B

MD5
f48fbba6823121ae76973744bf256074

SHA1
9960c2328c2fa3a50f7ed9abb3a0df88d45c6784

SHA256
edec891439fe3c1c3e7399b675be81fd5dba204d1e81a76515f4d6d69ed87c34

SHA512
dc6740b1e60b1aecfbe646047b53ebefe24d5b4da12842674e212e17423521cd4acef5a84bdadf0ab28a8cc5a8fd55b34a92ccfaf5beadcacd6cfa9c13c70781

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIgE.exe

Filesize
237KB

MD5
120526f76186f15ea10af000aa2eca9f

SHA1
d6210df89608420be17a61de4736cb1bd103e8be

SHA256
3761ab0f44f68dd75c9f78ec7cd4bfc96e563d85e7d01038a41a3e123dc7b369

SHA512
eec58e521ee5ded35b567da562cdd3300ce482c324bcb8ed46907aa8025f2fbe92ae457a4900268d7c8ec9741fb4583142eb61d9a8c60997fa941088eb622039

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcso.exe

Filesize
321KB

MD5
4062516a86f3b38bb3fe2cce53e35dee

SHA1
1a7ce5347900639e02853de3db3a61dcd806dc62

SHA256
d32e1ac87b42cc977826ad52ba3712e095573a1fde04cbbaf8c38f606329c454

SHA512
da63c02d40cde4963a5a875d0506d5035786151331ad353dc4247b031b0c5e7a023240a5fe6b70c29decf68da429adf44cab7f11c4e7b32600c75b1e5e9616fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mksC.exe

Filesize
692KB

MD5
550048f32ec663bb3b2452f7b773be12

SHA1
ae0297a9a88c602c6766fbfa45269afc01ed4bc5

SHA256
9a49490fa3dfe839c0be69be59cc9ee3caf709f1d5f169a8268f4ec351b6a89c

SHA512
d31dc7447cf6354c4a001cdcaa3e8c8f840cf51cb1a23e3108ac199a21aa2643a3d9b1d51d264a1d32f40a45b9bcf56135f9d67f134facc4b6577a5b89e792ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\moAc.exe

Filesize
157KB

MD5
6c748b1ce6c89a58569ffe6b4c83b7c0

SHA1
55d8fe325ea8e0c514bdd111476a5513b26b4637

SHA256
b1476ac2bb48ca5b00d0bcbd179f3c8daea0304b9e6bc5a1b18dfff132e3ad78

SHA512
975579f31fc68f1e9412ff6abbd4af0a02a37c5cb03b08225c2e79951ecd350a56a5bf6eed35f900d1eac43a0d5e0aa1c6ed2b07cd2d50b75cde09d7ba5be3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscs.exe

Filesize
159KB

MD5
5078ca834d010f9d526c90a89a5d6033

SHA1
5f4b3097327911047e9d79f854072eae226fab2d

SHA256
a47dc4213f6088bbe332f6f0897b55278de7a2d825165247fdc3627abf09db2f

SHA512
df853eecb297fbb518868c9df1bdeca6044817f934e3ef6e0866ac4558b670a9ad6625c33d7b65f59da8680315629a91cf37d06f04e6522ed1b511ce8e0a78ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEoW.exe

Filesize
158KB

MD5
9872e2f23e2e8967dd37ba5540384234

SHA1
c23d73bef9eb2e0d6066eefda85147137a6b8db8

SHA256
4925b005cfc195e2b8bfaf202950c7dea0c6b1fbf08057a481756f8fb9af9c44

SHA512
f3a593d571c5c302db98649db03515ac9f8003788396949580856dbfed93cd880187e0e222cc0663903217a1295a00a79b0b7851fb1d80914d9301e2c9b9fd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGEEQEUI.bat

Filesize
4B

MD5
b91c1ebc90c751311d25d076865dc086

SHA1
2f90ed120f460c26f74cac38ccd1590533193cf8

SHA256
bfc435de461bb68a31f8edfdfa7f8434cbfd8dda21a6af71c6d564f75c5a6945

SHA512
871b8432a0903c9ff8d62c019bbb2cec2ab27bda340de9f0f7b36c44340be83ec35dd19789ddfa2558a229178247e10fd84a9f2501b3ca19feb8c4c6744ad765

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooQw.exe

Filesize
161KB

MD5
f5b792b4ad28b7f47398e47b8073a475

SHA1
4a41aa0b94fd10a238bb7461229d5a1173b0a7a5

SHA256
bd9e3090e5abad42c8978f922b4c4b376fe016ef35785a62921a77fb679af612

SHA512
3fc13563f96a53dc67631adbdf58830ff3bde179e7af470c580b49bbdecccd6dae2a0c9aeca815d966d5b16c8953b5d9a8990f781af58035f410debff249d0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\osQUUsso.bat

Filesize
4B

MD5
6d65bae07ee40b46567937cc100b7761

SHA1
f79b5ab4df9e450a954a87aeb4522f907e3ba211

SHA256
83f9bc7f15b6c5a9a5c1dca2bd168cb9338d05240082d84a5278b767c69ca365

SHA512
d7ce5813f04c8bf615a5f86a977d0f9e71e5ad75e3d5d73f88bc81521e60c1aa0e7db4c25db0c5ecb4e4557e43e6426dd61fe999e066c48152987eba3d148939

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAMoYQQc.bat

Filesize
4B

MD5
8baf733e404c46834c1e034f0984fd90

SHA1
463cb25965d1af36d7ec2707092ae111b3c00006

SHA256
83a56833d5b8f7e5b85e0ea1646426acf0570e39cb2c870fcacf57c94748cc00

SHA512
150820cdb56f5b3a1c15caa84ff4d9feac491b28b253867c5af439f983455fafcc41dd20630a2e4f16ee8b92855d0e31c6ff78876f8710d2c9a6755a52bd6563

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMUY.exe

Filesize
158KB

MD5
c72b077ae514c6aea6d74f1747e29a43

SHA1
1356e87a44028800989fcb3bcff331865970a940

SHA256
e3207a52d0ce5c9d09baa37f290bc55e50e61692bdb4f70fad481a7e4a0f32f3

SHA512
25df83b90855e3ba4f5481cb2767296939d155f82ea867cec3b87e44f3e7a6542bbf981080bc9372778076d57d954694cec1c1889fb94794e462e84aeedc82dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMgS.exe

Filesize
4.7MB

MD5
64f0ca6896c2ee0d3cbcfa034614ddca

SHA1
949217e65ff804a679e1ad8a18899ef9335431c4

SHA256
2eef4f944ec45dc55b96c1f422c0c4e680a043fda3ef994ce2570fda7fbe1031

SHA512
255a378fc7aedc770afcd49f707c73221428662dd5b7fc1531a2ed59125866091dacd0607cb4b2bcbb4f846036132e1ddfeacba7f5826d011af4c0bed126b654

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUoS.exe

Filesize
158KB

MD5
139d2115231b34e51e71522f21054c36

SHA1
f0411e373f3459de68a6e89776fd37fe61773c3e

SHA256
502b1aa904c8198a2b19d3726c8aff4f3bf68885219492ab93f2b1b8f0ac6c97

SHA512
279c1667b49e944799f187d8505d0bfe2b7419e0395a22d8e6477ecfe79a11ae3f7f1f7ff1c01feede1239eef99ce60b1655bf3533c218775c3144faa52ad4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcIO.exe

Filesize
565KB

MD5
4d6557518d52e24d5eaf48103971197d

SHA1
1f420d420356ffa202a66ed4cb40f560a3f7a1f4

SHA256
da8b65e11c7b037c668c7292c30b781594791b00ccf68b36f293ddd2bcb66dfd

SHA512
62f556fdd50e99496ff7cba5e9997f7708082039f729585f672130a9b8bc35b7beb709d6e69dd3cd2475d83761dcb4bfc4ad65badc27c76adc8663c0d89d12a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\poUQAIsg.bat

Filesize
4B

MD5
2e193a31b1977e09682a3a15751fe573

SHA1
ddaeb6a01097834399622350cb71e30217d31629

SHA256
882342e8ba6847be8b5be097fffb534a5dd3a1083e8c9628404cd36eb0a40c10

SHA512
e20e8e1e155464b3de17c8960b4e0b707ed3abbd83b6aad805c56d4ef08cf5e1d1e84c3c30a9ab05abd715c48c1d39ff81e9a240c47918e50c8a1045fc56fac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyAokQwE.bat

Filesize
4B

MD5
4243aa47c689729785ed8ec6ac7c0371

SHA1
2a2bd464b5cb709a547a0e80c76092c0acc4a122

SHA256
72f1c4b3ba8cf08c9ced312bb3118e92c25e1322706e2031f959cff01335df64

SHA512
5ca6db0aacd965c67e5ab37a98071c11743d2bedb32dc19fedbd9dfc0ee86424a5d815e29827aa2ff88cee2055c95486d49579d1f330f7a12a5b1aaded2a6a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEAI.exe

Filesize
937KB

MD5
b3c84c2f13ca2b6c5817a0adf0f283f3

SHA1
77f62282847e0f5e4e4078d304e0d4b449cdad4e

SHA256
109bb974968f8ff867c8778e66d09f60bb0d8e6a2931f29ffdf9d7d6935ac49b

SHA512
71ec1c90160fc93ee2d16d671d711cd4b7ef5885dff587917f87561a1b581c8bbd365d32e727533dec0c92d31eaf07596f14c60ae778452fc9dfb2a0a03cec0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgcYYcUg.bat

Filesize
4B

MD5
a7c7139a84de95be03a9ddca58e316d7

SHA1
575f9de6dd420e4299465317ce247cf33dd9d42e

SHA256
a4e37aad9f50a7004d2ded120a9039d3d4427f96f94894fbaf150436ebc15a2e

SHA512
27b681c78d74b2cf6b32137b94c3a3830fd3ee1101af77f5a6f01d29e37a93232b8d2cb2c6b26e07738b84e9da2a93e4297e348fd6eba10228c1eb92c9ce9b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMEgUkIM.bat

Filesize
4B

MD5
c5c00c7170cc4f5f3b152fa1a8bff774

SHA1
0840aecb83d572cef3363f6be812456d9bab5c42

SHA256
fa50f1d17de0c97ce2f4c553cd4e4aad40f61a4b66c4ffaeaf168003e0464463

SHA512
b55bc59029a4729b83efdb65f9ccd65908704f0a6f9ebbdd9318f9efd045a73f115cbcb192af98f21b59faf3e8ab0f56e914d2e51563bbacd84bba0ccc4dc6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rokq.exe

Filesize
159KB

MD5
c4d5b7b3e73e7f24354761d780429fbc

SHA1
dcaf043370ade66ce0ebfb873fdf99148fc84309

SHA256
eab3917795857fd6ae0eed65967bc32654c9d42ebd182e53769a55959457005a

SHA512
fc93d1583852282648066ca2eeae51052d1a134db9f4d98b22e7fda7ba66dfeeb41f76fef3406ff65a60b54c01769f89c295dee485985015d716aa5bc56c25c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIIk.exe

Filesize
158KB

MD5
b72cdbbbd073236c393230e7ea64f1a1

SHA1
e4d7bd2bb3690b7e339e3b34c060baf496f01260

SHA256
47b017094598708906f27a255a77709b481e5a546a255401087436724bb09404

SHA512
6f5a4166b6d2072a17bdf38f50244b25318e492c9601791cf439e2adba5ac264c8ea7fbff12d946c37a0e343bab202d302d9532e8995110f88a25666c42164af

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIMY.exe

Filesize
160KB

MD5
de72ad8f8eb4c001c734f6bf6e7dcf50

SHA1
27efe7ebdb32cf6fd6e023abcc9b8010e20f2e2e

SHA256
e781d3eb3d90b271f6b6d50597d096b934d626b95970d4775a8cce4a6cf18fda

SHA512
af2795bbe7c67c043ee9968117b5013ad3b7d5c3f26c1b89af99d00fd2e005816ed7e48294db2715449b915c8f21f938cf03b97e278830926fb05bef1c86a4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQYC.exe

Filesize
159KB

MD5
5c2d0df5d198875a83e27a7047652405

SHA1
55f06d7eae527009a5eb4a8de8e2f40f3e533a3e

SHA256
6ecf7bd7baf118383429c2be30d6e9a1f4e0e4efb2ba4469ecf786f6af5f0e84

SHA512
739418871bb07f7350b4ee3b275464183cf959ae8711209a5df6f0174bd86838279c54a7c3d067d50b65c37ec009ab95fdbc498e0f366bbe071d9284e7ee6491

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkUs.exe

Filesize
138KB

MD5
dca43fb2e6b81b4ac498e1dd608afcb6

SHA1
82001fd01eeeae15c1c5294e6804d5fbbf2340e3

SHA256
a7fefb7d4a6c437ee11458c8e6406754f55846798f41e70688b0d3b209c05125

SHA512
ce98ca6c4de0783a97afc51f30efde6584ed6ce147a1f64ba4dadeaf0532b65ab1f34cb2a5f4b043e569a0e4cb9b1a48de039a9a3eda01704a8ea5e722dfa50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAIQ.exe

Filesize
565KB

MD5
fa836dd6cd45e5a3fdbd2b5ad5abc49e

SHA1
a4589dc7128ad2251ed539d61a5c56f194b1183e

SHA256
1759f437174244e50298ddaadbc713b7b82e8b14d40bf42edd0c70414e025bde

SHA512
7967ac9e58bb992bff9f3bf5434a7d0fe25ae5d2ac82d0c7a21ddd1a466159fe259260974457ece84a62ec8f92f7513fe1bbe50cdc027d7cc74a146769b3837c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMYy.exe

Filesize
156KB

MD5
a32640e3818c5a775519843deaea5923

SHA1
03facee9446c903ab89d6e372b1e2a89e9230e88

SHA256
1a1c8ca6eb2fecda1bfde02428ad46e81f1a1a6f6756c7b0df34b3fff0ac21c1

SHA512
85d2468124ce47d7ee297295abe0dcf12c3aa9084f6862edff349334b33aa0e02e64295bc46e5e5c5a364ac90cdc05cdbb75bbe37131360926ed93dac5cdf50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQQo.exe

Filesize
716KB

MD5
28bc776169d30aaf45722e1aa6ea64d6

SHA1
21faf021d83b7635aefb7b3d1d5475ea9db09530

SHA256
a51249358a2adeaeacf236e675b85b510e3317f440829e73262d0cfdd576c666

SHA512
b5680fcc60327d0754b06b9462ea58bf7c84dda05e8667c51013c80ac3fc7ebf569e43bd7ee56f24acec9a71bff781ead062fb8b3eeb7152ee3cd9c7e9be1503

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucEC.exe

Filesize
556KB

MD5
8e8db3653a35aeaacd469ac481a1f63d

SHA1
d7032ae26ad1d1b488ff490db15d161431d8f1b9

SHA256
7570582155ecb7dd66dff8a50eb0e94121040600f66de1f4d45fb15d4fd81759

SHA512
d612e4f8d73b1f9753833a7bb3ccb114b3e31b0e8b81532163093583307d11bb41475eec9c711681933fd015f07698c02c1dd0b8b2b077763e5496e312947342

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucYg.exe

Filesize
153KB

MD5
5636d089ee8fc109e42ce2d72cfcc6b7

SHA1
cf3fb4a49a4714052623fc99d3adca5f6acca7bc

SHA256
057aae5f228297f7fd324b5a1d228cd1f4e587decd0f49cc1e3efc5014f1f5fa

SHA512
d89276a666dc74aea54ed578b6bcf0f8a671afb7e464f4acb759f283e07e8eb7a4d9b5e58ee1c7637d67b0b74620332ef98daede9004afdec50c344556c0697f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqUgkEAE.bat

Filesize
4B

MD5
20678649b0f2bb7c73fc079cf121b40e

SHA1
cacea0acc971cf80c67b1bf1ee99a1d307cc36cd

SHA256
65152adde5ad46ddb7df11609119fac3c18136feeb1b3d7ef0cc72c271d8668b

SHA512
6512ff99affa53428efb01cc9ba1473a01200bad41063f47081cfd5cee7f955f9f0120d3ada91866bc67a82413b67a1b63e3ea9e5653c97c0e8c292e504aca88

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEAI.exe

Filesize
158KB

MD5
50dead2991d75489f03d1e2995257429

SHA1
1648a4e3ac65b3b54b678a1044e5cc73b2ec05a9

SHA256
b15c222baf99ae70f71744b363589cc54d4adcb7f2613bd1572bda0c14bf4587

SHA512
e244cdb55161dbadd21fe9574e4c019d3c4ec440feb2cc976990fbffe90168c9c067bee0ecb7bd4345ac0f54041714fb81fd6f6bb2e5a976c4eac33c9890450a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vKcQsMAE.bat

Filesize
4B

MD5
a487adb44e9ddde36a085d60fe0f062e

SHA1
7d5b2b2cf46d6d70f2c957943929e5fe0c64f1d3

SHA256
3ed75b426ce2f50f2c6a93a717f6ee1f382735e385e8e5978749db59163abd3b

SHA512
61889756cde4f3ebcf5a6526b81c3b6f075183a18ed0c7872ac80d71affb4b30544600821d08913e1ff7686e1a9a8db853b7808226cda98b6f2f1eb5c9809ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQYk.exe

Filesize
370KB

MD5
f62b01903991bf3847f39a942a1566ea

SHA1
2e90ebaa3c8199383af784ff31a3b74140fcabfb

SHA256
2b058524704e23de8b1b5c2c745313aa976843b0084c4fcd57b1bfaa82335ac0

SHA512
67c337f2093025c4024f64693f48ca3e05a44fe0bb5f23484fb501d793b3885007a3d3d786747dc5079b0dbb7c187b1a813a2e0cf9c5a84e6ddfcddfe51ed8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEUe.exe

Filesize
871KB

MD5
a00f7e9573c1569da339cd9f506facb6

SHA1
f563e1461c9bbc53a44036be268c23cabc83c924

SHA256
df18642d3f1535d75d75d8547a33fbbe2e9c4d2aaa23497c4f84aefe0768beac

SHA512
af4b8c3fb853480b93ff1ed8259ea070508daae37e197b9f65b66d7e6127404451497028003e43f3f7983f7502879706fc62980f2030de0f86bcba36a4ebd121

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUYU.exe

Filesize
272KB

MD5
a71446f09ee114c4c94e1fbfefd878ec

SHA1
4a545ea92ffb4312154929b74ddf1bd22156f67a

SHA256
3372a16e0df863f5062968e07d48e3be66820ca53481a50b5710e315392ddfb1

SHA512
4ddeb2827f76cd679073931fa1997cd85aa6532f8af3372e9ac708a9172c0799faa50131884b7119100c1f994485fa29b0092c46bc9e27e49264622d06999006

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYYI.exe

Filesize
330KB

MD5
0a67ea26d6025aef58625fa7646b8e97

SHA1
636f708efed099a89ea6b8476b617302c05664e4

SHA256
387feb494e26648ef8cebd705915d25cb2282d1b109d3180befa7998eb520ce2

SHA512
80410db2cbec888a58e29ae310cc96354c8ef243f21724712991feb60dc9a4d2a1ac637cd8c8f0dcf12862a474b4cdb2d0b43491e8c394aa699f4c024cfe4262

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcAs.exe

Filesize
371KB

MD5
42f06291da15e9347ef4fe5a6ac41b20

SHA1
915e653f1c9b33c9c7e65fbfccd1e0e6bad2e4b7

SHA256
b25e17713949926f8f1b354b22f485911e4f0e353e7106fc11f02cc210375329

SHA512
294d89851f62f56875c62115fa80c3cdf1891a646aa36efb11b08550210b1f670bee9e8e498cd8165d0f74341bf78a0fa968a14b27bc95e2f788aa38c8cd7e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgYI.exe

Filesize
158KB

MD5
779b5c592fbc653c5ed60ac8ff61a480

SHA1
970de250ed4c614de4e6dbf688af648f461ca85f

SHA256
084cd289d26c60933f9b07fd2ef3cfdcf1566e4fdb2ad667f0f354256d9aa813

SHA512
6c870bd54086ffbb44e72a9026f9cb93908d757dff5ad260684b5366529c9dee5f9da3625f63e5ebb43e78c98c43807e7e121dc7c58af3d93a1bd1c853ea1a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgoq.exe

Filesize
159KB

MD5
3c5c96b7a7672a15af39975a94d67b35

SHA1
4c623c23d6c0e5b57d37fea8732b5727347debd5

SHA256
deabb0a9ff53633e0d88fd1b79ad4af640a5148d24a7e81955036bca747d8159

SHA512
84b141a432505cfb344fd70a393fb341514cc34dade48a601b789429723f3355a4b8efb3fc6ec8f9893ac895debf26b3e51091d9b21ff26bb649518cacc20042

Download Submit
C:\Users\Admin\AppData\Local\Temp\wokY.exe

Filesize
158KB

MD5
33f70e0536e3415be1263dc90c78ea52

SHA1
4eba5d6f655e81593de793642ce96a741065ad74

SHA256
4e830ee16b6e4fb386f81809b327d18efc059fe37251951ac1accf52db7ef4f6

SHA512
5faa148e62d8266a80f0059b9d48975fddb0391c3e25ba442f7d6296568ce7145a89b8fe270ce3e6e95c96fabd5e45653ba6abf0768f70b6f9b1f106daf49fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMMG.exe

Filesize
597KB

MD5
b0f3dd90a0c42d20fabb9671493eae25

SHA1
0e4bc8669425464f7cfa8f40cc85ec815fc56f93

SHA256
c473d9cc32d95228232a4a61b46667b669e782cfd2ceaaf46e3e1a865071d7c5

SHA512
15942c4e18251df0be0a58da33207ec7f595325b248aa73ba0f6ccfc5b242511998db5b2f4113f5bab674897b95c734431442ffb7e6515603dd5a47b1049913f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQUQoAkE.bat

Filesize
4B

MD5
0cd8754b38e89a148a37369315bc887e

SHA1
9f9e8e6761ecb40f14c1b2549504131ed530a57d

SHA256
d62e79b5938f69c4a83ed740a70fc0991e6b0ed11dfb56a48edc62fc788dc35a

SHA512
479f0d40875aaf204ce59b25d4969e4b0915c5216ddf264d0e2e2f95e671f7882c6ac7d5bd20e7335c0d3208b10c8704c7eee0f3e002b8e71987d53d7f03eb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIIi.exe

Filesize
160KB

MD5
5c42f6c8842361931acef66c68b5bf0e

SHA1
253686dd4dd94d3e52b21df4a0fd64cfa952eb39

SHA256
77e2fc2d57478342b5cbe66989fe6dbf8cab3fa027049154d3a1a859bf079721

SHA512
9aadf58a72cee1456b8387155c39567dc5ca604b4df4caa14cfae6f6d6fd1a36904806a6a3bd78bbb3e5a75d338399af0efa50ce1b1caac3ca665ddca67aed94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycoE.exe

Filesize
159KB

MD5
55d948ffb4553725595c52bf4c927f9e

SHA1
4fb643c5b866be60b42266925b7428171024cd15

SHA256
828bf64fdd12df47511afdc5e171f558de8b59710bd40a669d0b078d46628f18

SHA512
baa80cc59ba344ff0dac88b2cb6f55e8752b54c26f0a01060fde96a92fd394c78c83733bbf89ceada322c7891c4268111dd4ee55342599660711c746560a358f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIAi.exe

Filesize
160KB

MD5
c27d28d7ede6ab7b8ea09c7cb5b99257

SHA1
7b3dcafd1c2c728c803a0e21d76afb5f6d0825ef

SHA256
90f31682d485869cb59906aa821d20afb751fc1d57859c830c55ae79430841c9

SHA512
22c910aedf2861b8482ecef24d11d9a05b19f1a92175c8cbe8feaa135d44f3c99a6e368becf1ce479cbf25259c9f2e496ecc7e53ffce9756c9da5b2662985aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoAG.exe

Filesize
271KB

MD5
48959422c80c7185f8fa6b27f990da94

SHA1
3950956aafabbd67616d26a0c6161754ecc7704f

SHA256
1df3fc3223aa42feedf45819d6a1bd8fe19aa3e17ca4efec335eec0fb1b16ab2

SHA512
1ee51c1c23c2a17d1e4b4318f6e11a3438e1b3692a87e47b1a9ec764b49b8ab0ba5c06f42a465465d0a9cc359b2ede8e154aa5d8b9d720f5f8196ac12b9427a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqEYMMwg.bat

Filesize
4B

MD5
a80e01c9c52c4ba6e35adc3ce00c811c

SHA1
f8f01b9e1549383a13981d19620e290158b61639

SHA256
cf3f241620adc999deb04eda5371ae0f44d1adff37aa00e38f46fbeace6dbb5c

SHA512
c6ce01f3e7d9d78717f898cf83b3dc41629882d965330fe473aa13d983829b6d9cc42fc34f4eef228e9ab38af06661d78c642868db43e822db516bf48a662ad0

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\Users\Admin\hCcIIcQM\quwQocsk.exe

Filesize
111KB

MD5
a53c8c4fe4a4b24964dc393ed971f619

SHA1
af94a8c54915450243d66d83bd7107697ba79aff

SHA256
45208523466609b74f71151e5c6d5a5b0f4f8c0d7f8ba821bcb4ed5c7f115f15

SHA512
a5108822a8698a37eacaf4a955f00f4569c3ec633ea17d164328bc76bdc2234ea6a2f216ab8816af643bd7047381362d3e023f24b7573de577db02dba914de99

Download Submit
memory/448-379-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/448-378-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/596-1153-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/596-1152-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/688-355-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/788-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/788-157-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/928-1211-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/968-1167-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/968-1081-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1060-702-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/1060-701-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/1144-132-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1144-111-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1244-1003-0x0000000000200000-0x0000000000220000-memory.dmp

Filesize
128KB

Download
memory/1244-1004-0x0000000000200000-0x0000000000220000-memory.dmp

Filesize
128KB

Download
memory/1244-342-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1284-183-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1284-204-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1284-365-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1324-1154-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1324-1252-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1324-1210-0x00000000004B0000-0x00000000004CD000-memory.dmp

Filesize
116KB

Download
memory/1324-298-0x0000000077640000-0x000000007775F000-memory.dmp

Filesize
1.1MB

Download
memory/1324-160-0x0000000077640000-0x000000007775F000-memory.dmp

Filesize
1.1MB

Download
memory/1324-1209-0x00000000004B0000-0x00000000004CD000-memory.dmp

Filesize
116KB

Download
memory/1324-161-0x0000000077760000-0x000000007785A000-memory.dmp

Filesize
1000KB

Download
memory/1324-1247-0x0000000077640000-0x000000007775F000-memory.dmp

Filesize
1.1MB

Download
memory/1324-1249-0x00000000004B0000-0x00000000004CD000-memory.dmp

Filesize
116KB

Download
memory/1324-1251-0x0000000001C30000-0x0000000001C82000-memory.dmp

Filesize
328KB

Download
memory/1332-240-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/1360-1031-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1420-285-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/1420-286-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/1420-134-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1420-133-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1484-1080-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1484-1079-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1520-1254-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1520-1253-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1592-444-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/1592-442-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/1684-1103-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1684-148-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1684-1009-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1704-932-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1704-823-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1780-271-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1780-294-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-12-0x0000000000350000-0x000000000036D000-memory.dmp

Filesize
116KB

Download
memory/1928-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-13-0x0000000000350000-0x000000000036D000-memory.dmp

Filesize
116KB

Download
memory/1948-109-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1948-79-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-78-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/2124-40-0x0000000000100000-0x0000000000120000-memory.dmp

Filesize
128KB

Download
memory/2124-41-0x0000000000100000-0x0000000000120000-memory.dmp

Filesize
128KB

Download
memory/2128-270-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2160-910-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/2164-389-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2164-356-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2240-227-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2240-205-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2244-1288-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2304-180-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2332-711-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2332-605-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2388-402-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/2404-29-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2448-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2508-319-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2508-295-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2632-55-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/2632-56-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/2644-249-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2644-218-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2688-1212-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2720-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2732-182-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/2732-181-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/2732-627-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2732-521-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2756-42-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2756-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2800-820-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2820-446-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2820-1286-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2820-529-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2820-1255-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2860-333-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2860-332-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2924-455-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2924-403-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2960-520-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/2988-380-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2988-412-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3004-822-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/3004-821-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/3012-110-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/3028-310-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/3068-591-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download