c4ada8628f591a551e8d3eec090bedcab90c9cccaae9e641d8a57e80ab3cc307

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Size

117KB
MD5

9fac3e4225b3aaacbf2a59a2bcffba00
SHA1

252caef9b62150eee9a7d83db7d68f7355e62216
SHA256

c4ada8628f591a551e8d3eec090bedcab90c9cccaae9e641d8a57e80ab3cc307
SHA512

1489fbbf331476dc673791835f921f44f3cb5a2f37fb3762787927e3620a019645df9c9e23f0457b3aee8761966b8eb1d434fe2f718e0c7edabcfb5f44eb2d72
SSDEEP

1536:zcUhcQHa9YT9d4tl6xKYfx0CnMOYWzxbZKIM7URtQK2WxnnvV3gwyIDwo:zDLHZd4+KYf6CMOn7YK2SvVwID

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	cGAEkwMg.exe

Executes dropped EXE 2 IoCs

pid	Process
1600	cGAEkwMg.exe
1212	pkAoUoMk.exe

Loads dropped DLL 20 IoCs

pid	Process
2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\cGAEkwMg.exe = "C:\\Users\\Admin\\UmkgUYwI\\cGAEkwMg.exe"	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pkAoUoMk.exe = "C:\\ProgramData\\XqsIUUEo\\pkAoUoMk.exe"	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\cGAEkwMg.exe = "C:\\Users\\Admin\\UmkgUYwI\\cGAEkwMg.exe"	cGAEkwMg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pkAoUoMk.exe = "C:\\ProgramData\\XqsIUUEo\\pkAoUoMk.exe"	pkAoUoMk.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	cGAEkwMg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pkAoUoMk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
844	reg.exe
2504	reg.exe
816	reg.exe
1928	reg.exe
848	reg.exe
2808	reg.exe
1900	reg.exe
1448	reg.exe
2040	reg.exe
2772	reg.exe
2488	reg.exe
2632	reg.exe
1920	reg.exe
2536	reg.exe
2532	reg.exe
2032	reg.exe
1804	reg.exe
2744	reg.exe
1868	reg.exe
3056	reg.exe
2868	reg.exe
2864	reg.exe
2852	reg.exe
2912	reg.exe
1756	reg.exe
1436	reg.exe
1124	reg.exe
2340	reg.exe
876	reg.exe
1188	reg.exe
1552	reg.exe
2496	reg.exe
2148	reg.exe
1668	reg.exe
1808	reg.exe
2908	reg.exe
1456	reg.exe
2028	reg.exe
1612	reg.exe
2916	reg.exe
2752	reg.exe
1324	reg.exe
1876	reg.exe
1584	reg.exe
2188	reg.exe
916	reg.exe
2604	reg.exe
1992	reg.exe
1440	reg.exe
2860	reg.exe
2572	reg.exe
2344	reg.exe
2784	reg.exe
3040	reg.exe
972	reg.exe
1440	reg.exe
1308	reg.exe
2316	reg.exe
2504	reg.exe
1944	reg.exe
476	reg.exe
2968	reg.exe
492	reg.exe
884	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2700	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2700	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
780	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
780	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2148	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2148	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
816	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
816	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2324	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2324	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2864	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2864	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1952	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1952	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2712	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2712	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2480	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2480	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1912	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1912	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
836	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
836	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2676	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2676	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1896	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1896	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
780	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
780	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2268	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2268	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
616	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
616	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2848	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2848	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2960	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2960	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1436	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1436	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1756	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1756	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1440	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1440	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2288	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2288	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
812	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
812	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1488	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1488	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2768	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2768	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1900	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
1900	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2776	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2776	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2988	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2988	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2924	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
2924	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1600	cGAEkwMg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe
1600	cGAEkwMg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1600	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	30
PID 2532 wrote to memory of 1600	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	30
PID 2532 wrote to memory of 1600	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	30
PID 2532 wrote to memory of 1600	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	30
PID 2532 wrote to memory of 1212	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	31
PID 2532 wrote to memory of 1212	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	31
PID 2532 wrote to memory of 1212	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	31
PID 2532 wrote to memory of 1212	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	31
PID 2532 wrote to memory of 2272	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	32
PID 2532 wrote to memory of 2272	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	32
PID 2532 wrote to memory of 2272	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	32
PID 2532 wrote to memory of 2272	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	32
PID 2272 wrote to memory of 2256	2272	cmd.exe	34
PID 2272 wrote to memory of 2256	2272	cmd.exe	34
PID 2272 wrote to memory of 2256	2272	cmd.exe	34
PID 2272 wrote to memory of 2256	2272	cmd.exe	34
PID 2532 wrote to memory of 2752	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	35
PID 2532 wrote to memory of 2752	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	35
PID 2532 wrote to memory of 2752	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	35
PID 2532 wrote to memory of 2752	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	35
PID 2532 wrote to memory of 2772	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	36
PID 2532 wrote to memory of 2772	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	36
PID 2532 wrote to memory of 2772	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	36
PID 2532 wrote to memory of 2772	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	36
PID 2532 wrote to memory of 2864	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	37
PID 2532 wrote to memory of 2864	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	37
PID 2532 wrote to memory of 2864	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	37
PID 2532 wrote to memory of 2864	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	37
PID 2532 wrote to memory of 2860	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	38
PID 2532 wrote to memory of 2860	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	38
PID 2532 wrote to memory of 2860	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	38
PID 2532 wrote to memory of 2860	2532	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	38
PID 2860 wrote to memory of 2656	2860	cmd.exe	43
PID 2860 wrote to memory of 2656	2860	cmd.exe	43
PID 2860 wrote to memory of 2656	2860	cmd.exe	43
PID 2860 wrote to memory of 2656	2860	cmd.exe	43
PID 2256 wrote to memory of 2616	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	44
PID 2256 wrote to memory of 2616	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	44
PID 2256 wrote to memory of 2616	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	44
PID 2256 wrote to memory of 2616	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	44
PID 2616 wrote to memory of 2700	2616	cmd.exe	46
PID 2616 wrote to memory of 2700	2616	cmd.exe	46
PID 2616 wrote to memory of 2700	2616	cmd.exe	46
PID 2616 wrote to memory of 2700	2616	cmd.exe	46
PID 2256 wrote to memory of 2356	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	47
PID 2256 wrote to memory of 2356	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	47
PID 2256 wrote to memory of 2356	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	47
PID 2256 wrote to memory of 2356	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	47
PID 2256 wrote to memory of 2088	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	48
PID 2256 wrote to memory of 2088	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	48
PID 2256 wrote to memory of 2088	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	48
PID 2256 wrote to memory of 2088	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	48
PID 2256 wrote to memory of 2504	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	50
PID 2256 wrote to memory of 2504	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	50
PID 2256 wrote to memory of 2504	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	50
PID 2256 wrote to memory of 2504	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	50
PID 2256 wrote to memory of 632	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	51
PID 2256 wrote to memory of 632	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	51
PID 2256 wrote to memory of 632	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	51
PID 2256 wrote to memory of 632	2256	2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe	51
PID 632 wrote to memory of 2968	632	cmd.exe	55
PID 632 wrote to memory of 2968	632	cmd.exe	55
PID 632 wrote to memory of 2968	632	cmd.exe	55
PID 632 wrote to memory of 2968	632	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\UmkgUYwI\cGAEkwMg.exe
  "C:\Users\Admin\UmkgUYwI\cGAEkwMg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1600
- C:\ProgramData\XqsIUUEo\pkAoUoMk.exe
  "C:\ProgramData\XqsIUUEo\pkAoUoMk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        6⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        8⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        10⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        12⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        14⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        16⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        18⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        20⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        24⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        26⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        28⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        30⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        34⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        36⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        37⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        38⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        40⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        42⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        44⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        48⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        50⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        52⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        54⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        56⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        58⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        60⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        62⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        64⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        65⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        67⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        68⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        69⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        70⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        71⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        72⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        73⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        74⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        75⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        76⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        78⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        79⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        80⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        81⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        82⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        83⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        84⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        85⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        88⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        89⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        90⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        92⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        93⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        95⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        96⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        97⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        99⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        100⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        101⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        102⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        103⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        104⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        105⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        106⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        107⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        108⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        109⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        110⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        111⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        113⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        114⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        115⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        116⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        117⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        118⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        120⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        121⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        122⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        123⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        124⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        125⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        126⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        127⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        128⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        129⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        130⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        131⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        132⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        133⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"
        134⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KocAIoYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iogkAIcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        132⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gIcEEwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        130⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OaoAkYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        128⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mMkAIkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        126⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgAQwwok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        124⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkcAkIgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        122⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rUkooMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        120⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RKQIIgEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        118⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SCEYMwUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        116⤵
        
        PID:492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\icYQIAkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        114⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ocMEwIkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies registry key
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMsAYsQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        110⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCAIUwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCkYIcMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        106⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fecwQkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        104⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIswYkwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        102⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fUoYUMsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        100⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KOYUUgss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        98⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YgUoEIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEkccEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        94⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kGEUEMIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        92⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JcwcUcoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        90⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkIUoYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hSAkkEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        86⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ricksIkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        84⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yiYQEMow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISgEQwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        80⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GiwAQcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        78⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kacsMMAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        76⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aGwYogkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        74⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fKQYcQUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        72⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEgoEMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        70⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XyEQoAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        68⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rkYoYUsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        66⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YOEEcIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        64⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\egYUEUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        62⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmUgcooc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        60⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IwgMgYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        58⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GCAoAsIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        56⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DsQcQsUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        54⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fmwUwoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        52⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jaoQgMkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        50⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYUAUYYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        48⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KAkYEMsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        46⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KEksEwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iYwwswwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        42⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Nicokckk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMAwEMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQcsYoYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        36⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vggAAUww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        34⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AEgYAgEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        32⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSkkoUUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        30⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sOoUIUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        28⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\waMoQkcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCYwwUgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        24⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lOAksoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        22⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vIIokMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        20⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\paogYkok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        18⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MCAcwgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        16⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEcYUMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\awwMkgYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\maYYMQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        10⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EmoAgQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        8⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1984
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1324
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:332
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:532
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEQsUowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
        6⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2140
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2356
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgwwwMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2752
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2772
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkAsAAAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
157KB

MD5
89ca08fce6b06d7c7300d4908ae1d40b

SHA1
256275690a8cd583192b465ffc783ccc7cdcd11e

SHA256
4deb19e463e422d64d5e611d15ddb81f15c533809e1de683649ef93a2d3a9c5a

SHA512
6fc50d15f134758342361f8b4b56688930593ad92b0e7e4b2b7e1ef6baeef377a5bce9f9eda44f3a237ca578207663d48486ab2419db33d1ba71d9984f6ebbfb

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
157KB

MD5
2eb550299b5b5abda3f3ea8adb222bba

SHA1
077e8355f63ca0043cb977c4758f48c077a8c931

SHA256
211619bf49a924c08c9428374e68008c47c3ba0661b952cd2d621c33e4bec657

SHA512
d4bd1643b791c58f5fc97cc184e5453a986e3f0ea062e96254cab7c9163272c132764d22d3787bb51d133d21b352a1d646a17dae21dc90de9f119a085172d8fc

Download Submit
C:\ProgramData\XqsIUUEo\pkAoUoMk.exe

Filesize
108KB

MD5
26199788df95d372079b14640839c5f6

SHA1
9540512d8cf7eb018f50660d21dfa5b5ef9e116a

SHA256
1e4360fff2c863a025e96f561a769412ae2bbf76cc0231d060708c7120d02c9a

SHA512
c334ddde040a92b8ce6d2a7546fbe37d8056a4de7be5bf898042aa138b6b2b8519ea82af29ba979e77109b53512054a22728a245b38369e0e2504250aaa57b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock

Filesize
7KB

MD5
7b96834e1052bc1779d35e027b0f719a

SHA1
6d56be801edcf9bc449473784d7b2291939039a8

SHA256
c04f54809574033ba6dbadf3e94017ceaf9adf5de7d3e5c74650bca0c34ae947

SHA512
32f58556e886156ace18c5fb7e5675cbbd041e2c03e50c3666827c5b95eb0babd6bb16bb4606c260fbeb7bd44fb4bb1ca511648584da147d7970a3f284bdd4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgAm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwwQ.exe

Filesize
4.7MB

MD5
7d3593c1b062a6deb454fb9bb2f48d80

SHA1
84323f51d7e69ce8aedc8fe99099fef0d4f6c96a

SHA256
c73d3ca87595d1f3d4eb4d4388d719c4f67f9c61534c84e727983000133310d8

SHA512
5b02b585461063b0db48d0ff630e65f8f67d08bf4e0ab36bb7db167a8d750d6bddd6ceef2ee478767265b3423333e051bffcfeaf76fad9b83f169502aa73004d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsUAAQYc.bat

Filesize
4B

MD5
f193a1d03b09c16e777a35949d6bbe12

SHA1
f27b2aa3e370cbfe18eaf5936433809443022cbf

SHA256
10eaee96255c97a3b641e073b5124a53ce895cfe162e578c6be72f1577190837

SHA512
27e64d9db4b627279be0613d2d724e3d751a73b84d595fa46c76cc78826855dc2c4589021502e6e67903917bec1f2df895fa54c4fc8db6be9e089be7ded0640e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEYYAYAM.bat

Filesize
4B

MD5
72b9fbf1c1ef3d5665a69c8a42b56bad

SHA1
de2719263e5eb96d33b691bfa5c6847d1a6f2d8b

SHA256
60d79289a8d9803c2b49c70114fba0722e49a125446f49345f541323df198b1e

SHA512
ba20618c7fae0a95485ee2f827033ee9d6a976947212126d74af969ade05bd8bb6a42e3942d3472ca41313009bcb9dc4e22db65bd248ce62964454c394eda534

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcAs.exe

Filesize
157KB

MD5
f5956abcd1070541ec937e88e2fa8c5f

SHA1
3cb94cbeb9a2132d49bed2e647d8c1221b6e918c

SHA256
df35bf093ba98268b172b9183c3bd93156d7b1454d2e601ffc51b13a1320ec36

SHA512
8849f3c3ed0183afd7cce4ed9cf126b97d68d63981ac027e6535cc8c0e0b02078a16622eb9c8837ad9064e4658958dc27c2b8edc922eca0a13e3fe22f3822c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoUC.exe

Filesize
158KB

MD5
9b9c64d7155b2cb63229e59c85159403

SHA1
0df466ec13a715fab1967fac0f2f94d3c2be103e

SHA256
c1c2239dce1c4c6a8f53de37b61e93267769aced496d24e82c34aa78d0669acf

SHA512
c8dfd4049642b954f8d2c0178cc497401087142c8915d0550100f7302cceb61140074698ce453f99b7e897a97add44604be0c6f64e0df4ec8cbfa2e63a50ad8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwEY.exe

Filesize
138KB

MD5
efb408fee06b0b989b2b02845883e52c

SHA1
6febf51ad6526aa397cd69bda7e1a4f8baf10d2b

SHA256
107ba698c1e9198dc2a83ecfd516824ec634cab40ad2b371b524a69937f767e5

SHA512
5164faad4150bd64361542d198e20b5c16924b772adc0123e6a276255575bb39c741b98a028d2d4f60441472adfb6ec906bf9838dea55d24d2c08be0c43c5e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DysoMoIg.bat

Filesize
4B

MD5
dc7cb6e4f80c7b26c5108d53083db065

SHA1
fc2741a85fdacd2148bb5a98ce42e1e7056ffb07

SHA256
de40d2ccbbf0eefe5169310fcf1251f016bf682fbc0aab3add914640626edfd9

SHA512
3976982c286aeb64f1f13b29937ab470ba5254242f536a9ee97a0dcd25a95fe96e9bb0074cc8b5ba9b0375fd837caa1ca381a8f863a1abf27f0f016de4c03020

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMok.exe

Filesize
157KB

MD5
b66b7b5effcdb3bbe74e0cfa80bf2ee9

SHA1
987c8683601f25134183f802aa9818d376193e3f

SHA256
8647c963e7f9c077eb11dce2b025f8e9b065703e28251bccae59aadac8bbd452

SHA512
dc22de8b1e8560ef4315cd75a9d87716f5309d5e35f7cbb421de542a50dbe0c3c3195f2cc4895609b5446399546fc028e032113337fddbbbfcd408df37c77f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQsi.exe

Filesize
158KB

MD5
49608486fa09f2c172d5e6358b082e51

SHA1
10d0b7e56bae180baddd6b4bb4b580508ea6b918

SHA256
5e97324b4a1167746ea7a4d9ca59ab25b259db2892514cef4cca3db6f867f823

SHA512
8d5304ff7ec85acf9e8e667e92b9898676d52533f68e56a5277e648c2715609fc942c6fd89b98f977dd6ed389d9816c0d2f3890b238daa464964670ed7a8ce8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYYC.exe

Filesize
159KB

MD5
3436c9563cc73a318cf966e0b830bf92

SHA1
36b585e1544c8caac1533251fd83b0dd2c2db2bb

SHA256
3f092159bcea671db57a8a5f8bb5e319eb70b7339d80cfc604e261f3804733d0

SHA512
ab003f09a910b1ecc135561e5434eb85c710680616ae48b9f914c92d7cb151050aa0e3bec1bf8a3f24bf44c117d56b9e91d25ad94ed01fcdb0ae70c544ec1c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwUM.exe

Filesize
995KB

MD5
efb81eb3543c6885eb532bb394411b04

SHA1
2006231b3ac2cb9a66ab5cc81e70068c29d1cb62

SHA256
0a54fa49717221809b65263129d8dd5ae979200447a08dab6f61a44f6b67cffb

SHA512
ad8b499a2fca961e00e0eb54fa26c563176d11b5c44d9c63d0412056f0f5f7d70b49a355a9b2919d1a2b8cf1f889e2cd011687fb0148b94ba5a71594792fdd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAwQ.exe

Filesize
580KB

MD5
ac9f8f65f401ca4cc2144ecbb14c759e

SHA1
6cd414a548810d4d5adfa341f2a31ed387c0211a

SHA256
1905d403270571cbdf29a8030dcb4f504a048a958e131d6f28702b32693b5400

SHA512
3b20e6e5a80148a97bb80204705ffe5390d5398440636de0626d2676a621affac2d98f45ef947ef0fea2981d9909ed0fe72175841c23e16210b5dce74978a7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEoI.exe

Filesize
159KB

MD5
14baece4def9c1b2eab841470a6c2168

SHA1
9409073c7a33ab64bbc00dd79035eb6a17289195

SHA256
dc388c63bb635703632e0bf866bf78e17e31461aba745aa5855bf3f8782bfcd9

SHA512
f2c841a3c7a2acea50e3683befac5e95d8ceb6a3e19d3580182ce2ef82fdbc8dfea1ba645ed266c51dba49e4ec5c87e4fd90b746eafc7989b944969cc2298962

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwAs.exe

Filesize
565KB

MD5
688b3971bfe221a75447f3b112473bde

SHA1
132637a1b2b1348517902df989bba8ed7fac411f

SHA256
463836dc8df9ca80e1ec64750509a39eec39073f9bb97fe449901f8184a84998

SHA512
962ad7c1f99b0f4f8abd327ad3983efdd1687fb67eb9a22a00d3fd1c05b59515b77992ecc7ed62a02d5c85632b699630623a9c09072f3fbde08459b107cef47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgsY.exe

Filesize
969KB

MD5
3886817b9f4eedafbb75ba609e89fb9d

SHA1
7cee9f8f2fc44b420636c5865292ff2c8eff35c9

SHA256
cca3fbfa597a5cc3ec320380cf69925cee3ba9c39e85ac7c0332cdd26dcf88b6

SHA512
cd98b08e0087b8fae3c2e4e3aa749f8fe6e80438602908ec15bab17f92f85250fdf976d23e9c9688925541c222c4de95a1e5ffda86467ccc542186bb7b2f02ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Isce.exe

Filesize
158KB

MD5
b7282bde8d4b82453869483e262e6544

SHA1
dd5170299377587a1eaf8e3241199717787a8014

SHA256
d9d24e6f837ffbc0afe0f3b179ba1035535f05b4bd113eba7cdf8fff7f8bf09a

SHA512
c943f804ff4fe166e7d513520c69520bef12f4a04761a802e789338bd0c6be3b548c44a3330f22a8c56899dc7208c2f1af7a27f57fadc9863bf4ad24aed19f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Isgk.exe

Filesize
157KB

MD5
8784263cb4605cbba6148baa63d049cc

SHA1
04518326efea3eef5c897fd3caefcec21b6a6e68

SHA256
dc181e07beb22fe2f11dd5ff85fc1dae3febc30d76ab14cfe7738e6315a7a1a4

SHA512
38f883e5eaf3b3c9a7a6c706c7554a560db656608af6f6c71142aed8ad3ddadd7c595de1c3890f90ca4dc216f80f397119f98781cfb199e37d6beb62b05c68b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwMo.exe

Filesize
157KB

MD5
bd77f7d8d3172990aeb01d1c636717ef

SHA1
4a63016e488f994a4fcd2fbf536d7c03445dd742

SHA256
58d8b8cebbf07cd997123edd9cc586a61bccf882cf03acd3bdfe0f099cf3f761

SHA512
7569be9c09aba5fa30134a73e666f59f7df89909a9a59968b691d4f85b8cc8e7252a3f744e2d32ac834b95815cab48d881b962225804903c6f00e6a278b5603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYQcwcww.bat

Filesize
4B

MD5
017b6b8795ff11b82bb3f327d8ca1d58

SHA1
350088b32c5e18944b1b8a8d3d24c6b8065b4099

SHA256
d2944e022d3f5f3b79e4d78ea4b27af730fe37b9cf8baf421be27df4ac68b21c

SHA512
06fd6ff38d3f27e1ebafcd9aebb2d722eb7dfaed0b0171dc32aedba6892134b64be36d65feadb41b5321a6233e5f21396c6c4b660c3e0e7a78ceea801afaf4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\JioYYgME.bat

Filesize
4B

MD5
9e5c4850beec5159092ac9e9f56e9415

SHA1
fda56b5b5832988f6bbb050b1d9a73cb834521db

SHA256
7120e98f74eb07a09f5da12e5f631b3d32808ef1ed68f1af4227dbfebd9f20c4

SHA512
979f36175c3f4ee3171b9f7e2de3aa4160b5d32065f87affd353c484d75585f480e4543f102bb5896be275de74b702668358781cb59d8312d71b589b7eb8f1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAwS.exe

Filesize
156KB

MD5
84d74a031284e5d72f7c71501f302ad1

SHA1
21cf55e2dc6a2f69832c4104d382a978b0576b08

SHA256
67747802d933a93fdb6f9cc1b361bec804e9f696b11b0db9e28e33617aa60888

SHA512
e50d46a4c9d7d03e690468253e6af976aed400ecab3f651e5677f096f695a486c88747039a46750cb785996c0973bc2208d5656aa3a0b0baa8aded0f4d06874e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEwU.exe

Filesize
137KB

MD5
52b5e5ec9aaa5095609228c9ab8348bf

SHA1
4a3ae2df1dad8082233ff09874be993ae1391e60

SHA256
9e948dc489996708ee2a9c1a63f26038b22b83f279a3fa6ebb87c1143384c2c9

SHA512
a74f15967284b800139bf3d24265afed8544904e882f2818b072e93fb5d8faeee81e70dbc78d725116406cd14388b7d97b8a517728f7ba53ddac066fe7724538

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIQi.exe

Filesize
159KB

MD5
ef8d361584ee76594206ab7d67d76c78

SHA1
5d129e598c23a8a6e130a97f5a7db9304af1838b

SHA256
53ec2aa364404000db4f222dd2a7541be246e7b3450c39d8cc4d55183391df19

SHA512
329f7009a2d423cbf743201bc1de7f540166cc8cee1255369f7eb7818219b57fd7e0b7a71c95410b307e1fddc3bd7a32f784858bb2bdf230a32e5abba5738c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQUY.exe

Filesize
159KB

MD5
f0f617b9b222c5de7ababafcfb497e64

SHA1
e743afda3a03f0f49b1796ae2dc7d9738e90725e

SHA256
aa8d564c4c146f0241797263792a42f4057a2596f78d72a7a9f1fc8dfc6e5e49

SHA512
5da91481f7bdb13deb40581eea55403ae50580ed2700763d3952a334b6fd8d386c0106915e9eb9db835d4f0f71b972c2f9c76a4422b33f0a97dae1847e1709a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgQQ.exe

Filesize
157KB

MD5
8bc1c3cda2313d06784e2e96fcc7ee43

SHA1
d15b89cc82e2a1c96c8d3b77ffccf64a924a352c

SHA256
2ae08d29146c5d65588fcc94f111d823be3a5d8f656d84e93c17d077f5c9e5e7

SHA512
a172049c6a7dfd52c86eb3b5d8150e94dc6a22a3a79e58bf4585a9445064a133af22aaa7e707a010a1eaad7c32aa2b53e52605081e438fb610689ad3ddc4d295

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgcsgIsw.bat

Filesize
4B

MD5
079530829d542971d21a0331329bceba

SHA1
4589d98a6c160c2a5265556efff5a7b6d7c23513

SHA256
42fc13617e001484c4a3716b8ae33beeb3bb8f620ccf6120d2d62e65fcddef51

SHA512
fdb1ba47ee715f22c08afcd90fcf14fbee2ad35cec7ac3111f2f2603431de3fed2890e350b89097e1a0890823cb16a120cbb8823b240b51bd6cd59a231c79690

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkoAcEkk.bat

Filesize
4B

MD5
88f659b1eb1390f989bc9ae0920cf841

SHA1
abb4a6bd85f140e767be5b24b848d4bc97843dad

SHA256
1bed415bcbf8d7c76002ef84e5f4412f42f1399ca0075552bcd27c0a8e4c13a0

SHA512
078ef1a5655623a016cc3b120a94327adba0505c852b18f1d9267a36f21081ac8f9c5a6a222e477b87e37cc8b012b857f4668cf48dd5c531f14e77e2517ad0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsQq.exe

Filesize
158KB

MD5
fbafa0e5bfb2c36d9176d0648cecf4ac

SHA1
341cf499c242b2b7aefd7fe33f212f2fae030407

SHA256
8ebd024e1cdacf6f7e2619df31b984a8b12be1610cafaa6627360b312026bab5

SHA512
3165db5fa814484d752c1a558a856a1dd4934579f545f0b84a6d31b5a9446077cf2df6f9091492f3bd67b2728c171b8806bdac8ba38b294fd30b55e3127d227e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LCcocEMM.bat

Filesize
4B

MD5
58615d8a9483956288a4e27f1ca889bb

SHA1
969b02348513de2044aa8befacd58cb3c6d613be

SHA256
0f9aadcbcf739f6f641e9e5f97b52361f298b53fe819d3d28b4e1a418dd9984a

SHA512
d010edbade5f02c85ac201f3bb5c76fd45b552ec24e23f49f62fef8915a79fc43e1408e52f319ebe31c872ba7c58a1c9e6714694fb9ac18c719bd1a538b42a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\LuoscAok.bat

Filesize
4B

MD5
4ad441188a1bcd59fd833cd239197110

SHA1
c8fe03a8d09a4502f9badd2e23974257e0753dc6

SHA256
b4a90583e1badb97ee3754083346262a07741c105bd006d99bed172935d23666

SHA512
a3401fb28305549c50955d4dcdae0901916a328bffb14330bb49d718e0d620618f483bb7810c0a23dfe5f97ba6c72027cdadd54f5befc8b838da17f07830576c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEku.exe

Filesize
157KB

MD5
13050d51aed27381c324babcfd96ed99

SHA1
4c95b07f88afc6385103b653eec0f6725995cd7b

SHA256
d91b63ed4aeeb91b045178d2f8fddc65678221d0257b42fdea5aa1fa1823d46c

SHA512
5f229a44d530983799b8c3c7fdea18047db0818a880f5326db95559ea36d6b8d0a8c9cd1ca3bd4e8363cab51e1f9890b19a9ca9bf6ca867a8ee522eafc7bde54

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUYI.exe

Filesize
4.0MB

MD5
2d06c6f091929bab5c54aa9f3e5392de

SHA1
331fd1793d3216cd839eae37715fbb4d6359b580

SHA256
e7f2476ea237e8a664b508d25c252555c68282532faacd881b2f2c647e4df467

SHA512
64f2f43ecb65eb7fa0b61ff5a30f22f68db0c7437e957ed3af0bd3f8bfa26a5ba37ba59d19018e8db105bab38ce09c65d7581a94a3c97283cf8312686f049119

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcwi.exe

Filesize
149KB

MD5
ad26f1c84e0dad28a90df1fa953cbc39

SHA1
0990c1adedde52f808ae5a8ad36ae9346cad3590

SHA256
d7fa5623a6f5d16782e223c0b54e5c2670ed77f0b9cb05e8a4dc9279bfbdce8c

SHA512
d2d26233ba482a04399674e99fe9d3d6063ff988d38594843bc2be684143f67db6e955869e64ca5f81d8a71380277613061094e436bf57cee8cbeef581f4a9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgQa.exe

Filesize
160KB

MD5
7c5cec14a22f286af5d2ef3e5286f8d7

SHA1
d98caefaf97fcd86b92e2e9b5d53a06f727e030c

SHA256
46a1956d901d0850da1d35aa334b0e744a90535222f30df80e0feb8e6b6645bf

SHA512
46cde637c6b6a7542ab3a19a91e1b8a40c07c58546d12ed032505b419ee02a3566d411a6695804d19b6069f3cbb51657fe6c1787d42894db4e4dc9eee6f63b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoQU.exe

Filesize
158KB

MD5
15eaaf8ce5bfe0ecbf79aa8dfae9eb1f

SHA1
f981acbde5328173ac3c21d097e3136ee4e8680a

SHA256
9e6c9a7910f7d46cebc00cf17549b460f74682a2cd8ce559035dfa653f96e635

SHA512
c31134e2bba8865cae4d652e993821ebcf3c9ecc040bc7ea050a3469689626668fb261759a31ad7d31e2d8d3413fe0d32c1ea35317f733022f7c88b2ccd370c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsgUcYYg.bat

Filesize
4B

MD5
5b146230fd33cb3fcd1f77234bd21089

SHA1
a3a1332cab153f8d3b7e8aab043615c0ddebc23a

SHA256
55b2edb26fb45c5d12257ba700369f56a9a9240312d4a63a92097f4e25d0006d

SHA512
36fb8af2d56549fcb92a21744e893ddcb6a2522c5fa8f51dcafa12f31fe762a5495657b8676c7b0e39c044aa8387c0f0c78326ef0b7b3b8d0dbe89f684c1537b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwUa.exe

Filesize
138KB

MD5
6c220867d8577ff32e1384b16e56a0cd

SHA1
35babd1bc3ea67af409ee3cd92eea99b51a4ed21

SHA256
7a2a12213e75b597c6f2e49359d736242d6ada32c4f78fd95c65fadffc3c767c

SHA512
003f7bc177447079f4a9642dd7898520be59c1bce878a99a6b64f3a9c13d9866f4db80c42c55bec0382ba5912c2d64798d26386b516c5dec5f42341d8d3df0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mwkk.exe

Filesize
158KB

MD5
51bc40f18218d2cfb301fc9ffb9a99e9

SHA1
9df2a18cd17b744d8b711402c2fd2542034abdeb

SHA256
68966e248062a1592b1e74f79c7dd9c01532f53de400494b5f41323f0b788136

SHA512
9a80152cc01c721e0ad0880f5bc3cef4ee03dc34c4cf481c01777f7c5af757e420072b87a918f06157210ed47478e16515da6d81ddd60483fe3bf8982dc42f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NsAIwwMc.bat

Filesize
4B

MD5
b2521a892e167e8f66d4bab8387c2594

SHA1
6673588c5c8d1e28f6f3c05aa382402a0cc5a63c

SHA256
3cf8be16ab6a29c83e5e1700597b0cc98bb60b009b41cc57700cf769354b5724

SHA512
ab2b47f581cb107ca6cee943ab7db07c45c93d0720025846edec940e71babf744f58943930b98f0125265f1ccd5d590a0a514e74f7310baad54701880b617dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAAM.exe

Filesize
691KB

MD5
365e4c543bef107cd263538e0c67462e

SHA1
548872288f282934fc8206f589feb93f0cbba268

SHA256
cc151e04a4f045fe2e0ebb05e613d8f8b2a4b041c6d429e208cb1c3b105c6556

SHA512
6114007ace4a4ba087b040d9cc5efaff943dc46118fa4524e156e3b931ab2a94b70fa68936b23639a6b85d7bf9361a6f0852ced7ae8ddd65c36ec7447ab7c21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OSAUoQoc.bat

Filesize
4B

MD5
7669e2136e900a3534d275fc27a78f73

SHA1
c4aba0e24d06648ab61dd9fb4dab7ef01438afd3

SHA256
60015c5bf76e5deb29505b8f36574f5e0ab5e92198506605b0d08688efdb18b9

SHA512
4f80cb39cb11016a1221e5ed70ca5e7d6eb556893037d53b0758fe28acf5c1f03f0df0926480f9e44de0748de943c14a46a1175e6430ce61e9acbda33ef65c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYoI.exe

Filesize
158KB

MD5
195cf34e1611748d3a88e9e8d8c88bc8

SHA1
49313ca2a7a8741e4f23d4075140c806262d6dc2

SHA256
1d473c96a8c4666278435f6954f84fe0e18cf58571bb805a2c783259b32503d4

SHA512
0bf0a305d43dd409119ac2f3bb7400bcab0f1dabb8970b88a5a6762f78ee5bcf619202204e7ab895b110ae42e291e983611b21cc439d232d14feec639557a53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYoo.exe

Filesize
236KB

MD5
2e51578db75b8fca5e30bfe3aab6f60b

SHA1
4e9600df04ac725a3564192c8086e01865a21a69

SHA256
56f722230f9b29dba3689ca3574121264e70d9bb617ef1f06cacbe745c19b5d0

SHA512
4e159a344ddf0b5d449c2fd169adfb7e1486c5e99dfe93836314252dffda68f2302878fdb2600f6d2d5f144e1dc1d9e3c592886485f90d26f7f76d99092a7de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwIW.exe

Filesize
159KB

MD5
74144f4d30484f63df70c0a7d5ef96a6

SHA1
0a0fe0094dc2aa258f29cd72be8db8fbc9d57026

SHA256
c564a33930c5c50a583bb78e7be91be93d7d6c435fe059b73f5c22c14152b100

SHA512
0381e874e875505c80b9314bc7b8bb49e24565555fcfa3d85ff0f5b01c38e8811ed38d881afe6180a98a52613b517b75ffaa98acfb31e5cae3182b6329fb1c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEAsYcoQ.bat

Filesize
4B

MD5
da7ffa79f1db17b096dc8e32c6240118

SHA1
dcc405c0e0fb3c29d7f098fe15602e04b409c13c

SHA256
866a896dd9b608347228077a67d236d82440f809eb9599d1a43082683ff07821

SHA512
36bf9249b8b3632e87538ef737903e55434b870be3e31f11c13c69d8a80525e8d39e5e53e6862dd23ec19cafc08839f16d56d3668b7d480acc27cf075fe25a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMwAsQgE.bat

Filesize
4B

MD5
ca27cd6094338c129b16ceead52c55bb

SHA1
c55c80f6e719bb8c2db6cc79cbfa0cf57357ad1e

SHA256
e75c7432cd7db23c5c391e63fa5a78e59df3eb3ce9d00d41bded11ee21c3e393

SHA512
ec4ec9e54ad282684354cd2652cbd34c3dded3b8360d063468a46c5cb731dcfdafa6e82d3487057af6542d70710085f041a261d97db799c440a61b86181c1472

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUAIgYIo.bat

Filesize
4B

MD5
3c2f0f499df48286580eda06a5c27484

SHA1
08cccd592e07a46e8686667507e0d19f70ee0071

SHA256
846efbdeb5b220b553bb573df814895649d2eb6d42d44abccceeb4075ce49661

SHA512
21883070f00091cffdcdf9e175bbb7d13e84771d6d743fb7223eab2dd088ec450fd666a730aac5c94f0900d3ec947d2637e31889f692a06c33b1e082651d7674

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYwIsEgw.bat

Filesize
4B

MD5
2d0f6bfaa3923bff109507019dc1f3aa

SHA1
632ae7d090faec96fd4c2b2fd61e5f143d67393c

SHA256
86ca7747d063e20793cb853248344ae023d32823b346e71675751f1bcdb6f34c

SHA512
9e50faf266c9cea91f18960f038a95de902e87f07f7abdf1e19c704ac7cd0dac8d7912e93cac80680a8f308a923a85a08137bd1aa18dbf148612f2a7ae4517d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PuIsoUco.bat

Filesize
4B

MD5
e0d35cbd69ceb0b781050689e681f15e

SHA1
e266a535c14e1bf5ecf96c129bfcb6a56c3ad547

SHA256
f6b11c5e308d632fd598678637e4635d78c44fcef6a9c44bc5f404a4d2fea7a7

SHA512
94b9f3e1db9ff361b296db84fbaaf875d7500f7e931696fb6845b4ccd9f2b0087e38d96bf8603cfa4248bcc29f5b5a0738825d60c9129d6c46dcb19cf1802532

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQAo.exe

Filesize
555KB

MD5
c089e5cc74034612e164ef806ae59bf1

SHA1
5db26030c29ee64ffc88766eee6340c39b036589

SHA256
854607a8aa729ec5bc6965862e93916342936d423448f426fa6e81242954b7a0

SHA512
bfa545facc41c8f2f635f009853f376ff5e58f474f20a724eeddc3cf9f09c5dd23629db1a0ba41ac2c80490ddff7a5d241521ee08b59b2ce5e19611ecd8f75ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgYg.exe

Filesize
238KB

MD5
0d373f6f76830a8c78ff0cf4c6ec6ffc

SHA1
a0fed8526831e2c2cdf9ccf01c95dafad482094e

SHA256
2e80a116fa93037890f4059d18043c4a027a2939880832ccc7952477d549b6bc

SHA512
5060d052a9182962edc56ca019fd0f8cc5d29cc301516e310a80d0b6afa8b82cf6b268f2d1b1c4f141e02e4182a6ac3f998946faad2abc112cccd6acc79e234f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkck.exe

Filesize
160KB

MD5
7ee086562e14b85a8bd5b318d0a6ba2f

SHA1
d00befd9857340e630cb234ff92c807475c26e5b

SHA256
6d2cf6d2f56faa2cb24c7e93f33c9a0fa13d58310f6862640fa0c648b2527877

SHA512
7d5bb11633ff5a839c9ea9c1bdfb9e1545066cd527179f4da8b79d29188b8c1b6d2401847e4de0f2194b7f6a478aa8664346324591bfbcdb2cd2266dbfbb2057

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkgIosAg.bat

Filesize
4B

MD5
ae820d2632c1c6e1473fc64a7fe18ce0

SHA1
8a0e732ccdc791f3cf5228aaa0faa412720b7a2e

SHA256
ab984ecf95c94b81a3a45edd045dc7140fdb3b805c9f9e4f4945df9253f847ec

SHA512
6427ed48d530dc982f9440027c3462ec73c658cbd386749a9a49247cadbf33196e7a355aa0988836f2c6f1d950a9d205ef7ad92125c5dea2f5f58b1f3770f5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QscY.exe

Filesize
154KB

MD5
6e7591aaef24a437d2544656dcb2b4b4

SHA1
c05561eee7a8579f667eedafe67dd590f65fd6a4

SHA256
c9505c0786c05a207e0bb7dcd91e6c45ae8f6225e53a21da18c0ba730f4efb91

SHA512
f4b9081292c4dc420d3af9d6f1c1141fff2e35e3a075746cc5c34d89898008d1b731ea15ddb8a680b04e22e850914a997507ba7e9baa441d84c679c94c1123e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwEI.exe

Filesize
158KB

MD5
501ca141e64bcd62c7d339d5588e81f4

SHA1
7b7a3028125820a50ec45e8057365dee2d25fbec

SHA256
26e94ba495e9a8ec984ba67dde3ddc40e1bb21b8be35f315359c2a91577ac7d1

SHA512
9c9b26711756d05b88fb08f846e1f2c6acef36dcd951ff01547318f78c6348a2851967200f66655376aae60746c967601bd3e1227bb6d3af96846d4860280067

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQMm.exe

Filesize
425KB

MD5
aad9422b62cb0e5f7b2bc98bbefc7df2

SHA1
2bdee97c4bc93cbf75625d656ae67efab3df238f

SHA256
2f73629fa752f0401c5a73d1db6b1a76ab36e5ec338707e99d78ef6e44f0fd64

SHA512
102cfdb9f96b82ca14d709b6fa347821de187498c69c95a28924f303a1e72af22b3ec43751263c6594ca7ce4a83411961669e7bafbe4616eeacbf4e34b7cb8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGMAUYUA.bat

Filesize
4B

MD5
8fbb70f0cf43bcc902dc59b76a2552a1

SHA1
fa45a24d29bf8e2c7d7a1d987cceaacf7f37bba4

SHA256
dd89095cf37f4da08d56f093dc50764855d1208ce9a679d7f980f410eedf65b0

SHA512
2413366f1a5c68485f2abcadd9abaf019ee2d8305b3a2e4f17163fd19069486041e89418ad7fc5d5ed5bdbbdf5fde1c95fecc23ed399319c8e4e72a5feaa7877

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAoC.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIQkIAkM.bat

Filesize
4B

MD5
0249364f1257852e55160b1d4fac9ca3

SHA1
7217bf55edd0cb0a10ce3d09c81f8b1062a10ef5

SHA256
bf9b50b8df512432d46425bb3eca053d6b04c8e39ab73eac8cacf8aaa705c724

SHA512
77d82224a6f57e1b1826d6c9a6ab034c54f6127668e0b0b26050882be1afdacdc0792b2362a09e192029d370d1f2a76d7d407f4e447941c7cf2fd73d9ebd6713

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIsA.exe

Filesize
716KB

MD5
093c3d9a7b8d4a87f04f707827c34f98

SHA1
ad547e0bb8b798cc0130eba8e7300466387c8622

SHA256
b0a86f13db8cb9014ec680b3fbc3cc2861abb1815180635d4c01035149e3db70

SHA512
6cc3f3b0e4e383f89c85fbe1a5e313f8a0c34eead1d6df86e72e764546998cc2810a0784a58a9ce028281c5866d12bc4b54cef4c99f6389211939b2a76146858

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIwS.exe

Filesize
157KB

MD5
d89bf5fdbc16405c3d8d9c3fdaea9e1f

SHA1
b6c978868c56d1bc82c4401696d42170cfc8f8d1

SHA256
9e1892384d27205fb426e6bb326907a6987263eb9fc30e5b3b155491eee30d88

SHA512
0bc44107d2dfbaaee8a6cda7e6e57c3930d23fa2697ab66ea0b74f627fa98409e99dc5274e247bb1a6c1766aa6c2fe45ed1f286fbe443c4f7677bbf4703794fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOQwogIA.bat

Filesize
4B

MD5
076528b42469fdbd353ac45000659000

SHA1
d0316eadf8d978a45c21c4c31bb611150d039c21

SHA256
f70fa5e5e47f1bb8d378e933405830da5ca92ffb7359d2c2e7717edf57f21391

SHA512
d7b0717ea0f6353607f8221bf67fad4564ebcbd92ed5c9cab8382f31ef0ba4d1690778a5614b007c62232315933e3d19ec7c5a63cec5a699977f219e76e89bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\USEkcUwk.bat

Filesize
4B

MD5
5dd7d00b21c59b9f6d6f9bbd1701a336

SHA1
ca0ad8f4e202425ba177e321dba0f00d8628510f

SHA256
8959141e1f2ec302b2db7843083ca950a253f00955fa72a8da87abd2f8f572a5

SHA512
ff2c06114fa0c8de1a568a5aa1fcd657e7db1141785b533d534ed1c858e9ab49be6dd7f3fbf45dfc019be1032d7c08a6e6d3780b6bf5502c099f0dd15f889fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUoAMsQw.bat

Filesize
4B

MD5
4953b9fff8595256ff7a20f3bdebfaea

SHA1
d2a0163cb4b15fd83e1ac49fe2b58978f234b933

SHA256
b7c849cc0f96c8e4ed177ba3d759da12b00a32f556824347c27bb8d5964f9ae4

SHA512
0cc5e73ed2406e92f25b2b6582753b5b213de725f555050b625e3c7f9d096bdcaefb7be81a2a67369a2539e2210862fab803b9ebca477ceb3c35dcb6a34611d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYUM.exe

Filesize
158KB

MD5
9e3df39089e3c63b80571333b0e07716

SHA1
198b8adafefe6bc9494efe33f12fec602602aee1

SHA256
2afc5947a85947c45b15c666241f1f8c212502aa0255a33ee2ea5104fb2a4076

SHA512
e149cf2e52cb1b6cb2411f3f5886b9f672f10789dc63e1d55760568dddb78945341645203d24df98dc2b34c0caeede8f7d36a09824cd1c65821f65a2b70e1f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkMY.exe

Filesize
206KB

MD5
c913e919341bbc22b33035e67366df94

SHA1
04fbe5975cd7ce02e65f1f43124ac31a080b137f

SHA256
93590c05bd362369b8462b0e7d888e189fc769cfbb49b492f24c511995b895b6

SHA512
603fbd14fbd921f631373a401d1e3ef08da664df570d92dfef191a8e1b7c133fcd152a435e5256706e1cff2c5349e39c4f73f99b2b68b385f77e91597ea62635

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsIE.exe

Filesize
236KB

MD5
3aef26a299c477ed982bed4887e2b7a1

SHA1
ad87552d0f30ff0473da1c306a969b5c5c1e88c0

SHA256
6e6b1fbffa4ca4e4d1b305789aaa3885ddffcb49218a4744d906a9af078599bd

SHA512
55eb22350f2387f574132bb94b14e4c1cc9c5cbe0b1475420f5a24f76f18cfb9d9033dc21cf18b6118c2daca88bfd80a03580729f6d0764f524e503805fc749b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcMq.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgYs.exe

Filesize
159KB

MD5
c0effca387bffed6b24aa28cb58460c3

SHA1
ab234ebaf0d601fea30a78a8747cf1c338f00be9

SHA256
f9d97742800c1b2b3c08daaf3fdcfc5bf27968805f3899865e0bba27c8834f6d

SHA512
61596be1198d13733ef0439d38fd27f27144738616055dbf3ad553dc95fab28949480da71d634533ba883a26e30b4a6ba08d4a856e56255769e23c4d6c6c5fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XqUUYgwM.bat

Filesize
4B

MD5
66946f563dc1aad6dc34c48f46605a5b

SHA1
0f87db3d874934606b65db1326f553b9178d8019

SHA256
1bf596d41c6a7bb2ab654e9f78f2c941d6a7e183410c13fabcb0c22c0e9ff6fd

SHA512
f9d2908d6603f471edfeeeec1738d34e560f673cccc8560ee7d51af79fb900e4b4b12797c3eef4e10e31c889606ece7cc6c0ac9b4a502741658fe03345b183a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAkk.exe

Filesize
274KB

MD5
2bd1a8a197179fbe6a2a90fdd0a2b77c

SHA1
94cd4dab409e0c464ccc1f85c071b7efbfbba23d

SHA256
10bc69fce32893024f9fdac99bf12981a5de70715b79951260902c1baa49a19c

SHA512
b1a4b1beeb9b08f2a64fb88823b5852b4f3018234344266b68f7ad23bd79db1e66a9f0b737374b45187fb5ac24fff53be73eaa36779049b9d1f80d8933305855

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMQA.exe

Filesize
158KB

MD5
48664ecd029a16ec5e1a6e50140d3f39

SHA1
8cf082f0cb9832036339dab64d54abf526055e33

SHA256
173a12c817ea664163faec847bfb0633a37fdf63cf522439082a5420413a7448

SHA512
acb64df1269d741f4733df516c9686109388f33e3f98427423a3cd86e3c0b8ce02697e74d2fada7dc49bd697e8c09f77637c6759fa16ae29238c7f7796935b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQoQoUgw.bat

Filesize
4B

MD5
e569229b29d3099d95263a37d73c14e5

SHA1
380f8943c87bb1ea5d9627127d56d2fca3db54d2

SHA256
27da46e7f72af2229f8cc46bc853250676d9274663ebfa2eee87e2f0f9e9e36f

SHA512
11a8bba2ec3fd84641bf5f71a94550e8e26672cfc39e44a05015d76b92750cf0735b53b11e81765c8b50fa03aabf83ba024dbbb73225e694359aabda8a3c26f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YSAAsoEY.bat

Filesize
4B

MD5
17239b46a287b7be9c7a821c4ca68b18

SHA1
788623114de434c662bcab95be2136c47a384d16

SHA256
b55e22b614a06a1fe43d9903b6803939550ee658625935dfa134f6830f0a023e

SHA512
2d6e06148c2e73c7f62a23b89cb37fa34edfbb9e96955578088050149d9f0e9068e6d44f1053c2637fed85bf4ad264f5c559f1de767a936d680bebb4cb309f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUIK.exe

Filesize
157KB

MD5
b51413576b1f42cdd096e959ef409ce2

SHA1
f9b575824755a86a0773635777be3bb55ffc820d

SHA256
00e8c617f0b691bba8d97860f47f3b02418506c72e2437b03a426a3c2c6e4f22

SHA512
45807424bd082a8a01dbb38ef996e9866807298a69cb2de44a145481f36878ad6151efd54a46fb3952f8c78c064c92acda161b2522d74f4c500a4e267ed79fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkgoswIo.bat

Filesize
4B

MD5
f86feae30cef343ba9336f3fe450743d

SHA1
f0365019e46506f39f07fba25e7cd8db10661750

SHA256
00d7c542902f40d1ef9b171ab35d80d40c254c15abe56d5e79349b765c9e9600

SHA512
b3bb7073a377f24bc3b2a530c53665e84ae764b3c83bff8dbdefb2bf160a0d2350ca4c6c94dfc25a94ad5e5df64b0f46c70c787318b9767570dff29342fd475e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZKIAcMAM.bat

Filesize
4B

MD5
84365ee711c3010004fb30fde5db29d6

SHA1
bb417ce0f6568761cc6e890ef24e9bff94e24c0a

SHA256
2574e39c263acdd2c65a880a6b5389c782819de8c40e2e7f18acf7cd0bf26ea3

SHA512
e21adf93ce0564adea22ccc0988fee1f8c9c587cb637bf3734b173d17857bfc65d3c440d6fdd2764f62745d65c9bea51b62f814cd24b4cb2e5593b2c928db1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZeIcQMMI.bat

Filesize
4B

MD5
0c87f7e40909e6489dfa38d2f4de3c1d

SHA1
1a467686e936e3f8acf0670bde005e1f791f14ad

SHA256
174c62c6e29196c1cc1c2721829ef5389ae70edcb6c0db5086f4a1f7703c7f45

SHA512
df39d38b8a09438cfd4b4534a9ce5b8b685dc443f5aa7048f1ef6b396ac93aeeb8fd13b7f285f4d26d93a14f7cc3c56e26a44ccde2d7214fd898366f72b8c3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAowEYYE.bat

Filesize
4B

MD5
fe62e2addf52574ca75181c77fae4f7a

SHA1
3dbb2ed226188ef1a21e1eaf01dfec17ead3764d

SHA256
e5fcaa01f5480ccd01ced77fbee03a60fa1ed1d39188f5cf11edacc62d752bce

SHA512
1c7ef08c87f7c8474ae838a0ff5de3bd1a3953f87833838c7307c9c8fa1b1b547f23f94343f8ad4e7dc1b54db63a64b67df191662bf4b6910083d120edf899af

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMAm.exe

Filesize
157KB

MD5
ca1ac7839c2a8b4aab704d47582a196a

SHA1
a7728daadb68ac1b241d7e392eb45d35c3346a3d

SHA256
8cd845b3cf2f39bedf6a102adfca97df185e9762bbf5df5caed2177ab7101178

SHA512
57b5183fa6dae907bffe15d770a0b9ba1ba540fffaab1dfe5e09274d43fdd3b090038c2a22da3de9f0645e199e4926971da2c436dcf7799c23286d3fc3d5ae1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMMUMYEA.bat

Filesize
4B

MD5
2469a6aeb1fb269a0495a532714ff79b

SHA1
e24b7863c4e137ee597b36b209de4fbd5b6f04cf

SHA256
be292938b8e1b15431bb13e76731be45285eb32b15c3661b62a21bf5331b486c

SHA512
eca1ac2b154f706a476bb7f5b17084d71a2b6f2905ff3ee21583ee8eb3709c5603200aedc0db4c7409cb6e8927ba281055c56873bd078791d532ebb6b727170b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUoM.exe

Filesize
564KB

MD5
b4ed50d15cd6daaeb9c53dcc7bc6942b

SHA1
06a2cff83f42a2e02cb78b2698cd9f1ebe5b5215

SHA256
b6f26a461cd9f41c92c7fec84fc10b5ddd19a7fd45a88b997784ae92d45e3e25

SHA512
ba0104698def8fb218510f7804a63303da1e842e9437640db127ba115c0495c75ceaf47ae28d6c2824f5b3d0490b3b4ab355ba095b153eaf9b355fa386d3bbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUsY.exe

Filesize
140KB

MD5
87597cfd9a92b46b3cd2c13e5ce69d8d

SHA1
948f348124e09f3af46bafb2250dd1393e07a981

SHA256
d358803f59861618bbe33f16cd75a4a04a44de37bb52e6e5e7eb3dbbc5c8d966

SHA512
d17e67af564b066dba47258252f32c7b9ce3f0fba81a8d683b62204749471da9b6c46dbc180515519f78244497e8ff1126ad989bae901611ca28bbfb2e4811b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\acgK.exe

Filesize
156KB

MD5
fceb55479c4200811ea6cf8453da26bb

SHA1
5ccabddc427e3520422dd0aa699e0ecdd9c69a8f

SHA256
241109e1dea5224bcbf58aa17f7e7af198af7f2db144b1aabefdf12bec615a67

SHA512
08a9ab06f9fa474f2d6f2dd0da1280bf31572bf4c690283f5b9c3c10e29b7fa505703215a5232dde8a8f613ba633e4767108cabb1031b62030917222511d0663

Download Submit
C:\Users\Admin\AppData\Local\Temp\akMO.exe

Filesize
158KB

MD5
0e9417899aa5242571c9fb7ac6fcafd4

SHA1
2db8df5f2123f1f2b261fec03ce5e4df4d0f1565

SHA256
296c6d77a00511c83e86644683126f7e782ae22a554717dbeb935e9c9d2519eb

SHA512
e875a0c1fb76a52914e2ffee52f0a2ddd42de4d1eb81cac58fe1f0cc721d43cdd1d2b3700dcb3d63756efd0d43332eb93df6289431a1eb20e591122c244a3c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\assi.exe

Filesize
158KB

MD5
45235e13e66f720c3bef4008da5563fa

SHA1
c0a912720fa3204edf5d38bc73c595269ebc29ee

SHA256
412defc0a1321ba6007188679296efa33f7947cdb8632f9afe5b9bfab65eca8a

SHA512
cda1382929198f1b9cfaa580c6c974e8b4728b4db98fa261539972fd5fb25e5de20daa6d1b3c15e89511041458df8053f4d9e3a66e005f98c06681776f10907c

Download Submit
C:\Users\Admin\AppData\Local\Temp\awQa.exe

Filesize
160KB

MD5
6dafc658be3800b810f5f987789e95dd

SHA1
df3d965007f0fd57bb9716eb410bd4dab2f81f21

SHA256
b6c35315104a3a7bcdd133c8c3fa50bfcfd87416fd3370b79dd101383955e707

SHA512
1345c37cbf696c782e497a251fc4c44aceeea5c2225094d4bb249fdb87b9b5a40270baa15afa704790854fa8a2ec01377da157a723a299d8d018847ff641e156

Download Submit
C:\Users\Admin\AppData\Local\Temp\awQw.exe

Filesize
158KB

MD5
66bc7f04ebc60c0673f714592d05e0df

SHA1
7c3bfa4d67cfc06c5d8bf40c7b30b99e86e305cb

SHA256
4aa1b874d409fec7f2aa90d8c188506417299cfed34e9b0cd94cabe2745a24a0

SHA512
cde223b1d766ed0581501e6dc1419f6bf259a8929f1e0e01e6c700213e7cae8cbba6d79f19536523c522ff0ceec86b88f0384510201783aa3e8685798332a3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\awUk.ico

Filesize
4KB

MD5
68eff758b02205fd81fa05edd176d441

SHA1
f17593c1cdd859301cea25274ebf8e97adf310e2

SHA256
37f472ca606725b24912ab009c20ce5e4d7521fca58c6353a80f4f816ffa17d5

SHA512
d2cbf62540845614cdc2168b9c11637e8ab6eb77e969f8f48735467668af77bc113b8ac08a06d6772081dde342358f7879429f3acc6984554a9b1341f596e03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGwYcoAU.bat

Filesize
4B

MD5
7ca503e642a9f5827709c594181ac229

SHA1
5c96fd814e297de07b37bed5d8d5de1c1fd88ce9

SHA256
6b1bd0628373a70dfb6ce4782a1e19688509b776e498cd7709deec9db5409fd1

SHA512
6584a23c1eb973107db11e7c586afc605da7787b39e9964bc8542e8d0e3433b88630ce00806db58f63cfcdceac5ce0d072b219cb477070072306f858ee78ad3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAkS.exe

Filesize
135KB

MD5
9579afbe64fd44b3aa38edd93a0acc19

SHA1
059d36c08403ac113edebcf7e417dfe8d15a63b2

SHA256
91300b9237ec3a311b727f9291ed38cdd5511b2ee36225d49af1ce117db575cd

SHA512
eb0383a3dd9701ed9f079fdd2ad41595ee1b5d5e52af23cc4d8ef55b24d46eeb5a81ded893afb00ca2e25933008cfc32c35d396a10467013478be669301e7be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEEwQsgs.bat

Filesize
4B

MD5
7db654622bd1b8a3b235647e4a463d07

SHA1
345080e6e07eeadd6be8b9f97c62e41b06876fc6

SHA256
426a120a816c99f52454d96c436c4189f4865c5d1d9369a7a343533d74040847

SHA512
1a7424f107ccb7bb8d33dcbfbaa4174580b893f88cc5e6c9a9c02cd23e081d3ecf63365d3f4999bfe8e177d19b75f9e11c9f66d73f2b11410606d8a7f4867b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEMG.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIEQ.exe

Filesize
159KB

MD5
26c66fc53eee8a2aea364dacb88ee9ce

SHA1
7168393e4ac151614f5b7d3f0ac757ea40a498e9

SHA256
729ebbf511a7c0220c14667ebabae789b648e5c952f4650dbc9cb5b32f6451bc

SHA512
7b079bb3b13688c4c1bdfb3d3242a95aaaa4fd61bdf5b4398a259221ac8bc5b838cd667bf5e5759dcf49a0a5cf4a631405fe0fcc3b5c5980d50681409af43ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQYYccIE.bat

Filesize
4B

MD5
72999ea2f0b7939f5db06c4c9ab18ffc

SHA1
587e269a635e02007e82b474d8a8cbbd1bdfe125

SHA256
1b0560946e2067be7135b4689fd9e7def3814d8d817d9859a00ce19ce04ac842

SHA512
55acc8f28dd3479f343db693a9f1e4db168c44b9b4aad9b2cb845a0f378de42069a67b5d99dccd41ce509285716e21f58a1d5ed6cc57f029a43ede0b0c1d9c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckUi.exe

Filesize
157KB

MD5
75cdf409af0f4c4ff7df3c3fa581776b

SHA1
740d33f40bcd00fec51bb2e098e211970aaf8264

SHA256
7ff7cd7e43e9a4739e00c30a239cae061d880e2acbdde1b28abb005bae5e59b1

SHA512
45ef7a3c177cd4c4d66678df63d47beefdc86d1276fbd7153c8f07a891020ebf3d4e1c3a1a41dcdb697ee66721734a54afdbe4a15cd733dd236005141712d131

Download Submit
C:\Users\Admin\AppData\Local\Temp\cogy.exe

Filesize
237KB

MD5
39c912982b7ae98ed43585e509048d50

SHA1
5a9b44b7000aaea63bbbf6735dd898eb5d6fa585

SHA256
38e7451ff45cb4b4414a9483e2ea47fc61a03bde57c6b273baeecfc786f46f76

SHA512
619a5d92e4fce6db853e9fffbce9ba21b17f7737839b90b78b00a2762f1a642b41b903018c5a69077a2c22108dd9dc021c8ba763c9874ee2da7d39461e370c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\csok.exe

Filesize
160KB

MD5
2502efcfd1232e2da823d41843e31881

SHA1
9f0cc66ff27f5265e23b99c22411688691c9374f

SHA256
803f4acd245cb816033beabef3e64a8bcbb8e38c62facfb9fdaf309dcbc7d004

SHA512
82fbd0873c472153add4064bebc1cc0a4fa6fa92da9f5d97d8b73510ea7bb0273d9d23c1f46e4780a3f90490755df10fd73efbcaecf0b97da3ecd255f9b3876b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwQy.exe

Filesize
868KB

MD5
fd68fdbceb16621712df674ca6198d66

SHA1
ac5c50beca0db427953f48ebc1d78fa5aabd3a45

SHA256
4346ffe5eb84f012166ef8315d9ceb2b3b0775bdda88065b80e6f4393063d59c

SHA512
90f8a5d312ca3146b0da01430bf5f617ebebc8b35d263be1ce72bc78f63d8515f97b339d4ee3dd8e257d0a4f8eb86271ef5b1c640943c0a7bbf207e9bf1991b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwgY.exe

Filesize
447KB

MD5
d8b224f879e13a6d80c77bdc8b115023

SHA1
6cbcada20d24f7793b3c2b3cbce3e4f65f991957

SHA256
bf4eb20e2982c200ecfe348b6c0e4b840c797db51a88ee50a83c4aa91bf64b3f

SHA512
2bb113259b8ca571bcf3f6223795056a282def7a368131da4d8c5a3a6d6e640ad10e153eb1da18e0ca491097e2d46006605182f6815c8a82b2f3f3e26f10a9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEse.exe

Filesize
159KB

MD5
af844be11f71271b7b41b915c483d52a

SHA1
b0b6e5288a5bf98791933d74728b1228b24e220a

SHA256
4cff6b45ebae450a73a1a17a3b138cf6362cf60b569035afd621bd4a9590ffd5

SHA512
431fcc7a3dfca473c89310b59e7640f3b7790acb89071e5b690d30bc0902d042731691ada1748040f7d337047be3f6e9865ed58cf3cf0882f3d313bf3c7612d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMoA.exe

Filesize
158KB

MD5
5e93c4a00399a0bdf51c3cba473dd7ff

SHA1
a9b7d3d9b6331b927f9d8081842889785bd479f6

SHA256
7001a8fe4a41714c8c91a43d6b73aaefa199a73989bcd99d99b2d49893767bb4

SHA512
ec35acec6a7fb93b0a07a13a9450e8775a845b51a8427d658636dad29b7ab9fddd916dc9ea4f9f7363b5e5f1370520c1ed2d7a3f4a4d88b514257af4824258f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMoC.exe

Filesize
158KB

MD5
a07b3820879bea0992c375cddd788d24

SHA1
2c73f3c99facf4ccda1df06d1273943eb7606315

SHA256
d4ff895724d59c017a287bdf8d490d773c4a5fd3f44e44b093b940b26387f12d

SHA512
c0418e398f4c339b4ea450771176459b67a329642bf9ca2a040f63e32349d277f1ae7049408f83d3c733098991949f9e54cf3d235ffc45e0cfc69e1a136ad834

Download Submit
C:\Users\Admin\AppData\Local\Temp\eogm.exe

Filesize
159KB

MD5
a76f2a9d4a00b6886fa9ecc0da7fe913

SHA1
85d0c627f19519239722a67500fb0bc15ef801bc

SHA256
6b2bf6ef257f8898efd4db7a716fcb75f41a04314c7a88672b9d7b5d0929e69d

SHA512
932a4faa9ef8952e76fca2fd6f385aacc4f46fb8109e82ca91fe593d18acefc2f39ab5a1f5da60ad38a0a1d15f931aff2369c58a3e8b32baaf4620b919b22e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewMcoQUY.bat

Filesize
4B

MD5
c7b41fe5f8a523291089a33817453008

SHA1
059919911379190fbe94aac4c5d874aa3f78778c

SHA256
707922a9fc5d44349932373c900e1a05c7a9ac1564b3fd161bb601be7bf9dff9

SHA512
8f783ad263804d94a25c892eab53c184d33916ebedd84e2c303be255b02c1f00eaf21b868da85e54353f1f0d08ae2ed8bb1ec67635c475d9d1bb852a2d26041b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEEk.exe

Filesize
157KB

MD5
c017dd5dfca05bc7e06e7862d65e4325

SHA1
c585669225815989f24d56a1e93dcd49d6e5c079

SHA256
64b4bad2ed2f44106c85cffb75d0b59ffcf27c803b8423a5814977cb9507e3aa

SHA512
f012c969149018261a0431701809ae3ea2d490270f0e4ad7511e08e6d4cfc26d0e4933824747b06ce2c0d598c9f395ed760cd104860bdbedea6d1951fe8bf0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQcw.exe

Filesize
157KB

MD5
478661ccadf12ae10ab01586f58bc5d8

SHA1
c826fd0715b828b5b903875126cda859d4b7081d

SHA256
5e188cd69f93e7acb0f8ea22091beac5a2d966c92e262e1e46169362eaeed0f0

SHA512
8570595fa9801e6fd209f91bbe6e204808a4da7eb7bb38d452e83a2fb9ad125f36837fa0783f7011d1e9924638977acfb497a56b968252a52aa490327132ee0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUgk.exe

Filesize
159KB

MD5
da32843bec29a4098f83174f51f49978

SHA1
a44c268f386450835a598a4580536d90ef63e844

SHA256
86b85623ca4a978d892ac66afc72968ffd9b4aa5e9585c3675fdf86bdaed9b55

SHA512
a8c866ff2df283369285eab20c2f2ddef4cf90849fcb7e3ce78ba9d7c58a9e695ccb4f46b1a38d10bafce187d09562d7d33fb88ebbca7ef965978e7a569223da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggsm.exe

Filesize
743KB

MD5
3f0ae03625ed6ad238c6a85330da6b8c

SHA1
b039d122e439c5c2bb931009722e2b88b6524759

SHA256
7e4c879563b9d083b10b7c2ae0404b454153e66ee32a09de2c1727c9efa8185e

SHA512
75dc1360994835242720a5f3f603aefead7e6d9e27d85666fb639deeda34d050b761f140c7bfaece030c0a77e655ba2d7578b3d1236aa8bba95e4368b698ddf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\giUocwgg.bat

Filesize
4B

MD5
b6c4bb0a3509588e9f4f783b3a369017

SHA1
fd890530b1f090cff660cbb877264bc94216dd22

SHA256
a2c5dae0abba92407e8f8739e0f9cfdcae07a6d6d154b54e673491aae2117e21

SHA512
b6e5e85d7b45a7f959a8503aa3e1e47d5cd25caba4d820bf2714d9c82cd63f1ca3e8e244b6ad5bd8aa5636f3e050a9368b5264fcd391672e9b3ae1c6e875b94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgAAUIEI.bat

Filesize
4B

MD5
fbfe89d36183469232a3d11ff96d1dbf

SHA1
d6f7caf1629a9cedb988b2ad6e8847ff25ae295f

SHA256
8949ad3447a7a19744ec13b276300393141af60a16900a41de683c0f8a042f03

SHA512
e5fe386caf7f4586e7086dcc109fb2dd45c7edd55c425810fd59686c200152ae5f9a76977d4b9e15251560a8396a5d68b3a34cd6b74d0f45129035a73d74e0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEAC.exe

Filesize
158KB

MD5
66bf43e83a05b46d411a32b038e512b1

SHA1
c3a1b227b7908148dc0570b1263325c884905972

SHA256
1f5fdc0777ef6285f258992c5f69ec99ef00a960f9ee02ed1a1a1c962d59c3be

SHA512
eeef9ba8ebc920bdb11da1e667461c38c7b421ed0058fb11539619aa380daf79c3882801dd6193d5be23c18ce894a5da53cf02a1a906b3490c286fa818e6ae6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEUq.exe

Filesize
157KB

MD5
f70a64e779d7d549c67d95e9adfcfb9f

SHA1
8fc58cabf22579f05aa397bcefdfe082df241404

SHA256
28538851db0afa33cdad9fb8725a2b0fa65c08da761d8e84a8b78def758762ec

SHA512
f7c6a48979d868df0b242860c0f1c88be09430ff887b10d8655ad5653dfb176afc5a958ccbdc90a719d1049d3dcbfd287f6e7b563465450e134254f56db41188

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEooQUwQ.bat

Filesize
4B

MD5
55bb1a6fb5247ca477db02be8a14ca19

SHA1
4876fd0f53ae7f5a683cb837e543bfc172b8434b

SHA256
c6c6871b1794343b91a0baad92592dad8223982b88216eadf1cd28bf9231d2b6

SHA512
af0ea085c39ca136be62cc280840581b2979613ac31fe7d9c352e97abac80e703f44b7e712eb57cc7581d00a26076c0e0a12210bf599169d12d1ff156ae091a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEsc.exe

Filesize
158KB

MD5
286a588b8057e4421ee6acd3dbd77287

SHA1
a490fe59b1ac3f27ff5f6a7d2a13d554162f0003

SHA256
ee5848b3685076de85de1bd3c80d1f79b39c1b287abc139e304369bb7f418b00

SHA512
05a3712096e4b0673176dda0fd6a563deac8290941604b4d669705d2faf21d43b16c6b6e146cf33ae008d10ffff6d8d9e9303bb434ec55d0c616b531b6c855ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIUgUQIw.bat

Filesize
4B

MD5
14d0ed85945f7bbaaf12d9df3a12168f

SHA1
881efd9cf6c1d97b701e66aa034ddd8eb6cfeb8c

SHA256
08a93adfb726cd53b1e8dbe303fd38304149218b75e0cf98fe5d4ba73e501379

SHA512
2a30f6e5f982d73afc510de4cee1d4e60b40ba7ac3e8575257f6ca9229894eac1e19c6b8ee07377662ecac479366e7caa5fe60e5c7b33219d513dc3c94c8e4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMAQ.exe

Filesize
1.0MB

MD5
07329bd4d951ddca0cb4cac21a8740ce

SHA1
aa3b9f1c691f9f678f6ed5ba889c83d7143d7455

SHA256
5c9b41a107bf65a38cf324f9c86f9d918c8db0fb87e86857b31aaad76362e86c

SHA512
e46a6f139b020151f2f45532cd4a7125ccf2fd30fc77acba23fb95b9ead7bd452d2e6e4d2dd8ec92a0a148484594bbed0c88d8e86d3b8cdfeca281318a6f9d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUgK.exe

Filesize
744KB

MD5
a38aca57290e80ba6e4459e8fe5cfcaa

SHA1
ac5dd129d538a049fe2df6a11f3070af6e935a84

SHA256
a307b9d54fef1ece643ab5857221d9fff441e1a484f2acd52b63ea1c1fa4fcd8

SHA512
87ecaad787dffea327998d2fe7a4e6d7e428686e9e15894439a009ec8f8b69bdc18d2ad355440c92316158157c2302626f4aee9cbb108f290f625a074a796a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\icIw.exe

Filesize
159KB

MD5
af0d2e183886e674de0001c2b22c5a26

SHA1
01a0cb89f8ef37a4cf62dfbe110dea6bbe35371e

SHA256
91aaf1ed00ce022ac0e5bf98b08727d678c0460964525d5ec6f3c0e7a08ac923

SHA512
21b022f2dfa6c8c81638189131506f118897716a99c4931dc292dc7c504f6d8792e60e643f9fd47a2791af96b02cfe77de33308a28d2a34a7edd64149796537a

Download Submit
C:\Users\Admin\AppData\Local\Temp\igAK.exe

Filesize
158KB

MD5
b0ff1333558773e851436652fad87102

SHA1
328da106644f919513807c41a50cda354659e0ec

SHA256
ba6df54d235ffb27972bb8dd7536e2149b2689e36f591ec86473b5ebab6e01cf

SHA512
321adfa7512ee9c6157bc2b4ccd6b3859d49f845ce58eb7e9dcd3819b94099fc7c6b3985c454791452e6227df330229d6ea6ee782eb5c6e7ee4bef0efd5e48f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqoQQoAM.bat

Filesize
4B

MD5
435177d2942e60b80574f8383e6afa6f

SHA1
1883e255c97d83fb0d2ed2334662cbf35b7a0a07

SHA256
f3d3125673e2686ea94d419999417633553b68e106833723cae4d6b0b2136865

SHA512
fd49417fa2064d64cb15b96d8d7af02aa2bf6ff1dce31da08854afba852903a0be3b5c89840e68192776b73d6f874ce6bd8c468abd8a4e43778565f19c73b8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAUowYwE.bat

Filesize
4B

MD5
c2887dd3579b32a27370634a6874b343

SHA1
95f10cf1a3db9105eb5831fb3e607748ccd9de25

SHA256
880d175bb570a82dd09eaf421360e49dcc7c2bad6948cf672a31e359c00f5360

SHA512
18605ba7980f5d8bee4f189e0e706701bd72c4b28e4ad6306cb099b3fd3d68056e799d26272382abb435c3023c43f7e51d5ecb30e21761e75841b796ee2afdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEwcUAss.bat

Filesize
4B

MD5
f01b6b9c6e71db6712093fb2c3120a5c

SHA1
d2af6eea69a4c7850b609cbb524730d2e43adafd

SHA256
eaa6c6704cd09d78732014ff66cb1f85995f6de982f7cac04aa007c8a5dac4f1

SHA512
bc009e521827777163303958bd306c70914b45696fec0b4818b4ebf052340c3ddb523a5389fcc9ecc20b0137f9370a7c02fa045aa840af50c607e45c2045234b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUswAUMc.bat

Filesize
4B

MD5
a99836a8c97c3e9be93cc60b6f50c1d1

SHA1
48b914cf1c2f19a514cb68a90b37c1a99dfcd027

SHA256
8401d3e4ece802736d3a67bc7dce28dde037e053f26fed6c1ae39e9bfe66c331

SHA512
5a351cbe914ce1c050f76ee44fcad1f3a5a16842b5c278feb91b6125fcb51bf5e3305be2b797fe49a9341bb961476c3103669a4731e0c81313639e6fb36672ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWAIUQwc.bat

Filesize
4B

MD5
e237e108a7916465b729ed058464a82e

SHA1
427c608b1b08fc80764fd12f2bfb698c803ac890

SHA256
b0459abad8108ad90a44f9a7898be195790d1df89060ea084e0b321f306560f8

SHA512
2785282f659026fca6499a4ee81f307c93d366132dcd2d357716ae44850f95f031d26cc804ecab3e7e3d96c034bbae555aff9578785dfd118c67a85d1f4f33f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEwI.exe

Filesize
158KB

MD5
2d9ce322ce171fafb2ab45e3a96cedc0

SHA1
0c3dd3cbed1477d0a85510e3e204f157e5d601a8

SHA256
770cdaa9d44d0e9c2a2c60bb809065448839af843339fdb76e0b8ace5e4fb70d

SHA512
6e4d95c5478f9e63306046a491057672be6a3d924ede904a5091d946dda50e022e862324a461a33d7ae597d2c901ed9ab33a9944c46fe4ba8379a00afd1e233a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcoO.exe

Filesize
160KB

MD5
90dc4df80d311ae4d2d9a5d09d0dd2ae

SHA1
95226cbc79730efcaf95a25a76fbce36056bb3e6

SHA256
a61665a67321c263e53a827b67eb26bf8f522d41d000ba533c77dc28ec9e074c

SHA512
aa22109ff4b3011b605d43d39668b9bebbe94f0c80383b72b6e15178e72a25d61c16d42ebbafe36e8d693f70229fe6c4dda42fa17ac5b193b86db5c1c44deaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgsU.exe

Filesize
991KB

MD5
528778136a6736399184fddd3e278b76

SHA1
e57c41ae3c21e4952efa84b12b20cdad06e85709

SHA256
52d785b968d46173235fc4320e60fda8dbb5380f0902ff53429fc1b52053fda9

SHA512
104c5f462ef57cac14f747fb30028cfa3220f37c2cdfa2d63fc77151528bad189303e20017543e1ced514be4bb899c6ebd853ba9475bc4771c709e8b41b88969

Download Submit
C:\Users\Admin\AppData\Local\Temp\koAc.exe

Filesize
159KB

MD5
0d34b871f81e1f73649d7aa069f041e2

SHA1
1ca92dd5a83cceb4416c6c4d1ea0c0634bd4377b

SHA256
557e031e04244beb1666a2622623f6ffd8bff2c54d3bb2b0fae3b75bc736bf91

SHA512
bdc33f9d8a4b076fdaf7edbd8e787e82c3c8a6e1d868cb6de4035a35d0db3fe89028e9ab710129d025e7111ec3394f42ff777ad6786911e126b366632b0a4d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwoS.ico

Filesize
4KB

MD5
97ff638c39767356fc81ae9ba75057e8

SHA1
92e201c9a4dc807643402f646cbb7e4433b7d713

SHA256
9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093

SHA512
167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\mCwYwswM.bat

Filesize
4B

MD5
aaeca793e740ddd9523598c8d9da33dd

SHA1
ad1fc1dfae61cf9879627291a124536af6f99ac9

SHA256
05fc48dd3e94c82f034079733dc9509d8ad10946bfc65e28471d2f4f9a44b5ed

SHA512
a6fc714f759d476a29f23cb9d350583a36e7bf91fa9799d0e694025344ddbfb52197b5383c89496f0542c524995ac4e6868878c447dc1e8e04b44fe8720f5245

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkAc.exe

Filesize
8.1MB

MD5
bf95bcc5feebe05d93ca64d2b151efcd

SHA1
ce25d48a441c165fd92c7aa6bff6627e0ad4f8e3

SHA256
4bf53a21099d363c2d856f51ee4c3109917ff67f8f28120861fd1d72289d7d44

SHA512
36a8509981bf095b581745e813decab8d62156873a9c056c5412c3ec5fad448c4c5d9617fc71f5fb09dea0cd96226f588520b9fa4e8d1e68a6b70684a7db8187

Download Submit
C:\Users\Admin\AppData\Local\Temp\moUy.exe

Filesize
148KB

MD5
bda9e865a87c45f72a1c4a91ce02db09

SHA1
c97a91b0d737fb888d2eb00f24aac9bb3911d71b

SHA256
91411faf7a84d2b9940e8bd8ed0b30cc1f296c76dc194b6fdc79815d5e2b2a75

SHA512
ea867e145b5b2a190be9bca573abd86368a64cb779d46ec9f830b6668e64aea0b92f849dba554316dc23d75d1c7ee99672a038e2e04d80998ce3d2acd52a99f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscO.exe

Filesize
157KB

MD5
7ea048dd77a1b9e1e31b995e1d03587e

SHA1
18dd5fca0c29e6f937480ff03399cf383ce487a5

SHA256
260459d0396af265db732a94ed416f903036f6d583a9830a3ec5b69f512a51e2

SHA512
95ff0580e757f12ada92109f6e433a63fff2ca3f622026e3af4d8a1551773579cd74d2011170a2ec7d980c4d654622f45ce2f1807d5c04f76bab533f559dcfd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\neEgAQMM.bat

Filesize
4B

MD5
85e4c5b3f81400c96cc3740d8be5848f

SHA1
cdae7b03827f054ff40f8ba6bf2c20b32d7c9305

SHA256
d2b68d7ca2dc526a6caec2a5e8c9850c4c92d5246f88590643a10436a188f609

SHA512
7aa45c8a6eeb64a1e9004a3a3d2a077ebd863845759f5738a0c35bece67752668de4c15cf1d9812ccd2bedf5698829b3bef69dd0c6bd2e74332b477642ca4430

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkAsAAAc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIgE.exe

Filesize
659KB

MD5
20ca8b94f7b2dd96e00d889d4d8630ad

SHA1
f3933f755e60ecf99f3ce6502fc3f3a08ebdcc5b

SHA256
10b7a2064060991bc68944397363136281a3ab59da090ff2090f8b443a4229e2

SHA512
495856b195656440905837e742e234112a3524edda4ad76420c753ee1f573654a6acc467ed260b680f562cd09a0ec3dc270a5cffd52b309cc5262fdf0dc69d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIoq.exe

Filesize
157KB

MD5
9f5debd54d506eaafab9dd4fbabbf2ed

SHA1
fbe1920d691dc6e65478b36f2580e811611bc85b

SHA256
df7b7a77f1e6f272797ddb300e621a9acd5cdbf5e8a7306ebf12e6a9ee3e8df9

SHA512
99846d6c6f48a70996b66aff30b0cc94da92b829233fd25284a6c21042bd72c45a7ac56df0af55a819c48875786bfa1d53e6aa8ebc9e40856bf17ef06e1aad64

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMIA.exe

Filesize
159KB

MD5
49d0216280aca939453a5d0bf8aa9087

SHA1
5c2b188effafc3cd5fa69fc8976a290f24fed940

SHA256
bb9a2e70279bf5b96bf577fa86a6d66b8f7a0a09b3ec8eb747a07f3fe8be27dc

SHA512
4d0ad79f26e8323f77983d4673b61c68d1d718b2d897ba25a059809a4617e839d3dce7fe8ac71f2cd9af99b9df65ba910118aded9f0f3e76a0051351f604046c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUAK.exe

Filesize
161KB

MD5
8ecef63be8d2061cc59a984421b43526

SHA1
1e08e010b1cdf8162c8ba33aca5d85575a2ee6f5

SHA256
012d87a47eb21d4a07da9111ff1ef97ad18a47e073dc71c428341789e4a5fa27

SHA512
fc74ae459e7c605fffb9bb58e5aa4b38fd2e1c0c2770f6def68a389b702f929a9dfc6ad4f22aa88ee3c10377e12abd494fc23f0201a296da674316acbe9c57e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYoU.exe

Filesize
158KB

MD5
30f975a930f631f533ea09b99539b66b

SHA1
1c4879a84d2f6b4d00029c7aa9e67c531224bbf6

SHA256
266bbd8dc16433cfba86d6a38e084b4f983fb222791e24b297380043a572ef06

SHA512
d6e1bfa557c8509018acb5a573dbcb295c298e789f785d695d413a78d44f5c60a016b6bf86eeb76615563866b7db3674567f291eaeaa24ccba2df740c93f72c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocIk.exe

Filesize
158KB

MD5
8980c653577f8a662c06ad57bc6fed41

SHA1
dfc647f7f79a42b12db0d9828ada0303343d0833

SHA256
c884e6d0f6e59dbeaf6452f720b289ea8c25f9e3c6f367ffa60b479266f5ed63

SHA512
3b8043f10d58649c0efa8f7791212f46c4ffa4610b27e5d26a3c921e1de916b1338b39db5c09241a047871317551ebd405873c58024e3983f616a8a24a38202c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ossI.exe

Filesize
158KB

MD5
46c49379b075fad9ad0cc5508638b54a

SHA1
367723ee8dc5b1cc58fb535f71d86c3828487522

SHA256
e885e2f75214171af66c1efb6f52c2ad9e1a9bfaa61c53abf436d65f78f88a63

SHA512
c062692d793bd2723b637d500f706fefcbb26e3d41fbe06a23d20197b693f77c93cb48b0767a511ec1d77dfa3076e0c642710627500945310101bb4b15921c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\owIQ.exe

Filesize
157KB

MD5
0aacfa9082981afbde201b50bb8ed665

SHA1
8cfa11366987f332531de635c2990b910b9c987b

SHA256
d845dc5d12dd9e93e55acf7068a2f19c16363c5b9ca60e49350521b6395c9823

SHA512
2c97b78e6252f7628a9b4e303bb870f3a82dcecfbe06d8878a6174e5d2161d649bed3201ca18cca6cffa67edf2a0393e3de7b2589407271836466cb00d104524

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAgYAMIA.bat

Filesize
4B

MD5
8bf6a6e6d79a8e751aff38fce8f77dbc

SHA1
34280c23c9b1008ab60b49ffd83f00eeed045f1e

SHA256
44a16c47c6833f1dbb0a45ee6e929c83402a35a48734b24c9f805f8a8b969223

SHA512
aad59ce44e92544d94a11690e05e497fea21e9ac5cb5c153964f6acec64ecd7fda909fa3ccd11c661ab20e7b2975a9bdc078c0ed69af823cc3bce52c7f5e247f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEMwocEY.bat

Filesize
4B

MD5
059750c12030cbde46faa2951583d4df

SHA1
89063ef4f31c9a1490c506feaf5a05b2c5b3f589

SHA256
b9b19adb551019b5cee8960c322215278144be1e0d501a217db729c75e665713

SHA512
971781a23d1cd6c6c699ab8b9fdb63d835cef6ccda42cd35075d04a9bff678f9855300534124d09c792e908a5d913ab5f04dce30f9d566f21f2dd5f398a49bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkQcIoAU.bat

Filesize
4B

MD5
90648735d2c69d6dcb7d8d528ddc139f

SHA1
b44bfcf74567e1f690e85a1205390da70640b363

SHA256
19f21d22cbda088739f899188492755ddaa1ec04e644de28c709387c28e344c8

SHA512
15c08272359f29ddc8e278ed88356f0e82846c88d9ecb677bd89308b92b0b318824dd02f3307bf1b81e6572bdb7cd170915adc73fc057192185118b45d9700b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwMgYEcw.bat

Filesize
4B

MD5
3d842af9a127c1af385cd5f147b2b860

SHA1
8cb96e2959e564d2a11e758f0b81851a81bd5b3c

SHA256
71627d144fc42c2eadb53cb56533eab50a0505dc8493a4513390dc6ecaf5f4e6

SHA512
ed9d9e27d0c92d008560fe5b886af0c9bf30a9776a4b27df12a1435f53e18524d59ca252df7be8b85fb7c72dfe3ad10959173bda645083c64f322ce30eec5b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAUW.exe

Filesize
935KB

MD5
b54919baef61334acd9d3f1f15ae74ba

SHA1
c20e7e9dd229e1bf6e40b077e44c7b9cff549081

SHA256
1eb9312235413589af9316a6be5233161bcf916bc758d151cfeb7729096fe79b

SHA512
929ba1e2960f905c91477c5b922649e02daf36cabda0757735621a4bca516ab6d4e5fae5c5f28cd71c3689e0b4cc4ae4e2dff3b189cac3131de8ee015ac8b1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUoIowEo.bat

Filesize
4B

MD5
af3bb3eca675b5d4e116d9b40d139620

SHA1
d109c830eb91b73864ffcd3b1741e335fd284b06

SHA256
879acccd5a03dabdf8202590acc6048cc929b746d19eba7d53d1f5a0f4e72353

SHA512
0f5d01788e6c2516e262fbdbc26d7f8e89f5725e8c5791af5c94d1a38c3e398abee2b8449ef265cc9b7ec55ecf76549c27c746e0d3989f5eeee9c119ad4eb3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYsa.exe

Filesize
156KB

MD5
47140bfc699e10ef4261131aead3eee5

SHA1
5f770036cfe389e7df0f833cd82a8b088f8bfc68

SHA256
ec731ce481240791dbce4ed80182cf4395371491c75fb09620cfed5fab5fd226

SHA512
52472fb78cf8c2072e1ff4287072475584a0399ec2c0cf8015614f7c15cf5eae4a7e2106f7cde3fd9935067d2c655cfcd7c93165bda219cd2766556cad712dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQwIYsoY.bat

Filesize
4B

MD5
81445458994e2b06cb33166c2fd67c77

SHA1
91204c3f7e51a80c4d24b0d2a6f3b86a36845885

SHA256
a210aa405e1c9c5fd7c5077a7cb4e932c5570d042b7cb4ac057e7ea9779f4698

SHA512
4d9e5effae4ca9a9b2f6d2793ea4ac2c7eacda702edb9a12028f6a9c591c56c79313e9b3915b8dd7ed0188acba8e8388d7ba367f65fb54a26f7a2d7dc7368b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rSQkMQkA.bat

Filesize
4B

MD5
adaa488991143928bb6fb10e1f804a13

SHA1
e1991c7cfa597abee84e3e491602cecb4361b404

SHA256
7538b6c1014491c338bcf04645a34b1c0cba0dd46cb3fb858561d9a8ed5ba20e

SHA512
4a6cb5daf628610a9542c5ce083e73360454368fac0cb7e3265b5a9cb55ac06ca515c887a987976afafaeeee1c25837e428459a8306055f80274753f91f787d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\roMAsMYo.bat

Filesize
4B

MD5
24c8713c3c3cb6c6b5fc2d9d62ade933

SHA1
400618a52b9ed4bf6cb6fdce42298cb9d9db7451

SHA256
f1045cce7b8b28b6a6fd25906dd695869fd349afc178f27d995a7c3d964d9ceb

SHA512
56ce9154945b2edd0916dabf660b4f34e59b38d9649ba7b5cc52267f73913bdc1efbff5dc750fb37d7d241232ccb3b5dd296d70543073e0d54902091f85383be

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIYgQMoE.bat

Filesize
4B

MD5
82bec0f014c461356bf762fbcd1f1e70

SHA1
fd929c727c91e5c985ec3a573e197d8ad8564ebd

SHA256
25855e58c4b90312241bf53b46832f1c28ced8abf7d9202d4b77e98a37aca40b

SHA512
3c1a080adf4c4fb7dde725dddf4a9577db77043c8a7e222c7d23ad012df638e65f9489b08e9281dacf2f3d5e53f5a339e74de7c8c6a9f4e5a78ee3dad8d4c155

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMIS.exe

Filesize
735KB

MD5
89b8ed286fcaff4e8299432143b6c5e1

SHA1
67efd682637500da2761ce2d3534de613072b634

SHA256
23ad2364fcedbc3284420efdd7ad132b5b594b3424736c03caedc728c6e51128

SHA512
3dd886094f01e3352077158f2b839d8f4176a233231221253fec0410e25920395c1f511a5fdbcaca6d75e00ae6e3339a93a7ad76593ef14bd2884248da15c6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sScUIUQs.bat

Filesize
4B

MD5
8a751396645ea4da2031dbc801e879db

SHA1
17c7eaa67ac64a97584ccbe2c367cf2a3ccedf38

SHA256
1eea79fb131141918c8c0b0bb0221b8d47b744478843b3741db87bc8eef79fee

SHA512
ccf5996322a29d6c8e0345d60c1378345b5a3b5dec380a4f36ed0f08405d8c59ec2c15fa634792adda75d2cbe6935d5c43109d5094a8534a034bba48506f581d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sckk.exe

Filesize
557KB

MD5
1a10c3adceee514fc40b30d9b5370873

SHA1
79c436ab0b9f7b396cad0afac42219fdd96779a8

SHA256
446b9fb553687b0fcc0f38d61c11a203296c8a4994d168f79ea0e626f81afb75

SHA512
5a304d7cb89385e7506996d0d06d9f60576d2a1f3a647680f2729ca03233bd2e42e592abbe24036acc62b61a99b3a60981f6fa593a715ed4e967d6c12c1eacc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgcwAIAA.bat

Filesize
4B

MD5
c3849457851b47722a37411db9839ca6

SHA1
250cf78b56803f96f4bd99e66ae29de22e878684

SHA256
1f3fb9d0272921f7c457e9f899a93a7bbe3563ca7415073a48af6b7fbba23e55

SHA512
e248db4ff8cc6803083285e17bcf0097ec8e9ec4dc8ef397f39c8305fe2f694bff71b49a77fdc30202f3dda3efade2c9ac44268ce6246bda511b58cbe2031622

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgwm.exe

Filesize
160KB

MD5
1cf0a2970ec6354b85e5dd27f92e3b44

SHA1
0d4e607b6540f97cdc3df22c420df31fb692ad7b

SHA256
66bd0b08541f715a1741c0891d1c8cb19176c352e8ac6f5ce679f93c7735a9f2

SHA512
4fc476b7d15e5a17fc46929d530f250ff89593dbd881858527d389681fe2aa95930af622727c36c9b8f84acf6def8d121703c0710b6c93e032fd002c974756b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\soEu.exe

Filesize
313KB

MD5
f52260ae99bdc716d31ed63f4feb47a0

SHA1
55c68bfd90dcacdc2cc85f0c7887f95183036b5c

SHA256
1e30cf3cbf6c2378084c762ee3be38e0eada767b21244cabbb06921c7e7dfd15

SHA512
c7c13e733e720a7077b5267fd24c1ec253c51a7d5c178dbe999beaba75ea8b7f05c3b3ef907e63f033673e9bdc02cfd3c322274d0590883ba1e68db87f9b760e

Download Submit
C:\Users\Admin\AppData\Local\Temp\suIwsEYM.bat

Filesize
4B

MD5
437f65f885f33e0477e7c51640c2327b

SHA1
d96cb53201608b08ad1b7d066d409ce416c6118c

SHA256
6e17bcca1c853f4e55b647b649c0a57dd81b5f6d7a836638c964afdbe4ad39ca

SHA512
8b4f579efdc7c1683c06f6081e5b52eff0e802320baa0a6537d278e9ea0700731bae323a5de76e925c854f60b9c8c72ca69fb73fc6949f9ce8328ebecf1557a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYUwUgQM.bat

Filesize
4B

MD5
3275d3c24cd129d310347eceba258275

SHA1
715fd25a3317b982795f29f1709e019c9d941c18

SHA256
f5e290d04c8c098830de8d5ef342056a8b43a879e7522ca97812a5c8af2fbdc5

SHA512
eb46a904815634a0cb35994add5f1af1abbffe3a8b85f05491e81cb4592c75f768e7ed70df4fb85da2bc40442ec0188ba3e83178625272829ad4d26a396240ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEws.exe

Filesize
153KB

MD5
876f4498fad74d6c3997c779974d18d8

SHA1
2e171eebab7cf0161866761179711f41f7d82034

SHA256
d168240fda6a284e535f2ffe7810841ef9bfb5c350264ca36d3f6d0b783c2fbc

SHA512
8326d3196f4bdcd8a59222ded7792a8c95aae8a81dafaa412943be5bab7635166bd4e1043bded4dbb4c29e69ee97de314926747287f9dbb1aee0c6423f85eaa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugcc.exe

Filesize
160KB

MD5
9c461eccb14bd2b3e190727cdadc7b05

SHA1
3a5d966b5c7b252be919eb949a5a1a159cd9ac05

SHA256
220913af999f70e1e60f8d18940be7e635a22ef77dda48bdc573df9428a7fbba

SHA512
baf3a6ae774ff7c023838c86f38537f0662d15190a940ef49480a5535afc61d5e3a31427c30d15f8184fd71343ebfa79448a3c46763d56444feb1179456edb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqQwsIkE.bat

Filesize
4B

MD5
956997d5253bf8e169b5cb62b95056e8

SHA1
c6428640b291720eae4cbf6f52aa811da9459212

SHA256
75a4a1ac4d1bc4bb1ed5fe80ae257d2f60f2977949338d3251bf297c8c7a82ca

SHA512
da37b4d925c45d896fa3f206f4c80ab09b0494f180f665bc452cbf9eac089ae86e717804354fd3156fb8a7afa8ef1b6a199e3923b1ba707043064c14e2af29b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsMckoIk.bat

Filesize
4B

MD5
38c1e516ac00f9fc3142062087b37aa3

SHA1
c59476f1c380e48c5c5d680332e537b8471cbb0d

SHA256
22b631bcdac1e0a11f3ae6d57d5b8a8981516c9fdfb61ef3d4ddd9c5c7405104

SHA512
0d68116ae6fba4e863005139a62c36c30718fddac0a4a79f12ecf50c6ee880bfa514517b6c363528f1e13a512007e0a8353523cad62a5390fec9dcff35f896ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYY.exe

Filesize
1.2MB

MD5
1a5410e621eb529e9acf1000def862fa

SHA1
d618a49d513bf44a6f38d4774560cbd4d8b4d8c7

SHA256
9c0348ab943e648e3508272faef81af462e1b19b50ec3f0cedb0ce63a35db16a

SHA512
3c44c8ba8e3d9905e84a806c92af4ad0cd2b1966ee9b27c7e38d798bca38120b1f88472f81975e445502ce324631a0321f3d94f3381df5fed59ec6b20e2889d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEAQYUgU.bat

Filesize
4B

MD5
4c0859f383935be657985c9b141fd8f2

SHA1
efa6f1c11febab08f3c38fb3afd1b46d675a86cf

SHA256
db91e3181c7ef0a1d3f11c8d8323770962e84649a6f8905aa4109e1327dcab6c

SHA512
c899b89c1ea81212c45fc257d3aa8d849da62776d91aad66891931ad6b9e698a9e20987621b03de55454b15de91cb2f5e053060bf4ff2aa8d06c2de96021194a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQcQ.exe

Filesize
160KB

MD5
128391fdb3b22a20fbd22a01b512e4ee

SHA1
6dcdcc4ca57a1e0ca3bbc63dfe3f8c54f1b33518

SHA256
d96f197ed6ff61a3a5c1ca09e3f459ca7a41702669b8f9b7e65a0c85eb788237

SHA512
1ddeb4fc680dbc25baa8d3591b1cb04ca8312da2961e78d9e5ecde1cac05bda05a47f7ae5522fa5aab7f8706d578bef053fc2c63ecf5e94e6facac51e874c1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcEO.exe

Filesize
160KB

MD5
1598a5acccd6860bb467ce89121c5f00

SHA1
dbd91a1d2061fbfba9dae63ca61e75f33922bf79

SHA256
17a9dab045f84f4278cdd3d48237826af3c02acf32bee1aabeb8ced8b1306e55

SHA512
029a3aebf1aeede7f77bc44e20d64bbd5fa2de574b0c641ef8d252e54a7125af65b8b5fa0e103dd091a1ba091c6172ddd0aa8e605958bc843f904b2d74038510

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcQo.exe

Filesize
161KB

MD5
f774513e3fd849078c87596842485d16

SHA1
e98dc0661f2c79df71da1ae12076aa41978a8428

SHA256
b39018dbf00f4fb215d7bba30db44f7c36b274bd0812855ceefc9becb7931fd1

SHA512
b5ed1efd4fa44ba0666a9890956b834bf094c7ba6bbef9472e11d53334939e6016e66dbd359a349ccf3d3c0170130229ca99eff63427a61c38eb04df441e1758

Download Submit
C:\Users\Admin\AppData\Local\Temp\wccq.exe

Filesize
159KB

MD5
d394d70a1f4d4eda9b130c0b1aba150f

SHA1
d64c5a3e1c45d2d36d115d017b0bdbc35576992c

SHA256
0181b4627e6e5604ea423bea468d3a7eb1197d5b8644d90385bc103c56d9971d

SHA512
d14a390179860ac328734861b4e3deff85c52973f5abcba85eb83c78d0385a1095fcbcdcc3b824c77bca23baaebd5827a6c73634461f69104ee1bd80d38919bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgcIIkgw.bat

Filesize
4B

MD5
4871b40833a040e4fb3403addf53edab

SHA1
c9b9133cf3cc748e9dfe414e76b0f84ba1973930

SHA256
5a34f876d4efb3caa632150cf0b2821394a5984a04339dd880f4980ff8b5b3fa

SHA512
0b64e05e5d82d0e925ace9cc28e744c74bcb502984c5977c3420492ba4ea108aebadd9bd651b57efa9b705cf3adbe6d2adb0b8444491294eb7584a456db275f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsQQEoIA.bat

Filesize
4B

MD5
2da380da0a353016942d3ce668ceec86

SHA1
ac4bfdafd4a03a38efbd17794e06bd6bd02de608

SHA256
877e30af38fdff7ea3ec511bf744e54f1885aec884faf99e5b19c4f46d7c8479

SHA512
0d89fadc84eb3373a07aa0f38aa66a4187a9d110a0a4fc77c6d822fa20e9570352dc1fac8b6afd5d2fceb0339a857488e62adb340d7617ebdba7181b472649c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwci.exe

Filesize
160KB

MD5
ea9a5f4b09a5f344834e19e39fc1a6c8

SHA1
54a724961cea85ebfd659f32657edf0cfcb38d60

SHA256
73eabb5ea21dd4974b58d68be47c171c22ffcf0672cdabe1bedca29edf39008f

SHA512
57b5421eade7ab1c6648ca701f2b9cde7b4feb043e3528695632dbbb8831b73557e54fe6ed5817116564cc69870b1946f6ea71cdbd9bb0f16289124a8a572aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwoU.exe

Filesize
160KB

MD5
f977b144c7ceda0b2117458be86108f3

SHA1
f4a08c8a4234b72d7d92e916f2ee09fc55ff7246

SHA256
71e552f5c5c54eba2acfe9ffcbbe7696eae4837567cac48bd764f6a0623e9595

SHA512
51e393fbd79377646b0fe1072ded4d0c06b768142e37920b68436b72b99e3af55e67583f23b488ebecb796c0ca60533e58fd5bfbfdb6de71543160d69357a1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIwQwwcE.bat

Filesize
4B

MD5
9df0b6a5733ba0dc83568514dad3709e

SHA1
a9acdf3f22e38ccdac129999ee3e0656132bc619

SHA256
2b73716c75c6838bf38c669390c1b63efc3e5e236af76817c207e4a7bd1936e6

SHA512
a3e78395998fde7af325cdc111ec8205297af46374a0b1a91f7856997c08d9e775304dc2f96a5dd9ccb68af1a884b4bee21a8ea32a17025e1dcc526c058a20cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWUIYQgY.bat

Filesize
4B

MD5
5d9ac5116a3294e4cf165e0b86517de6

SHA1
af90e6d436ea798d0c282af09a97bd70889c0c19

SHA256
4881f4e551a6a4bd9604efad8065f57f4a786857d6e61d333681921001384a48

SHA512
ca348dda87853e2bf04d7489fff2eb6d339c14185766b4ac8ccecd977e9865f91e2295fb0e1a034459300b1e1cf74a43f9986a1124c21a2189ffe6bb3b2bdd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMwC.exe

Filesize
874KB

MD5
06789d5ef92f17dd43be1a9f73d806bf

SHA1
792ddd00598796400cda6f4c4970c055d553c8c7

SHA256
bdf6298f1e0af7152df1780b9b1a381ab75f5224dbeac312762cbd9759c0d7a1

SHA512
e9d5749f9bf399fbc4312d6ec25faee7676b962d824b5d13e56d45f614dbcd0712c31b69cc7d06399ad1fff46a120d229dba09ada85e61cfd68d3d0da7bc7f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ySMcwUgM.bat

Filesize
4B

MD5
cdd40bde28b4fa510288ab92ce3870e1

SHA1
06ec5d6be66eabae5b02c40b697b81295061ef32

SHA256
bfbb331791af00c3abc88f92b1b00385b253fcf54d97eb99774ab93fe5adf67f

SHA512
0f072c0d82bb93e4af1f3bee28734a5969cc545a46ac1b092df6bf31b4e2c92f213105edb09613412050f1c93c91b29d401a3883f89a002c37bd383b0ea82b80

Download Submit
C:\Users\Admin\Pictures\ApproveConfirm.bmp.exe

Filesize
813KB

MD5
ef684d2f074b8a3cd3a0e45a3c1eef3b

SHA1
b7f63f876c35c1a0e1f6981aea40ed7d21c22ad3

SHA256
a22feabc82199fdabecc47cbe510d1d0f089dffad11bcd21b18de2b4d520f33d

SHA512
1eb59e5ae198faaf3a35ec769b3390e0c38b4f7a3f1d87ad7e88ac97bdf873d031183bd8eb6c4a913baa9b2d4aa1dbb9e9f159d114b81a8c35efa5ceaad83932

Download Submit
C:\Users\Admin\Pictures\DismountRepair.png.exe

Filesize
1.4MB

MD5
b2c964fc7bde2c5b44da8c8184ad4fc6

SHA1
0ac59081b46114536ef8e630dd6c02ed134487ad

SHA256
8cce05f748eb5e85686870758eaaa9d17b70ef31edfce06b2e9d65d0ae1f99a8

SHA512
8788510ca3dc335d6f6cc3facc4bf902a944ce21b124c342c6ad82550959b28799849c2f41b96205b09406701918706829a8fbd5e8866cfcfbe8cff1e3c641e3

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

Filesize
871KB

MD5
da85e6532c8ab0046b27d7510ff2a91b

SHA1
40eaec0a4e16e4c4d3f38f25d4cb5e35c2c4673a

SHA256
7170ba45bd49bea11028feeb195a8eb1da23ff9713bc5b11ff1c1c559808163b

SHA512
79fe8cb4aca1bfc547aae1373fcc03f82f7583fa4dd2659ef2135f6a7908e0d763f4fc65b725d1d15400f32b19adfa2689820c6f0410611f529f36c0f02bf9ce

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\Users\Admin\UmkgUYwI\cGAEkwMg.exe

Filesize
110KB

MD5
86adf7f7ae4a85df2b387cbb904d295d

SHA1
6528314775d832ce133cf8fde3c2e6a25bd99ed6

SHA256
2fcf009fb70367ba91a010f1879ae520e1a2b93121701c6bd8d8f5bbc162865d

SHA512
7c5e1ede3a8d5a6a307ea9d64021bebc9d497d0122d5adb9ee5b8b1a331a05126d5a801cdab84e200597e18480092e0d62055a04ec0a98e49ecf9a7aaf904c7a

Download Submit
memory/572-2027-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/572-2028-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/588-1570-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/588-1569-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/596-707-0x00000000004E0000-0x00000000004FF000-memory.dmp

Filesize
124KB

Download
memory/616-417-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/744-1942-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/744-1943-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/780-373-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/780-109-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/812-1290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/816-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/836-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/836-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/848-122-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/904-2038-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/904-830-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/904-1944-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/936-2180-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/936-2181-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/1212-1501-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1436-742-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1440-974-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1488-1281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1488-1414-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1512-1641-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-2194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-2098-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1596-253-0x0000000000580000-0x000000000059F000-memory.dmp

Filesize
124KB

Download
memory/1600-1391-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1600-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1660-1268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-852-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1860-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-1196-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1888-1502-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/1896-351-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1900-1596-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1912-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-1956-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-1862-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1944-387-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1944-386-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-1793-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-1794-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2084-2096-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2148-131-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2156-1884-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2256-1069-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2256-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2268-396-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2272-32-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/2288-1205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2308-2029-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2308-2109-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2320-1738-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2320-1737-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2324-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2352-1861-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2396-100-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/2396-99-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/2416-364-0x0000000000130000-0x000000000014F000-memory.dmp

Filesize
124KB

Download
memory/2480-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2484-2182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2532-17-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2532-22-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2532-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2532-13-0x00000000003E0000-0x00000000003FD000-memory.dmp

Filesize
116KB

Download
memory/2532-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2532-12-0x00000000003E0000-0x00000000003FD000-memory.dmp

Filesize
116KB

Download
memory/2536-230-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2536-231-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2536-584-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2616-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2616-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2676-330-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-86-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2712-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2768-1514-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2776-1571-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2776-1663-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2820-77-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2848-483-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2864-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2896-1405-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2924-1816-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2924-1739-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2956-299-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/2960-461-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2960-606-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2968-447-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2980-939-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/2988-1751-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download