6cf802b773edcd7a7da9dcdeeb36fb2b3209bb616d29010fe90153b0595e2ec4

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Size

241KB
MD5

5c96825d8cd6c41c6d564ffdf7d1675b
SHA1

ed2f9aaa37356cbf0fdb1370d8d580f12e487960
SHA256

6cf802b773edcd7a7da9dcdeeb36fb2b3209bb616d29010fe90153b0595e2ec4
SHA512

6b2b5187aff8a90a9f48924bb40cc660e1b1207def30e5902172a883fdb49ed0b08e180bd4d239752190c1f7af010c2c6eb6afe417768b46c481424fe5771a26
SSDEEP

6144:sh6vAzJiHk5fTX2pGdq2EqkBTnY4zNDfLGrsOiFo/kYRd:sVkH2Da72SK4ZLK/6Kd

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	iMEggEYQ.exe

Executes dropped EXE 2 IoCs

pid	Process
3040	EeoMscAU.exe
2680	iMEggEYQ.exe

Loads dropped DLL 20 IoCs

pid	Process
2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\wegooQMI.exe = "C:\\Users\\Admin\\cmcEsMko\\wegooQMI.exe"	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UysokEgY.exe = "C:\\ProgramData\\YYEMkoMU\\UysokEgY.exe"	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\EeoMscAU.exe = "C:\\Users\\Admin\\JUIAQcgk\\EeoMscAU.exe"	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iMEggEYQ.exe = "C:\\ProgramData\\ACYgMowg\\iMEggEYQ.exe"	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iMEggEYQ.exe = "C:\\ProgramData\\ACYgMowg\\iMEggEYQ.exe"	iMEggEYQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\EeoMscAU.exe = "C:\\Users\\Admin\\JUIAQcgk\\EeoMscAU.exe"	EeoMscAU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2524	900	WerFault.exe	246
2484	2252	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2652	reg.exe
2436	reg.exe
2184	reg.exe
1732	reg.exe
264	reg.exe
1928	reg.exe
1708	reg.exe
1036	reg.exe
2284	reg.exe
2644	reg.exe
536	reg.exe
1992	reg.exe
708	reg.exe
1544	reg.exe
2348	reg.exe
1996	reg.exe
1908	reg.exe
2280	reg.exe
2648	reg.exe
2660	reg.exe
1896	reg.exe
3028	reg.exe
2184	reg.exe
468	reg.exe
2068	reg.exe
2104	reg.exe
2092	reg.exe
2144	reg.exe
1960	reg.exe
1484	reg.exe
2816	reg.exe
1992	reg.exe
2528	reg.exe
2796	reg.exe
2644	reg.exe
2676	reg.exe
2064	reg.exe
1700	reg.exe
2724	reg.exe
1744	reg.exe
2632	reg.exe
1556	reg.exe
884	reg.exe
1924	reg.exe
1748	reg.exe
2444	reg.exe
536	reg.exe
2420	reg.exe
2152	reg.exe
1896	reg.exe
884	reg.exe
1608	reg.exe
1928	reg.exe
2652	reg.exe
1528	reg.exe
1436	reg.exe
1416	reg.exe
1748	reg.exe
2256	reg.exe
2636	reg.exe
1712	reg.exe
1940	reg.exe
340	reg.exe
1476	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
604	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
604	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1676	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1676	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2104	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2104	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1204	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1204	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2416	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2416	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2720	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2720	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2916	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2916	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1680	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1680	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1676	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1676	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2068	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2068	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2208	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2208	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1888	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1888	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2696	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2696	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2748	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2748	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2440	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2440	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2100	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2100	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1896	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1896	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2076	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2076	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2396	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2396	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1848	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1848	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
788	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
788	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1880	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1880	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
468	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
468	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2568	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2568	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1772	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1772	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2612	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2612	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
572	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
572	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2384	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2384	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1880	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
1880	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2620	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2620	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	iMEggEYQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe
2680	iMEggEYQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3040	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	28
PID 2080 wrote to memory of 3040	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	28
PID 2080 wrote to memory of 3040	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	28
PID 2080 wrote to memory of 3040	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	28
PID 2080 wrote to memory of 2680	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	29
PID 2080 wrote to memory of 2680	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	29
PID 2080 wrote to memory of 2680	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	29
PID 2080 wrote to memory of 2680	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	29
PID 2080 wrote to memory of 2464	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	30
PID 2080 wrote to memory of 2464	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	30
PID 2080 wrote to memory of 2464	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	30
PID 2080 wrote to memory of 2464	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	30
PID 2464 wrote to memory of 2832	2464	cmd.exe	32
PID 2464 wrote to memory of 2832	2464	cmd.exe	32
PID 2464 wrote to memory of 2832	2464	cmd.exe	32
PID 2464 wrote to memory of 2832	2464	cmd.exe	32
PID 2080 wrote to memory of 2648	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	33
PID 2080 wrote to memory of 2648	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	33
PID 2080 wrote to memory of 2648	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	33
PID 2080 wrote to memory of 2648	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	33
PID 2080 wrote to memory of 2424	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	34
PID 2080 wrote to memory of 2424	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	34
PID 2080 wrote to memory of 2424	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	34
PID 2080 wrote to memory of 2424	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	34
PID 2080 wrote to memory of 2484	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	36
PID 2080 wrote to memory of 2484	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	36
PID 2080 wrote to memory of 2484	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	36
PID 2080 wrote to memory of 2484	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	36
PID 2080 wrote to memory of 2652	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	38
PID 2080 wrote to memory of 2652	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	38
PID 2080 wrote to memory of 2652	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	38
PID 2080 wrote to memory of 2652	2080	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	38
PID 2652 wrote to memory of 2580	2652	cmd.exe	41
PID 2652 wrote to memory of 2580	2652	cmd.exe	41
PID 2652 wrote to memory of 2580	2652	cmd.exe	41
PID 2652 wrote to memory of 2580	2652	cmd.exe	41
PID 2832 wrote to memory of 484	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	42
PID 2832 wrote to memory of 484	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	42
PID 2832 wrote to memory of 484	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	42
PID 2832 wrote to memory of 484	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	42
PID 484 wrote to memory of 604	484	cmd.exe	44
PID 484 wrote to memory of 604	484	cmd.exe	44
PID 484 wrote to memory of 604	484	cmd.exe	44
PID 484 wrote to memory of 604	484	cmd.exe	44
PID 2832 wrote to memory of 584	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	45
PID 2832 wrote to memory of 584	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	45
PID 2832 wrote to memory of 584	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	45
PID 2832 wrote to memory of 584	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	45
PID 2832 wrote to memory of 1416	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	46
PID 2832 wrote to memory of 1416	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	46
PID 2832 wrote to memory of 1416	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	46
PID 2832 wrote to memory of 1416	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	46
PID 2832 wrote to memory of 2772	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	48
PID 2832 wrote to memory of 2772	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	48
PID 2832 wrote to memory of 2772	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	48
PID 2832 wrote to memory of 2772	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	48
PID 2832 wrote to memory of 2972	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	50
PID 2832 wrote to memory of 2972	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	50
PID 2832 wrote to memory of 2972	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	50
PID 2832 wrote to memory of 2972	2832	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	50
PID 2972 wrote to memory of 2216	2972	cmd.exe	53
PID 2972 wrote to memory of 2216	2972	cmd.exe	53
PID 2972 wrote to memory of 2216	2972	cmd.exe	53
PID 2972 wrote to memory of 2216	2972	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\JUIAQcgk\EeoMscAU.exe
  "C:\Users\Admin\JUIAQcgk\EeoMscAU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3040
- C:\ProgramData\ACYgMowg\iMEggEYQ.exe
  "C:\ProgramData\ACYgMowg\iMEggEYQ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:484
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:604
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        6⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        10⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        12⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        14⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        16⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        18⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        20⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        22⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        24⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        26⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        28⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        30⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        32⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        34⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        36⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        37⤵
        Adds Run key to start application
        
        PID:1652
        
        C:\Users\Admin\cmcEsMko\wegooQMI.exe
        
        "C:\Users\Admin\cmcEsMko\wegooQMI.exe"
        38⤵
        
        PID:900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 36
        39⤵
        Program crash
        
        PID:2524
        
        C:\ProgramData\YYEMkoMU\UysokEgY.exe
        
        "C:\ProgramData\YYEMkoMU\UysokEgY.exe"
        38⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 36
        39⤵
        Program crash
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        38⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        39⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        40⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        42⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        43⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        44⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        46⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        47⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        48⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        50⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        52⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        54⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        55⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        56⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        58⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        60⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        62⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        64⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        65⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        66⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        67⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        68⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        69⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        70⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        71⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        72⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        73⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        74⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        75⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        78⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        79⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        80⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        81⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        82⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        83⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        85⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        86⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        87⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        88⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        89⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        90⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        91⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        92⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        93⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        94⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        95⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        96⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        97⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        98⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        99⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        100⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        101⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        102⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        104⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        105⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        106⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        107⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        109⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        110⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        111⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        112⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        113⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        114⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        115⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        116⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        117⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        118⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        119⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        120⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        121⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        122⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        123⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        124⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        125⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        126⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        127⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        128⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        129⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        130⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        131⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        132⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        133⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lSAYsoks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        134⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fKcQUocQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        132⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KgkQwogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        130⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kIIEYYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eqUMwoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        126⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KKUoMEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        124⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jYYAsQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        122⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwAYwAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        120⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwYYAkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        118⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCQssQcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        116⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\boQUAYEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        114⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIYokIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        112⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UyIQgIAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        110⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YsIYwEoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        108⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYEssgUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        106⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ekwQoUwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        104⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zSIMggwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        102⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LukcAMsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        100⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tuIwkUYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xAcowscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        96⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iuYQsoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        94⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkcsEsYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        92⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EogckAMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        90⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWYcoogw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        88⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hGkgYYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        86⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZYEgIYUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        84⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HoUcYwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        82⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VcgIkIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UWYIQgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        78⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKMsgYIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mccIkcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QgwswcUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        72⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PUgAosMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        70⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xIcUgUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jwAUkwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        66⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YUQYUogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        64⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ICEsssgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        62⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSocIMoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        60⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcMIwIAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        58⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UsMsoQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PWYMAoAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        54⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hscwIAAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        52⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOUYwEwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FeQQMUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        48⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UigIwMEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwMEEgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iMcIUUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        42⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ImIgUMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TKkcMcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWEEQQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        36⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xOosgcMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        34⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DiIcYIkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        32⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WuoYcYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qcIsowQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        28⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QGAwoQkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        26⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcYsAAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        24⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PokMMcMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        22⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NEUIUIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        20⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vassMYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        18⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAEEsYME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        16⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kswocMoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        14⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wuEwUIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        12⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sgogoQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YKAkYkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        8⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1248
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2204
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1840
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2528
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKYcokEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        6⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1580
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:584
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1416
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\fKEwYUEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2216
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2648
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2424
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\rQIAMYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-75656394212463467394026538421794647535116302701513361473561326620524-368213085"
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1770017374-2750826775456523853910130451437417709-19726912128094410051904465835"
1⤵
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "389281150-1018994939185277441867315054-663414305-20454806811678612563775503263"
1⤵
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ACYgMowg\iMEggEYQ.exe

Filesize
110KB

MD5
deb725eec3f03f2cf2dd3b8a77e20b99

SHA1
3faf4ec7941b02b0306ca8e1ca702ac3889ea818

SHA256
6e6433827d493acac92641ee5a70415feb14faa94bfd5e4a7e20f181b755202c

SHA512
65ac1ac5d6a4e4551d6ed158e7995a0a256cb550d4fbf260973f9592c0b9a5d13d1df70c81c22b989e4c17ed3efb574c34be0ec6b9ebc4e617975523c88cf224

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
138KB

MD5
7ca2c16d934221fd03d2cd16235f1502

SHA1
2da699e54ed59d3c6cc24ead216f36c84720e848

SHA256
e6f65c9586c25362b4463e42ab8471d3777f01d60badaa7ea851874e7312f4d9

SHA512
a95e2addf79ccfcc13e078a8a7fd26c7bdf7b596b62c996aa1d514f67ee49f49a8e102bbe06efa89ea2428b7929227f4b47f25eb73f73925948fc8e57212c3a7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

Filesize
159KB

MD5
355abfbf7b87ae77e221ea00acf4e86c

SHA1
30ecc649639a8da9a16572c4c8ef9bc46c5b2dda

SHA256
b54c59345226ac4d9a99996d700473adad0b876aff3ab0297fb333451a8d4dc1

SHA512
f475a9bd904382212d77c66cf38c0312abd09cfee82ec9c185f801c8d5435e967f0ce23999f33577e3ae0b25236d5ea67ec0e05b98415d194c5a5b96f108af04

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

Filesize
158KB

MD5
a4ea97b912b9414d3199f2e89c51fa90

SHA1
2185e4b29463c49b998a318082727671af0b8951

SHA256
2e88c0b91dc4164de57458ac9babc93b05f2f180d9fca568751f2b67b9f0456a

SHA512
c52d7f9701b85997cb1a378ac86a8350858edba298128b70e970cc6c41dad1e1d59118cb7a829fddbf5ec9d84c504f2c0f3376fd5f717334ce245023c2188b7f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

Filesize
163KB

MD5
0d04166a94fba6d7979e8d528220b345

SHA1
aa2c09865459ed34bc30a2a3bdeaeb696398a8da

SHA256
5e8add2cddcfb1f1e34bc12fde80c050053f0ba2a3d4c56c04753b723975b263

SHA512
14932389b55d7ea6cedc2846a318b71aff76f31cf00008a37f9bf676b1610d7a2d20fffcdfdb4537eae362ad0e99c54199aa8431a7dfb38fcf016f9ba18c9477

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
159KB

MD5
7bbb56ef07d21c15731cce20f09eaf23

SHA1
1c68113bb66957b63e3bacea836e5c2d1af126a9

SHA256
668b2e7816fdd3c59546595b84e727f59e172c969f4ccc64e925debcbeef76b6

SHA512
c26b73c861dabf6073e1e4d88ee5c63ea8740114cb7384af9d08beb5b0b72ad89912d5e45b393edd7fcb39aaf907d0edca92c25ca3acbc12fff06948421e78e5

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
159KB

MD5
9739da5ba49eb0643f0b634e2c10ff7a

SHA1
4ec5c9f72aea06fa48e81e52e2f778ee13b78d49

SHA256
2bc51b82e2115f6a2635190f0c4e395d5d0ec7e4f9b2e9aed1f1242c02d82ff8

SHA512
3aa397e4c3a45db2049df70e243369c268ca5f2df4b0652c3c542c71c816834b00962c49fe669c26c30beaff5f058b2edd0e9f1fdd80d0fdb878b0b83692d7d3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
162KB

MD5
33fd80f7190126ad1c85ff21a681bbfe

SHA1
e7ad7ebdda1fb0b6415b4a4cf2bf4c6a8a20c2a2

SHA256
39336ca6d08a827c3a83772fd34336e31f83471475c72fd6ae1a793ec8278e74

SHA512
d5a9a7685f0650aef78e1869fb3c5825dc0ab4d1a600f4e6a9fcbfc68351f2d40fdbe3408a46d43c1755ccfec7b2afc74df72e978823f7d909b62bf0ab2d0876

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
158KB

MD5
8487fe1e80e74a1a398b8f2393b387d3

SHA1
1e5b1b39527479c5ff52c39404da8d135266a71a

SHA256
2044849d3ab1786cabc0fc323f9784a75332ceaf9c39d7c6b9e150048b480d98

SHA512
db6b86a41e6e993ba32c6b8965b9d4a132588ca085d2cb5ad7d9777a9ae68e40b77f0dfc35425e2a948fa9581a74192be23b18b191618fc6174d99b7290a0fb3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
158KB

MD5
04732fb85213eb3ee8e9f71bfab21e83

SHA1
ce113d8b310ccaecdc68b43a93183f2d311e8da7

SHA256
0ab5562e324d4978248b222dc42f98f1153447098c0a4547d5396fd943962376

SHA512
4ae59381e2a2b74e8b0c07674b5a10a22d7fd295536f7b3ec8c55212cda467e3fbbd3dbdbf7d85a0f67b4702f96c9fa755f20e59a4be8a208c13cd7d7cc42ae3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
159KB

MD5
455069bda480383ad5b0fb40126a4673

SHA1
51430299988df10d853abe9e44c05d488e4f028b

SHA256
a5a77a02fc7e718f1870f696ba8578117d4901b89b77838609b1c059efa5add6

SHA512
0ed6b24a902575b25ce735c5ff62c34ecaf8553d8fe15d6a835a7ec217691c8cdefb3df8f335e94b1724ca0ecc7850e695db8a33c626debfc6c9cacaf4e588bf

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

Filesize
158KB

MD5
7fcb1a3bfd3c3834dac0bcbb8c0b4ec1

SHA1
25b407c3ea14aeb06649ea77779d8a08b5223126

SHA256
395c21f3ac346d144f66911e95e2b5c089a3b0411eaf5ec96b8454587a12dcd2

SHA512
29537fdcc67275e4b6e03bf579a49932e0f211ef14c4da71fe40319a22eb3176b6ea2792de090e0f5c73f48c02fbd6665e63d30927b8f138cab6a09b86eb1cde

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
566KB

MD5
8dde80d6574ed2cee229b205722899ef

SHA1
7986e94cce64f48fe051b4f44df0b4087ed6ac0d

SHA256
1ed35c98de20aea136580693e6408e4f71301ed1efc35f34826ea2b1e0aaf40b

SHA512
51d296a4baf4a8e6c30ccec8724968a4fbd926b5a370102934ba60f663ba8eac67da41e049f00693abcca70e13677719fe495e939de98ce4487eb3557ec8dc9f

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
555KB

MD5
8ee5ba967c37337a23b78038526a373f

SHA1
75e689f01613bfc2986e577521dd512c671193f3

SHA256
8f821c2ff96064df75f819e32a7c1243c12a7ada842694b8de492284e4ebc579

SHA512
ec7b1f79fe30d821b18c2e8c45ee855f087200db08e36e7c8a475a3d06bff7ddc3f11f5854c8cdba473653ade86d95aa50cc54eb73ecb73c55c278791c4d0b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEgW.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGkYgkQI.bat

Filesize
4B

MD5
f0d9a28b27ba95c7247e28248ae57ffa

SHA1
0f321c9cb20b9a2145f09f45b324e3e4311c1212

SHA256
1860698bbff25cc45926917bcca846b3db2d9eaaf4632de52170583022d493ae

SHA512
c06fbd02e2517fc74f99f35434b824e91ef1a28703db0aeadbaa3c9f7836a58014a605e28ba76075469a3af581542d02e861383cbedd19265d33418eb8adc4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUEW.exe

Filesize
159KB

MD5
7af5bab8ab3bf3b8e642731ae8561e4d

SHA1
95107a0739cc07902e306c95bb83d3e2725314c2

SHA256
91d6c744de091c2be367226ef06b4fe0c06b16bba4103c607547360a968bfe0e

SHA512
9214a520ac2536a7f074e897406564f3ddaf825e308a638b6bf6ee3b2b7b2a58f638761549e4bc2d97eb399b5928753111509e7e9cf721bb88bf2fe754907d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYsq.exe

Filesize
869KB

MD5
782a621ebef4fffc1e874c62719e0fb5

SHA1
2524bfdd7999bc35775e2c47fd4a127d37ec5fa3

SHA256
7cf590d638d29c01467209d86f108f5a9f3a61ef3b2e17857e0ac2a0782ed1f5

SHA512
730e15141147d959e6071aa81a73ad1c62159159ddf7e9eff95572108425e620b0e99cc1d7b5c696aa961f50a786b9abd1e0e6d40a8f24dc86f3c8b7fd99575c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcAssYIw.bat

Filesize
4B

MD5
4f81c04f2321587a7ae5c332bdddd318

SHA1
7daf742abe406e1bdfb27d10c0c41aae9a1561f4

SHA256
0638b72554d9fd3566d130ebb02c7e6fc2525c3a478f1f36b8f0d90afabdc208

SHA512
80f37f4f46ff50b7fce8247a1423b21daa9ab510e20ab705cb06d9f9adacfff35e8d7658d3e255e864efcd71b005b1e02da0c8a6995d2087c699d01ccecc9a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIO.exe

Filesize
159KB

MD5
d5de455824af997e0908d357392a3488

SHA1
6b1735aa92f6c0bb1cd370618855fedac7359d3d

SHA256
d427d8fc815616bf9f0f8f5ac87140c83be3037083c55dc2d7e972cd86a417e4

SHA512
209f2ea5e2308177ff617c074f6e8d11ac95a8b91fe85e46b2a29f0798ad0e5676a417244eff9a82514cdd1d9b6b0fe1265c79d814277ef9a8d646ee1800f55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsUK.exe

Filesize
149KB

MD5
47e5d40f7bc53fa362f2f00062bedc18

SHA1
7d6a4a94d0aeeb0ec825f86dad476a6866ab5439

SHA256
9be70018553ec144f00bd7178f9a53539c7002e7fba861d7c1a45ac9d41d0d1a

SHA512
10f64fe94e415ad30f236a0468fcb609c665ebb120728b4f03a296c4ad89b9acc1f8297be5117cc5d29eb9742d4ec14d2f0d43404c8f596c2a21ff94f2198bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoYwskkk.bat

Filesize
4B

MD5
a5a0328b9b0d3dcf6730ad52371d2447

SHA1
4fd322bfd356e773047538b541960f493523e20c

SHA256
0491ebd2848ae3bfa8c1f49926471bedd3ef15265b9778d159590610af3a5202

SHA512
0d2078c6f352f00bbe0068636504d4290fdf5cb6b1742bd129b5437c092cc42b43f849021d12803551b86b83bb028c066882bff0345da79fecf6995316e856b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BssosUMM.bat

Filesize
4B

MD5
a1b6a6d704edcbe4e325a0e7780d07ab

SHA1
3889c6344838e9037b571d47d1bd381cc2ac7e7c

SHA256
9371f32a879f9d7242b21c046e66847f6d63f1950b21a9bb9a6b96b2c0f09989

SHA512
88e594885b2c7e4c6c62c5ddc877ade77c1a74aa09c42f9ba0217252ef294d8241350c85085247bf368d2e3460f71ce263944ef6aa2057519475dfc3e071866b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BukUkkYc.bat

Filesize
4B

MD5
5bb9716a2b18a11d2c61f9abf97a6070

SHA1
f94e06f08c82ae8a60406f6d8f99fc8064dae66e

SHA256
dd2bc5f9276a3ef06098274f3c591cd4a426d7b4c2dbb84934720a4bbbeaab3f

SHA512
553cd88eb97088ec0421599fc892f8c033e57c5cb195fb95d3899cec87feb591aef7148363bbf8b39b1d6f0494a69d1b28dbdb26152dded7a1d568b12bcb3553

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYwA.exe

Filesize
158KB

MD5
7488aa0afc8fe4a341c0c75ffb36bb46

SHA1
54e5178877d80a3395675f4145348de4fad1a709

SHA256
04ea8014618f0cd4b49c15ac0f1e5599ba21ba7abcbb33f0166e2931b7bcf716

SHA512
2bb4b05e13962ed9dfe61ec97363102841ab5ec20b642e46f3608bed762ae05014137beeacbe05cb0b474f85e1d4eb12b3d49d78e4d6685ee0213e7c837307e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CiYIEgYE.bat

Filesize
4B

MD5
db063b3b7eea3206ffa85d91c4026082

SHA1
a74ee97d8f6e85ffe117fc48937795f242cbcac1

SHA256
ff61433724c07d0b17f43ae1fda339a6ce5c01ca41b39b3a42ad56a8c2c6781a

SHA512
b575be8191d5bd08a907e20aa4298bd0e470d7a43881920f2727998a9a0f0a17fd09f9d286dc9761a7136987468b56d62f52c8b4a4b7248ea0f7223bba653382

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkMS.exe

Filesize
158KB

MD5
c29ebe04755bc3bfc05ba1a11d425b8f

SHA1
d8fd33b73d58ed5a7c20145c676b875bb480dcc2

SHA256
1d09964ef8cd86212de0ece44c69f8a6e436c8613cb86d391676ab6fe1b40541

SHA512
45ec6e2eaec7e0579374caf421cbd084c7d1301b44da249ec0c5e35cb9a27ac004640214253be78e0530d1b36be303932133fb72002a22e1188b29f8eaf94a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkgQ.exe

Filesize
158KB

MD5
900f40ff7f75213745098a4da13003d6

SHA1
3ea28c5cdd371f430b85a0132f84e5dffa3fd5c7

SHA256
aeaffb88f6b46bb77c2a3b8ace9889f677d69ca574f97c776c4ddccad71700d6

SHA512
4c899946b7c2553030dd1cd552ae2f59b09a773b5f4fbac8db3401f4bcdfea3af51b6555f1f1efa9798d142838bd2a6a6bb5441dbd15bc389076b802ce7aff1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoUo.exe

Filesize
158KB

MD5
5454ee3514c82c93cd30b9622abcc03d

SHA1
a65420c9425ea9ed066d71b6f7a861b3ce5b4e39

SHA256
ad9943611473a73eba36207fbf16a9ac64bdb803b4582d7b525dc329656db560

SHA512
9a7bb615a4a2f4654c3d9e5b3eccefae2fb586ec507f37400fb20157eabb331c551378ec2476ce38ddf8ebe1be3a9330d182b5dc65d89319a45de3895e923741

Download Submit
C:\Users\Admin\AppData\Local\Temp\CuYQkAsg.bat

Filesize
4B

MD5
105de9e3f976af54f63e334dd0ca2d31

SHA1
c54fecc25496095118afcde2e147dbef0ee70f2f

SHA256
9827f7210b16e2197eb5d408c1d9d2e4237527162531d89e28ad0bce98254779

SHA512
16a9900923dfa14d5aa2268f4181312334a4ed02e7d94b2905156804bf2632440a56d694fdd22522213acf758842c2bc502fe4a3ad2659d18355d689d12ed655

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIsU.exe

Filesize
160KB

MD5
b8ff2632aa423cedb512338fe764ba42

SHA1
f486ad51569fa7770c77905d00b49361fe5490f8

SHA256
3840a5e126d75fe753fd126a42901ae337f979258c7b3e088df6553acd54bf1b

SHA512
7da7a46a56d6e71d839c0df13957cddceb1ff272810e7249d5f8f661d0f5bdcc8ffecc192ced15d54617d0135d8a1c1539d34110a0d6ac86e676e3e4b4e83b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQkm.exe

Filesize
159KB

MD5
c5d097d3e3cae1dfea4f1515ee0cbbe6

SHA1
2cdcf509c4e62409010b7c174b2e7072a9c2e269

SHA256
2330c6a5675c9006c561342452e40629fc2afdd586c7274eda0c42d9890c5920

SHA512
7af11f3ceef52a467e427c1540c3d592b0853d060345cd51905c2b1de87e7c664ac23b3e81324e670dfe1a457daeb62d29334ddd242f546816ee74c72f4884b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgAG.exe

Filesize
158KB

MD5
b3e2681519c2a869980959616727d21f

SHA1
463a9e7c604a2b59c725d565418d39c2034ef549

SHA256
460aeb97300c076d934499948d30d8d990a6b35a283360997a90206bbf1c296e

SHA512
28287a86aefd3386f634fd6c59cc131d49b804228f381e8eb0b9baa117e427dad9d1733616915d3d7b8bbb0356ceb6ff700091a3589780472dafcc688a71e7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgUQ.exe

Filesize
236KB

MD5
53fc521494b3383c3d8ecb2701988c6b

SHA1
4349aadfb106177cfb892b3341733f876c05b74e

SHA256
e3bff861f1dc00d244681aed984669f2dafd3bf4b625a0ada313680c1f7380bc

SHA512
c13a48ff21d08ec62593b0ef7f28ed1711db3ee069698f0446bbb598339c90c08fac3424bf7e215a00c34129d4c307b8ec74ffd4343fbc62dad69291af6c8966

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egsa.exe

Filesize
159KB

MD5
f845780f097b303bb728e1a96701c1e9

SHA1
4f8baa99ceabfb9460e3dac972d352459dcce2f4

SHA256
b3efb24d890e161c3822bf6886f55e7d9084934d6baa1b7319fb356a84c4a60c

SHA512
bbab6c01cd770b3f83c6b3ff92aacfcfc50c9d14520fe01bb12b0429cfcc6fcd350e79f250b9922429cf24006e08ae293ce88a21e9f945f09e793f5654075c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkMe.exe

Filesize
154KB

MD5
6a241c68ebb0acb0b43c83a3026fc860

SHA1
98a8ffc846ad0783db640371b807d7f59dfb57b7

SHA256
ef640c44c7145a6d321b66d5fba67e688cecbb6ce4f4639fd61b91e1ebf0be68

SHA512
785fa12ca964de7ddb0c584d74b7d2f4cbdfd8fcff47ebddecd977269d09b3bbb9aefbd8669e00987ed08fce84b9a35145f995a4278c8174aafb9b287e7e64f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEAq.exe

Filesize
442KB

MD5
664bf7c103af429eb87dcf2cef2af5f7

SHA1
a85f460537a05ae49841d1244ae9bca5947b0c23

SHA256
048380e50d93d913ca0c8005e75a3ecb80bac899fe0e1d567b9c6b4be4ad9969

SHA512
62fd2fbd859a1e9f386e0dcbfcea15b1b4349b826f07a2d084cdb29cb173cc13d43520d25bb71b1cede09c993d62e5aa46fc2d306cdc2bc9fca6c735cb768677

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUoE.exe

Filesize
159KB

MD5
eef5c9321323abd984b1e1f9403045b6

SHA1
305dbaa1e4c75ce6f5c59b46d66216ef1a04c4bf

SHA256
976b862988fdc20a56d88459d163448c2561b755bd084290a405f44143b1fcdb

SHA512
dc86797acbfb2eeae0481884e09d54554d3c5d59c205e7ed82774f434c827b7039558bb4051b800b4d8c7723cd9a5086025584e5fcc626d1f6e655019ac50053

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgUI.exe

Filesize
159KB

MD5
56bce127f0584f3d1dfb078512a36552

SHA1
c3fc08b33a55b3e85e0d5844f2dddb385c0922a6

SHA256
7cff6288fac2878b8dd274409e0e8d02e8ad6aa783f6ffb049bd7b799d1138f9

SHA512
939d7ef76f5d90f4a5af62b5663625f5027949ced3a1f0bc663b11c87ea737d62f37def764ea04b862df6011d4b9944ec0841b65249df1830468745189cde606

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkkU.exe

Filesize
159KB

MD5
08d9ba627bc8b803b8b639393c3b20a6

SHA1
3c08de1d651f3687cc58792f713135da80ce6814

SHA256
5574c4533148c10cbd45894c90b6db9f45953fb82edc5680b2c7a947ec05e286

SHA512
15687b3a59866ce0a51e82fb62574abdb517d89efd72cf75a8ff64df50a3fa4b5f3cc247bfe81562fdb7e655a286cdab1907c0dda7d79c65f6e50249ff2f496a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsgcMcsg.bat

Filesize
4B

MD5
78a4b996903cfc529c42e5cbbf0d0f2c

SHA1
7c293f18d3f3ce5134769761006d15c987509dcd

SHA256
fa0f83b6fea9ed622b84f8a2c346afc6947714372c356d2af0f32145a1e8668d

SHA512
914a28b18ff5878419635f8fe151e06941c0b9311d6baa9be16cd463c0df13934d42b588964492630eb86d7eb8e465c5f7ed4b8cd3cd04260cc2c61e1d2e166e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwEQ.exe

Filesize
532KB

MD5
5cfe1f0e0eab7214c9e64a55af21be3c

SHA1
fef4016863ae59523cb692d886a9c15c9ce1ce82

SHA256
8562531d781d60d24337364bb69f7e1aed8d3cf1ca2bc2006c79efe5fd231860

SHA512
265043272e5425e8e350c056b3bbf2bfece0bd0349723a74a647034d5ccba6a6e547a2c2610bc7786765a96089b97ced612a94c18e661bbf1f528eed1b029fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwkA.exe

Filesize
134KB

MD5
5bf5e2b9dea1bb3da37558e8ad979590

SHA1
2536d5be46a7a2fff0af873f481e6729138d2325

SHA256
f09dc301b768d3a7fa11442c85592882dfbdb73e43b31b253072be8716167038

SHA512
a12ef561f2811abbbabb3f4a2fcf5fa211cb6500365088ebfcb3328741a53ad927d1a55ffc9c92db0d9df5f38321d0ce24b98d8f85e0bb19d618d1ae3d14c21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkUgUUQY.bat

Filesize
4B

MD5
c25a0453bded84685f971451cbf38a2b

SHA1
be3d20e069777addfdab27e7802d72eb3cf35b70

SHA256
8fe6def39c36bec06002191a607058eacfa1b762e942d4a65232336f113440cb

SHA512
51c3c753a0a8649044f0bd59c16871655efb307078c69a7ac26c871e67adf640e48bee6b312226443bdc27d6f2c07d3292a207ca4d6dfac94ba8978a781ff2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmQoogsE.bat

Filesize
4B

MD5
51183f7496fb91a7e62c970383985c5f

SHA1
0a36d795d60a8497d1a3048fa23d998500593642

SHA256
088890d8484a7bed49772a33d63c6f7dc45e74b5f68efd3b03ab0b442d1939ca

SHA512
edb88edb6caca50af187db4c1dfce7d53a51457fe417c1360e573829018459935df8a2a65a1ac1d3f739566ccfbb1232497bc96a1decfeb07a7439694c833f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAom.exe

Filesize
159KB

MD5
64f6154a38c7cddcebc84c609fe9ead1

SHA1
d9fc7a8c1769681e88d2f6769ea7cf20228bd6d8

SHA256
e50de19ea4f4fe69c0956b6e133fed96dc1493aa41e0367ae567e6dff8025384

SHA512
72998cd868f9ed432b6473bcd958b116136cc517197e5eb24633b4d60df642fa6eda5b2a29b69b81e366954e2bde3bd5e5f31e196d20be544f0ef64b24bcf831

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIII.exe

Filesize
237KB

MD5
414a40a1a2640713a52502287bd0fb7f

SHA1
71914c78cb2f577625f38c9dcf2cf09f77de7b5f

SHA256
4085f068efc693ca23c32eacb80e1209c2b8d9ede6d7f065fc6c957b9a83113a

SHA512
5a829e73eedcdac9c215b86eff0b964246b3d5474885f85856516892e6f316715d2d6c67b31ed212f7bda18c0b0afc3bc8c69e4b8207c31a7c3093390c4b0940

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIMs.exe

Filesize
743KB

MD5
dbbc4e7bca19f0734e8cc3b0e0ccc22a

SHA1
22727855815f3c9028a010dbc269abbd1c9cb5e2

SHA256
65bf8c035a12735ce00214cceb22e1068e6e7be7e9b7d9033162334cb4dc03e2

SHA512
a88e3f38b875a37858e5ebfc92a87fb735c8d8ef610076337fb3ab1d6c380e474543ba96eba7396f9d7843a85b78c7358222b73817ed366b9045c2a1af54a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIcU.exe

Filesize
159KB

MD5
468b284de9b057eec8fde69f5567e3e0

SHA1
715d2326470d8972e8040a93e69c08db5f448007

SHA256
91d43b9e26d8d1160ca5c187f2d8121c91ddab44370003690e66db47cde993eb

SHA512
2fc208b697bfc5ebfe7105fec41401618c2140e7ef873aa36b647b6370e3711ce7a550d34a227f3def3306f2014c087b0933a966be9caf86f7f2a0b3772ca1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUos.exe

Filesize
158KB

MD5
47769565afcc2471a50b6f944ae994a5

SHA1
91c652d09e50273f321874443636977431537e60

SHA256
9cb428e4cb757496987f8663cf5e3b5e9468e18409a0e5cd7c9a47e2d8ec69e6

SHA512
7b308b810f367635f8088dfb9cbcca1def4c04f157d973045814cace4070353baa231ab95e357c78bc3e7bfe3b358fe6ec3f6ccdd3348592c055e7fdec8badb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYAq.exe

Filesize
160KB

MD5
99e510c0cf92cd6889b6e68c7aa13374

SHA1
488d131534a16236983ee4cfe6626837e177cdef

SHA256
184dd67e08790c923ef504735a9a66fd37e2eb7a041d40b143081dc624e2305b

SHA512
d9b098f9146417e68f785f3d9412aa3d4e368751595123958d2d51d271dd0d4b47c62de1613b0d2e3bd28fc315e5931b5c9c9557ab5c160947ff817b6ddbcc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcwY.exe

Filesize
555KB

MD5
35db4b006b0b23e4917e78b5ffda83d1

SHA1
9013f9c7e5415534e325e7b24402313dfe66b092

SHA256
229cadcee20c00bbaa1547ac3327172ec8ef43258fe661a640abdbf630b378de

SHA512
3ba95d0566fb0e235e388164657f947e3dfbc3e12eb3d6478d7deef1455b748239854b3578e5d364aa7c9272019e385630f1fd004990b69cf14ef51be8ce6a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IisMkcIk.bat

Filesize
4B

MD5
07d43266b33c07c17b8cc419907173f6

SHA1
1a01587101f45db3a634c83d3ef8f1bdcbdebd4a

SHA256
41059713b8f9df3a7aebaa7729b51a60a9faa05ad39ab76b05748f790d9121d1

SHA512
32723baee599191194f4f2b245e7c6ba51e16e402cc71966cd2816cf95794f4fa0e0ffafa33676598f1e8ff4cbf75b53835868cf5c21bbccab27d75ce91ebfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkEm.exe

Filesize
159KB

MD5
b4f63bf1c5c100dc2e9d9997911aed9e

SHA1
becbb3f0e3acdd060d44cf28e5214652dd5007d0

SHA256
ae7cdc29c1abf26226a6884f4e3862b4a3a71b2779d1f5a156389626054d70ec

SHA512
64c8ce742ec47e4c6a0fd244480d25c076419fc1c23709a187b06dcfa50ed74c437d54b9ce913ea17f13d55508403a6c09bbd511f39ce137d9dafc3153ee2e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImYwUssg.bat

Filesize
4B

MD5
2e6d8a5f82b11e67dd1fd372f1dc9726

SHA1
a0d1a7ec6ecfad0428ead3ec5bbadea1289b23a8

SHA256
d76a79016d25fa44cc1da675a170b3115ed6c6a36c64eced2d30145d82e6e60f

SHA512
35ea26f9d85d95bc0f658cb16bfeebc2e75c30152a11b08f10fb7e195458b5fe9bdd0572ff72fb51b7f7779aa611e9d79519be1b227448c3c8b08a86a58b142c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwYQ.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEMkoYgo.bat

Filesize
4B

MD5
6eec23f4a70068c25872ac290ee93fe7

SHA1
b293ba2b21dc9ce7d596cb34bacafb2edc3ec866

SHA256
ccef0d65d9b5839ededcf95fa8821e80de53a675e0baa2e15f39dd801159f3e0

SHA512
7b65ee536f62209185c3443d3c25420610e4cb2beee5a6d2d7082990f7434b68a91fd2ef646aadd1b8f4539f278f7f7e0938ac05ea7b028e713dfae13bc3c183

Download Submit
C:\Users\Admin\AppData\Local\Temp\JmkwUAIA.bat

Filesize
4B

MD5
2d83af6a516b24d4992a0c09bc1afacf

SHA1
d6fcafa4af9e1fff1e7424d6e279ed16e75d9ab5

SHA256
8499c9643a60b4271aff39dca867e69554a4da7e10672463e738c1171569d840

SHA512
8678d2aa307a8604f9f45f615058c1c734efd8bac982969ad515fcb0a86ebd565de3b15c9b5b453b5fd8d2a6fc53019539337dee992bb877971243c6eba0743d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMIo.exe

Filesize
158KB

MD5
23a4c3ec5ca12d1387eae7a768eca446

SHA1
99982bf1f614b7979642c840a813cdd24463de38

SHA256
8c8f0bf9688289012c7752c230986f8d0dbaa6b4ae119674554e2d84c47a14af

SHA512
30877030bcad915b9c2ffb78b042edb232b9861c88604017f9c5969cd2f43114de034831baea4fb6460ef1ca0b048f4ae1be1e3c69870a613e8190aaf5a970bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcsi.exe

Filesize
158KB

MD5
59941d8b75ff7a2db1b98b13bb5ac545

SHA1
473e7177ee25a7ca4861e59bc55cc98713553e81

SHA256
e4c8a49644d3e6f0b4f09a11853165cbd9d1fc90cc5860628503e866273d85c8

SHA512
5bdb0115616c1c2ff343a1e9f5230d0d930dd94c5e087989a138b0d4b5b066c14c5ca0917885ba0765561bbc94cfe092fd75bf3fada32818a3251c5876cf9bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgcq.exe

Filesize
235KB

MD5
9734094af809fdf5f336296167bed447

SHA1
158d020df5f688150b230b15b01ecf49552d0d5a

SHA256
36365d1ef0c21e455c41866c300de24672b8f879e7ec93a59b73fd4cd66f2a08

SHA512
92a76fb37eb3db1521f8f50b587ea6e0a6ff20ef512c2e3c81dfdc50f65345ef67aa061e1a077376a4f2cded587cb1ad9d495479359e0b82c93582a656666a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkkG.exe

Filesize
158KB

MD5
517265f318b73dd3d143ea76abf8fa27

SHA1
2ee4823415adef1481378856725c5591c92dd66e

SHA256
52009d3e02916afe7f60e2bc8ea1661553aabd25074c51a70dab77670dbfa87a

SHA512
fd7c487e5bc02f2e753ddcfd8a18dcec741a7744e6ce783bb3029d33ffd52e54a57773f0c0b801e872eb3e8558ca96c1654d15eae3ca923047fd0252c535da6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoAG.exe

Filesize
158KB

MD5
e80a01dead9862ef590e63ba74da5aea

SHA1
c2d75de487ca40adee4045d080bc476aabe0f4e3

SHA256
72b4507f1363477d591922e7724bb17643841ede1efbfb6530cefa7d10df39f1

SHA512
25259675dd0d69d06c47f49dbf601e8a10562bafc17a7ec5c2b8fc2ca236bb539ea8bcaace9f6c9b891c1ab3d635a1cebfd35e2b3f15228b012e569497b79842

Download Submit
C:\Users\Admin\AppData\Local\Temp\LaoMAgIg.bat

Filesize
4B

MD5
a6d039e615255ce520c7e4de63ed5d15

SHA1
08e7a1dd73964cd4284e639f51d23252bec36173

SHA256
bd2c76ca925717fa8e765758f3bed4f2d0334481ab6d86d0a8afe27f9a06ede8

SHA512
2f72d52cef9c0091f4096ac3c8ea2d1ce7b8a967d98a33c2394cb645de8ada4f3e1a66dc75a407fe15dbbc18ee40bae15dffe8cdd7d64c549cbeb7fa151707f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAYG.exe

Filesize
138KB

MD5
1e556d1c81ca345bd6f2c491c7969c01

SHA1
69b42792b1207c500a8c98eb98ebc6075101f095

SHA256
c4468fcbcb05c024acaacae32c706fdad1039b833869add5d2dcd32cf2763a2e

SHA512
71399a7a3eed5d76be298e54bfb8d03a9264a1ae6e9c27c3312a80b5fd4d48d0b5b132f4ec447341dcf025e8b4a7adff9594336d5436c7aae855a8f01a412f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMUUcsUw.bat

Filesize
4B

MD5
1b5bbcbff7c9b3f25a607c5fdc886ecf

SHA1
bdb17bb3354bd53ecd7dc960ad83205af909b075

SHA256
fa8060b7edc8cd5094b4c289b0a7ec2911f269038c0a6fad7317d9d358b06ea9

SHA512
4d2859fe868308d79af8da38a5b49d356c665ecd6aedc4366b5eef497c3df16e4aae2057ca743c750019af28172bb218d5c651be953411e99b19622f14a018ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\MeoEIsQY.bat

Filesize
4B

MD5
3c28f7419bdbfa91aa143e106eaa5649

SHA1
3c22b5bb40c9ccb51d2acd72f3b0ed943368012d

SHA256
432aa518979095f95487b259ae148ca0973ac4f2bd8808663f9589b86aea9dce

SHA512
fab066786263e9efe9640ec82d047abf6420426e658d01b24b5aced99cffe12d101a80956e07ecd3eeee6a5155ee1721eb2c4d2a23a58ae3c506788699086da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MqAkwswo.bat

Filesize
4B

MD5
8f824ff4b6f70ee9d5983ba6aad2c8e6

SHA1
e241ba07ca66571dcc6b6777e263dd797fd8aa0f

SHA256
b2371a3f1e7ed5cfbb47872c4aed0e3b12b3545c8288910a16d528d220c98ca0

SHA512
7ed9d3b4893424e1fe2dafe6f51fa17e9d10dd96f0cc9983f1fb1b0c50ced1cd0950c29e4768fc98ab2d659737fe81353ee7686c98dcaf2acf0df9beaf606996

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwoK.exe

Filesize
159KB

MD5
3c235c91d42a4c6da1dae4f7ce2b353c

SHA1
1a8f185c75880f481b83f2ca746a1b85c75681cd

SHA256
fa0edf995d8d1252668a84a98254237ae2fbb896adff14710c3e8aaaf1598f3b

SHA512
67491a0aa5eea8d87ca5435fbe0a67ae03f7a2ba988ee41a538a8fc3f1835a6c59e8561f1d25c629cdb612fd61bae46e82c49510445f3caca1c37959fe12eda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAwy.exe

Filesize
139KB

MD5
9e37edccd4ca4c8b6edecdca46cc3ba5

SHA1
3d0492ca1158845ed50a5e551a23c51f89bec1ed

SHA256
90f70c3c570031b4d2ccfb6377f9d22f41ba54d7eff3c94d48dbc568867a8a3a

SHA512
63476f7866402e52d474836f26d56bb6da162c635b8b38b05e62cd0613d3f98dd01fd5a2e48b307a90a2548fc9e7065ad2268a2ff836174c3e6839cdd118dd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEkG.exe

Filesize
160KB

MD5
1cef5a70b411f01d7207223a5e7e51d6

SHA1
60dd5e43341e6a183c8b72122db3e9cc183a2468

SHA256
5a49f8d6107598278c86c06d31be2acd700cdf404918a1fc1335628aba0c4a64

SHA512
5a26e68196108a20cef487a5c17bcf20095ef00841ff64e0151c3c8ba52de0f9bbd6b72937151395054042e30338de7672f68df4e76678e5736f9cb54a11239c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgIO.exe

Filesize
157KB

MD5
9e2740a2fc4fc185de5a47aa2bf9deab

SHA1
669b900fb8066dfe6eb6e361e17f55f51ca15457

SHA256
5d9c29121a5b8b847e12e1bb683f240b1e15a5c4302c010b8a5c62f53f36802c

SHA512
e5a9d1612d993a3e4c2fb1fb41b229211881d97858d1f83c921b629d4fb5c031ada625a506a04144cd8072bba1aca5cbdc7fdc46f30090d0bd470b183f21f52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoEe.exe

Filesize
139KB

MD5
5e4444af7b77e9c58c3aa656b0f78721

SHA1
b8f28af0a8b7d2c50c933b0053faa57138b76024

SHA256
0f505b0570eca72161c9b6fbb8dd8716ecd5cb6bf449d4d99b4ffea70d6e3591

SHA512
cd6e4bfb4726d243a212a605c9ad8ac140bae11b099f9cb9127433d9eb74ef21dfaa7621f1b6898ede4cf05d321dadd5bd822462a3b41c5024969e2c98a265ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsMi.exe

Filesize
772KB

MD5
432c61584670af36d4a71596fd2c96c8

SHA1
b8a329d2c8faa9372b3697affa8e7915d3d72352

SHA256
15779778d390fdd0f5d31c905014bbfd742697be7ddb7128311bc8f3b5930509

SHA512
808c88f9be240cb536d8be314a95bf23591de2db6ffbc34358a76954ffab71d234a8259c4453d31d102c105d9905463a58158458d13893ce42e018838b417daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMcM.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUEU.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcoI.exe

Filesize
159KB

MD5
9af576f3b7a1ccfc91e84b20d33a4bb3

SHA1
0359e646fe7fbff9b0917554d8d8639e6ba5985d

SHA256
e7758dabdbfdd25d2b745d2e9aaa4128d852e3f71692e5299653a9fee4b51fe2

SHA512
11086bbf9983ad63670a2ef65565a58f349b1159e77f94e0c00177f574174e83b2ae52d8180a3bc6d2f4ec3abbeaedb5366d387d8477e7d0dfd0dcd9f407b6a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkwcQUck.bat

Filesize
4B

MD5
ae921c1d1b68153fb52ee0638189624b

SHA1
325cf1d5a2cb8888cd77f150339f3fa90849370c

SHA256
1ce8f83ee69bc8949b3ba41ece7c6fb70916ba2f8eb91def44fb3b43cefcb7a5

SHA512
3772d43c6c5799fded4c0008e4d0343634ed3fefbc6d8a99921c03f3c21bcec50b97da09f126e144c5f870ab2e46ad25e32f3cb26ef52020285a33316b5e8d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\QyIgsMgc.bat

Filesize
4B

MD5
32848bb8b6a2133c443bf723210e07ca

SHA1
ca37be476b2e4fac31c265c2d3cb9a765d4f0145

SHA256
a7d111d8a5d4cb2f42d62708e9333dc513049f23b9945bd15b0becae0aa37c36

SHA512
541c139e94c6b12cb0adc69759fd5e06803de243106fa36090a60d5b6ae4f3eff1fb06cf358ebae0b2b827d517a5b8b18c1a999b2487c57ad08b4f7cddbca899

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCscQgAM.bat

Filesize
4B

MD5
794a43c18555dfe03ea94c827b444baf

SHA1
0c483fe47e7035ac58c47435539ace4318afaabc

SHA256
b369455bfd3ec673f4336110c8d7e227e7820a3b7d7135a684c1217664a5be87

SHA512
56d4d90421b77a621aa7322fb9c0739545ed4c69e0e84c3b1a1cdf88a5f4f6ac043ff3b490dfc2d97d0a1950500e911e9ce31b2c531c44216efdd88dd552ef11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsgogcEI.bat

Filesize
4B

MD5
60a6fa535358341f8255b89e8347a3de

SHA1
57b0c1137ad10d31cd6890bdd112b76e2d096277

SHA256
e4bcc12b9a38c698c00c4ecbb34a06e52093623d30b855eb50c958df23c18cf2

SHA512
fd4acc7404d1f0303484e6506426c88eef56f6e96f31a7c8d9439831e55a7ef5eb31d512cf4b9f6120e4a51a17a6e1d86a1b2176c42c3e305b137f43b151dcf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyEYIcQg.bat

Filesize
4B

MD5
84ed0e66089ff665e79331007b53c0c4

SHA1
08bc9e94ae98b6bf8e3fd3d2e187b4d48a078666

SHA256
fbaa09f2840efbc50bb71867b705aa655f3dabead3123293eda7cbe5dbbb0cf5

SHA512
20f497814aaea0036d580becd6a03296628ffb91fdfa861a1646815a0e4f2a5d68f894022b917a4bbf780c3e1451793dd3ecb7e4ad6955bca964870b220c3ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScIAEsAM.bat

Filesize
4B

MD5
7497e1a496a32c4cc8755f12e0e58d1e

SHA1
d6def7f49de70ad5159a049d56eeed9ac7ca9255

SHA256
a746f9f2a78813cb9e24979a3b3cb6bc9c364855e66eea9a9009e4280d20b320

SHA512
7d5ef3b9b0a183abdae370021284b6ae35d76446f99b6393223e7e1e43fba094c1eace361526e7dd38e0de12172ce74c865624123bb44ace3f4cee7d3cd3c99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgQm.exe

Filesize
159KB

MD5
255c9aa33c302f00cc1185bb4b5a8993

SHA1
aac424bf733391f443f281cf478a9ee8da1905b7

SHA256
db7c75dba093d06143c6bca17cd6fd3a761533af2c999a3df20ae7c082e6b379

SHA512
802b99be64a298cfbe8210fe92f769ead6b256727d64903be799e318c4bbf61d8270ef2a0ea0820e348837b6215663c8e6fd6d9ef961db7e20805a82a330f427

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkQA.exe

Filesize
870KB

MD5
858ff103581238853058a0b9ffd8f553

SHA1
b3b8662e46534cf3904f17241330c64cc3ce819d

SHA256
b8788f153f113d5d236646c492e2ebc346623b67295e537a6f401986dfc5ecaf

SHA512
8e52f6aea2b3039fbd422f78e5ecee33ba100157dc183565ff7dc592927779c186784f4ab181b7ba4c8ffada921ec88972ad195e0a1bafa90a742a54fb1dc0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ssoc.exe

Filesize
375KB

MD5
3b4a4cd42e93100d9a61ac6127fa65aa

SHA1
f7bc5af82f3f042e934fd93a8eb926f679926425

SHA256
ddf2c5f17b55344a35f21790b35d06512c29d60d4c42749dcce6919aa2a49daf

SHA512
367a04c1dfc0b8b866605e0d97aa0de47959e4efea80625c059ea5bb8cc1957cfc7e4c176aeaefdb5f326bece69dbdbdb462b9ab03bc5ad0d25808751cd380c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEwy.exe

Filesize
600KB

MD5
798bbd817b655856e91598fe533e7fb0

SHA1
a33f0beb541e2dc4948dc75ed0fa88ebc5e9941f

SHA256
cf67d6d806d8501e536b28e9de4725561682e1a7ff5123fb62d49259cada6806

SHA512
eac1eccfd4843ceb2b84281b4f359b56f55afa53581dc5b8ab90c5e0a6535c76148c5ea3bcc547d085246cc8b650d1b9b05efe638337d16489ba078b91586008

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukki.exe

Filesize
158KB

MD5
bdacce0ad11ae7010884bff0217c0fa9

SHA1
4d2ce3500d9af884dfacd9cb416051c401ce9e68

SHA256
81ebea190292204ea8d0a4b6481ee76af5671a3915b66434bad1fa29fb5035cb

SHA512
a7cef285ae8fdf769f1b9558610c14044ca1430c2e3c3dee0bb16edb8004508cb4cbc6cc9d977f8a6710d7a85e7d486ba6a0e0ff05728c2ffa08e374bdb5ee1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoMe.exe

Filesize
158KB

MD5
c9fd8f1eeba2f4ca8bb8fd05492c1d76

SHA1
0bc39d5c6b0dd1de6ad9ba93eeef32aaa04c8e71

SHA256
b3a440f114989051af3037127e68cf3c17bc11d715823704e4fd252a04390252

SHA512
24d13ac3db00b47ab2eb9754d301e69d869e7dd4feddecda386d311356538afb6bd51845eecc447ee3294c9e07043aec2aabe629c352bb1257fc4689024ef141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uswg.exe

Filesize
157KB

MD5
e7b8404391c82908c7c706b10521f1ad

SHA1
4cf6706e47a48a24c8e4a03e298ddf682e2d33e1

SHA256
3a3b521ee74a117d14bd835069f64341cf32fd66b3c63fe0f14e8a66097665f3

SHA512
5396638e81905878caf83d6eee922b52ebee676d3331e5755535e6c8845e688873bafede24eab17eb6f5dbcd9225149f47bd634bd746a5cb98a405ed5407866d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwAoMMIY.bat

Filesize
4B

MD5
741e2207d8d089d09afbaab1827f4512

SHA1
c429777b2d0015f5c4d8be3a5ede2dd426282219

SHA256
32c58b6bc8e552ffa943601e606e3f2cb586eaf20ada2ab84d3febb4ecc774c0

SHA512
acbfe6c7ab3cb48f77a360b98087339a57d3c525b461eff138be62f74da5ae6144746de4ebb7c258ce1bb38449fc3c076ee1817428ce1720a2590a1a3e48c577

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwoy.exe

Filesize
734KB

MD5
b607893bff3af1f377c574c96a79ff81

SHA1
ea2bd3d37f1644affd27037dfef8618a2d5dd95f

SHA256
2ef66b722636566e4daf4b451b8dd17487c374ad8ebf38d23e339be929087434

SHA512
64c42becb25ffcb8d07dbd9d5c45003e54c5a4653a8677dfcde97a832278295ebc2f3848d9cd97bb78da0ebc61168158fe9263e59ad384947824f12b4958a2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUoUccgY.bat

Filesize
4B

MD5
ec46f39f12b97c2821e337fc6a3d4dbc

SHA1
ca120fdd658c08322ce3f78ff293dd4474b03cdd

SHA256
05cee61a0b4fc4b08fa78bbdbac9dfee5aecb90d9871d5900d1a0eb2ed6ed3aa

SHA512
0d37143c87d60f22a76937f3746ad84c57080ebdeae35bc78a2281e513299230bdb82b75ef7531b20f5877a0e205b2606cf5215a7d236603833e0174b3d58acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUMY.exe

Filesize
159KB

MD5
e775546a8b00a8d5059d03c5c5d88bfe

SHA1
23b60a356935f9424a8db4bad387ca2e4a489c95

SHA256
401d38b0e8bdae9e14ed56005371eaeb1ddcd55a05800361689958935e8d9cf4

SHA512
df044e5fa4b5c6e61e0ce487d7cfa731346decb9283d00efc085b204282e65e4b4c33e6ee8f1e85ca1b74d07d2fa0f200c562229bc3a56be7c0a0b3c55e1b8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUoI.exe

Filesize
660KB

MD5
8e027af8c8cf8d15a5368f6208ee50cd

SHA1
4585e1b0f5459d5c3fb8ffa79dae2f88c56c7460

SHA256
b91ac85a5a465e226309bc60d8c786103c45969da856b35eab3ea7b1817dc165

SHA512
6348b29195e2eb5e58df528155b4cc7237b3e8ec8a58a5cc7cbbddc8451e7d7195eb1587933f952a36525c61903e4665687f771f27e89b9e54bcd894b57ad482

Download Submit
C:\Users\Admin\AppData\Local\Temp\XokkIMoU.bat

Filesize
4B

MD5
817e7176c6ff29ae72881e837540ee42

SHA1
419014cb88405a624c45ed8a8603f3d163010631

SHA256
f7a10316a49efdc7ba5bf4a4d00da1e3c5b90f8d667516f6459a8f49e8c3650e

SHA512
2e54180e8ca88d1ff3d5b60e19f14d9bfb5c1b3db06d03ca7b7f4a61eba7f21f28856d7895c81676afea2a160d291ddac94443b30e0126f146ed063440253fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XuQYsgcY.bat

Filesize
4B

MD5
035c235a132f7d4ab48cd6afafa11cec

SHA1
63611cc5b0ea56d5e5d7716b5a9628c4c9c6acf8

SHA256
d618871b8e20c6bb174f169eb2cfbbe7440ea774868b80f30e36e052bb07d628

SHA512
8da14b2b881d71f9645a2faa630a2aaeaae82af7532185670b75838274bdd9719eee56904140f40a064dbe322b1803142ceb14644c37dee29d5e47a665d83a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEcE.exe

Filesize
161KB

MD5
3378a5fae357fa0b071faa2c14a26223

SHA1
70047d45a03adfc9952df3a630450376ec658569

SHA256
f698ae424a7c7ae55c908c17628f0ab54f8bc3660576b2df2b83f2b0cc662973

SHA512
c69fc8ce345ae1e6b2a6a608d32f5af5d8af0cde01627d2e05da6e414a2b7c2c7715fd65d5b33b1d3c1a8f4c97bc4c3fcba7c603caa003ab0d3333ae72e78970

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgUO.exe

Filesize
158KB

MD5
6867e67acc5910b6f8a103f250efae37

SHA1
ea5da4dd4a7c5c360687fd1db5e641dc36cd3459

SHA256
059538c013b007cb7ce09f63d8756c3ebd0df9e8140036aadac11c9bf4f98d3d

SHA512
2c2c9aa13ae57a450a0bb518efa9861edc2094c00bbbc68a6ef72ac6b6c62e40b3746a22d6d9ecdb54888db18b785fefcd794a816aeb5c9136bad219b166552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkoUAIsc.bat

Filesize
4B

MD5
5ec4d10cd97fcc0df4da9c3f5fc05e07

SHA1
c9caed80a67853da256e5be2abf777219194f9b4

SHA256
fb02d5bb485f4f2592aac1fcca7157cee183d3dfec93d03ec6f2cb8acc29cd88

SHA512
bfb2781fc8588e08a7b50475d1e747f98c90b6d324df9fa67cc7d9c79b1bcfb7384312a0697cdbf7f2a58d5fec4f7f428d4e9d37364a2849607bdee4aca6be85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yowg.exe

Filesize
160KB

MD5
cbb25e587e14d59f76c16bbb259344e5

SHA1
9414702fa702b31605cbf31e983cb4fe45890a65

SHA256
5b4070c6f1a8589d894d520cd4df4a6c0867ca1ce6cc580ed3aea6fa2a990635

SHA512
7e76101e7fc9554f4c988762891ba3007dede5bcae052f2e9b00b3ae33d0200694641ed1bac1067013704fa4798d6f28c2b5081e6836717df0dfbbe054527f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywga.exe

Filesize
157KB

MD5
58ecfd728dbeca0d0b289b9d868f384b

SHA1
406415c7f10c641ed5f57ebedba5ffbcece9a901

SHA256
f1f46bf2a89fcd4b95c6a37673507a475cc7eb1df6065102517db7b53d0e3a77

SHA512
9e32784545ceb96f1248e018cea8449826fdbd14e5342fbb76c96bf77a6d9cf12e8189c0bf2f7753a5887eb4d125978b101e5bde5979c598ecb16ed3b1b96c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAoUYwIw.bat

Filesize
4B

MD5
dd23ae605f2e0ef1ad4f3441702521e6

SHA1
8a2ba2a718885e7c648d3816d58a457b3333190b

SHA256
57c2c6f5c369b9ad48aad1fda258deb5bc3b1b1043052260e04530d6a39a6bc3

SHA512
10fea2d7ae759195831fa9bc44faf22fd463f9127ebfcd623f9273dba9b187b0fefa2fdbbfe7b5437898f373e6b1147aef9b2dd23eaeb786492f0f2aaf833170

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMkw.exe

Filesize
565KB

MD5
8ff96ceffc184014f3064ffb50b6c4f5

SHA1
39ea9d2b5c4f00f967446070142f17e28e8fa2ff

SHA256
891ef953b71805584d8852ec10afaccc62feeb34f253ac81c003a161c70e9399

SHA512
32dbf429d801ffda17e86bf728e881c3be29f721f04580b35055db0749544a9b9d4c6c8fa0b95339b56645a7dc0fe5ec9703a436cfff958529947ddb4640f803

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMkw.exe

Filesize
158KB

MD5
ec8cbe2280fefafba1d3378bc32d8d3a

SHA1
e3e2deb3f6aced9ba1a03257cd6be25b395677a8

SHA256
9ef0bba8c798523cd2d3dc8006d19551623c5fc09fd2be759642c88f3a64da79

SHA512
2a1ee271e9587c5d610985a006442fdc37db5fdae67496640bbc04ca20fcc3ef71e8deb174bd86216e12cbcd2a483ee81ecd3d92af897ea72b162dd0508f728f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUAO.exe

Filesize
936KB

MD5
b334cf64751eab36e23609a6fa7962ee

SHA1
e5185d707edc4c2ec8e41b4a8004fabd7c3b5e0c

SHA256
ebe4a34d4cb2b85d6d5b5ecaa0b7b1ae8d6a09df50a9f48708a72bfc37eada9c

SHA512
86f2c472454dde5f0620a9c0b3581cfbf549d6651d6b2e7b98e292240e481362ffabb50fff251850553729dc138fe44a06ca4637350033c017c8e412b4d997dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUEw.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\acYc.exe

Filesize
158KB

MD5
904d76c39d5c24944765a4fcd4e87ce7

SHA1
c3de184579f90a9534167d5330fe3859d823dbb3

SHA256
470169cb0acfddd2e39f0e63f363bad2cc09b3104cc82625d4f62273a7951c7c

SHA512
0596ecafbd722d99517b45c8bd79bc4a9674ba4593c0b19e42bf3023f1ede5510e0591aa6950b5d2297a1c6c931c502af709bc4a8bec585f0d2c81516b6e00fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\agkU.exe

Filesize
158KB

MD5
ea29dd6a0305c8147a750430e22d5c3d

SHA1
dd8392ebb00fec861cfd91b43a8cccd2820cb27e

SHA256
871b1c54542de7c02d5a52ab51ccde22ebd4bfe7a4e323e58decea8220996f26

SHA512
1edbf133e09ad6027e82594bb2de021c7559f5820288ed3230abc517c54bf29026174163a210134e709df2c4c4790ff508908fdea42258a780e3be21112b6905

Download Submit
C:\Users\Admin\AppData\Local\Temp\aussUcsI.bat

Filesize
4B

MD5
0d31ec0d03fc5058c008be3cb2cca0b6

SHA1
d2d9492a6149763703c4908cb4f92f7bf553c9a5

SHA256
4b61a4712e4d0fcb00468b8ff53adce5a41baf4ac36482a60249e1d60593c666

SHA512
01bf232f29093900f3e90fa15e05f0c2c4a3f371a52c5328ed096f8dfee3f79b59034e61a4c80dcd51fd11a6e3a24bf2d9c74a5c24ed07717714ae22ec7f64b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEwkoUEk.bat

Filesize
4B

MD5
9a17020abbcd928d43dd421b1a150ce0

SHA1
918e71eeaad20fb789a74cbf92126f26926627c0

SHA256
5d93feea09616b1ddd2140151575112ad699329e4c09de1022592587d5d9f79b

SHA512
6ba888b2f6bd4fd0adbeeea84029b131780e344b15276ed6e0e10ac69c3fdb925a4218d90706418592999e370767acfcd4dd5992708f50e2378708b3b690e01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMYE.exe

Filesize
871KB

MD5
3b1f646e258c4b22e41bb096655bf604

SHA1
97884e20038ba89659bb72cae790e0f107123cc1

SHA256
d148c49b92abd3affbb365ce19bef6e62bfc01eb5009a4cd8e77dcd6c10fb1cc

SHA512
356b14b35d220eb6cc84ba7cbc4dc3d8f7c3dd88261c0ca4aa73c25344164fc1de96f5b9a5de08b0e1be34232b67f594912d9236925cb1f14ee67424a68197fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccUI.exe

Filesize
158KB

MD5
f2bc4ef12f3b9b986ad363ce343832b4

SHA1
d065268c8f432e479b605a7932c4c41573cd9801

SHA256
c3668c25ea29648e8ae30269cda924ff58035105ecee732fbec8cfad78818e08

SHA512
0f2168dd0b8fbeaefd9a15753a58a79d481c91157c51225ba09e3ed8584432a5b45dd3d2a4083f1397675eaa820f1c6a10650743fa7789605d4b62941103cffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwYkgkss.bat

Filesize
4B

MD5
924bdf9ec919fcc80ebde2ac2ece009d

SHA1
772b3a08c268f19f4c91208eb307d3465e35ca30

SHA256
53442fa75cc7a50c04ae86c0d6bc9fa657d324914854b3c33af46a1afad1fcb3

SHA512
560dd6673b52c8edf4fee699c413b4638efc7c95fe4aa731736a4055049c8de68c15ad964a646f0d3a1f8a6792df6c319d3994491d1d36a95371f9f519ddce68

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIckEMks.bat

Filesize
4B

MD5
0fdf75c81f252e1346598aff48cdd35e

SHA1
2e36bd44f75ff4661326032d10d83ff32dd45bac

SHA256
3a9343739a0e64577c431436e34cbbab33d9efdb277d7e873ce34ba2eeabda09

SHA512
6d89a69e1d21c9e17830adf2b1263e14d094f4a0a73139757352d8c28223720efb3276eeab8e72fd69b55b21be871f80ffde616bd1a81f02a9a08da9473136f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dKEwMsUo.bat

Filesize
4B

MD5
9eeb1627c93392c28659cc3da4b24490

SHA1
4e4b005d421266967629fab5bd0daa98a4aabc6b

SHA256
1b9014b6ead3b10044b3deaab309d5a53394c2eca701e7049c6220f48d8a6a1b

SHA512
d3c5d361adb0b4390d41eee633c06bd7b2be0c1116205b4c7525bdea3ba514473cac22125e54417c96f006c06cad686bc359a89a71a1c755916c371f73828249

Download Submit
C:\Users\Admin\AppData\Local\Temp\dWgEgwoY.bat

Filesize
4B

MD5
6ce02ab22891144a3c241e12ede8f81e

SHA1
847bbe4ae78398dffcefbeb2d2e83e913d14f647

SHA256
70354b3cd2426e0726020ecabdab2d0b452515c348da98d8d92680f04676a905

SHA512
9e4c84b58e6ef198ae2cf4b2c3c35680fdaf518829904a52b42bcf3bd7a27b8c6f308582e55a25bd711d507a770e1ebf9ea39a1e2238821ab2fc89a046dd83af

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIUw.exe

Filesize
160KB

MD5
4b6e1f927a33ce26b68303e6d27b1def

SHA1
bdb5ac4a4b4f0300af2be1f61de32861c37a4157

SHA256
688c33bfe83486df817de35348627a44c84375540fb6bca1584e60e2a1ee03b0

SHA512
9a547ed6c96ee92182351bb76d2060ee5e2350dc3f18e5b35c15745e1f04d036eb25bcbaf35a93af74b6076ad69f9ea9afc9aa1f554bdae2766a52066a05705e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMkq.exe

Filesize
158KB

MD5
ae89c1ac0d5abdd93994a4ab0471dc02

SHA1
a9b5824e753b6b8ffcfebf625e7fd57541636a94

SHA256
d27c927f9cab42adfcc6173bbb9372b92d64f88317bfdb715567a7174cf1b033

SHA512
472bb4f3983f86f1983272deb50a9c0d82bfb2a873ca0bc4fbe64c2d149c6491cd4cd9a1f9bea4c7238811f5d769ad7ba3b1fc0359ee1cacea9e87b70c5120a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYUIkIwA.bat

Filesize
4B

MD5
ac38fadc4fb1181cd834cadc22818a5f

SHA1
0b07156044bd0bb831f667c1228da7b84a23e357

SHA256
5730ff5c3210f3f3e87901c1e1bebce3d37b06ca18f44e83d87c46302f0ff4fc

SHA512
17cb3ff954e141ec9011d50262e4915d0668d1c89fba71e52451c36093df75f2e9f84acca5086099cae54cf11bba2657b77443da7b698d6024607952f8d3f0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecEgwEMM.bat

Filesize
4B

MD5
8f4c61fb900f5e60c9b5f3d450aee2ce

SHA1
f6871143f0367f0184a0232f18aeda31ceee5330

SHA256
94401d78cdaf6ac5188c5ee313aab4416410b91537e504e79af9c5a1854c0dc7

SHA512
8db233ef4ac3cc5d304b2420aa61e22f0febca1e073effb7a8475436b318bba3d4c81375a8181874aed997c5e15603efc9a44c70d6e31867cbaa27fcd10f9b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekUO.exe

Filesize
157KB

MD5
3315bd23ec77c3b9891253424ae9ecaa

SHA1
63b33bb5e73430f9b58c33cacd7ee6f08b708066

SHA256
06c81c7b481d9667e1f9f8213dbac1fa5683eb08ce5f5c8e55f4ae9c84edf919

SHA512
b876d4d30cc891669b03e9702339d2b940c97b2bb76a4dc7e31b5146d2eb6ee1ad6fa9fddcb2f491301b7d9a3559cbebbcf281928ec0c6224fae2bc925cadee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqwgMsQU.bat

Filesize
4B

MD5
6c64b8ae8fa4826db62250744845ef83

SHA1
d384e5ee7d0593a79b59bded477adf59b7c86498

SHA256
572108f876b5866e4835f0226b1b8562a3f83cdfbc06f616618ed12b756a3a89

SHA512
3ff8017eefc621485034f1b114f892aa37337f44e7e0c7f25a7989bab2be9311024b8a7f0c9af29f7a2ae7650de7425f3214784c89a6912bad07acaf8927c313

Download Submit
C:\Users\Admin\AppData\Local\Temp\esQm.exe

Filesize
408KB

MD5
4b6fd7b8246e8a11154442e117b6b947

SHA1
0117cfc4853a80216ae8bb8a559360dbbf1c668e

SHA256
e98793498eaacb83c6872c8dd2505f322be18ca849b54fa2366f2dbb24f9764b

SHA512
ddc670a3d9dd2e12b520719ba4158f57e17cacc9952c98bcf5ce284509531173bb5d533625f30c24b7d2625a6735fa6178a8ad430b321ece85669f89a7523540

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcUsIoMY.bat

Filesize
4B

MD5
93b4bfdb55942323e96ede819cc194f9

SHA1
4efa1076284b40755a1cf0b08bd0c609508e9b10

SHA256
04c5f38b1057ab85ff0512fb837748023f3c73d2bef7fe2846c5b145ee4e1188

SHA512
0f968af86b6af5d7990ab2e29f190d03522c1cfde0adb602d7e17ce2bdfa5ff15f25e02b597384f28c1ef47c6f0475cfb97d7e78b4f65f24f22cf4bf0b046e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gCAgUgUY.bat

Filesize
4B

MD5
c85cdcb50e9ad61b708308648e226acb

SHA1
fd31ed085e5ebd42f7cc4687fe6f4753658dd53f

SHA256
f2f8d71a379f1e569e9e475dfbdab1e4e865a750e1cdaae61f13d532b4599a1f

SHA512
757f8baf7d309dd3d73c91e880c56af949a923b44d2e18cda3aa0f00d0fbbe74f5ff8e5dc309c2e5adf3527f823d260aa9d5f2e108d1ba22faf095f07b4c3731

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQcE.exe

Filesize
160KB

MD5
1585c6825edeed0d833cb0639c811420

SHA1
bf3f9e5ca2ce04138f16f9a2a1774bfe9ccc95ab

SHA256
b05e9e1e0bedb850efcaf650f7a208ab9ee821694a8fbfb7a63db3993c5bc754

SHA512
c63689c5202b6294d625e0957b017307da80675dfb9c3d38b0c2c1b92de3addc5da00e820673c27c1aefb3fd9ad17f11035e4ebcfbf6e1b0f230eef9431a8a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYEo.exe

Filesize
159KB

MD5
03c353ec226ee9e1244a5f60e473a59e

SHA1
5c7e7d3aa398b3631f9192aeaa60bb828b1045ac

SHA256
5909445cf3942de9e27937e617dddd4b588004db0f84430df53e9e2d029ece25

SHA512
900347adcac6d17f896a9a68a5f7c3989f17169a1a689f7503c4b77f20cfc0c7940bab7cf7b582342d95e9123b927d72222991004b612f5d2e3a1916bff21319

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqcMAYgo.bat

Filesize
4B

MD5
3e79daf2d1bb3d33e34eaafea240e8b7

SHA1
ba44bbc5838f2c8bdf8c17198c8bc5ed0d131535

SHA256
88da8b5fdb21c6a69c02bcfa109250e1d242ba0f40012c480dbe7019c14633ba

SHA512
500af5eb2cd0f1b4b93a08b21c3f1a2245f824bc6a0a517487f7073a845ca06ed7d502f7603e25c4681af1b7d63bfa458a5078f942400a8a353d19c290e9b671

Download Submit
C:\Users\Admin\AppData\Local\Temp\gssMEwUU.bat

Filesize
4B

MD5
d1632bf20a7387dd988d1f7901797e2a

SHA1
8bd465f01c6e48a8ca5dab6b087826adb968d6d8

SHA256
7a717f67929d2317ac82a078f42989c2ac5f0a1b2b345930b7bf68317cc8f000

SHA512
cca38c3f5c4483452ae0b726323c3ae1a41cbdd7a51d5a5637774c4aac755d286d49c172bc8d665afce0a2123358c2002b3d037b118240760c5bda842f365583

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwUa.exe

Filesize
515KB

MD5
dc35518220dd25a0e374ff6eddee1380

SHA1
8f563bd86ea080ebbce6d4520fc5678a1d71c379

SHA256
3b93e99124b5c17826b195e58ef405497d1b7afd398c98959b01e443f22be948

SHA512
ef4cc480079f05aa26f3342ae860f734f5dffc8074378d85b96b0e41554cdf8f560ca62d0a434d0aace53a7429cec21b65da5cc07a24c98667eaf9011cc8cb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQIUUMow.bat

Filesize
4B

MD5
f8b9183bc9bfd2dc34e6099441173eef

SHA1
fea787bee644bbc226fa84f7a3970a79bfdc37ee

SHA256
0a74f8251194431bf37387db2190af2e8778e21e2b40f1c3a4ee42c39332cecc

SHA512
dac96fd93691940b48236117376df1d97ca0eb514d1b1ad6d10f3f3d6fba801551020d8073cd983587cf1ab7f40ba172cc717af3ed154e83b5b5e44d71756ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\igsK.exe

Filesize
867KB

MD5
9303c7fb5d304ae3d1702823ca519216

SHA1
091aa7ccd82f575496e9dba172087ccdd4593faf

SHA256
fb5aeeab03c18e2cc2c1b6e8f959786a8564c4b176dc693c737ca40cfd5abca7

SHA512
07fc2230a0d3a6cd92f877dc3179c707805711d9638bb04ae011816a2eb603ca7c10c0d32affa1b07c1f81ab6804ec067cabc56f3d69be886afbcc8c6604a3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAAA.exe

Filesize
8.1MB

MD5
a771e514a8531f68b3d1348e05dba002

SHA1
b3e997b77feb5f2a8b2397e58624171314f04771

SHA256
039cec52d6adbf8ae492bfdd5d401d17f551e792347f5e44f998e3c75969ea85

SHA512
cd8a24604c74ea25591a46fc0cf3039ca9e4913bcdb8e35831519ac454560e26f09eda05cc5b90e2ea46424e72acd991fce752463f1a92c63a53840b06042479

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEQs.exe

Filesize
150KB

MD5
825eefbe673015d4c7a7ebe8361a1904

SHA1
a3735541f3e94a0d0f89244793d021c9e02016fa

SHA256
e809c8815ca35f880fcd514ed63c73257328171ea8d9c9d3327a4636279b28bd

SHA512
7a3a20aa7190e6a1b23c967b79b759d8fbf09fb9d3a12f833d98be676664a6a16b529c341714014afd76d23333dd4575204bb0a85f56f42d41da5eaf1e8eca0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQMC.exe

Filesize
158KB

MD5
58f8a2ba40c297f711783bdbb270ff85

SHA1
7ad7b8e943041a08e734ce9bd14dcd57c3b30487

SHA256
c239001bec84d826461ef19cb72ea69bde3a988699b4a1bdcb240ae5c23db4c9

SHA512
80f8757f30ae9ad4d8b03f7b39dbe4a8d24a94e40174f3487553e2e6552ff4cb56aa6612f7ce3fb5c7d7cc1a8f2436443a45d0a2e9f0c9274c54e1bd9443f080

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUgA.exe

Filesize
158KB

MD5
90dc4214981cbcf31a516193b534ea86

SHA1
fbd80fd0eaaedf1b460bb4163eadb14092eebfe2

SHA256
b402d495454338786be5d298de6764312b4aebb8650f97a470574c7a4a59a3a8

SHA512
d47e63fc8fb390005893ff614daefea03800cdee2d51f32cdd969a2a94529401717f6328d4930e752c25ac4b1cfc86edc2b148af6860e512b474d791bf25d121

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYUEQEYk.bat

Filesize
4B

MD5
81ab8a4fe22a665458b04530bfc2ef19

SHA1
cebb2217163c7868818ffd3b79a8992df5cbf01d

SHA256
f5077bd72b208301173d93f751493f7ff16edb9f56f1f5b08ae68716eb8d2515

SHA512
88a4ae75e76360a27dee1e00f1529f6792fd92bd1059c9e2bc71dcab279747964f91b19da396d626ffd8a6bc24deda09f8f66352269f6a05ce90e16e4445a363

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcsI.exe

Filesize
159KB

MD5
02b378bc5b26ae5b41da7ef4c88fef16

SHA1
5b3a004cca603272c983595930c3e977d8398ceb

SHA256
f8d2649c2c6f2e78c74c50c32baf00ec79e5762a35650c143dcd471892f43734

SHA512
92fbabd36865d68034df906c5801b0b9d327261bbd7862982d51fe50b8d7d92ef29f93e646613e2ae2631f074eca0dcda56233e3e0d458891595f43d829d2e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\kioUwcko.bat

Filesize
4B

MD5
137ed8d444e41dc9aa00de9924798f9c

SHA1
b6300bd3ab9dbb0e9447cd195c8f761f6a093fc1

SHA256
c21e76b494080db69afce052a0e9334daa3faf13d64256c5815c73e762b043d5

SHA512
75e8fc015ad26dda62804d32e934bc33ee2155308d4ac8ad541a27abf36f74ceb41e37884e9c2ad5e1a3095046beb1cdc61334ed833748467b46b93e455ec40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkYEAIwI.bat

Filesize
4B

MD5
a81ad1017baafcd1fbfe551168a1bc89

SHA1
102a14e49917867e88fd94d6e09e27a86e68e698

SHA256
26f2e438d9b30229f918ea4ef548078ab5e43021589d68b04e08fa256bbb9050

SHA512
66b9d6a77018625457223abe02fdf4d6e152d1a65625715cd9700585122b280bcdc44f43287f7076610557cb956ba3c77f4e3a2069a3b0065193a1af8d34e106

Download Submit
C:\Users\Admin\AppData\Local\Temp\mCAYoYEk.bat

Filesize
4B

MD5
f8f96eca8488bb08b1afe0638fa34460

SHA1
6631b19897f7f708be4979799a4350d0e581a9c9

SHA256
9613095a3ab245912c960556281c82abdc51afda79a84c742890801e24e13926

SHA512
1e1bd140dfdbc047232f50f858d4c021839967703e2eac548ca6b0d04b5245df95c8a1251cc0bd2a3cd80bbd3d401de242ba6a1b59f6ad0444c6242bc3f8507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcAM.exe

Filesize
681KB

MD5
b992e15625f71d36fa23094510c898a7

SHA1
8265db1777178a4cf129477785916587dd6a985d

SHA256
36d678e62efa5659e20db047df5ce6a6d56bce975591ead4f38aaaafd7eda03d

SHA512
fbd55277f7d0a60426319b2502876bad349ed71559f9086569e5728494572234295b11d0b51d2d30467beb86b7dac55c183220712a0187cb485746ce0ee154ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\moAgAIwU.bat

Filesize
4B

MD5
eb0f9e892861e3a1dbb659d1248b1a42

SHA1
813c8aa870e18761c85ba8fc51de1ce1a02a840c

SHA256
e134a22d274ab599efa583ee244b6af9a37973879c80a3b1cab80563b4984e63

SHA512
2cb2e1226d7ac873ee422277ff0fbf84e30f0902a58c10651ee109db5ef2cf689d181105b413394065836ea243f73dd3ff7ade56f7ea283a7f9e488dfe322c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWIEsUAg.bat

Filesize
4B

MD5
4632db2cf3061718859eaf3d5b01f36a

SHA1
b855c6731536e65f2928fbfcac943f631155297f

SHA256
00ae36b19916e952623f9249b2df527395a5813c4fa2c15d5bed4061c1c5d133

SHA512
a2487608eda7613e51d7cbb4e0d8745ac3a0ec9728a7703d8acbd82d2ee6cfee75e4d3c10518c12ca917bd95a86b860d4b8ad13ddb90f7c0a7aaa9849f4774f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\neAwcUEA.bat

Filesize
4B

MD5
e49453e5f4e8371c1e5cabd3c9d1a958

SHA1
8316126f1f25e52f5e7fd6a4ae6e567040af9be1

SHA256
2024e45765ca6b77fc7e8b77f724cffa6ebd3a58133c81487fe7c295a21fcf03

SHA512
4d7515827451921937f2772eb0df0b4b87ff9bc4304e1f33e059075494bd8ca365956f76ce7121ed21e8a236577a7c5ba9dfa00f4472817d111f347ef8707fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAYE.exe

Filesize
158KB

MD5
4f4b32d657db521893a76eab7c8567eb

SHA1
65e51798da37991c08a0f8a87232e58b839d9264

SHA256
62cb13ed20e83bb3aeb77270821e72cdc1701f29402aff3e9e85b511a8838f98

SHA512
116fd6586562d5d1f868fcd8f374190d9e59bce69beced370893fbe99fee9313259e40c420c1711e00bfe76a96f65ddd9b90cdbde13e6c59c7aeb3f11719b1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIgE.exe

Filesize
4.0MB

MD5
f898642eafe3a27d07d7c1e79ab1a997

SHA1
8287b077dfa2700066a20eb2f4dcf081a9e5cbdf

SHA256
1bf4961d9cfc7f426497e70bd575a0f6d6ae64d1567545d6ddf324b89ebd1f6b

SHA512
e2efac927c1dfa64995053f87080ab74277a323dd3c592f5d0b0423e3b29c6efdb95a6a6344f62f8f80ed379599eeb1d212dd977a4d1e3feba33ac54ce98bbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQgMEMQw.bat

Filesize
4B

MD5
b94c8f95f193ae284a76ca8d3bfe65b5

SHA1
555cf15e39a7cd00d5d6a920b5fc185acd3cc9cb

SHA256
28fe3b82d1eef281b2f19591a73f66ca41ee9b9893126ae83b0490b0fb178479

SHA512
3cede5e9bdb588d67a13199002e4c0af24bed22c70e78af46ba3601fa789416dadeb29e676624b1dd7cde9d9ea5b8047c1e290f849cfe538a018a44de4a1b614

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUwG.exe

Filesize
4.7MB

MD5
91113486df9c11d88307b6240eed6322

SHA1
19f6513b25c00e7de177499f9baeb1531c1e77be

SHA256
aa893bb2a3bac1e0515f81017c2b42eb983caa1e173f02fa5a47772b78c9aaa4

SHA512
b70361a3b01aa983cde3155f3f9ae5b12e725e360a57046e9cd6afbc53a4a6e9ae0be5ac0c04b8a3ad862c262236630f1f47a28958bf615532f47a8f6461abc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYoUEEwI.bat

Filesize
4B

MD5
e74ff1526c9286d5ea4749be0f574811

SHA1
2c356622286bf2107c2be43b7dfe16726669bdea

SHA256
f85e857415cc507d5c631a6ddbc424eda833f746a3983e9334443c95a9ad5436

SHA512
ed9a31e604568731fcc0e25c1b680fb7b236d879472ec4dab4dedda034d101d754075159ce2fc76282a7f6eab32c3511da28863933e5df91acd58ccb9b84ddfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\okQo.exe

Filesize
158KB

MD5
f8c3ce85e159051b5e478141d696e564

SHA1
a9f0b42c3abed978315645e1b0f37f6842b78942

SHA256
1c5af9cfb5e6636f8009ae80efbd7bf679c283d8da2f56db4a1f00b1e2cb7e48

SHA512
184e7d58289637e123234575f900ad03f816d66b8eb470a8059d1fcd16fd0653ebb735b1b4b29002e46ab374be090e818fc043a57f5302cd628f2dab1cb2840a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pOMsQAoY.bat

Filesize
4B

MD5
f72220c059647aa4a4f51314ad23d46b

SHA1
8d09c840f572a2c14c117d8bbf8fcdc49f5a02ae

SHA256
093f0e67a33019795d2e95843734bb58bbedc404adccff9d8bc6639e377ef824

SHA512
563ae330c8e52023bf8357df6f586fd5e0f0eef519b2a7b60cd8bfc10ea0969a190dd105969b2f2248fdd8e2aa41bba3fe9cc0e8e2adc1e0e929760f522d5c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEsQ.exe

Filesize
161KB

MD5
1f31ac57ec7860899ed587f8b84979d4

SHA1
df04659d57f005d373fea0dc2c79dbf029275b58

SHA256
65724d3dc8e2e540301778f7d557dc738c496d3dadb3dbc350f56265f74cc42f

SHA512
d7b7e53143fb4bdb73c75e7863f0bdfde63658b30f95153cebf93f7b2ed47fefc6c304582e6a4ada753494596c8c452fd5f1af59a8e31b66afe5c3274b5c18a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOYIEMEs.bat

Filesize
4B

MD5
92cdb765b9e4f51b8c60c29d993aecb0

SHA1
f34e15ab01a52c0a15dace3fea09e98026165dac

SHA256
c65b8b049100486211e32bc50df5f780f5e3bbb1db46b925e7a6934f962f8257

SHA512
e3b17a1e3039c624ad8a09b043c05318f25546f01a024c0d958595cde1c822b11441f85c6d6d5dc288ae7c4e55ba23b11282d8a597229d5873792f8982a5cd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQoC.exe

Filesize
157KB

MD5
89c3f69cdbe8da870f90143633fff998

SHA1
cced220ebc65554f0ea5d02d08943d67be438e5b

SHA256
ab3048332784eda07f32ef3bed25de8c3a0d801c6b1869f1c9e2b294b0dc6cd4

SHA512
46daf9350dc55116229f19768898e4c8d66b87e1412e42911420fbd5a5dd4291a86715924a37307fa47021d56e38027b89d7d0f5391901c782b22b2a767eebc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qggI.exe

Filesize
159KB

MD5
b22fff321d31269a354344a9f8d3a6bc

SHA1
57ead5c5145070a5f0129c9d3eb5f9938800a997

SHA256
397d087972b49bc0b255c1f16e963f10d18d5746eeb6f83552e425ce62c8ec83

SHA512
f52cb1603a1f6d8b9ce812fe49836f0e36c590f3bb9ef6f752f1c2bdddb11266ef9e4b693ecf7ffc888536315b28687d5e2036b16ac7b9606670738786cac258

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoUi.exe

Filesize
1.2MB

MD5
7e5723c933488122ee526b263f27a238

SHA1
713a3a995b815f23ada9df6e354f91ae391463db

SHA256
7a8ce6e205ca600a456c7583852d5b060f78b7da315fef70ed4dc80edba99cde

SHA512
44fc300b6500afb18eace30191f4fd1495ebcc2fefa20bfe27a3d8031103bb4be831a464192046f0c5a7558971db54f7c07af3fc3282096fbcf0607ee29aec8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoky.exe

Filesize
691KB

MD5
5e3eaaafc4d6a60a4c6335b9a2bcf3b3

SHA1
f7c3998cc3d3d54191d39012a2f608f518ad34dc

SHA256
5140873418eeee60b3c0389b49ee7c0a091f8a195d836df8e6d40933a225c688

SHA512
390bd18f9b5d8690492252816e76ac4e9f10d7ef74f6cb520a67d62c470abd7f50b04772871fc82adc725e358b3c85fdd635fa8b1abd0b0eb436da66320327d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qooG.exe

Filesize
152KB

MD5
905388e190ad4ae38fdeabc8091f4dd3

SHA1
03c99131b5def851876f47337a358a2c746854c5

SHA256
777b3bbc027c10d843abe4f5b168edddb4235b75149551aac062c3b569ae485b

SHA512
2ad594cdbfec4920b0e0eedbe90c5730b09574c8f936de9e5dfa69c56581b307139f261b9da17780bd03360c849b5baf94b54ec7d5321f67b7a94aa672c5bde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rGAcsYcU.bat

Filesize
4B

MD5
f8418ccaa1c23ee42c1e63c036066f19

SHA1
1e12c414c39984045323e2c71f27987ab3ad2076

SHA256
b47ed739fad43eeb9d6adb8e50e75f8d8e063e25752206765091ea92d0af3053

SHA512
98744016ecbe5237cc1acc398e235b8f9c926206e6d080cfadcf1b430e97a87190c1aa4bef482bff6c3f25647090d5ad679bb82bf5cad7d0d52b774fca44e097

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQIAMYEY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rawggwQY.bat

Filesize
4B

MD5
3e969f1b2d10c5eeac954589d16b4cdb

SHA1
4ff672d623f3bec772f916f95efeb3d932f49f67

SHA256
9eac0ba8b8cb9416adedc5c0ef760141c6003dc87d03cc37cdfe0cd0c1adfb3d

SHA512
fec63e0c3c8f1f90d7552791f17f24ddcc8351e366d3706d33c29ace3f0a0bfa50a63f0eaca1f1104ea74bed85d2634b2916941d4fc4dc879579cb969abfb3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAAa.exe

Filesize
812KB

MD5
65ab77d203cca27ea177f27294f2678e

SHA1
3d1a153f703414799064136d585151f0e691abb8

SHA256
bcc559a06ef76cebfea48a68ec7fa7bb33a79604a62b78fd26c64ce3d49f350a

SHA512
18255d76fc386e74567c63429f2cf2c2360ba8bb746edf1b2ee00d7a6443fe400dd7807e44af3698b53df4aafc57b74de10a6101019007b39f0e38deb51ea569

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAYc.exe

Filesize
158KB

MD5
42e01b870091c006ae8b0b5077359b1a

SHA1
2cf9211d223db50e6f508cb88cc86cfc6e9242da

SHA256
b4bcd3a67d9463362074ccbfc5be6bfc61508f0c5485208c44277467a926affa

SHA512
da0eb79732d7167caf3150bc7dcbe36bc2e18af09f65ce5922084539cd14e121e19ecf0729125b80e0bad25590e01829f3523f1f9bf8af1ffa5f3c987e9cf7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMYc.exe

Filesize
158KB

MD5
b0250eb9eeabaa02b2c7ee77ec6c6fcd

SHA1
26c9e7091225198242b5825c013fb9d70e86a068

SHA256
0bccff32b48e1eee36fdcba4d03fc0bc93e96e81819eca64fe6f69fc1ebd91d2

SHA512
0fafe2b57cd586a306c079e11dec7ce1604ccac7be06aa03654fcafc47a18bf79ecb14ee7bcdd2fd8ca8fb3e3f25c2df8a525158190f8b520f8b56638324f1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQEq.exe

Filesize
744KB

MD5
8aad838e996161fd39fe7bdcc468eecb

SHA1
fe91b1cec1ef5a9cc56d06cfe880541d27a09271

SHA256
193cc270513e7a9924cfd213a46baafa3863cbefa08f6360b2d2cb8611e01891

SHA512
6c98db578f11a275c3380dc6a3007ae6107c35a6a8ce6f1ee547386f0ceac96afa8daa27f2bad2dc978244bd01ad74028acb98a2bdf115b704967d1f5035e439

Download Submit
C:\Users\Admin\AppData\Local\Temp\sikUsoQg.bat

Filesize
4B

MD5
2416058ea5809efc962a661b0ae0567e

SHA1
285afb86739f35297f0a3ad3aef671ba4d14ad97

SHA256
a4b029dacf1f01d8229d8bcb0ed8b64605d1d33f4543f26af1ab776e7eba17da

SHA512
f00cbd59be2fd7c1c6fff1f3ad1a2b323ca128ca67ecb9305a12e87b9884e10b51638529c0eba81a7cdf8a4606460b1c41aca759e9580fc21fbf943cfbe2d17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\skkk.exe

Filesize
516KB

MD5
1d6871f1cef4889f620cfca65d0b5273

SHA1
fc3eebc9d4b3f6998bc83d05efe7ee899c93871c

SHA256
31bc8108e4e7fa618918f64260484edcf5dcac11808de7fc78b9f50a2829f365

SHA512
d60341d6a96b1975426a5d66389c911db14680b4d0b43e697f94265d17aeffcb0ce4c16307389d9cd637b405fb61bbc02127d630e2df49c4138a8796116be567

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssYk.exe

Filesize
993KB

MD5
1f893699909cf4e9fc5b1af19b602168

SHA1
34cbe315a52a470ef42e75e1bdbf7fa867df4d13

SHA256
62288bcb8c4736d44e04a61e80d54d48e688c8f69c524bff3b041181741992ff

SHA512
f5cd2d54a0e9c8adffd7bea494a7f6b2932d3338ca4752895c3e04b16ae7bdee641c534169b02c2afee0212843fddeef9a43986020e5289b850d3ebfbfb6a36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasoIcUw.bat

Filesize
4B

MD5
5ba7e07acf7c1b5e3b27a2b38932bbdf

SHA1
5c5f2885cfee8ab2ee1a75c84af358ddd8e9ad85

SHA256
6bff18301d6a2f69664c8d9cb00e1a9cdeb0b640ab4e56e1b466ec7cc77c67de

SHA512
6005bbf3fc4450717424b39ec2851965bc35cf6635bb1d8a06c8212db652a5e98295d672d2a4d048783f8f33de1bf1e7e4cdb663e92fa0a6fbbaab2cac1a4095

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMIm.exe

Filesize
680KB

MD5
c00ca31e684d2e85a5cbf31a5cb0c250

SHA1
e19ac65a06bf933aca2bdf1fa9c00e13e2764a31

SHA256
b9faca5263e7960c49fc61fd433d35f54c8cac00aedcdc89a316cb6beafabd0a

SHA512
71f5511dbc2b2cfb2546a145c4a5d84cf61be4190f15322c1d2195fe392d7846eea78d76fdb04b3e13a53c44caaba912fcab79e94b7538b63590d6f8618c521f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUEYUoIE.bat

Filesize
4B

MD5
51b1e7c3697a95195d0c197cdc870034

SHA1
a5270606aa0421c9b8dcfa7b7138fc3d9eec036c

SHA256
24e63788b2ad2088f9e07f4b62b10e66598dfc291eacd98129ab87cb62c5aa4a

SHA512
f0b6ea0dffd947e210af82df9139a61c064d0627025fd640dfbe644228580b9074e186f922f7d8dab66d90ab4f01cda591a65ea9f26830a586412a9237653496

Download Submit
C:\Users\Admin\AppData\Local\Temp\usgw.exe

Filesize
161KB

MD5
a78640269fb1c87bb7b03dfb1c2f5b37

SHA1
19b1f7f3dbe0e1d104af825a52397bdbaf9e1acd

SHA256
2cb0996b73be738e96f6991de023bf9bfd613aac7fbd8c21a91df56382330ffb

SHA512
8171c38db83bd4da176d2913c865a9a26d959f1d162fc664f3a39ab1c8a27cfa1bb97c4665364a6b246ae5e0f11fc7bc4fe72267cb8887e739ecca275b7b8209

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEoq.exe

Filesize
158KB

MD5
b7c1bc91e0113a179fd80f79732c6f98

SHA1
10d4ff7a3bed458ed257997290fb426531813574

SHA256
d2d11dbc9489776a2b54a0a757b6dfe9c029f7f73bd5d8a645e436147ced15ec

SHA512
8ca9f291fd236d651f0e8baeb1c5fe805007dc6222c8671571f1685219ff2f5ee0e9a135238855d831cfbbed9abb1f895f661873a75bc0ed6d385b3131354855

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIMS.exe

Filesize
238KB

MD5
8e9da3a11047898a6bb356ecc8c7ad59

SHA1
88262b6be86e50b378e3ba6cb554142a10c586df

SHA256
b394c70130c440110f0518697d4190b6eaaeb77d7f0e65390f4ae8666779619d

SHA512
3d34eb451bfd2b000074fc8a00db9ac2e3e547e4b61564e85b7988b1f5d21e36466340a808bb30f97183a632c9564f0a682d9a2388cfe5e50cd441e8e36d2087

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUQK.exe

Filesize
158KB

MD5
62c6d700db6d1b86f9100c106005c5e0

SHA1
6175e350437e607b6e8e9b5e484a8e431f6de277

SHA256
1e6c79166d8c1d2fcce01bc78af7064c885b47d5dd2e9b76ce098c68e27c72cf

SHA512
075372b7200042090e98b7341bf3f5eab396a8177675e33872b86ac5a9f65445dd32c83fbe942b621868439162a2aec4a3d3dd5bad7c87dd72f449fd85cf6007

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYcq.exe

Filesize
158KB

MD5
54535bb47cd5fefb838da9a686d3660f

SHA1
c0ca2a011ad096ed23b95976182ec5fb6dd013d7

SHA256
16d80855364b849728cfa6875a2bbd80def10f746de4b87d1f024912e2f412fb

SHA512
6ffa06e2acda7e18e9e57e0b27cc53fc8c001ce3777e6f4724dbd900f74a4c068f8333de1bde21a53ede03809b547e6286cf9e81a7593c1c4ed4b4541b2a5bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqkkMcQY.bat

Filesize
4B

MD5
e37f905ae41b472578339e76fa2ce13b

SHA1
80aa50e183f5bd386b9b150824317ee9f3782cc8

SHA256
eac5c476ff15e6f39f1dc15e24d2f89e17cb3b79d51baeff2c0d22a7f4e8d312

SHA512
2d2a71e2f1a73d75c9d964ee723ba5945a44f715f70e1bb05cdffb8f54fae6491938342b5786f61fad6a2ec5ff1b50b1531a64afcc16820e528458c8b5c2b4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsQE.exe

Filesize
160KB

MD5
35a6e8463c5d68aa25b17db89cd89d41

SHA1
b5e148e890bd5e0ab640cb05715202828fbbf60d

SHA256
41f695fa0a44e041e2711cba5a9d700ab6fa4e5ead48791937196dafc4bdef90

SHA512
f8bb46493a2d4ead0c5c6ec88caea5f928ceabea7c23f7b7370ada05a1088dfa07ec9c6c60aa91f6313bcc0a58a43cf75c85fea7456bd9187fec7bd9cc1ccd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOYIIcws.bat

Filesize
4B

MD5
5e8f3475a8510f6a8e9c56ce096fd30e

SHA1
34a353120e2bf70721d4122d2993af81bad1c48c

SHA256
ef3f688a32a85d92bd0439e179cc10b45285ffae62d331f64a714d3b4c23b00f

SHA512
ceada45a332792e7811e00e06e21b9ec4baff39dc5328fe2dd43da45d6da936ab4168f91dabdfb569bbd64f4856b8a23afe84fb1ddc5c003d043099b183608a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xocgcMIc.bat

Filesize
4B

MD5
5d9c6a399faa05e0aebbd1210be1954e

SHA1
87d7a9d09d34ad5ab2d74069d8b668fe2b59f4d0

SHA256
998b53b453f77db0644152629be821e9b572ad58a37b79ec0beae24856b13adf

SHA512
2e2fd1797b2c7dc446590b664050a67565a7bd1691dcab9f82b8f5cf636f60d8371c877fee2a5cc0218322051227036fa624d02e6c6cb6d24551d1cf57049309

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAoA.exe

Filesize
157KB

MD5
c6e6315e04c9d7e612cacd4a44b09a26

SHA1
a3323fa35baba58b81a4f331af1cd64ecd2b5705

SHA256
150c40337889e877d41bab001c2cb5754e2eb3f918274c51b7ece80fa980dd35

SHA512
705dbd65610df1f7e6461a0124ce6dd776577e79a7ba0a01ef782a09e1d24fdec2f9178e0f8f532477698912bedcce5917a7637770197745e3dbc61bf4594bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEMq.exe

Filesize
159KB

MD5
62d770cbb08bedb8712f3afaed9512cc

SHA1
3cde968d82484a52479a2d050ba2afee937750ea

SHA256
e527ed7e8c3d99b361e69cf096f99e2b2feac90ccb6898815fa49be91032407a

SHA512
70fd8e50fc971bc05810c40d5a4077a0a16a78eab7eafa70f2cc14c779dbafbb8cc8f38318db4a2f3fee1673d044efe6562d601e6007677da542c779b6d36284

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIcE.exe

Filesize
658KB

MD5
46b49fb29720341dc59f2d0ce308f512

SHA1
3f46554bea2ebbc213a0dffdbf15c5460dafa9d6

SHA256
d6a48b9f2309ce76d45fede5a3b0ca813619d6073f24b4ce84cbdd1529df267a

SHA512
75cdaefdea767839cbd17a7e79550a75ca98f9f8a5fa81e8d100c66514c6200ef1165a1d76a15f1235c287a585cec011f4c4b803a7b7431bfbe696c4edf20548

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAwsMscU.bat

Filesize
4B

MD5
289d55e011f10794abc82fae10a1f8eb

SHA1
0d1cbd9faf63cb76146a35e118a47c6804355991

SHA256
730b13bbb14a57a241505703080f86667111fbd976feb7c8b5d87955ddfba0e1

SHA512
255e446cd2725b26bc4c2837d51ba7c633f905cf27f7e89d3b9d60f74ed4303fb8967cf731bf8c94688cb962643d88d8f33ff0149d69f19ee0fbcbf0f3d804be

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEYoocYU.bat

Filesize
4B

MD5
b9015fc200f9674ab705bdd05483cf9d

SHA1
b9ad6a53933b63a79e631c6aa931b3affeb12ca9

SHA256
bc6caff87d0ee40667038aff3f9f581a5f8ddf7693d21be0b4c6d09d3b956f39

SHA512
97dbd511c6f953580e99c4647ca33ddf81f64832b41688bef5640e33152681a171858ad0b21154da05f4094dff9719668595c48b1eb5214efbd7fb922794bc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuEAMoUQ.bat

Filesize
4B

MD5
92978e0e18a3a004b72f12349f2dba34

SHA1
2a07a48d0326a59935c03f5213b4ff75ab65314e

SHA256
c3a4805fb52b0210b30c67064d62b33b7e1d71f602027e18b7a49b9456d790ff

SHA512
57e13d120e54c0225a1c31917eec523b31d30ca70d8d2ac02f101892359cd7a2903b687f6bcf1296ee0d41a31ada9e6d9fccbce7c5ebc96211921d40fb73e89c

Download Submit
C:\Users\Admin\Documents\UnlockClose.ppt.exe

Filesize
1.0MB

MD5
85c6db8a4159c22d7c33b18ed55926b1

SHA1
44743ca81f2ae749e230b6aa3ce2f452d1089b48

SHA256
f89b87c0dc6e48b8461437c5a391eff948dd32b2db696898f5db0aed6e111658

SHA512
39a61059b67dd83c1d2a2a6bf46dd400944c308d6540252f882d08137e471c2a5611aced9155f52c0075d069bd746e3416ac6b77558a72c9b318514f2299558f

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

Filesize
716KB

MD5
5ebfd68a48013b68ad0bf6cb20d22810

SHA1
4312560e53496ad8067d4f8be4f466c855383064

SHA256
7c9c2d18ed61e041141b29607d7c1b43a092292923fc3cbe1fbafa6f52398872

SHA512
ab7f9f5bd773910b70feb982cdeb941aa02936d4e65f91f7bcd9b7ea8fe4731c59e7c16d4541d3b6e61d8f0bf8f33953f6354a45fba1fd20b78d0fa7c4499d3a

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\Users\Admin\JUIAQcgk\EeoMscAU.exe

Filesize
108KB

MD5
1d1af10fd06fc22abb31a9933454fc45

SHA1
ba8356ff6afbb8b34860df4a61a436c3a0f66b7a

SHA256
f3fe869748d9efce86b60c87cfc6e04775600d5d4d1a1a1bf4e1ac2e76ed9bb1

SHA512
9693d03b466e500781708f19ffe3aa5878805b64a6bb5306405b5aed99a4871d5533687608a9cadd0c3dfd9c4668c7b37a1e4881f70496e46cac67051ca0acf8

Download Submit
memory/236-1163-0x00000000007A0000-0x00000000007DE000-memory.dmp

Filesize
248KB

Download
memory/340-373-0x0000000000540000-0x000000000057E000-memory.dmp

Filesize
248KB

Download
memory/468-1053-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/468-1186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/484-55-0x00000000001F0000-0x000000000022E000-memory.dmp

Filesize
248KB

Download
memory/600-192-0x00000000000F0000-0x000000000012E000-memory.dmp

Filesize
248KB

Download
memory/604-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/668-350-0x00000000001A0000-0x00000000001DE000-memory.dmp

Filesize
248KB

Download
memory/788-832-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/788-951-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/856-1477-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/856-1476-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/900-451-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/900-282-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/1184-831-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/1204-124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1204-155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1288-123-0x00000000000F0000-0x000000000012E000-memory.dmp

Filesize
248KB

Download
memory/1556-1052-0x0000000000360000-0x000000000039E000-memory.dmp

Filesize
248KB

Download
memory/1596-1249-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/1596-648-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/1596-647-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/1652-449-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/1652-1227-0x0000000077B90000-0x0000000077C8A000-memory.dmp

Filesize
1000KB

Download
memory/1652-2328-0x0000000077A70000-0x0000000077B8F000-memory.dmp

Filesize
1.1MB

Download
memory/1652-2329-0x0000000077B90000-0x0000000077C8A000-memory.dmp

Filesize
1000KB

Download
memory/1652-453-0x00000000004D0000-0x00000000004ED000-memory.dmp

Filesize
116KB

Download
memory/1652-452-0x00000000004D0000-0x00000000004ED000-memory.dmp

Filesize
116KB

Download
memory/1652-1226-0x0000000077A70000-0x0000000077B8F000-memory.dmp

Filesize
1.1MB

Download
memory/1652-450-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/1652-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-78-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1680-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1680-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-396-0x0000000000410000-0x000000000044E000-memory.dmp

Filesize
248KB

Download
memory/1700-395-0x0000000000410000-0x000000000044E000-memory.dmp

Filesize
248KB

Download
memory/1712-238-0x0000000000160000-0x000000000019E000-memory.dmp

Filesize
248KB

Download
memory/1728-77-0x0000000002280000-0x00000000022BE000-memory.dmp

Filesize
248KB

Download
memory/1772-1343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-853-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-760-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1880-1085-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1880-929-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-307-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1896-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1896-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-759-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2068-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2076-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2076-671-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-10-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2080-17-0x00000000003B0000-0x00000000003CD000-memory.dmp

Filesize
116KB

Download
memory/2080-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-6-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2080-306-0x0000000000110000-0x000000000014E000-memory.dmp

Filesize
248KB

Download
memory/2080-305-0x0000000000110000-0x000000000014E000-memory.dmp

Filesize
248KB

Download
memory/2100-397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-428-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-101-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2208-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2208-283-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2252-454-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2384-1478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-649-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-782-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2440-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2556-100-0x0000000000120000-0x000000000015E000-memory.dmp

Filesize
248KB

Download
memory/2568-1258-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2568-1164-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-928-0x0000000000240000-0x000000000027E000-memory.dmp

Filesize
248KB

Download
memory/2612-1428-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-1308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2660-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2660-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2680-1479-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2680-31-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2696-360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2720-202-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2720-170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2748-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2748-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2916-550-0x0000000000160000-0x000000000019E000-memory.dmp

Filesize
248KB

Download
memory/2916-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2916-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-215-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2960-1392-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3040-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3040-1393-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3052-1307-0x00000000001F0000-0x000000000022E000-memory.dmp

Filesize
248KB

Download