b098e7888d8952873d9c7455f548313596c775eb6dfd30f3971ac5671f61b5cd

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 17:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Size

209KB
MD5

bd0b4c1285f94222c22c6acfa4dc9384
SHA1

056a7c7c8e33a2adf4789ac00f59c35cf3c4e783
SHA256

b098e7888d8952873d9c7455f548313596c775eb6dfd30f3971ac5671f61b5cd
SHA512

561f87b8191a100965b1cf92fbb99cd79d64f69ac8e20ad76a8b0cbe279885b5c6e1519046e1242e72576932aebff329994dd64d22f2d4fc6ad1d23e1d41afaf
SSDEEP

6144:nbbgxfwyn8Lqf2yb6TfJBMWe4dD+1zuaTd7OrwmdsHNP4G9N:nO8LFbQuxMyqJ4GL

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Renames multiple (56) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\International\Geo\Nation	IEcoAcUc.exe

Executes dropped EXE 2 IoCs

pid	Process
2716	IEcoAcUc.exe
2796	LYcccYkY.exe

Loads dropped DLL 20 IoCs

pid	Process
3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEcoAcUc.exe = "C:\\Users\\Admin\\JcsQgQIA\\IEcoAcUc.exe"	IEcoAcUc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LYcccYkY.exe = "C:\\ProgramData\\GYUgEcgs\\LYcccYkY.exe"	LYcccYkY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEcoAcUc.exe = "C:\\Users\\Admin\\JcsQgQIA\\IEcoAcUc.exe"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LYcccYkY.exe = "C:\\ProgramData\\GYUgEcgs\\LYcccYkY.exe"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2928	reg.exe
1136	reg.exe
580	reg.exe
2468	reg.exe
2416	reg.exe
2316	reg.exe
1680	reg.exe
1472	reg.exe
2412	reg.exe
1536	reg.exe
2740	reg.exe
2436	reg.exe
2020	reg.exe
2544	reg.exe
1936	reg.exe
2132	reg.exe
2732	reg.exe
2216	reg.exe
1360	reg.exe
2640	reg.exe
1544	reg.exe
1660	reg.exe
1764	reg.exe
2084	reg.exe
904	reg.exe
2416	reg.exe
1896	reg.exe
540	reg.exe
800	reg.exe
2708	reg.exe
2616	reg.exe
1468	reg.exe
2584	reg.exe
2696	reg.exe
2592	reg.exe
1020	reg.exe
404	reg.exe
2544	reg.exe
1756	reg.exe
2788	reg.exe
2908	reg.exe
1500	reg.exe
380	reg.exe
2164	reg.exe
2128	reg.exe
2092	reg.exe
2052	reg.exe
2156	reg.exe
2176	reg.exe
876	reg.exe
2800	reg.exe
1936	reg.exe
1224	reg.exe
2572	reg.exe
2964	reg.exe
1132	reg.exe
1972	reg.exe
2620	reg.exe
2592	reg.exe
1920	reg.exe
1980	reg.exe
1476	reg.exe
1416	reg.exe
1000	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1876	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1876	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1332	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1332	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
580	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
580	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1008	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1008	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1744	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1744	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2488	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2488	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1656	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1656	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2460	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2460	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1272	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1272	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
880	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
880	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2412	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2412	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1468	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1468	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2772	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2772	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2744	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2744	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
848	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
848	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2904	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2904	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2740	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2740	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
928	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
928	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
904	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
904	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2488	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2488	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1416	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1416	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1916	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1916	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2692	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2692	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2720	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2720	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1864	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1864	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1772	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1772	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2488	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2488	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
848	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
848	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2584	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2584	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2736	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2736	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2716	IEcoAcUc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe
2716	IEcoAcUc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2716	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	28
PID 3068 wrote to memory of 2716	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	28
PID 3068 wrote to memory of 2716	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	28
PID 3068 wrote to memory of 2716	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	28
PID 3068 wrote to memory of 2796	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	29
PID 3068 wrote to memory of 2796	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	29
PID 3068 wrote to memory of 2796	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	29
PID 3068 wrote to memory of 2796	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	29
PID 3068 wrote to memory of 2908	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	30
PID 3068 wrote to memory of 2908	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	30
PID 3068 wrote to memory of 2908	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	30
PID 3068 wrote to memory of 2908	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	30
PID 2908 wrote to memory of 2372	2908	cmd.exe	32
PID 2908 wrote to memory of 2372	2908	cmd.exe	32
PID 2908 wrote to memory of 2372	2908	cmd.exe	32
PID 2908 wrote to memory of 2372	2908	cmd.exe	32
PID 3068 wrote to memory of 2604	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	33
PID 3068 wrote to memory of 2604	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	33
PID 3068 wrote to memory of 2604	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	33
PID 3068 wrote to memory of 2604	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	33
PID 3068 wrote to memory of 3028	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	34
PID 3068 wrote to memory of 3028	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	34
PID 3068 wrote to memory of 3028	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	34
PID 3068 wrote to memory of 3028	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	34
PID 3068 wrote to memory of 2624	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	40
PID 3068 wrote to memory of 2624	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	40
PID 3068 wrote to memory of 2624	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	40
PID 3068 wrote to memory of 2624	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	40
PID 3068 wrote to memory of 2640	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	39
PID 3068 wrote to memory of 2640	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	39
PID 3068 wrote to memory of 2640	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	39
PID 3068 wrote to memory of 2640	3068	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	39
PID 2640 wrote to memory of 1872	2640	cmd.exe	41
PID 2640 wrote to memory of 1872	2640	cmd.exe	41
PID 2640 wrote to memory of 1872	2640	cmd.exe	41
PID 2640 wrote to memory of 1872	2640	cmd.exe	41
PID 2372 wrote to memory of 2460	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	42
PID 2372 wrote to memory of 2460	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	42
PID 2372 wrote to memory of 2460	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	42
PID 2372 wrote to memory of 2460	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	42
PID 2460 wrote to memory of 1876	2460	cmd.exe	44
PID 2460 wrote to memory of 1876	2460	cmd.exe	44
PID 2460 wrote to memory of 1876	2460	cmd.exe	44
PID 2460 wrote to memory of 1876	2460	cmd.exe	44
PID 2372 wrote to memory of 2664	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	45
PID 2372 wrote to memory of 2664	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	45
PID 2372 wrote to memory of 2664	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	45
PID 2372 wrote to memory of 2664	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	45
PID 2372 wrote to memory of 2508	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	46
PID 2372 wrote to memory of 2508	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	46
PID 2372 wrote to memory of 2508	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	46
PID 2372 wrote to memory of 2508	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	46
PID 2372 wrote to memory of 2200	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	47
PID 2372 wrote to memory of 2200	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	47
PID 2372 wrote to memory of 2200	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	47
PID 2372 wrote to memory of 2200	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	47
PID 2372 wrote to memory of 1708	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	48
PID 2372 wrote to memory of 1708	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	48
PID 2372 wrote to memory of 1708	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	48
PID 2372 wrote to memory of 1708	2372	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	48
PID 1708 wrote to memory of 1508	1708	cmd.exe	53
PID 1708 wrote to memory of 1508	1708	cmd.exe	53
PID 1708 wrote to memory of 1508	1708	cmd.exe	53
PID 1708 wrote to memory of 1508	1708	cmd.exe	53

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\JcsQgQIA\IEcoAcUc.exe
  "C:\Users\Admin\JcsQgQIA\IEcoAcUc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2716
- C:\ProgramData\GYUgEcgs\LYcccYkY.exe
  "C:\ProgramData\GYUgEcgs\LYcccYkY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        6⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        8⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        10⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        12⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        14⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        16⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        18⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        20⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        22⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        24⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        26⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        28⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        30⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        32⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        34⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        36⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        38⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        40⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        42⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        44⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        46⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        48⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        50⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        52⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        54⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        56⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        58⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        60⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        62⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        64⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        65⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        66⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        67⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        68⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        69⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        70⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        71⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        72⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        73⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        74⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        75⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        76⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        77⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        78⤵
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        79⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        80⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        81⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        82⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        83⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        84⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        85⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        86⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        87⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        88⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        89⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        90⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        91⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        92⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        93⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        94⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        95⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        96⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        97⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        98⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        99⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        100⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        101⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        102⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        103⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        104⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        105⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        106⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        107⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        108⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        109⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        110⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        111⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        112⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        113⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        114⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        115⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        116⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        117⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        118⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        119⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        120⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        121⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        122⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        123⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        124⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        125⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        126⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        127⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        128⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        129⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        130⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        131⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        132⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        133⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        134⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        135⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        136⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        137⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        138⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        139⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        140⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        141⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        142⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        143⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        144⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        145⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        146⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        147⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        148⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        149⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        150⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        151⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        152⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        153⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        154⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        155⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        156⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        157⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        158⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        159⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        160⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        161⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        162⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        163⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        164⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        165⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        166⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQoIAAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        162⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        162⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LooQcYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        160⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        162⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        160⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        161⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DGQcoIEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        158⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        160⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        159⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        160⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        161⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        162⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        163⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        164⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUYMQYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        164⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUsUAYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        165⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        165⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        165⤵
        Modifies registry key
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        165⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CMkoYAQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        162⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies registry key
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kUoQIgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        160⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rIQgEMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        156⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        155⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UyAkwYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        154⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        153⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMEsIwQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        152⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        154⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        151⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        151⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSMQkgYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        150⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oegMAkEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        148⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XkAsMoAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        146⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies registry key
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        145⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jaIkEIEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        146⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pkkIYsAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        147⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        147⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        147⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        147⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        147⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        146⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\meIYsQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        147⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        147⤵
        UAC bypass
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        147⤵
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        147⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        147⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOAMgkco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        146⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        146⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCMIkIYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        144⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        143⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xeoYAkkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        142⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        143⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGUwogQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        140⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yGwsQUoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        138⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MgEokYwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        136⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yOwkYUYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        134⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCEoscck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        132⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tuEAUwMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        130⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lsccgwAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        128⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        128⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PakEQUcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        126⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NeEYkwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        124⤵
        
        PID:360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aisUYwEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        125⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        125⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWAsMQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        122⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mgIUIEck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        120⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WIMsoUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        118⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kykQEYUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        116⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zuYcEkoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        114⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAEgkYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        112⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BYgoIYgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        110⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FewMcgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        108⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMMsEkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        106⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMwgYoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        104⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        104⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\scQYgMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        102⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cAUMEwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        100⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BqMkcswY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        98⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\doQwUkoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        96⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        98⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        99⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        100⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        98⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\figMAYIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        94⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        93⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AsYQAAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        94⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        94⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dOAcUoEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        92⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JoIUAYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        90⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuIMMccE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        88⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wcoMIAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        86⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWYQQgss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        84⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        85⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCIwoUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        82⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGIwQYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        80⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fosAwMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        78⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hqAsUgMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        76⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgsMkwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        74⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSgEoMck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        72⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQMEYoUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        70⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iSUkcoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        68⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWkgUIEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        66⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DwQUoIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        64⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PuwoIAow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        62⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIAMQgww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        60⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCMUsMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        58⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ASowcUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        56⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AcsIUYsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        54⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OwAgAsoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        52⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        51⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqcsoUog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        53⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        UAC bypass
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        54⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        53⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        51⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\woYcoIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        50⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lMoccwAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        48⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zCIcYQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        46⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zSAcgcIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        44⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEEgEEAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        42⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aiwAIQkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        40⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mkIUAQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        38⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMQccgMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        36⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        35⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        36⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WIkMAgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        34⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSgQMQwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        32⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUwMIgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        30⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vmokgYow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        28⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        28⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        29⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        30⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DskoAosI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        32⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        32⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gcAIYIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        29⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGoUsggU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        26⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\looIYEAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        24⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUYYgwwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        22⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gIUkMYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        20⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wUAwAIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        18⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SCcAoEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        16⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkcAokYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        14⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwEsckIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        12⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VkEocgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        10⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nyEkwwcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        8⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:960
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1712
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2256
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYEwsocs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        6⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2092
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2200
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\suIQIUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1508
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2604
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMUkIUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1872
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2624
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
    3⤵
    PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\xywQkowQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2336
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aYosYsck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        5⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2932
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1676

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\pcUUQQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\MgYcsAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
    3⤵
    PID:2880
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:880
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2572
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:1808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUUsggoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2784
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2252
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1684
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:2204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\eswAokQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:1980
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1672
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2580
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:1256

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
    3⤵
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
      C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
      4⤵
      PID:1004
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
    3⤵
    PID:2080
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgsMMMYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        5⤵
        
        PID:1284
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:872
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        5⤵
        
        PID:1632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2592
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1972
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2664

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "428068528208472825-568709528-133081020-9908858864729060311344520539814315845"
1⤵
PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AuEwscgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:1720
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2488
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2164
- C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:2176
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\LOAcUMsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\PSEIUgsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2996
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
    3⤵
    PID:848

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:1360
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\kGoYggsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:268
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:872
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2748
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1980
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMsEwYog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2404
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:296
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:2460

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\REUcEwsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
    3⤵
    PID:1976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1319761701840483021-1819446770-18832328051517751414-20407921648706235891724943358"
1⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gSkwQAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
1⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:1680
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1004

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
    3⤵
    PID:856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\hQgwYMMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
      4⤵
      PID:996
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PisQUUYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        5⤵
        
        PID:1536
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:904
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1868
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIIEMAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        5⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1920
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:2876
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:2788
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:780
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        5⤵
        
        PID:1540
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2904
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQMwwgMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:1204
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1884
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1112
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2588
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  - Checks whether UAC is enabled
  - System policy modification
  PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AOAYoogQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2536
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:904
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:916
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\yEMcIIMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\dCoEIMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:544
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
      4⤵
      Checks whether UAC is enabled
      System policy modification
      PID:2636
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
    3⤵
    PID:856

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\cIcccIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:1472
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:968
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
    3⤵
    PID:336
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\XaQwYQYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2196
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
    3⤵
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TgwIAQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2592
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
    3⤵
    - Checks whether UAC is enabled
    - System policy modification
    PID:2600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9854685031070654918-945529757-2048436165-75451547417007521011265972857-1832681608"
1⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\aeoYwIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2040
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCsMQIQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:704
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1543084838-21101741541730890181-206606333929483618-6377187711898712013-83151165"
1⤵
PID:2424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1513065635-537369121-958060099430205547573506711210622409-7132645201600979984"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-138757958-7835647314331824066695097371686594581847916460-677864795816091378"
1⤵
PID:644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AqsMgEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2808
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2012
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2544
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\MCYEMoYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
    3⤵
    PID:2124

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
1⤵
PID:1468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2880
- C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
  2⤵
  PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-312946543-1647489690-677873272-4309053531684291745-20304630071942123493438617917"
1⤵
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-178225210-11209925321156828-84738299-1658050273-13299506571708331015911749225"
1⤵
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-629466598826567754-215911180-17180428121820034257-2095929765399360984-1350814289"
1⤵
PID:1816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1901257313-943425286-475252798-110287282-1560738869680477497736374272029555976"
1⤵
PID:2648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "500579530-20982948191309886912-2108654504-832345024-1769998405-223961362-463719971"
1⤵
PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\juQoQcAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2396
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\OAIYQgoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2892
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2676
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1999107848528867352413285156-16235984001183373664562639348-11314761861937582357"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5805789871210137545521101254-6525631389619842766093046381572589795-1239025220"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "521267729401458586-160481306-599257757444924448-491852784159366910-1892342657"
1⤵
PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LosEUcgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:3004
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2052
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2356
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\eMAIcYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:996
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYMksccY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
    3⤵
    PID:852
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
    3⤵
    PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SsEIwwkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
1⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "871303631-508324370933746361810406014-719585195-1105964460-1184297501618672392"
1⤵
PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAQcAsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2128
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:448
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2164
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5990777781091048140-898703538440143668514340-7740161972681468721029272978"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tIAAQIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
1⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
1⤵
PID:1476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "566350745-126323091213475977931958335465-9282223231580373788264675861234242872"
1⤵
- UAC bypass
PID:2208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "90593950-1435113641120945919-1255496451-3703473198586436285788692201840265301"
1⤵
PID:328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1033126639-139062791751705765-1290933317-158228765711896317111416952760-1060325005"
1⤵
- Modifies visibility of file extensions in Explorer
PID:868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1049569514-204426487921070174811271329923-101141839438259793115623141831176790094"
1⤵
- UAC bypass
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-61073313632503460-1744356327183943263520534801301007286223-16694005111420147836"
1⤵
- UAC bypass
PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkkAgUgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2092
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2488
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2592
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:2336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1133239418-1074935682-2060095829-1092650601146552222-624426026-168824646288122433"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-348429974-1286889461-10502062231526963726-1564584750-826296055-1995429960598453228"
1⤵
PID:2096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-583332937-1303016817-11977384972119948060-857114826-144349873320075779161194381099"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1579970091224881854-1905935595-690834602-5140879532072927489-5469268951475163769"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1807492171895282299-151658152211636651691093732920-72051028-1221111641-1512188408"
1⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgUkIYEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
1⤵
PID:1412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-910209339352749379-1731065881-162759421-327046805-1754599207-1832890441-223132842"
1⤵
PID:1004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2099470146-9974063301124120487-1656707313-804848091-1861409550-1281133214688597935"
1⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1284
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
1⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lMEIEcso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
1⤵
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15135598681781668709-14508258711458943029-3417885131790446766-164776772-268340284"
1⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "768726502-1939612549-752032781-943330320-612002619657960554-30736494483171539"
1⤵
PID:1908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1167066681-95629055711995201891604064791-1393561667-14911210761048363918300279195"
1⤵
PID:2832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1470946572-15907788531552425627-1138414419-861709229-1322865580-980431804193272174"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1015348206-1875512679-443616799-17120318201828144733-15248231661712600469896936166"
1⤵
PID:1936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "350652719825243039-123336247370195666729811596-1821952001900642128739041727"
1⤵
- UAC bypass
PID:1672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "113110128816443652522140027856-3511141003252423511496260636803647123-1972872522"
1⤵
PID:380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1126188492-14104424042105990172685919111-9197223913277679564055207241799654585"
1⤵
PID:2492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1328710863-239931837-1593924982-1628523769-1347182741-148114788412144671321986083492"
1⤵
- UAC bypass
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "654606016-1634204065-15313578691261578334206766556418324356862056941939928002575"
1⤵
- UAC bypass
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-991719565-19904252031378746425-21290047399779412012052625385-719059820-604715044"
1⤵
PID:1308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-763420801-4190792201973338200-460436860-134987164242662351719570389931832437492"
1⤵
PID:1916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-29319081316675830151436293841554969355-698498328602532651670954509-2044776474"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1770601190-12696873511998945257-1963411610-2078906537-230885719399327966-1408605672"
1⤵
PID:596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "26516252795095807-3500560812637254612092784373-10231032461829782957-1406739759"
1⤵
- UAC bypass
PID:2156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14992267291922649614-640463078928620421326842171981082229-865363992-1633504431"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-419901139-1381256824-58968015419151814081129882344-1721863765-16833964222029192990"
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1463175790-520307025-10470736-15180127631390440209-11458035982061819164-997925799"
1⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-212031410017972019301792702491-8280333978944853081805925101203038270-1395424900"
1⤵
PID:2336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1163687604-1444084830934886384-43854051715063229091091815528-6855714141191584972"
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-224268224-147132729610062275601834354483-261740324-352336329-1709925737-1062689430"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18815806431446089893313423031943324233197537568-10778041451414040472126236772"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1145933931-1769198533-632010510241131060-119411421221321630612252153401245437704"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1169454683545278362-1846583275-544241221-15032207094376058741383115934-1841964210"
1⤵
PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16051874837536567356833734266519741-1561451924-947068094-12085004021115947946"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6689281126758254521518860584-48389810013617582831070898561867522061-1368982758"
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "958951889-275002086-6598820548636034206890101118508274601593182828-494118767"
1⤵
PID:1496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-450361044-10368524341873455734-1846738545128734360810275350961506255635501212010"
1⤵
PID:1284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2180818211076537701832178450-18310322612079709326169510465131668666727996036"
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5633863391284901392-744930597-1317360211-12863953891715998120565712518206653198"
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1176096418-761409235280119431581527196154518313496308165-7845020-171708103"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "801851993650888291-9519078661594547470-78097720069419449-960067129-97523971"
1⤵
PID:1000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Modifies visibility of file extensions in Explorer
PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-489810481-1468350312767010498171339316832613363712495675978909863651632563554"
1⤵
PID:1476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "46975309010706990871290752535-9889283221234204248-72027044450310669363288463"
1⤵
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
327KB

MD5
1717a4681f5f979cbc1f2d363a9ebaa1

SHA1
925533221d0d7c314fb97e8134cb5d06a73f4164

SHA256
832346f27f0f7a88d56cab913f7704746e685ad5c04d9c79054f5ea3fb0096c1

SHA512
a95d5fc87b62284fa6c089e4bd03d466b574287ab837e125cca0d5ad5c26819b49a44ab2c28d5ca26f30092d1d433b243becf0a4c057904052da050d1e027fd0

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
214KB

MD5
c6891c501a8223168baa7528ba4c6583

SHA1
af363fe69072a951f1c04bbabb2b9c713d9c2e38

SHA256
7269179fbd6683f6352dac9247a9b362d7c422b3cd294b05716622986e1e9f6b

SHA512
b7a033a9abfb5103829776b022d6226def74c91d092d3ffac3b9dc76323785613ec5ac25079677974c170a4425a379003634de2e43a643dbd71015f7d2fd0b65

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
228KB

MD5
470b5e434e574b3071156d1f9dd8cd32

SHA1
a4c607d0da3493d3f91c5bbd428d6818cdbd7178

SHA256
1c18bee35a402959d16a42daa0cbc5c9f3f8d6bb96fe44650e575b7a97aa1bfe

SHA512
e892a40537fb8b23340bf30e1e5c7a7f1b160719dd3b17dacca5f90cd48b507b78b86d34038b5df92124971b89c5e4945d62e4d22d76498d43073fc573111a42

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
220KB

MD5
f3a15b9b465cc43f92be60c043414f92

SHA1
16ddb8019f0588de59169389287ec10934093e89

SHA256
e87fed41671019b82faf23039439fa74a108f62808416d6d063a73bb18f722df

SHA512
880cc60ae8710b01e0878ba22362985da0e269abf479f25e85f0ad0ac250bde56633b1afca470d32dc9c9d94354ee8e64af3f2728ede48c2b7efde47d9abdad4

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
311KB

MD5
66f7350d1facdfee6d0009248d807c80

SHA1
6ff91dbd1ab4905a23f589ab9a4168cdcae5aee6

SHA256
68e83517de40d3f1389b9bac4bf75574991e23f65e456e4821622e75c6f059bb

SHA512
1cde9c74676176db9260cb78fa73be2d506f8cf867c3744bf60e710268b2c97701277b14f452aac5be134c1c93a20ac51b0cf9080ef231f3c2b9fbaea3680cfc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

Filesize
236KB

MD5
54b3e95efb966acb209ad50e80a1dfb5

SHA1
3916ba06aee15848b24736af180fa614c14463a9

SHA256
e6ca87a642ff149d509c6808ad98f157bc07b58f493244f0ac440a2ed3d3b3f6

SHA512
223b2979b346fdea1b92fb8462800990ecfbbf45943043187779c3362af657871b5a9fa02cc5fca5b8d9df33676bd5059326a4ec3ab3ec12558bab7fef450e47

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

Filesize
235KB

MD5
451e3216544e88180757e2cb5b9354bc

SHA1
2fb34576a5a18a653bc98ce141df32b8a12ec3d5

SHA256
f2003957f4e98039c3f7dfda627218505b63f873c05f1b53591b73cea21e86e1

SHA512
c58180edc193c9ab2875c1eb7da72d39fe8ca91587fa8a20217a16de6253b754b2cd085fd9d7a27da63bd716db378709fad6f7b1bdb96b7f269e9abde435266e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
240KB

MD5
55663efce969f5aac6d76c26591eb67b

SHA1
6ad1777a810480c30fab629ec22a3d5e13da7098

SHA256
ca9d716014888d9892bb0479a787523bc7088581870d853fe72e9df04557e3a1

SHA512
c77bf2a3e28389cd98124946fe298e3f4f44fbeaa53efab8b8eec86037f34623639169269c092d8aced11afcf3adfaa32f2961d57c2d150129d379f748a0e830

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

Filesize
230KB

MD5
1b67fd788ee547a0c4cf87a4b129ce79

SHA1
65d081206237b2ee08281cc924a9d20dcf5569ed

SHA256
b806eb5476611e8b7cbec6608df975903108bf9a1d600bf0d74c95df6de22413

SHA512
16f986aaa09704875cb98a3f2c3eeb8871e8a04ebdc2ab6bb99ba2ec59ccde14c04edb5ad5cc4412a22b31877b5169059e382a5c2cb4a550c5b454d1c492cbfa

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
228KB

MD5
a299b86854d9def5f265f909d51b928b

SHA1
016d25793acc244a11a102c105e87eaf1fb41c94

SHA256
4aca110aba6ab7c169b188f7eae3d655356145d323d1433cd4c95424b191e3a9

SHA512
f79db8af9919a184c40d3f512d4c6a8b741b847d04b8d20b1b5a1c7c023fc15bea8a871ba3718e6b551c3e4046d0d8b8a2dcdce617ac7947eff9f00b9ef93fe0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

Filesize
243KB

MD5
6cd9298c00522d3d542483437d6810a4

SHA1
0e8e4435a1835fdb1bce19080e97389110675608

SHA256
923ab2706fab1dfeae784590c661eb088a0c74484e7aba0bc3137d011cdba42f

SHA512
fbf48d884bde9a804f9705246f0adfbe61ab6356e9fab79e49c622f4750dc319180645077610f7a02479f7d09c7a5e3d197397de320db046010e7f9913abddfd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

Filesize
255KB

MD5
ffaccfd41bf1259095554108f552ad7e

SHA1
ea6db69398a831930196b56e927c3febaeba4dd4

SHA256
fbbb4f8e8af64aa9bc3042e5f8935f592895836b72752a057b4c83d1e5957d19

SHA512
e13c9feabb10e62e5bdb1804c57459d8a5284b055b70ba3abe0228a63748f84bfd28ecb136ff23ef6eeff824fcb6f1b6a0bf726780c3ed8ae09a29ea17fa6ee1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

Filesize
247KB

MD5
f8a462f18031e140e3a4ccc185bfc7a7

SHA1
7a33fba0a1a67922272d2270fc8968808a5befb1

SHA256
0cf61074035cf9a4b3e9b1d0bbdfd1a9318d167dac1936df3668112b436dd303

SHA512
fd213b36ac70cc48f307507889f95ec0384148daf0b497024a5eb69854bf1c10082cac8e3745a3955aa999b77bf30c918361414faa40c3aa1ab0c561404ed649

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

Filesize
250KB

MD5
240ffa82fba862c158aca44b548c46b6

SHA1
1e3a0e14e9b33f34435b238f4bd795c3c770d5f1

SHA256
05d5b576369c79516e253c00ab157c61c028a9eb800303f794af1db8288da245

SHA512
0ba3b49fcf66bd992b4bf1c23b1a2fa2be8306709c5ae2827303a01a5ea33e52de5e98851466dce2c948276fe24c43d21f9a9cc7c0704f2785e51d1c4230379e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
235KB

MD5
60736f71eaeea9748ef5bba6ce9ab1b2

SHA1
12ec3a6895f50c8499eaf296dfea136ad3d944ee

SHA256
ec4f6cf67ff389b0022ca97e81a2f9429f2817e85a16d460ffbe8cff4e55ddf1

SHA512
510e168675dddef442b74c596d0ef85fd9ac2f0c17dcae33134ae4d2c56aaa66fa9cb7bbe32983dfca34fa9d536c8b4acaed68a1ea01aae42af12a058e1e605e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
229KB

MD5
81148e0ecd75338346685a268ebfd6be

SHA1
eb5f96200596a7fec9f9e71cd2bc214032c5e834

SHA256
6a77ac254d66884d4f5d46c00dbf2c8e28cd388f36a2ed1e25db745a4b1ec353

SHA512
af7ddc6961a238604f2dc33e4365575adb65ec1ff34409ac09f33e32f0beeee6c0e8ea0dd86e062bc83e513556c4e0f57e1ffe7a95830c4a83aa9c6daa41f5b4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

Filesize
237KB

MD5
44e7ad9afb41dc35c0f430553b944b0f

SHA1
20208bd941a1ea7bd370252e9eef6d2348a4ac1c

SHA256
644fcd5bdcd15ba325c7619692b38a3c32cec6f16d45638b13e2e51cff5aa412

SHA512
f33f46cf664dfba621f3c7b7c07986cd5bfdae5d4faa5bb04743eddb87db0daa9619de8a98db4c14ee2146d82b197219ca122b9775d2c93ca30c3551a8dd0e71

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

Filesize
252KB

MD5
412f18c54fa7f8f39709edcc8d80183c

SHA1
d3ebd532e4d577bca0b185791d7c2c223f3a17b0

SHA256
dd0573f17b687626bc693bd255b6203474196a69359dee9c2564197235c96347

SHA512
e4aeb9c51196576fd2ed1486e41ad48e85d3e98bfb69ef896cf703a0c298e05776ac1e922f8aab31d46301d247190d1a5b97413f6d5cc220ffdf0909839593b8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

Filesize
234KB

MD5
32ba005e8c11783bd4c5d857fee279a9

SHA1
d1f01e77f0c31bee987219e61ff90ca7d62cf770

SHA256
c2b4060ce7538c2f2e075e6234ccd8453ea303e708c05a97fad810ad71784e93

SHA512
3349e7e86bed3fa9d2360443295cc45e7b2f959c091797a817c758aadd873484102d01bce747ecbd2e60d44c2ca57b7aca192a982650fecf82b4a61c6fc2132e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
245KB

MD5
ef68189933d11dc0464e7af03cfa6c50

SHA1
0b2a4d01176ae53a2967fb741e19a3496a4d96de

SHA256
3859e70de2d7838aa184db4bf8676a7025068806d96b5facf445aa2f17c73142

SHA512
ce601ef62c6f480e72114aeb977db04a73281c91696022fe6056c39ba9260ee53f1475abf05376a0e91899319fa33ea3a7a377a86d508cc9ffb3673415584ed3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
231KB

MD5
8f1cc314b7763b8ef1d3f82619adac5f

SHA1
6cb5756c49490651aa36dd25b722bc44bee5b041

SHA256
0946273eef3378dde058c786ffbcdebcfc92a3fefb0f215cf7212b11be33c7d6

SHA512
6f02cd798c53ce57c91c03ff2f9f09674c041823f0984f4288440a8cb5fe32d28672412b6b327c75f6e925194cd457f9c1783721d293055d183bd791b4734893

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
235KB

MD5
2dcccea153531c955005d1923c999ca0

SHA1
009a09099ca7e9f0d360fca1ef593134154af418

SHA256
a6469288467f8e1e82cd7813d075198709a9fde099fb226032e33608a38650f3

SHA512
dc6ba3dc24f08d33b883b040092ba20da2d92e8d861c88885484f829c9873d466bbb8b467f8ac298f1acd54d21645dd5021a538c6a2ad27931f105a45bafac69

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

Filesize
227KB

MD5
a7376e091a55e28ed94b2bfd2f24c0a4

SHA1
8232a8b55e2a7f3ae4678b2bb6bf8c1c6d3e7f77

SHA256
9c0caab6b49c075b11ef62da3dd635cbf312b8edb8ceddf5b7ff4374f2a49e7b

SHA512
9fc71f1ec08eb27e9036d1cca9a9b8142c9ded4c8294dacfbf1cea991d553f45bd192eecc72f2ae4ed0fe11790209d855e66067f56c5fd616937ebccd837daa1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
229KB

MD5
6c52f27f91f72ccecf76845915fac399

SHA1
0c2454214c96519caaf7236e336481a29a830c30

SHA256
dee790a0a50b41526ad92519b2de45f16beb10c25b5970ebb652be866a85f963

SHA512
ef8ba8074e017670f3c9f4dc6e4f957cecf75734fa7c0aff6f7279e82d4eda067c62d8fb4b178f9ab9f77dbe52afaa340051525054694112f88f288fa58ef269

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
231KB

MD5
7257dbb9b22b4af95d4aec48031b2767

SHA1
ecb1b4610220ab2e228b1ac9119df0973747d482

SHA256
7ea80b530c5cb70fe4a54517344b55f98e13c0460f4dfdb3d1736ca395c01fe3

SHA512
e28efb9cb6ed7d0ae35c01316a2ddc09d31ad832f0ebfd178d89518a324afdcf8b86a11edb85212b0aa065366e31f244472d5b594d3095ffdb7956c03adb92c0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
250KB

MD5
4ae1b576129880bf1bd7f69ce51b8f32

SHA1
aa3dd2fa24ef80c2da4bf96f37808686fedc7bab

SHA256
4349f34dd1979921065ed4bb9f2e034a779e78d297d320e946ad7beddc700bcb

SHA512
58ead2e6ff47fe5f4986cbdd1b193f8d6059096b0204655120452fcb25509813cbc6cbf547aa2267e850645b4a60b887a836c9ea3c7789fe90e66c9199c63e8b

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
833KB

MD5
2ca31eb82017f493b4bc31974951908d

SHA1
368ea82459ecbb87d2fbee3ca743e2798961da38

SHA256
30a1e5aa908536b20a65cf9a26b5830fce3719e1b7784deccb9ba8f6e0c5d6b7

SHA512
64d93c26523f220372296df963e79a350715d2243daa869396250ecb421a62e0c3283707e10450463acbf7daf9f092cc60dc03ac64b746313fb6436dcf92d332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

Filesize
218KB

MD5
37d2d097d3108dbdf9d579b424eda382

SHA1
4bb56b3be1570f635886bc51cf4b68979bc5cb8e

SHA256
5e1bf308e139073bfb013848a14aead008c9feb8ed28cdcf0dd205f5a8c816cc

SHA512
575bcf35b66c68fcc7df9d1a8f296a26c8b66c407082b6d1dc2d1f43143c36a3888004009a704eb6edb8b2e568d66be3c4a543ac5d42ca1419e667b5a56ffeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock

Filesize
3KB

MD5
542371981ad5d8ed0b2686bcb318e6ac

SHA1
64796f5e9f24368ccd58a4f026e4d9790924a82f

SHA256
1a541ff5a4c4073b946d414bbf734d690d35cd032f958d188ddb6002587b01f9

SHA512
e3aa5121c0f0fae885412ba3a3e8b8cc35b8c0aa69faed21800e2d3f65645d6f836d6f308f5438a192f313b4adc739dc27ff48463131a089378d3cea7cfa225b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEoUIMoc.bat

Filesize
4B

MD5
1d7a06cd960b34f3a63e7a084ba48b39

SHA1
75e61673b69f8533359072b16756cdd481dc5681

SHA256
b9027f826e9d6e10d316b25614953bbc6005ce4a20e82a985be0c63ef71f4453

SHA512
b31dd0cbfd0c9735344658a9ee0f0797fe1e0dbac79997cda21c7f597ca3491239180051dd0bda9190c7d24bf972980b50f133c1bdd6a0c219d5655285389aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQww.exe

Filesize
248KB

MD5
f6753df45c0ac6773ce27581fc55c9f2

SHA1
64f2e777ca445efbff8a40c686f92180cd206348

SHA256
b8d47bea966881533c6d1541871a055725f7cd4dbb4c39c94ee2295bed093c15

SHA512
f859e35c7a65a7faeddb6aaf240c1efaff35a5b881585205de4892130bf81ddca0a8bb650287c8c37ba9de43dacfb7a8a06766e0254ebbf07eb81842fec1b132

Download Submit
C:\Users\Admin\AppData\Local\Temp\AaMQokEU.bat

Filesize
4B

MD5
0670a0bedb27446c23e1351c2dda1f03

SHA1
371b83c2783f4aea7110a5e46821fa74201c942f

SHA256
3f0e2a9482e3adfecec3430ebbb226266856fb8d9dd8a0bc4ae7bce03d80b8f2

SHA512
b01cbdd6d8df4ec0ed73532d6a854c01dc24f0eb7eb1f4585254604da74a31a92c64f1b469705e2ae59f9605f7eca4501d5b1282ba1aa786f0938b56ae46b431

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgQA.exe

Filesize
251KB

MD5
ecbfc496d0c7a725779faa650185b655

SHA1
8b97075aa4b4540fc90ebc8e43730a52ce2db678

SHA256
387fcd9814824886a4ca8f0db4b8ad00284d407671b6556515b7af6f34cb9291

SHA512
5cb2d600a298b105d90f0a405513e63534790ce2641de993bdfc0940cb500de50dda44d02d21caa7d4afe404444fcbfafdb10193ec4f20e4791dfe34c55a8243

Download Submit
C:\Users\Admin\AppData\Local\Temp\Akgm.exe

Filesize
318KB

MD5
6e123e0310b8acd7e5cabd15cd77e093

SHA1
bb0999f66e223f8470b5d405364c752426e3a4c0

SHA256
180f405413628579d22efad1f1941ae38bd6832282412f2c0801c7e7fc630c62

SHA512
bb23dc2116e91b8f98022c0cbc411e4690caf0b5cf9eb83b0338d25bcb95a46b27110b9626cfa73ca2775ef53ddafabaa9e3e5fa22da2be620c63a2a3b32c5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoMY.exe

Filesize
237KB

MD5
762f7eb6cdc869404ca6eb67300d1b6a

SHA1
56a2101e2a3bf3d219d81bad39b5a2dcfc35d616

SHA256
ffd157d37de52ad06c0daef4ea09779fcece1ab82baeda77786499b89ec1f6df

SHA512
5834ce058648d8fb6a92b4c3394727131a2fd16ba814aa100281a4f365c5a6914e01057546b334c4e44c54d846aeb97408538736c6469da672e69f1f8422fa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCYgogkE.bat

Filesize
4B

MD5
f42e67d15f352e491148db1e776097c8

SHA1
4cf89737254eeb8277c1f9b97fe4159ba2fc37f6

SHA256
c0dd503f5d1e49a813992de78f07ce8883e65460940b881f7a7c9b6809e0da17

SHA512
b32cb425a9f11c03a6558ede5b99a722c1b235cd26a7541d8d29b6f1027bbb23583dda97a6b471ad74905b37015fb918670b2fddb825b1bd0df30335bc5da5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCwAQIsk.bat

Filesize
4B

MD5
4d1e3273e3a66fdec2b031c81a163872

SHA1
85529a2dbe6faa5ad79dfa12aeea087fb73815a0

SHA256
d245c31f781cf003c3b0b3403f69e3f787333d713a0d007f2636b77431e06a12

SHA512
0716830ca338f70094a7ca030f1ad7b476e3773e4e689d6b77df6ba07d316ccafc10b1824e6cdf7ac67750f62ba8d7f7813f58e2260f92969f80f02a67b92686

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIEK.exe

Filesize
193KB

MD5
32b113212d20ec226bc5509da9b2dcd1

SHA1
c51dbe15de59cfc12f3db0f4551dcb8312ea8274

SHA256
0349ead746eb2333b381d7d9dda4ec1b18ee257fd323483e558e152d320bea8d

SHA512
d409270625fa2f093fa3bb56a77322486649ddbcb85efeb798f11030b2098ca14c95a8a4871214accdf23b0f77f6d5d2581a3a5bbf0613cbe3a3ab9a84959354

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoQA.exe

Filesize
231KB

MD5
c1779aebcd27378ae91c7a694c00a802

SHA1
5e66840373fb22949ef4852c4624bb5fb1e90b21

SHA256
ad4996af77bb4aaac6cc23a9aad426637c9aabb7502294631d4ba8603355e950

SHA512
51ea7859144bac22c3f95f321d89195376c629102a56bb4f11a46a59b0f9a3c933c75731f1c64b9d7fc96eed2f2a9e1df5c3f6f534bcf3724d8ebaf05be77276

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsMG.exe

Filesize
238KB

MD5
6e37e9b2ca901a207ec7773046d42a5e

SHA1
7e3a5ad8d0e0ce7214a47e67447a69b50181d067

SHA256
a7e044f258b41e92643f17805a0a7f5925f494947e162cf566a6295cc134fb84

SHA512
e52ed3cf580ace85ebff77ce6fe7f6f5e4d8cf8c0342385a2b3a8e81e7727d56c488b820268701df20bc860b92e269c9f8026b19af59051fdf9e0792c270722b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CuwEYQgI.bat

Filesize
4B

MD5
a4cb764bdc080ed597a07499af979999

SHA1
a71c83966ae90e1637f088e2d7afed4075a6c79e

SHA256
8dd8dc1d300c8fcde50b31131289fff51af066f7cc22d9ee83936df4561b66d1

SHA512
e8263100212a10d35ecc09c7b29a87b52c98e94d4b28fd5c927c60186d50fd32165889ff279eb52f511838e8b6348196e77e452a3459d82e267642d7e629fbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwAo.exe

Filesize
206KB

MD5
97ba5aeb9ac0bba562f1d1b03734243e

SHA1
d024c58b26651486a42ec43350b96b0ec5455707

SHA256
96cda408bfa80257ec8661fbcd863a8acf16a660c5d0c5dfbbdce251a80a3a9e

SHA512
27d002c7bd7267557eab424f88b94ce9d4c55e03e45dbddd881a74c7e9f4ff5db942a0a2db03714897742e8e78bd5bb1ca47a3554f4f1fba53b43162bf3dc6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwoYkYEU.bat

Filesize
4B

MD5
71eb2571ec7b45525935a229a07b6809

SHA1
730a6b0e7026288fe92f9342de5d9d74fe31337c

SHA256
706fa4e35e241cb73e81120be24d7f89ae793582ec44770447c421962b3c2113

SHA512
85e074f85e6113d6cd8c8a18cd502bfbfe4f0b8b4255313f5a84a6bea6802cafc9849251636b1b99b82464b6aa57dc610bcadf1cad5afd38b9719a3807dc4b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCkQkIUo.bat

Filesize
4B

MD5
04998b6be29bacbe01016fc6afebef47

SHA1
89d7ba105b99089188fc49f2134d2c369aa12923

SHA256
6a5dd37971b0ad27f575f9c2cce3d60c7f9dc2504711b6bdc0ca45f9047414d0

SHA512
59f2c9a419603ad41c6597ec7926b6caee533f9f1bf66d1826479529772f6d334d64a7eb922f8e7f3fd3012eddf72eda37a1e7db4b0d5017759e8dda12210415

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIQQAooc.bat

Filesize
4B

MD5
adacbcbac5c0417e892a511764ef5650

SHA1
ee15f79abedcd2ea40ddeab89e65442e19b6240b

SHA256
79b1616c92819c777ff2e316c475c39737fe36f5d573e7fa02d1daeab288fc52

SHA512
0ce78a12226c39b7d1af0fc37b73634cd64569c20d86a40c3ea472edfe0687105a74c8a106bb4699ec7de1351b95fe6cfd1a0a5d8892938d027345706e39401b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeIskEkc.bat

Filesize
4B

MD5
be8e4365874630f5b7ab3d0ba800c555

SHA1
911d74f16a0986f4fb1ac239121f184d7c18c7da

SHA256
45ad9b4744586aa4e58a2722675b4bbc42a99b2d2c91c4efe18987210e078304

SHA512
aa51ee7a82229e0e4e80926895db949e13711ac9b5cb6dc3e42204fccf07b8c782e0013801ba87af98fff4768925d584a9b6942cd5cc47f6cd17a31d082e8c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwIYgkoc.bat

Filesize
4B

MD5
d7da1e7607e809e4226911593bca2b6f

SHA1
19e37b6428851b4357d1eca901798b227914fa27

SHA256
e13e56491e88211543e117cff41141d9023662845720ffdf2e4a954358a31b8c

SHA512
5840a878d7ad248c98ca8ec380870eb710f2d41cddbaedf1e6e30c989bb8f33159a876948f56c7941d0372c298e0a632df54b596bf5413bff1cb1f1e46e00589

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAEC.exe

Filesize
237KB

MD5
fb5b7a2dbab94e31df504d343b3ca710

SHA1
ba0092b97624397e2076226c2fa3eac593a51bad

SHA256
8f8fd8d732e115413771af5dabc3d4748900c7a0c8b112578f5d8126242d50d7

SHA512
057f816511990d0b4ad874c413e5029557859a85a7e33bf3ff0080e2e45873b94c3c0b65a0eae58d1d27a148f26468b49a8a1215792281f06327e152c04f687e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAsA.exe

Filesize
647KB

MD5
c3d1745e2b6fc5e560a7907a62af940c

SHA1
816cf55171a9c1f31c96154cd5958f47bd19808e

SHA256
11a35d7020e980b9dda0979bfcfd31167af97355302c67d4282588da8d6739c5

SHA512
c24a6b878cae3076a3403e551b513553bc14d583d94bd959fba9fe7a2e22424331b9b251723eb7d36379b8b316432a78179afdaa5612279f9bf2e7d3cf5de850

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEu.exe

Filesize
241KB

MD5
466db6c20684b6b48d0babb8b2943b86

SHA1
8e00d12b03eb02f0100fad8a4c1cf311dadcb3b9

SHA256
b02b58a28944f1f13e1ed4e244c0888b05107f88fc0780b4d5e3c08ec9a33e63

SHA512
c8c079ce5fa30f2b8a52cfd4989a86fe630efcb3f4922fc480f7b1ff39e7ad536a01044bf2f5b2478d16804f6eabce8971267bdeecfb181834efadc764f93413

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEkE.exe

Filesize
639KB

MD5
70edf935a6667d87072b79d471f01536

SHA1
69ab9bc6a125a0089ab63fffaf53e4e531f8975b

SHA256
1d8806c3dd89d9a9ce5c707c679f543aa63f3758e7a1d6449d7d297cf13193b9

SHA512
c937ea5874302f12a2db3af4fa8e5d9ac166dde1feee6a590898179fdbb93524fe0e22f869b8b5c53f76dea35ce54f2c2cfed650b09ef347cee52609c5f51469

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEwIIMQI.bat

Filesize
4B

MD5
1df1156e8b6f4195bbde0f62896cab34

SHA1
1e45434873e53bf4d6d303af2c7f5185b4675c38

SHA256
eaeff35fef8edd16826c1057f02eef35eefc646cdd15f7eec6e03955b9e18be6

SHA512
a7010b8d84e3fb3d35dc8ccbae4ee483fb0d529d80abf03fe94f5dd52774cd7cb4e4757a6f371d3a2f6f733823d4ca69369ab77cb2fc01ed023c08d1b41e0ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMUkIUMw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQAg.exe

Filesize
243KB

MD5
fe7735f0d70df8bf85d101f7d734d851

SHA1
2a4e864ea1bd98004ca6d542d9a4eba9d72797ba

SHA256
c35cdad4eaddb9f88e0178699bfeb7f31a5f29b4ee07402752be6fb04e93cd3e

SHA512
2ee92b9238a55c5739685fd7d5127f8739941c27ba78fa32d87772f7d5e72338da3c3a891ce23e1e5bf75018450a6af5735250fb825af9699f1800c7e0d3c7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYcE.exe

Filesize
1.2MB

MD5
65ab9f57774220ced44c74d066edfaad

SHA1
e0efc8540929f510e55c6e66346e1d77141ccd72

SHA256
2e533c13ff4f5e80b74d86d0035b5295a55d5d3998b0d2c70b4b6e6e73be49bd

SHA512
8877a9566882e1e151863e19975a1fb467ef52d1e665f72576b0580d8e6a4ac521c0504e3abf182df9d395f2a83dde77c8aeb9479167a4516c23caff018c8e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYsc.exe

Filesize
1.0MB

MD5
7a688c6e5dfeb26ac3449971c76b6270

SHA1
a6745860846de1cda25bb31a7749624d352a3733

SHA256
73198e48653dd4ef9769c4c6f4f64fbc475912429d9b9b81dcd369c0ebe0b070

SHA512
344acec359b8ac04faaf431b35b5c6506b858a42514759fb1d633f65a72165527e1916f557d7af91a9753d931634d7fd13fa2d86dce84bb5ba838c516f2663f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsAAoIgI.bat

Filesize
4B

MD5
f3d640f1f65cfba3c67ee485b05887c7

SHA1
3f8ad57d5fbed048cdfe67206ab22a5f0134d3ef

SHA256
12d1aa25949a2e6d068f525ca1d23670517baa416e7fb02b54b171043fcdf9d9

SHA512
d9e0fdb7176416c881e0154f73fe39562da4eac4d55333217c621172a078c218f28c9a052cc3717ba9332bf34aae08083a8210f42b0bd5b77507da4f00525659

Download Submit
C:\Users\Admin\AppData\Local\Temp\EswU.exe

Filesize
251KB

MD5
3a68e16025ba3eb1a4513b864b7f83ed

SHA1
1ed7bd59edf6c055a1d53acfb9a1851d15088056

SHA256
f3b1fc4dbc922ae8f639559d01d2ad22c59f7013c3739206d57a1188da4acffd

SHA512
cde4d7ef76298a06a57ef625630c6c945e03a74c754f0c234698d1e4e88f819b2d2fffe1b7546c25a5f1261364f34b369b89187fcc6edacbe3ae21abf32ee027

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCIsAwEY.bat

Filesize
4B

MD5
b8a31edf5179a0172adb59746e39a659

SHA1
f911412a5ad280f162716107553d5e957ca6efa0

SHA256
ba840c311d563a193a9e043821faa71830db1b24447a49e6a04223c45017239d

SHA512
6a29a01ae91e8f24b5eb77de3976276eacc0e2cc1b445c419556cc93ad93f13795f825c5a8babd9ee32873605e86cf1e6b5f37037fe8fa1772df45845cd1dda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGYQYEIg.bat

Filesize
4B

MD5
8e8276b5080270e8a819d5c8cc33bd3b

SHA1
8a2b7ba40454bbb4b81f52c81ff11fcb19e066dd

SHA256
d321447c4fedf2cf13d8eff9c2af745b0b7a21e9268cd1e5193e256df1652ab4

SHA512
05c9383d97281bb0464e3cf03d9d99fb6fa7e694b8cc73f53364e3756504b3d53e3d418ccdc6cd463eafafb8f39877da00e14859528aeff47a521fa42bbe6585

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOQwEAUU.bat

Filesize
4B

MD5
a92864543db8c7a90b1b8ba618522ba4

SHA1
85561bcd4b98b906f0c68743f06016c5cbf5bab1

SHA256
ca581c0a8323b264f10636dee6171a1b33e90aa187fed3ab693df900ba478ffa

SHA512
3f4080a5cd91fc36e135564097ce05f499904fd128b6c600f48a75c770ab4da91d7427ac20f70998e6030564b1521a9ed255c74941cb4a7598055c6e6400a9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\FSwwAAYA.bat

Filesize
4B

MD5
897a5611260958575d8db79d6aad1ee4

SHA1
d57a3aa53415202e3e51452fb97b199bde072586

SHA256
3df839a2a62a3c14b534a3adb3fd93c0d226f4cbaf8e6fb5358805938c205648

SHA512
2c79d2fc7ddf5191a4e7ae1fe24b5ba09cbaf40046fb133b25bc8bcd81b3c5975f58302363a726804526524430cca5e70c14aa017c243849e3f4d0e3131b7714

Download Submit
C:\Users\Admin\AppData\Local\Temp\FioscwUo.bat

Filesize
4B

MD5
d3b0aca6be4d5d9e161a77b43c3777a2

SHA1
76708b0555d56f97a3bedbac8f194fca273df41b

SHA256
131755fe12e8202d8b404d05557d9bcf5601a117388f2b2b5377afccaa79b394

SHA512
caf9444c1185b6be026ac05ad8c33c65cc291b32bbce1a9ab86646ad0e159c0c11792da115b13831c7b7b1a3e709224078f3321491da335e052c89fa4a1aefef

Download Submit
C:\Users\Admin\AppData\Local\Temp\FmskkcQA.bat

Filesize
4B

MD5
44534a5b495954233e4826898dde9139

SHA1
0537f5392d75ffef4fb41e9bd96130a17fa0c53f

SHA256
fd77c9f0e838dbe806f8d508703d129eaafc0d27c93b78a71ea69483461b3d6f

SHA512
ebf872447a374ace775dd4a2ada28db41bf27358bf5304c1415e77c79426482180f8cedb214524e6c6dcc388809c9e9c33b4a9076b504e938f7cf1da9284e838

Download Submit
C:\Users\Admin\AppData\Local\Temp\FwEkAAYk.bat

Filesize
4B

MD5
d5b7fa97bd1831ca7869ce7bc2731afd

SHA1
e3141c3563250211a4197a24089c003832b6f3de

SHA256
e4ee19425a1fd771588f104ee168368749dbc3105e83ff2e13d4aabd8506afd0

SHA512
161e9914d5f4344713dfb412c4d16ecd33c8fabf6bfd11de4f1544c019110129358bfc5e0cec4be1a7e05e4ed017d15c0a05c4e3de9ca0816b7e55822f72ad04

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCMEUEAM.bat

Filesize
4B

MD5
feb0559ba748fae6e0c31f466fab1930

SHA1
59a1575ded257520fe1ac6cbdb82f2bd1b0bac04

SHA256
232092b53d31627a2d931dfb075cd4c721a3af2297fbff77cae6d8d451fa0770

SHA512
342bd186c9a4ea8caf67ca2eaa71cef82d033642056d60fc510c114ebb450139827610cc890b2fb8587e2724163a711bc195022d8609be427bad39407951948e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEMa.exe

Filesize
237KB

MD5
517b1f53c412ebc66013d8ea0f890e0c

SHA1
e6a2b4e987fcdc40f5a4fb616f41bb987f8c14f1

SHA256
0a5e88cf401d4c4e88b13d068ee71af2bdda378a4845718131bd939ee5fcc60e

SHA512
2c6f303eacfeaa5dd37a61739e18c4cf6b3ba8d087bb6e1b1477e028a3b0507ef49750eac933e4010808a40cf39aa4e039f841522b845d8bd7b349985e564cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIkI.exe

Filesize
800KB

MD5
c632badef92203214d9bfe6d6e46194a

SHA1
8fd83a4ba2ee6a83521117ddbc1dfe972dfe659a

SHA256
1d2a4ccf9190e4dc0f3db09fc4a6ad829612c73009af4acaca5e44a237032e0f

SHA512
a15398c9e5c1c5a271bc718ceec4e7a4804ba9526fa87c8c0a544678937b9d024b6b4d7ca205a71990539a6dddc086b4f57747e04bbba883ed09316d71cdf99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYwkkcUo.bat

Filesize
4B

MD5
9657ece9c2b656321251d9a4a90da48f

SHA1
5888ee74d815aa43983eabd3711845987ce64a2f

SHA256
4feee62e8b7d488c4b7a47542e67cd70740995023518d76425fa33f246275b89

SHA512
9b80eb0113244404e00c6ffe05187559e361ee593415bb023f51950462a249603221e6beedaefb81462a8d1bf9784622bc8437c0ed3da1aff0d353454454e2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKIkkMcY.bat

Filesize
4B

MD5
9605150c8d4d6109ae0b3c8ca0844533

SHA1
bece85a356388747e24d94d038671f440c4d89eb

SHA256
9d125d4be00a056f9ab8507272ed2327796cf77e39eff16ac9f7757cad264e58

SHA512
5daede53fbeb4aec909766889b487897612fc0fd4cc8f73226f59fe15f8d7ec1c9c0a16288275549aec62729167d8ec5356b5ae0bb4387339dcf5531a94d734b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKQQIwIc.bat

Filesize
4B

MD5
de3324c10181842823126151729f90b8

SHA1
e3aa9d3f5edf62c39673a955891e1e3335159697

SHA256
ba3678fa66c335f9fd35f87cf5e655e5d58741544142951cc449c13be593b49b

SHA512
881cd0adeebca15d41e1547ca50d04ce077088fd050c2c526e6cccba15883c5432913869a5b5d084fea50323f526a47558bc8cbc945af3b278a6b4032076f05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HqUcQMAM.bat

Filesize
4B

MD5
2fdd30efe07fc8a6d00a547e75319a03

SHA1
b51796c516b9e524090de70d87f279aa934fc169

SHA256
f04dc105c6e93f4768ecf61cf621043518cd3a2072d4e5d8be3cee3ad8c1ce3b

SHA512
9694c1c49a942a356ed1140109b545e53087ff193475e621d0146954a9f129d58f123062f0da97116c942acbdd258e52163399af4429e842c22f261ce53504e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICQwoQAk.bat

Filesize
4B

MD5
173e7293dadbef66f9e836b94abb84a6

SHA1
9e5d8109f5f0871bb927837d80dd86731f8e820b

SHA256
c10ff21ba72222d9220797379b87f2e645da43878182729a9b91bbe6ca5ae674

SHA512
c86558fcfd9c93d5ee3a1b9747606f29784c7c7adee947b1b3321a4d9c5b9db3ad84d60b4bc139cf1eefb9b5c5c91a1e6bbd91fc1dbc23dc8da7e6f7e8976d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEQQ.exe

Filesize
245KB

MD5
dfc178202764120534612cb1727d5aab

SHA1
78f556b877edf04c37d00e9cb24e54d2e3bc5cf4

SHA256
8c188db7cfdaa317c4b88c28b77e98fc80986472c1c775769427909a7714353c

SHA512
56b150d64218e42c0abcb958a03ee0b01e891de923ebdae4f5abc6c0607379820e07672e6a95b99014e670481b0f40c9c7467d4bbdf465ebfbf7b66d62fad16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IGogsMsI.bat

Filesize
4B

MD5
64176a0b201ccedc8ac151429727bb84

SHA1
516c318f9618f0e48a2133c910046166b02a35a0

SHA256
e8c7f301b48e390db33219bfe3ee91e7513ed5b2cc10204599e3d376db5150c6

SHA512
946e6ba72dde222b49122420b301f9b9b8cc60171528cd20de885b6f8855232033e46818b9c57c9c275f0a0a01f00793d5e383a2d7ba2b375dd905b840e9eb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IKwQEowQ.bat

Filesize
4B

MD5
29ac215930d5a34da20d44eea5177b56

SHA1
4e92cf2738bed4a146e78dd8b25a115e8108feb1

SHA256
76a4de244b03339a67a2ae22149363550168773a49815a84ed6216fa4dedfc6a

SHA512
20ad9388464a0dc1f2249105b9fa5b4f3f9fd87b85a88467fc2f2bd3834241497e048b57622e6e693e98ab21d9f92a1170ed53ae40c38d6d5eb8cdcb8958d3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQUG.exe

Filesize
249KB

MD5
831590f6f2f4f64198233ae179874755

SHA1
1c1c328b5d2b83616970bbb49f21443fe3adf6e5

SHA256
cd385ae42f9def9b1c6bb8e2e8131bfc27a082cccc265c508efde9e7d4ac6d38

SHA512
071a116283d939ab602c7f93cbd3c0dbcbf6f7bf75ad152dab67d41c774abdd834c6434d0fc03efc907bdf4cc60b8cc9ff700ae85fae459ad1c1d87c81284fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoAQkccs.bat

Filesize
4B

MD5
6254113468c76befbcf6130c7479aa88

SHA1
0adfd243dff93d2d56e33f02cc4a47c926e26bf5

SHA256
101542782804544d1cc9b9bd34cd1768f148a78b51a5fe3ebc8a9aecee9032e6

SHA512
fdf7c477326971c719e5942b9e3cef7d2c367d1045063b4ae811ffa05b8750962c7a9d19f9d61e384c485abb10a0b6292020f5d3c342d8795acf036b00feee15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IosO.exe

Filesize
190KB

MD5
f664876614e02e307f2dc5e9477da0b2

SHA1
0a6ced519ff8705d65124fabfee95c320144fe56

SHA256
48dbc7675563089d778fbce576e933bd77d0166e42cc492303994750e0220659

SHA512
456d2b6da0d1ecc0b21dad124e6a6b123bea9ef44bcd6f5794fa014120a6cafba4fe79563e3d2d25dc935128febeedf2c5b26f60787ea44040e0300e47ab78c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsYIsEsE.bat

Filesize
4B

MD5
f169993c1efd5007833fd01376379efe

SHA1
e744351ba389c52bbef237abbac88e800a698bcd

SHA256
90cbdf7dfb78d727988001096c4cb08dd4ba9bccd2d53e7467cbb559da06c9ad

SHA512
9c5dc603f5b53bd982d0b8adf6826d7eb2f1e9f98fbfb911cea36062d32558a6e6846f4edda9cdce41036ceae73f35bc6bfdae0410e8a1834805a89baec7826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuscEEcE.bat

Filesize
4B

MD5
59618daf8327af0c8133c5c2e12f00ae

SHA1
8d123e5d714df7bf3e950de737455a10c4cd1b5d

SHA256
39833dd763c0cbf5222efe814a3d66a4eb6ca3380db1c8f6848c4cf1b0087fca

SHA512
52c23d304b49aa86d4aec55b05279bfc9cb5f356fe51712c91266c799df830e2f160c27c2bf364f4edf9c113dda4c117ac0f72cef67bbe821cff2c5e844a966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwUU.exe

Filesize
237KB

MD5
0e810452519a63029bd33b5d292e5b62

SHA1
a497da275cddb8ac455da90269ee251e209aba23

SHA256
1d9a2a4cba10692220d029df4deaa6cbf06e2857f3492b57379ac42c30bce9e4

SHA512
428b8ae079680dc84e8743f3e7ee3467ca3117e81684bd81da09eb5ee67ecd7b65a268f0323689a09da9d972e75977bb534e334a272892f732c889d7e069cbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwgEUkso.bat

Filesize
4B

MD5
6408848e1b23ccfdaef9456b48619f6f

SHA1
7ae75ba240c31a519906476290b229e958bd6e77

SHA256
3a311dda9f0a047a825ecd5bfc5e69ee776b3da8bd069b5b56baaf7ef956d7a2

SHA512
853a2ad2106e90a47a59e6156afbb9c7e17f0681a5ef8a95c89a696131fb91f674bc1814001f196c504216e83ae1cba7a48cb6e75c195791885a49ef0815ae91

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWMMcEoQ.bat

Filesize
4B

MD5
4a8cb0030a073762332d00e308930eb2

SHA1
ea225cad9e5a29dc632416966174dcbb34e94901

SHA256
1c59b6cb286e279b24951ec1c4685719a2895f71fac4eaff5ced15e1ebd8edb1

SHA512
30bd3e91d84ae449669cbeaebdcb99ff78780272bf680a0d79326bc3cc62aeb5b96d39cf0fb1fa67d5b25ae49a955cd8b0000bed7133e159f55dbc1a6f1222a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JcYEMQYk.bat

Filesize
4B

MD5
d200d5d82a8dad0de8bcd9cdf0dcf8fd

SHA1
21da4eeb71d32c72cdb2aadef26112d33018fcdd

SHA256
31676e12694b7f18e773e31fedabeca22503f925a6ac69f6075e5dc65e9cac20

SHA512
1fda423f0bafcf13e0e7b2492ba78710cc2e2e0ed3e0b3077047b5c8d2d950d2fff2ccd267e916d8e223441dccb66d51cf59955af6297b20cf5bc1a1a967da70

Download Submit
C:\Users\Admin\AppData\Local\Temp\JikYksAc.bat

Filesize
4B

MD5
509ab7dc417d75f86c1432599fccb130

SHA1
121ec9c65dbbe61a269f70210f44e9b8a3ce5277

SHA256
79274ba58e6e966fbef14d005092dc960f658f793c1cbf8bde23030e8f12d3e2

SHA512
789e7ee8c7b6fc672647e6034ef36156522ffb35eb2b92040cb1df80bff44196560988e4fb619bfe9faa8aadc25e8a0b2f1756f336105f47b024bf5073354673

Download Submit
C:\Users\Admin\AppData\Local\Temp\JmMkEUYM.bat

Filesize
4B

MD5
c9d74573fcaf9efb6cf7e9bdcbbc2b6e

SHA1
61936038eee05091a80e60524aec1175194d4e2c

SHA256
86a5794c4997e83e54debbb468279efa545e8be0314871a981cf4a0a52eab3e0

SHA512
a05472f8e097b3704606dca038bba8e4ca8d590cae59c30bd2b79a9e95c4fef5a549bfa8bd0c9052dc2d246b98c27662784e03da0ec1630f688a33d99d6a2627

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAUu.exe

Filesize
243KB

MD5
706ba2ef59eb278a043900004449e442

SHA1
b240f6d7559b9f84827712902dbd55738dfc1a93

SHA256
17d72cb21e2945d09376717486be6e7ef769a0f7fda8c84fa55323ca706de65c

SHA512
cde75bee48fa378fd65db675be4fd2cd5ce78ed698baa3c21f1ae378e70a402e7cda1f7fab8f8e08b2c6212f49c19f8f86ef654696b4ec497e56257567230071

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKQsMQIc.bat

Filesize
4B

MD5
a5787dc7794cad30c243137217a08d61

SHA1
c14a8e9f1d742776ab91b917a6ea6ed725a4b78f

SHA256
db30637061e7fbb2166c5a9fdbed02430e8cc09efb8c46f15643fdd4d389d3bc

SHA512
338b69ee3367b30fbb5f7dfea194dcb512e0c5c52dfc3c356e0865aa768c4afefcf6fcf8b1f5759dcbfa96ba465cae6e5bb7428fa34dd1e8fe18d8e2af166674

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQYc.exe

Filesize
4.8MB

MD5
ef7f6c15a05b6fd06f499d2757aceb77

SHA1
7931454e6143620442e8634f3a4078d895d957a8

SHA256
c9c19201e493c4bcd0c120a0ac62e8aa9569fb13d9b73f373c46dc0696533128

SHA512
9a1048dd3554dd041681851de278982e0c115ab6142476958cb5f67790d896e92426d9fa28e4201e7f3bcf568b3580f543454f320eb67a0eb0c3e6a4cb5630cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQcO.exe

Filesize
640KB

MD5
1dd6b4882dc69ed13b82f06a66d132ef

SHA1
aa79702c7922bce68481a5488854803ec1ceecb7

SHA256
b3cd4b74ff042eaa82217ebc474e27be2f890d7d1999bb9b5aa604c30ec82f82

SHA512
a5044334d5202a13e3452dfa77d1dbf822252186a2f778d61b1d61839c158ac229941bd26f1d12e9ba9155cac5ca8e7adc0f94d3e12cb5fcf953f47f8ed8bf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQgAwAIw.bat

Filesize
4B

MD5
2da74ebd65a0c3b19874689153e105a8

SHA1
aae66706294dd796e1e4c0f738a02d6447c300e4

SHA256
a1960cec2ce9ac90c8e60501aa3150eb02453458672ee8ca438336e4acbb166c

SHA512
eb943e53b8e878c24360bfa2219af595fe5597858dc352e10cb1113a7b241158df721119e2d77d83596c79315701cfecc605e5928d0a871c0e5187b6559ad9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KWMwcQks.bat

Filesize
4B

MD5
a0bf5729b52c6351adcf7c0079a7bc03

SHA1
e9ed5ce980f85dfe893e94f97b4a6096214e3ecf

SHA256
1795b0ceb904e7d33609bdc3e6c92e1e0585c843ace7e36e7656db084746e239

SHA512
b3b5344e75a568874a7cf0716f0a174888bedbab3305bcac946be1b5aceb72892208e60f02c603ac3a4680f797498b904a4f54627709416056b41bd75a6ed475

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwUE.exe

Filesize
237KB

MD5
59cbe44d75259963e4be8bbe8f87138c

SHA1
5aa1897989bcd0115a0a6c0b794472380eeef905

SHA256
b40613ddd0fc9b2155684f609230dc60556a43320eb81ae8b83054d74c773252

SHA512
6e3dc954e3456ccc95893dc776085aecf5d7b521da2b99506dc966e90fdfe6510aa3fc5e9afea9ddc2232b8ca34712fa9d6ccbd9b6dabce75f0cc87617918928

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAEE.exe

Filesize
950KB

MD5
876115be74d73d7ba3d2b323f6b722ce

SHA1
8b7e665454f183f7bf25fe347a225d0ca6a0b0da

SHA256
33c6e29c0c965b92992e18985747115e97d7088f99239a8d09f2089f618d8ff7

SHA512
6ea2f85b276fa1806dcbe1cae5771cda8db1860c0ffb2cf0e6f7116e9e5bdc106845c6764709d0f6498d1749fad8580a2b39c1844fa3d36d55b50c0d236c8f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAko.exe

Filesize
1005KB

MD5
6f23f362f0e5494c31ddbf57af6b650c

SHA1
d78c2d869fe60e5137dc71583493a972822c564c

SHA256
7b32be2559e669b93fdf3301c1ffa85507b731975c444f478c69455e0b9978da

SHA512
e1274bae52d927d7d19da336744b929a9ca73ff59d23f526691a388145df859a211117964e3217dbc089e5d7943e4c2ecfcd644c6dfae03208f3707cadb37d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCMcIUAI.bat

Filesize
4B

MD5
c4a9fdb4242963c19605dba028cfa1f2

SHA1
82a5329a0a635ee28104bed3b68bd49bb78157df

SHA256
b4adee8e45b3ae753afc1508df007f06f510db3e4d8551a33ff0afd27552fce8

SHA512
f1a5ed1d7bab059a52ca56812b1aa3e750df8adeda0a971b06be250a78f13e344439c5f3839b6cab7456008858636711ba354b6564c9c26bff91d46a97aa7b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIIM.exe

Filesize
243KB

MD5
2d77c76ee3e2faa71899da41c5994aec

SHA1
38aa5b9a549f42e1c3c3989504d7e1483c2afc8c

SHA256
3d0d0d6025487f9b14b60ff23f95ecd26b7f9b98e410d4f75654e8a26dd736ed

SHA512
7d7c23fc9ac4b87355b98dbcb7d0aab449b4f7926ee752677d500773bce190c557f27595aeca4083a7fd4019a034871a416b5eb5a482a2e9bcc5d115dc1fe590

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQa.exe

Filesize
191KB

MD5
e1311f411cc21b957d6fef9f5318ded5

SHA1
4e68fd68a9a5038577a814bd588f627279869047

SHA256
ff445963424355a3bac3017c023fc05e70e9fa860274548b2345fb3785026dd5

SHA512
819676d47a0a24e63084fb66925110e04858892d9952c1e1d54dc11a9a98a7ac68b3930edee756e5d88608579cf5dcdf693a938550eb8d4934e4c3a2db2d91b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIUO.exe

Filesize
231KB

MD5
c2e0b34d0394a99e43162cd644a41bf7

SHA1
fd0ddb5851757fb289dd5e49bf74195dab688418

SHA256
e70ac16487ca21d591e28fe8a4247294d801f7d1c37cc4c26cb7ce42f207a3b4

SHA512
e98300014469a3887c2271bb2a0a9213c92300b0d9952ad451633039cc1720fa9695d6e1f7245f8cd2dc962e6ecb38cb558b7e8a5fbd6156a9a5ff97a3b3d418

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIkYMUcU.bat

Filesize
4B

MD5
e797320649a1f863ef058606e4e62ada

SHA1
f03c13ad2945f741c50f955ef7970a8684b0fbb6

SHA256
f329ca3d2375d919717c8cf04987c65400036ed820feb1296aa6542f806bee65

SHA512
ee918722061a16cf429731f05fde4f3584c69f8d74067d50968941cd0112c685b024f90dbddc556353e07ff4c1a38e5711cf5f770e364aa3ad4a220d63c27ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkEY.exe

Filesize
243KB

MD5
318f95ceac7a7f956a848361cf56b37a

SHA1
d752d294ea35bd4470447c796bcf3d3650e926cc

SHA256
ee5105d212dac865f9ec5b71f049aa03ab32a18a1a5e3b3318f01096d5de492f

SHA512
880a9648c00e0c3d6db7c1f785a3d18f12247f29af736cb5668b061f72c31637ea9d9db321bf0d08bee4933073e2441bf5eadc6b309f69f2d78581db6b7edae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoMI.exe

Filesize
244KB

MD5
173ba27199793ab3ce34a6efce800f22

SHA1
f8bfca7754e4e270872304398c7ad56dc25b222c

SHA256
de5673df5a42431268bfc12946a0b57cf988c284535af97f3ed968603ee30273

SHA512
1ec8ea0074c8575b7ef1a74840e08232e059e8751d37838831b8fde50c302a670eb0f14fd6fb755caf28cc99b2e6f384932e0b756ae7b3baca6c5fc645b58647

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoYG.exe

Filesize
242KB

MD5
a08ae33e1ef0ecc2f8bef6a273898439

SHA1
5308b1a48c309feebf2cf6b9cfb77a8fdf60f3b0

SHA256
917cbffddcd3942ff1f7be8f1a75382f37b4d2076e7eeba4b8dcfa6ccf8619c3

SHA512
06f9ca66248cb7c37e22e3ceb70ffe8a3cc6b4fd5b4f5444e8f51b4cf32eaf706907d7b49384afc00f9fe94bb2e3ed115c7b96c1c1e66fb37cf9106acbb5931d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Moom.exe

Filesize
239KB

MD5
d9a95f76d1e531a76d040368accbcdc1

SHA1
b23268b082fb74645a099eda76835bfb15e38aa7

SHA256
e35d1208f52bfe12eafca04d9240d10d407ae0379e8cc039b4a171d3cd2bbc01

SHA512
d3fec8dd1be7dd459900b9084f8d9c5a90bbce8f798baa3af33129f8f1a943544d033507bf82158d61e65082f81689fa14863414d279a0f4812a2388cbefd158

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMQYYkoI.bat

Filesize
4B

MD5
b17e4c26fb536e1f0c20ba2b91c70689

SHA1
86d769fe58ea8c3de5f91361efd92e3ff091bdd8

SHA256
e41fe8c7ea9010d560090f2445e2def83fc57857fff48795578986b36b5d6cdc

SHA512
f35691997be5f62a10a2772eff7d1645f67e28ba88e6268cf6d6e60e179c400096e85d39e9d725a9f0f047067eb1abc1d08bc3bcdafb63f35e513c7da0b2b2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiwsUssU.bat

Filesize
4B

MD5
7693b260040ae2aa053cd98d7ece9a8c

SHA1
4fc56c4d20e7a98a8ae018d6d0c185e7e80186cb

SHA256
bddc14ed8175c9eda30f29b0fe8b79a4b6515b18c7c146f643cf5c7b71f1c284

SHA512
90a69d8400f819f98973bdd80daba8d2b0d8bd374e99e4b1f6e0373ceea04c7dd4d6a5d68e4573b20e61ee49ff2a97bad71cef1029f5a1188f16557cd4b30ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAMa.exe

Filesize
672KB

MD5
9cc7973847ff08074b0c7240683e3289

SHA1
767a946d760ee73219beb3a33565b82507af294b

SHA256
ea6c76af492d94564be22439e6f1a7a245d7b53f6140d84750eb46f71c7d8ab0

SHA512
4384cea10241c9679cbc59dcad9b54a2f03737842a5b3ef3c44d372848acefa18e3c810fb3965565b7c0ae29623c534f407484c7389a120c8475005f70dad004

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUUs.exe

Filesize
235KB

MD5
88ee67826f565308b983b8f9d8c8422b

SHA1
8ce816cb98e9588de008454597fbc6ac9a5ca5ac

SHA256
3da9d9b923d4c5b3ab8b9a75100000aa95d8e636e6d729e497344035fd1cb334

SHA512
77205829b3a59e6cef012d560e0ae9b95362a117979036a2bb5dba77096fa4309efc14a78534e5dd88c818a853849dee5acc847abbc4ea4c96b29228d09a7795

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYgC.exe

Filesize
227KB

MD5
c5b7cbf2653be1fc934374038c628dbf

SHA1
4f33f10049f0a5b8a684b58038c1138dd79eca5e

SHA256
2050a31a4eb8c03209a93144770ffde20ec91fa91931d5b43c9959c70129a022

SHA512
80dfd593a0ef9784f20668292adc0f1d8da7a83a4d5817de24eb84686c2daf3ca23fd3f65dcb59aa7766503740509ffeb4bca604de2fe4dc1586e8fe63095860

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcAQ.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogsg.exe

Filesize
212KB

MD5
26b826d6d703e3b0532cc8ab3a72bf6d

SHA1
4925c7435508ce8a1e3adeb1ed558b88f0b00d82

SHA256
43cd2f13432590de6fde1a2bc39c10fb3f00985fc1c7bf76f803835b9bab8a9b

SHA512
c614114d4b1cd87b56231f6fc1a5ae4726f1d7eec11d93b5e3d03862ed5c044235c78cf618b74c00f6d98f8e99716d8d05ec5cfecf17750390032b0fb7fe9fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oksa.exe

Filesize
240KB

MD5
5291883366cdf2460febfed177bcf0ff

SHA1
d52838122941701ed91c10adf613d4bd62d38be5

SHA256
40e6b7c2314cc4f8e018d9e8498f50b95c82bc95ccaec0ca4167d91967c653ab

SHA512
ccdcff7c9c4c94a216ae1ec1edab4f6a4b37ea5f5a6ccc09f0fd547da92b9de9801d5f94ac0d153896e589457bb3921ff96a691662a4f6d1bd7e2e9b591f6687

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwQo.exe

Filesize
203KB

MD5
38a65ca7b34bd570c25d044179264d7f

SHA1
1765f97013d2d21b7bba910d5e7a62d3a27b66d1

SHA256
2ed611564a10f98ba5788082d9e04117f7b8d8c0b0cdbbd2b1fe0156ee852f25

SHA512
8ed076abea8f1ef26cde9397de437f0d1c3a565ec2b8d54b947195b90536357cbde73d9ccd03ef1a7def30c2340fabdad8bf0a37c7ccfc0b416180971ee9a67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIwIckcg.bat

Filesize
4B

MD5
276a85d8c09db6e64485b1623f2a2b35

SHA1
adabff49bc9b8db2266b97652f574de9d85094c1

SHA256
f4b34072da6a072faa26d12790763d569cc5c7ebacf29e1f9225da78b4cf40d5

SHA512
bcfa342114c29cd95569ca69a8a27600ed14682d96f21ec73a854b0f115145676ab721d917d6e127025040a42125f2da15fc8706f9f09d33770379685b80ffaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMgIUMUw.bat

Filesize
4B

MD5
8cbe6281fd88d824483cbf8aa47b4619

SHA1
6f84a2a47713960c8791b8fb931adb222f26042a

SHA256
db1c9aa561f2ca0ff1a4dd35317faba89836db238f8f9da275f2640cc8db8b46

SHA512
7a47dff18c7c2cd0bb619e84c61d9c31ab72d5de260a824263f9d8ed51becbbebfa7e1c555048c10ae9ad21ff0458419d377d17e913a80d99c3754c0aa1c6904

Download Submit
C:\Users\Admin\AppData\Local\Temp\PasUcMoc.bat

Filesize
4B

MD5
415d7ec68db810d10b45263172631948

SHA1
e4e34a057e67c6e717acee44515d929f27a60780

SHA256
637878b5d5ab55d23186581f9889b935d3436111acd3d78583a5ddf4a004bf0b

SHA512
c0c96c53a366e8e3a5c6197e1c3d7796ba28af08af3793d59b46a40a2a3bbe6fbfb4baa0e4fe15da3f6ee4f4f202a7c16588619aeac63d259244313f3d0e6c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIgy.exe

Filesize
205KB

MD5
db9a42fbb7ae26507444cf760b27dd12

SHA1
a83602a30d2f4c3fc259f006bd17355ee094c58f

SHA256
dbcae7bc00b6d6a4bf29d5a4524573fbc01ebdcddcb7d11fb720c85015f9f6c9

SHA512
ee3252e7526061da7d88cebcc50ab455eacdfccbd31dbc71e6ccb584621db414d6ac391ea6e2fc93d520543ad2b137297461b1e2754cdb6cc331d1176b6d3b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOIMgcUA.bat

Filesize
4B

MD5
03e20654c43ae829f158a6b5ba8ad14f

SHA1
8d7a8af93b1892c982a47277225a7b5a2afb5b08

SHA256
8d825f067ef35e71463636291d66349da5b22508ba708e8c5743e028571e2813

SHA512
b54b16e74b2fb7135441429a226d7cf2c17cf058227aee8efa66a764581c406c5a84163f30778d2a118d19ecd3301aa11416ec823b8b899a9b343e3b70781cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUMu.exe

Filesize
244KB

MD5
e4e406c8a66045bccea2df6acb2d7710

SHA1
56f053a21392dd6b989c4fb2d33161ad3ecd9ad7

SHA256
d00a13e0e9db27d4ed7cfca7dc47a989aaa07c825d473b38b0de118680aeb677

SHA512
b4d9c3ce516f70e1d55504686a03254992461e34671cdde0299d7ce1bd499b09c6255c14335607a25733ad5c240190abba0c18cfcfb03441eab3dbce9a38f51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QaowUkEc.bat

Filesize
4B

MD5
1ff1d5b2d7f61a4f247a3d519b689491

SHA1
a16e04a4669c19a8796acd4d6444a2a5a920163c

SHA256
38697e1a0f3eb52ad84fba8f47bf198b167b72769cf56c208dc698d10ef4ed2e

SHA512
b8007c992c08f83cd9e11e74076425e7e288a923b9f99768f69fc1d2a92ff8b65d0f01f0ac032d3018b21d6410e01d9f511e4ece7fb17e4f2630775f795e4d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkQu.exe

Filesize
244KB

MD5
8cc353b1ff439a7881aee6fa3363c1e6

SHA1
4ce2ab209614f1bc3ba60c914984baa85a74f8fd

SHA256
1a296fea749c0c053f3f36f225de728d562ac6bb8f336f89e653372bf83772d7

SHA512
624f8f82d421cfe4c16016c431df91061f31575ca0523911beba32e9e261ae6f5b7c85011ed127bf3ac18c85202101143cf8666dac0ebceffefe5e23dd36c546

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkgkkcQY.bat

Filesize
4B

MD5
100c1730207d26ad4939f68bfba0fc61

SHA1
fdeb274421c8f2644b3a66f6417674b7f784fb22

SHA256
4c3d7d23f30d32ad1c0338c7721bfae5e4d412f4610612c1223bdd38583eb0c6

SHA512
77563b100a3a0d569b4799f5260787ab8a032b4c9a26653ea889f6298620cbca11a89ddbcbbd3922f964f0db3163b8df81c512ac7da82ac88c78a6b0534fe316

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMMYgYcM.bat

Filesize
4B

MD5
9c2815b88fa162a30a589232cd394bb1

SHA1
b9f81956fc85def1dfd1f2c0b0ec531e59327812

SHA256
31a18da8446d07da0b44954bf97937cb7627e4a6b5fcf978283a18db01aad6d7

SHA512
85854f0579f590e698b15010d75f66c70897d9f2326094f8355d5bb7205b156b5728edcbc857b5c9e59acaeeb08cf4241383a42b66ab9b9147fe1190e8f71ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROsgEQoY.bat

Filesize
4B

MD5
28978e46d4e7e8111ff9c4aa64e06b20

SHA1
e643d9344ec12125065624d8b766df864a0cde5d

SHA256
7a1a967f06699d1b3f1f8232069a03537c88b8aa6b591132a562f61858c20e39

SHA512
0820bea38120cc2819f8c76ee033dcec1432b3fc8974348610a77c280d7be4ae8fd4968cfc3e148c45f1534ff80fbf8104b0ffb47578b27c5a45b85490de96ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSQAUYUU.bat

Filesize
4B

MD5
93c28c76b373a3f1dc7914d83d572e1b

SHA1
ab84f57e5d049d06ab9cb17e315e76836864f9b1

SHA256
d6610a17641a0cc4f44f64dad694b32a55e9394bc8ba2b0ad33c05835f7c2784

SHA512
94d61671bdc13aa561e90b8bed8bf3b7b0eba79af14a441b73dfb989e4251ffe234bf4a2cf8aa6a030ef3efc9c4306a9094d0898cef92d621b4ce369f1255f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RWssEMgU.bat

Filesize
4B

MD5
a1bd9d6cc3431533165dc9f1c5319ed5

SHA1
bbd69bec093510e89976dd58f07d548ca0e52864

SHA256
518ef555ddd94be263cbf70f1a477b4f1cf0915c9122321229cf5a08d8d72689

SHA512
e5d1cf927b113183214f67f616b0dc4255795ac6ac0eb7621de19b38d0220a422f011bee7a2e471d397753a51e18562371d1bc6d695891f4e0943990f8f8a2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEQm.exe

Filesize
199KB

MD5
4699eb35f9e84a0adc69b3cdc97dee31

SHA1
778f4a56cd353a58447548d1f3671d37593b0e26

SHA256
a3941b7fbde29bb9a34f38b887bb24dbc2c93833c7bfd354cf9f41bcd3437a50

SHA512
05f1a97d4c576e9cb4d73c8fdaab15fea8a1c9acc7394d3fa0744d72793b4bdc44b6872604561273e15dca56d8ac9b6c7763c86b8e63eb4549e0f1965ae24a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIMcEAgE.bat

Filesize
4B

MD5
2cf816744aca214fcb280aeff72ea3c9

SHA1
11763e467887015c82b11b05bd5d3c274b6b6d3a

SHA256
d5577b53067bb80e9b2c1a49839097d6db099ce69e4a06bc869b6066cf1575c7

SHA512
b109218d5d3673527ad42a02ad831b0fd492480a6201e0a1ff098f249a3cc558b613311c33198c4513699fb68b2ccb72965d0fb7d8968d6cbf86220766a97730

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOogUEcU.bat

Filesize
4B

MD5
b872d04bd05c7c9108fd3de52145b47f

SHA1
aea5fd223589c4d59bdc1ac9434a5c291f10cce0

SHA256
74e80e4816053d7f90497c57ccbb094eedf326e7d5115fab50fa51fa0331fbf4

SHA512
1d562b7afc6f0078291eeff58993c76efabcd1660015363ef1e9360100765579788513597cd7a1909588aa9bd48a2ad939173675564f01e0b7d4638667c0b538

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSwIgsoo.bat

Filesize
4B

MD5
70a89a1a8b76cee243d25f5df0058022

SHA1
03c1536dc307a521f2a49637f9173678d1a8c294

SHA256
601d331479bc7c95191d1cd74c19a24ece5b190eae1e80297697d3469c7c2e05

SHA512
25a922a28ae8a22b5fcd37d1231c5599b6d79fa5cf1db46e510f89c425e013a613cb12450ae3533898f5078560e8decec10954970184f6908556d001619e2d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgEc.exe

Filesize
784KB

MD5
bb324658b62ec53978a6daf32a878bef

SHA1
c87ab6862caab5b255c91791dd2b29fb7f5f48fa

SHA256
ec08823ba7203968c9d88dda0ee1d5d1e0a388d6b03ce8141424d63e8df4435b

SHA512
d317759f978e155b8c64b15bed673a88cdece1302450e16f11c7489f003b852b5fd13b80466e0a36f7a6a30c290c1d29a850bbb5fb8f957a38100d5b30fec223

Download Submit
C:\Users\Admin\AppData\Local\Temp\SksE.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TuUkMkEA.bat

Filesize
4B

MD5
d66b7ee9addbac473c521f899974d45a

SHA1
8a882b2352f50a2f5e10d6bbbe50da0e8caeabf7

SHA256
83df937d01f755c3bfa14ca63459f64ef1f92a565290ac66bf30198ebbf31c6b

SHA512
46ed6d962cd22ecd560f67a793765659f326887e05eef9741c6a9d6c340e48d2a24451ee87399648eaa958c05efa3899fb40d4d3d6e5f922200433b49bc6fa18

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAQs.exe

Filesize
240KB

MD5
1e562d3070c7603d259daa2842f28807

SHA1
6c130e7e86d70177f00bcdbc1b0ef0203ef94e6c

SHA256
d42a95501942df820175b8fb1d9da807e187cdccd3bbe9939b09b11498f2f3ca

SHA512
5aec196ccac02006fe4c3444ff450e37a47cf5f5ce4c4482649aebe0cc9db5791eb5a67cd117a58a64d3bb9ff51c9ae5667956d83e2ffa7b09ced2834e8c530e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAUM.exe

Filesize
251KB

MD5
0fc58bc1ebcd9881ce4d0dab999cbcb2

SHA1
0e89c49f8c657384df6a45353b7d349bb5049079

SHA256
7c9b476a975305519df08416874e2ec402b35645cad451d5c915857d07531dbd

SHA512
0234cd4f6627c86c21a8bfda669608cff4b3b0ec40a838197625aaea83e94b840a0eb8536dfb2733ebbdee5e8c36b1708674c30e3f16611886f40d1f5ec39f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAYg.exe

Filesize
186KB

MD5
d49130dff9bbfed5a3673bda988e7238

SHA1
629224005c21c66d17d3276badcadf210d28a695

SHA256
9a1cc106260218a10f8347162a675e69328225ed3bce6e32327edd45372af35c

SHA512
140aaa6ccde7c946dbfe3b536035f778e4a138c433c78105d9b2e71041cb39375f416653c36a77fcf107bccbd968f321aa184efecb301ba1a7ea3d423a09e100

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAYw.exe

Filesize
231KB

MD5
27a5da14d851e443868a9904d09f2f3d

SHA1
f9c0ad67967f76908e3a101206afcf1774cbdbab

SHA256
9b93575454f42e8ad94bba75a6940c482b522f543474756c8bce1eda707a0048

SHA512
27f9ab79be5a4a5b329e69beea7d922e9941a7bf6bcb5eb45b57b8e027a00d10d73492bca56936ad870a80124645cbf24067fce87a453265571a1484d59dd5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIMoQYsI.bat

Filesize
4B

MD5
e88409a19daca166dead62ab03bf2ae9

SHA1
81d2fa0da12332fb659c7ba479f3c84f93055645

SHA256
7239c5d56d8daa103b94703249852b0e369c05e3867380e0591efe0e979b1431

SHA512
415cf7d1a09624cf6795c98402806cff0d0828dee3d5306a1a7e9880c3e799cbf89d5146aae12d2ef7b618bda6f6fe8bfbe0c223771df2c66ccc5ae9d99b3c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIUU.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIow.exe

Filesize
647KB

MD5
2275f9f751b1abe725648e3441b61aa5

SHA1
d6406421fa2097fbc5fb85c61d0b309c1ee12174

SHA256
69603c728c69e436fe528c7b92cbf45548760a3316e246dd3101aad9759128fd

SHA512
b95cf0de640c6e150b29c3948b13cd5b80275413743b8dbc6f320c085e27ad2214b9c75fa7d71c2bb640a959f4b271ceecdbcd7b34b34993101bc54456d6b083

Download Submit
C:\Users\Admin\AppData\Local\Temp\UKoEEMwY.bat

Filesize
4B

MD5
741b1d36a5d1a6428ef4a310a4b63a2e

SHA1
41b3689ce2aa9fdef800769957ab470c6c2fb652

SHA256
9b7ae27b18f0dac1e75939f67a2b4897c0231baf6d06669af98da769ee6402d8

SHA512
b61d00f1cf5df4aeed711d7f394cf19edde201c008227bd63a3d7b835bfb589f875769a5ea5d6b7f87e57304737bf5ec656ee332e6dea4fdf9d65f158fddeb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\USAAkkkg.bat

Filesize
4B

MD5
01b4c8b1942693d43f4955ce540d1734

SHA1
7994a463ade0f972bf1bb59ac236e37b08bfc4d7

SHA256
7854eeecae76db51245704f825f47cfd5052adafffd176001b1ca32c6d79459c

SHA512
1859f5849f024c64dc1681fc165d0a97929cac9b75f6664c2cc1b63abdcf7775c6dcc5438f490483e929dc6e9784375d963981d50ff651f5c2078d302d45a2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWUUAkEw.bat

Filesize
4B

MD5
2a7b73671c4db352c8de96f0689ac498

SHA1
9730f20966691ab49d676aa351a7474ea61f77ee

SHA256
44de8b698f80748908ce8a1b0ebe84af92dec413213651b079961aa7826ef78d

SHA512
1720b789b54ec8beaf3e657478a49745db94e1304f160513cb2cbf22a21a83d803058238021b82f58137f2a66f64a907725cb6a3d33878b9511abe5d2f1983a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYQS.exe

Filesize
200KB

MD5
d30cdef21bf2b5799dbbed0c5c084434

SHA1
ab3d930a9efc3e712075d8457365837b1ab6f4f9

SHA256
d1448a9cb0664e50b934354c71fb0e2a99b53932faaa751e564debd5c1febd22

SHA512
d045a902e18949969456089cbf1e78a5f0e4908539c206dc4844c885b32f0f301787ea7d988357006b976934d8d9aca850dc2d78df674daaff6df37451e5424a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcIcgUEc.bat

Filesize
4B

MD5
f5b2a7e5283f3e11e9862f3a1f6b3c87

SHA1
a03de00bcf879dc28ac7fed4b4a28972531c9011

SHA256
1f073d22e9c414cb84a13c6378346082f265b26a3c07f4e058afa753792d3ca8

SHA512
c6b337300874baca50676989cc390fef91f1b0c5b11cf43c1722d6a0a747145f90fec4ece38230ee3315e50c00a95abeaa9d26301fdbb077b70be4e52b5405cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uckm.exe

Filesize
212KB

MD5
fe8d82bf6544d8130b60fa2d58d79cc1

SHA1
a868ab3d8dfa8f15432b14544273d7f2c5a19761

SHA256
068a6a7f1d31b7019503458eb8978243eaa184a8dd7430a5d96b895c4bdcf2a7

SHA512
5f73bade0fa023247569ad9169a6c084929739f2af8405ca99a71879ff27235c71d7d8ac055f097a1c3d6f0a280038899897ce03b2228db412bc6f0a74af48f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuYUsIUo.bat

Filesize
4B

MD5
c8ffc703fb02463ce9c3fb3231bfa36f

SHA1
b0aba4de4eb2d4a2c29607e72c6d643a5d58fcd1

SHA256
eb82f432d20ad0db5addc3881dd880e406ab2912b2da5af9c67f152fa7a8a3a2

SHA512
f551c7b06c242c4ad66ef6e0a76037c3e0a88bbf486f28a01c129c99324c58c66fa0157936b49e2ee5f17d9ed65520182ace680b8f9738d84c8ecb6a3df9e215

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIIwkEQo.bat

Filesize
4B

MD5
ee0f8e193681526ac3ae9797d7540f9f

SHA1
a8249c60c6ada00b8c979578b60da51649f7d9e9

SHA256
503dfffa1c19de8aaecaa80a25e066f7ad3ed76a2384a6a72e78dc347d18d09b

SHA512
d47ae9e9a9e093f8a9fc668601aad319de6e98cfb16a8223f08fef962efa01a1227b0bb4514f39e69ebb2827e10cabb0c6141880a77bbb7d2e45d71fa0959c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VicIUEgU.bat

Filesize
4B

MD5
3e257108514a7129f1062d2afb5eb1ff

SHA1
e8f04eb58ca2c836e9ac64db44bf357d5b46a37a

SHA256
0813defcc2a5fd028d6a5e68070cace0c0813586c3c9b70dedfed3879d551dc8

SHA512
f23b552279679f127dd9d06c665242bf621512b78cca7b42f50f2ce610c2dd57b352cc39784db9026bb69fe395ac3dcf218bdb3237c38614403786beacf2f2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoowQAII.bat

Filesize
4B

MD5
94dbb3326529e7277160476042a83ba9

SHA1
bc366c3fe74b686eaf465caf910a297929af62c7

SHA256
60b31e4aa813c6a5b0b11a90f73f7fc73f46f508783a92391aeabf01551fa3ee

SHA512
656a822d6abca8738cb88c6c9eaec096190f3538084824f0a492692f16d29b8b2467c6caa7b9b06a1b96d049649555580bb2d4b196c85413e94dcfd8cd3e6ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAEE.exe

Filesize
197KB

MD5
45841001ae06bb120df4064625c05a52

SHA1
d33294274e8bce345981c9775db496beb530ccb0

SHA256
f4d53e4033dc3e0ba31abc6fcaaae1e7bf035c60bfef1004941a66e42dbe9ba1

SHA512
67ca0f067b6c1ce9e8cda5a8a48d129b95623718bfba55dc397721bb8d0686e63311880623edda34abdec081c8090c1d4962039af93552e1c95183c531a0829c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEkEowkQ.bat

Filesize
4B

MD5
7d5b52ce5113454b596e9eb81020ee01

SHA1
8e8a1667abe436f952deea7b88d580085554df7a

SHA256
5cb3e689b0a4972c6a154828c1f79bb485500643239cba7f1b073b7134b7c6f4

SHA512
93c6c1c01846b80f7decbec342f82cd4607ad9cd79834f512b6ccb43084bee3796ab71d3a669d42202f3f7bcfccce333181272a500173d8e84f6e20122b8a49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQAc.exe

Filesize
246KB

MD5
d63075f708ba888f090d95bcd6203493

SHA1
94fb5c098d3d2c1797f7649c0caead2cba687a86

SHA256
6504cc3039deb0ef6ea51189b6d53fe65c833afabb46d20ff3e98ff1b8384d4e

SHA512
861a94da0a3247d8f9fac6968b22bdf3feab49f4b48c271fb737a5a8291ac5fdd3594e7d8bc047256e3e017729b7812549da915ffae3d9abcca2bea5a9cc6507

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUEu.exe

Filesize
216KB

MD5
376669750c88353e64c862d7f1b00381

SHA1
44f4d4ab49042bdcb1c625ac47f015b8105226b1

SHA256
b4f36a918e8237b1d451492886e2128978d3351c6d6d0c2634c4b7dffb1ffba0

SHA512
1dcddb23ee36a9681cdb23ab63ee6ed997f3688de22d3773d4c7f6628f7beb2ff5bc5563a00804dd4178f1af57f088188eac44ae50c4f4d5a1a60bd1599e8f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWwUAAEk.bat

Filesize
4B

MD5
c5a52aac316a0bccca4470c3b60111d3

SHA1
0a3bae12714dacd0004eaa9e284b352e8b9cfbbd

SHA256
610d3c21638cbbb0786aea34d2a54aa96be2f0f29d07c9a079f7bf80a22a1a31

SHA512
0e6f9297e7e1afeff40eea4ee63007a7df6d9e767793944d8676e247249bf2be3135a9d25fe7414572208ce74f5dbd143f022e8a2399562375e7f036ebc528ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkQU.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwQO.exe

Filesize
192KB

MD5
5d4a588f6ad1b7c3bf7f23a4bd55db34

SHA1
ae87ef7ac3a32274ca9e6ab201c6fe726def37cd

SHA256
2be3385248db1b52b81a380f7b5c723503c477ef3e1bea7660d69aefc78bcf01

SHA512
a8aaa86684984c8584bd8c6e8fce068d1a243fb84ca31c561044f221b7a57001eff394a0de77cbd91d88db0f348b110f5c9b0d93fbea5847d66c26029fbe2076

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwYoEIgQ.bat

Filesize
4B

MD5
986e3538c5b364354cdb0b38048102d5

SHA1
e38a29050f6c4af52c7b714d2726dac783b94fb3

SHA256
1bbfa1d2eba2483d89e1fc9475b5110c9fa0a4916fa78e91803a84a5029ef3ff

SHA512
c618fe1a3127e6f0ae371845c71151bf4a781662014e570251f6953076b13bdba8ecb6729631bed397ebb91f84baf42bd5bca4a61307852696fde45f5921720a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCsYgwUE.bat

Filesize
4B

MD5
148760c63fe03fcce1b2dce9cc859b15

SHA1
c56e164efc754e264dfe3a6f7b1cd3059a4bd7b4

SHA256
8d532fb092d35b2d08e71588951a46b694ecae65ad0800516cd7ce20af8b7c9e

SHA512
87b44e0e19ea121b54d44cf9387dfc65162af735a9ccda907026f6418d6299503817f3616154ee9ee59e9c1882f09ec4427bb5a28274bfae4476d3e8d2599eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUAcgkQc.bat

Filesize
4B

MD5
0a5bd3d8272a707f15b91fed82608957

SHA1
f51d93e1f1eef4d6f5ad764a6af16dd84d74509e

SHA256
1e918533b35cafc9c1c6bce20e082e81fe8b3238ca5aa355934522c45f05cd29

SHA512
bbfaff58b6240a2dc502e123fcda754843c4519d69dced042d2aef2c6bba5da2d161e85ab342df6104ef91388acb1fc55719e912f2774d328f3f122f6248f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XsEkcAAU.bat

Filesize
4B

MD5
a25ced9734ead2bc6acaeeebe9a4f6f8

SHA1
66e3d5cf19a9f9a2c68bf15ac716b286200256a7

SHA256
fe7c42387fabdab2dfa8de409b9fa1254aeecc266d427f28f69d145ad063df83

SHA512
8773f8fe2763fddf0cb9f5ce13bbaf39c278b1f91f7fb7a7bbe61df022ff807623237c7200fde5f11eabdbb57c1c14aee0207d3349978252e9c40efad76d33fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XyAoskMg.bat

Filesize
4B

MD5
2155ae39d56b9206ca827721adc585a3

SHA1
9c2b1f67612021d18b91c52b282275a4da15b981

SHA256
8bc5dbb6ef5a1f8820b76cc952a678dfc2e34ef1dbda08554e64cd9584dc3cdb

SHA512
365efd63235be92ae2cce852648bf69b117273dc6a0ee7b2e4d6e65d8b807ee5d306aa96dda96f211f161d661165aa95ddfb4063ee0807a502ccf51f844d4485

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEMoIUQo.bat

Filesize
4B

MD5
1b0ac56a3b8ef50625c9007e44f23ab4

SHA1
51cfc1c63f4b6e0cf5ac31ab789bbde1ccef8906

SHA256
6e1f70222e87282e4e1fcd363b5521610bdd19827afa6d3f4337e55f9f88a0d0

SHA512
8221dd302f27a908ba8a29d49f7f108a3b82429f8fe1b2590a3fee8ff1347b51a9d5f8a5939ad760ecebd449d44d152f10b0bd7739ed8f4a723f847683f66265

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIEs.exe

Filesize
194KB

MD5
03c4c8eebf1759d61b055c5ed905481c

SHA1
836f39f5cb816e5992149028677f8553ad168cc6

SHA256
2934186d2e069ed1bf7bb43c18db1560761e2460a8a7384b36920b155cc163f9

SHA512
5440db9a94f15f2350dafc29eed390eb008e85c352170d008cb2470ed0dac38576e7316c8f01d67909896034840e47ad9eba69e7830bfff1fd1880d3732e758f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YOIkIoAw.bat

Filesize
4B

MD5
471157213ce9a7415aa1ceabc2250611

SHA1
41e009c8b831b2b865b6dc004d1bc056412d093b

SHA256
d3b000e314d72f18a49f8efee9b6d6ac069b8259920199986e33bb287aeb1b37

SHA512
51ada2a23763b43e0d940829f55ed9ec70892099dfa26f29ff26dddd9bdab31a496fa8acddef25b1ceddc6fde4abe4b8e3168840d6320bbc6ecf5aa35523d802

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoYi.exe

Filesize
250KB

MD5
44927c1a379db05d97130aa32eb58b40

SHA1
6781bdcb38265f0980f9ef68ae649cd1756c8c22

SHA256
d963cd5577c25a5da47010dec30e3cc33830a1fe24a252045e1a8bb4d770c047

SHA512
72d7577de9e0a5934a134a04815cea2137b38da198194a99e2edc2d6ab567cb69922e472d3d2d13c1796cd30301cd2e43ab203622c5abd005308ddba5fcebd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsUIMAkI.bat

Filesize
4B

MD5
688db38c2e1a23e88da4dc20a405c20f

SHA1
ad8617d7cdb2963eca67bbec45593db01cc1f549

SHA256
9ca3417bc3a8f6a3f873e1dc40875808b073f6d49392fa03feacede2865e3f7a

SHA512
383acac51ba48e2d7e09c96b7a939b6c8c207dec45fe2986463c7a26b623e32714099451afbf99ac1ba60dbfcd61c2e58bdfa40967e8484208c6b1bc9ec40526

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAMi.exe

Filesize
236KB

MD5
46cb403ec1ea0cc6229d58685444acb6

SHA1
74286d4d066815a6c25dbb636396e70077f40ef3

SHA256
2bcb72c6d6dd28ead98eca1a365a74c24afb71a6786d5bed2f86b763872a7c3e

SHA512
2c4146a8e120bb145a2f4d3f09e38a72bb956b4ed992c32c3b60e4ac3b4572be1caef6df47670926a327a424ad65a2e32baf29027b07ec8c253e79afa5b553f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aGsooQMY.bat

Filesize
4B

MD5
7c8891c3579452ed7a013871505b3acd

SHA1
25e593cd033377ed527de00d74af6af4427f9e1a

SHA256
ad9b66ceaa450808f9211fb905d34de54878317b03dec061d79be1ae1b55a8aa

SHA512
91882bee4f1f5fc4641143b423ff12353f87c40e70d625b3c9ad14439afc179ebfba67ac66473d732279848fdaf1ff02449f3399010dacd8ab4d772580c3546f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMwYAMUc.bat

Filesize
4B

MD5
8df83f1f64c8bab66266bd8b876b833d

SHA1
d85df518c176ef843b8ca5d0809c04a69ae3fd79

SHA256
b22eac13a4e24ab200c26e3caa1dda68ee4bd668b026dfc3d37a80f5a80eb477

SHA512
55a9d733d528c771c3a8a7830c52feeef222fb3232dae9db39d255482479293aee01f0c6e4a913fd4d5f8ba1e18ee0fd2b9c53793fa497df24e848da439e6b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\aOIEMoUQ.bat

Filesize
4B

MD5
9cadfc8075ede0c544ebba42a20856ae

SHA1
154eaea7a88687a796eda31b3626b1dd77792afc

SHA256
89178cfb346cdbb22148c5e5ab787712c0d32156427df5dd515e02c98c60500e

SHA512
fa7ae10d36385c8531c8f6e77db705af0f6529179ecdc4b00ff7c01273befe92f8ea7099d2daa1318b72f28b5f0331f1dc087283280974094f552105e4d8d4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQwY.exe

Filesize
251KB

MD5
3f304a5977f0181ff6bb6db33fe62931

SHA1
cba5dd4b1966517bccaa94988451c8fad2dff6b3

SHA256
9706894c2045b494e23e89e1c6cb35e116e94c6bfb5f3984f2084f7f6c2b574d

SHA512
122685c6b5cdd10b0eee5b4c13d13be70f1c84bbad391687b44054a9cbfe6dead8963153b93b85b49eb2b5cae1671af183c2728e7d6c7d03b3fd7b9001470fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYwoIwQo.bat

Filesize
4B

MD5
e9719b4c30d1fa482d2c40f097696130

SHA1
ac82e9cfde365c70b82d088b5bf1898f40cc1789

SHA256
0e5a6360b057c4988d7b4e00b762ca4e5d2dd6f91fe46fdf58b3bd15af5e61c1

SHA512
16d87826ddcc1d4d005cecba47376fb2625c728e2be3c058dc3dec6ffe9690314f72d05fa31adf23b68cf48a9bb535a88be3f7e83fda6117ebdd147b16ae37f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\asgo.exe

Filesize
187KB

MD5
16b25dc0263b88e06315b5efba812a54

SHA1
a5c03af7038ce84b7f1538a1d87e2feb768873ee

SHA256
a7de077d4453611df8f44fd152af39bd6a594cb8212e055c534f635528ac93fe

SHA512
a8753865cc859ecae873db7789c51cc99e35b9fbf8330a06b22706b61abfee0be2226141b314468c32fa0d12e2a5348176b108cd3a23a44e637338797fb9547d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGokwkYw.bat

Filesize
4B

MD5
b1970839e5b5eda171a75a079e559de6

SHA1
80e811652d6413474dd9d0997b93a56fa6ccdeac

SHA256
d686ebd5e915544c44e706d94575bda8855593203c2fe83ea34f7277561b0433

SHA512
c3f1eb67fbc906a8a119c0e290ea1371c5099c05ca98f02f153d186c3b6f7707a85ff2e8343436adbba5ae8f91d59fce890b081440ace07b2a3474b0bfaaa9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bOgUcYAE.bat

Filesize
4B

MD5
784092b0f844b24a2d3513b5dab4400e

SHA1
d19075c4d8d7d1901035c3c47cfd2a69798de277

SHA256
7e28af4ee704fc6b5c7675c52b359c4316f632477690213c4148f3a01cb84458

SHA512
63c686c2cd63f1b1750af114782b5feb6c721acf683cd914601d5e4a806279953d06bead366637dabb4ceb36250a2f6a725a08e0fe45f73b1c251ac71002e361

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcAIkUYY.bat

Filesize
4B

MD5
82790b35f022202b30769bb57e8c0b5c

SHA1
7791ecb42bef8964f38308eb1a141787d9f0c36b

SHA256
0c2b68d5ede21d1348ad7d563de24f98c791eac5d4328c6258421905ca61dd3b

SHA512
5f87db3ac0c7fae21f1c8d23c764aa9a9d7335615b849d46b9f1317caf177d09f7b10c047cc9d85228283501f5f40b13aeb3832b63142c00c41b3cd62219f896

Download Submit
C:\Users\Admin\AppData\Local\Temp\begkMkwE.bat

Filesize
4B

MD5
9c61e41c378e74e4deb010c93a228834

SHA1
fbae541aa109b4517758b45880de2c1e75e5040f

SHA256
eb3570ed5ac8bd5a1d5f7879a344105302b5e3efbdd39c1dc56f842299043adf

SHA512
39eba67644dbd77d71d3110148474283f444c0697121b13b40eb90eb573c3ce20ac6b8ae24975690ad7b6c8d069b0a6dc3c87c53e0393c98285e5f0e8147ec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgYcUQQc.bat

Filesize
4B

MD5
0800eb1a85c2a24592df36cb09847f4c

SHA1
921f992dc7befa6a4e350b3eb87e106e34375c66

SHA256
5c747cbf4fbb1ecd8e003eaf28223fcc038f8c9b5c3c228ae812e9b4532a4115

SHA512
60fabdb1c64a30f48dc2344c10e71e486dec4e0d8f065f8990a8654503a61d48b98eab693540f356c2ccb6fa1e19b41e0c46d41adda37eef74fa445c3a054d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bukEcIEQ.bat

Filesize
4B

MD5
d18463ba54e4c0c39bbb58f371c5d229

SHA1
e9d2da88f49b4bd3c6a86773660cf8f9ab43f109

SHA256
7c01d9cc172156125a5986fb0a2722ae66e4ad4fe57ef9c9846564e2cbbad78e

SHA512
6c1f35fc50dabfa324e0013fc9eeb6c116bf61492f01d85f4f30f6f7d75358866158641a92432ab3738e4a94c6e20ef8993df0ce5a0c3ec69a931253f985f7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\byQYkUwY.bat

Filesize
4B

MD5
9e27018c8427d4ec1d24739334bf7c53

SHA1
67c5fa734302470f93450412520518851cd3b6f6

SHA256
b6fd5c8123403f95d1e7208227b6071476ee6b56ea94445d5eb2f776a9dbd4c5

SHA512
a2a14cfd51f7aa8454aa6522dd78cefbd541b9b70f39050f9bc64fa58e9dca175b294c5676124b27ad8a79cad8f257f3d75f2b9920fdba3af2d9b7b73eadcd05

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAAY.exe

Filesize
231KB

MD5
62c86df6ce2bd7c8723a5f755cc75c5f

SHA1
0ca202586c5aa3c78297ed421ead38de72f43b25

SHA256
adff69e2868865a8cdb4651e354b335da11ad81f1dc0ca87d49d61eace2ea716

SHA512
4dab1aa5f24c07a04112e0ad643f6ea25031f7b15452e4a7fc73e520daf95e68d74e3b84ae104018d51b3734d7b6ef8dd7744c49284021f0fd0695db9983f0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIMQ.exe

Filesize
241KB

MD5
4dce1a9994e77658e2a4c7fa73e7e905

SHA1
046c96d26e579b6692169b0b1bf19abe217008af

SHA256
a2d41a618dc70b0c9d711a2a505da3db4e297ac6360f00f6d6688cb32630b158

SHA512
582f5d3be74020261a0a31c1af25afb78356e719a7050d7861c8134a87718e887973c5bfddbdceb4be2c7c1b89df7489ef3549e355685b50401ce9970d942416

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKYwUUUg.bat

Filesize
4B

MD5
4c74f197b7f298dcf38490d6f5839d8b

SHA1
e05722f5812deb4c1caa82cccc5978524def400a

SHA256
7e62d9b230166f3e0de23bc292eae6b1b0a62ce8f59c7db6c79bb9c1e82da30d

SHA512
1d5a4a1c635ac035c5a19c0419be8b920f7d8af412da040bb2dc65c593ec50fef215a385dacf1e0432d7ffaeb2a12565a824120601885d99b097c108b3405929

Download Submit
C:\Users\Admin\AppData\Local\Temp\cooS.exe

Filesize
433KB

MD5
4c4da7d341fd43fd22c33e0eaef08fac

SHA1
07ad5bd36e216be07aae4d723270e64543a19d54

SHA256
519211982227bf8de359f8f0fc44cee0a38625e7edb5c8e2a4c81cf16809fa04

SHA512
8b62aacd7403adf5ff7cfa8960d1b2447f9b83ee667d187cee17249fa367eff41c9adf44a26e30fcf6f0ff4085e64cf74e243c6f769686108983b7d9a444919d

Download Submit
C:\Users\Admin\AppData\Local\Temp\csgm.exe

Filesize
4.1MB

MD5
dfe60e601cdfc1179fff4230f90d0d1e

SHA1
0ecdd4aebe8646f56aab9baf8648b95606df220a

SHA256
068754826dbc97ad76522689d79c7f7f79762f919256fc90a5f77b9365715889

SHA512
2b033460a854d86e6b706bed6644e7aa11cddb808c99301f37a37e9e388d0044e2ccf4ae5315b6d959664180ad071450b4f41457563d702ab4f0119867aa7689

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwko.exe

Filesize
227KB

MD5
822817d8af8ee5926523eeaca897d1c7

SHA1
b5dd0e0b6a0e26e84be218c72a3ff7af0cb40267

SHA256
366bf61b3fbcfa06af1302f928ecd802e804f4df7ff6fbcd56cbef8a648bde18

SHA512
16cb3a00bda09501c6a201c4a45aaf981380a83baf909aea54774d345dfb1adba25ee5d1fa1ab2f4d03cefb173c51a52f79b8d40cc52bc1750546d2fdff5020a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyAwcAIY.bat

Filesize
4B

MD5
5656c99d0b38c2b64d412e49f3a47b53

SHA1
959b8ba468937fe5afc8c0582b27c67993bc6f17

SHA256
bafd77c3d2ea641a928fadc548de2f4102dc32d45614b30796e6b8688eefb5ed

SHA512
10c592de8936f459091cffed8078e46ff8cc08e5615286582dbb7fe3afa4852b8d85da6b894f3a58e5242d55c271a5efb4101488c501405e1ead879a3e9cc728

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEwIokcs.bat

Filesize
4B

MD5
b39903045386a69e5966886ca5e25723

SHA1
2a89da0b9534f66b035e3bf861bd03bf234a49b4

SHA256
0ae841031c37eba2845f563866910ede7eefda76829103e58c82f817e1fac793

SHA512
0bb991b77a02efde60fcba3a0040cecf4a3e47ccf6fbb03b4b930887ecbe19456887163f06e53d0d4d45302404fc5c1b960bb68616cdeab9a0250843c6f55e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\diYccIAY.bat

Filesize
4B

MD5
eddcdb03f62775876fe4a9386f8ec43b

SHA1
0c805ac727d20a25940853cde5e9e20889d765dd

SHA256
744725996cacda8f59d27b61b232f019da6236ffb70d09131afc6d5387f01199

SHA512
9911453a0b962f1e22ebc1d45e99efe83cd0ce836ac10675f3be763ef001575c2554437004583c5f3ab29c628cad101e3c04b771a2c66d054ec3d13ffbd93edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEgY.exe

Filesize
205KB

MD5
815663c14383a1fb7367e8b3e980e734

SHA1
e26391390dcc9794b434ac847dfc8aba903bee9f

SHA256
337324c2766a10d1330728887139c3028028218d4c46943edba412b54d35be64

SHA512
1eddc526f2e2ca4014ddae378c2bbdb58f36c145f0ef8e9c7ba01bdd370e0c68dfde76851288a70cd76ce7117ece08399c334a45251f8e3632d3d0b41da49123

Download Submit
C:\Users\Admin\AppData\Local\Temp\eGkcQIgw.bat

Filesize
4B

MD5
fe6dde4fff04e7b82a0a1a4cce4fa58e

SHA1
41401790b009b6fd519101d17a6a0ac2cc845199

SHA256
2b0026585f29cf67805245c06d107ad8fafd9fe891a9f299868329f365cf46ed

SHA512
25d19d83e0dd7853c3108d3b3a036a4ff02265764c744440a5cf15a475cd3e8776bfaf92d8b5fca120167d0a40a92a54e4cdb6b1bbf1766d94dab797d53cfda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMEQIwEs.bat

Filesize
4B

MD5
745414dc3ecc8438ef46c9eb98d2d29f

SHA1
26ce7c0b097758c4e8a2a8b8ff8f146456da57b4

SHA256
6400cce85c42b67cda3226ea9de074b7d7fdc538f3edab098132b33377a4d913

SHA512
7d313b03522402d62ba1eface7e79c58e484bdc12d6a94c685a3f25b13d0a95ba5f9dab63fde0ff4622a0173d14f43d4fa60656480f621038e5706e01e553bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSMooAgc.bat

Filesize
4B

MD5
e182ec8b063ce2d3fac059188f08b989

SHA1
30eaf01dd49a99224e665bb858008e0c557b5c71

SHA256
f5052950bbf3502d4ae4afd15e2ed05e86dde5daddcbb4305bdc11149ba99794

SHA512
60664a951471bd0c13aa6f6b35defe2b6947afc46b19d0bbaa8489093bf10ab0010fa811139cffa63411f5ade18355fbb952ac48845414b15429cc2990f449f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\egsQQwUo.bat

Filesize
4B

MD5
8beac25d9cafc074337913c620a575f6

SHA1
7078b6799bf83946939d6b350e4e952732b82955

SHA256
79518288b40f7b5caa41493d9c94b29b6a203661ee9af5929ca2b2f98e4c4f11

SHA512
7705106d76747d6ce3470e50f68d33f4ec26cd07032f0e7afde828c46ab93363aff6cc209b6945beb7ec2a7dacd87ee4bcee9d7ecff7c0aab881a9a4ea7576e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekEK.exe

Filesize
827KB

MD5
41d1db4f649445a34e17170114f31352

SHA1
95c287fabe3511c164c4ac582d286677766e02ee

SHA256
08bacab7ea76217f85464a5dccd07ea9500ea8619a468f7402433be6c442495b

SHA512
b5c3e843b7ad9a70123a56ea7b11b8fb3497b900c813886f30376f3363e4f667cf77054962218c240fdcf657d955fb1cd9699f314f635b722f468ffc7105bd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\esUc.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAAkUooY.bat

Filesize
4B

MD5
a94bf25bbca702bd913320438e2823ce

SHA1
b849922930f1fa251ab31ded452dc6802b8352f0

SHA256
c4ad577c0a4c13217af250d86887a41b883660196b319ac84a61252b15fe8502

SHA512
0b1b1343e645d7b447223de633e500d0987776d243d113563a6ffaeaab2a728dde220d1a7d5d8530166c3fb05b66b70305dd9f23c690f68ce162f417d8276965

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAEQUIow.bat

Filesize
4B

MD5
599727c1d216c2cc37accc54d502396e

SHA1
abab9100634bd9705404e965e5e5388e51464bc6

SHA256
e06454dc542627d9dab3af12d3851dbb5292eaf6abd824bb7dc087361c779724

SHA512
2178e5ce4bf8b18e7a410d29f9d6831a34b60a86b6aeb71baf9426cd8c510f41a755fc38a86a766f1ffff990b358e2979ca738849d759fcb7b193b0d44215a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEcC.exe

Filesize
235KB

MD5
2fc69f17da2aaf35eababe677be86040

SHA1
478aa4890b04e8505956bf0fe65766a0543bfff9

SHA256
02dea9249a328ec9e1ae129c596f66f163a6b4dca2e3a8e3b1534973ee1cd397

SHA512
3d10510bf955039df4d1b81f1c54fb9d07e9ef557944035a0fda6bbdca234a4e44c1dceab5d358a53203eb27bf15abf28862a7c42b33e6a6e99e78b6b9e799b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIUIYwEM.bat

Filesize
4B

MD5
12e687673e42bc89061c794f0e5c4c4c

SHA1
450a207e1282f5aa3ce12360548fb0db88365c9e

SHA256
817dd8cbf6ae24f6594beba7dda747436bd3566fba3f5b1b0fd0cba2bd06ab15

SHA512
bb8c9c64a173e54c710e7bfcc99be0ac695e4036452e21a01cfe2e8f7bc3c0c0d88d1cb10daee70a0e5961f334c4ba39acb701cb34772f2b5702675ff4298fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcgg.exe

Filesize
530KB

MD5
ddef3d7ab8ffef1a27da1390eea3cc5b

SHA1
94e25537a30675adc8381e497109375464a38a14

SHA256
cebe464b1867c6500ef50da55aad880be9c5b9fde61063bcc80f797c4a7a10e4

SHA512
bb90a73ee8e05c1af3aa980426ef83fe99262de3400e5f56fbd03d16f9f081e86fe5a1cac037b87c5aeee0bb0247f00fe0b9f629d008679bb620864ebf5ec4c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEYkAcsw.bat

Filesize
4B

MD5
503f691b390c0058037d2544a6be3761

SHA1
b5551dca27b413b1f097715a507d1c33f9fdf98c

SHA256
f3141b81cb36dcd3ced9a1248ab64542d265cdb7ee7987ce437bbc9fdf447415

SHA512
d398800c0465c713b209824b0d159db6722580965b27b488a3323c50cc1dcee7d4d8df56c801050d86a1696d4ced7425851e148fd92b3ddb93665ca7403d52ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGYcEUII.bat

Filesize
4B

MD5
f95d6b351d330155e424a0b845453a02

SHA1
05b460c149d09d81cda34ada5dab44d5147fba3c

SHA256
be41db342583daad81484964ed3ea0d23b645c8646d03e0f974af1f8b640cf09

SHA512
ec721b2f7d0ceb22e1d12e2b2338386973ac6b82ac200ed2d1e2ca7d17223d1ba9d31d7aaf10be5c0da28bd4b98745488539485bb923ec860c05f53d63222890

Download Submit
C:\Users\Admin\AppData\Local\Temp\hKckUsAw.bat

Filesize
4B

MD5
32efac07f294db9207bde12dc827f026

SHA1
87cc193f25f2900594be759d1c12279b4539cac5

SHA256
faee32f2020d3ec0748184df57ea091d714a112e34fa37c6620bafdbe60b1e59

SHA512
e2f2bf6541d654ed5957980eb0ea9d08ba1c99d1a9d29259e40adf88c9fadb7a3a9d2a5bf7a3a9e518a21e65b17ba4b6b7ff975398a6269cc0f1ffa2eb23771f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsoYIcYU.bat

Filesize
4B

MD5
d1bd0f7451158a4d00cd536b600a8b79

SHA1
9aa62f5689481e01fe8ca4980f1a24e872c3966d

SHA256
e4c1ff804c93a0fc76378dc2d6a1395b3cdfb06147a636db53587e809b41329e

SHA512
8833448346599da647c91daa68659109d76694df0e19ad8cfd917eb21e0eaeba1110f90bf71fb47b6619036787c1bdf7ac44267d189c47f39378a6d362947449

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAIAwUoI.bat

Filesize
4B

MD5
3efd402c48dbb3b92b0d60043719e1f9

SHA1
b354c0bff1c60b30637f2286076ff7cae00215c2

SHA256
36cc5049e0c7e19a80854c26e656aa66c21ef045c4ed39e7a2cb28dc6a2d41bc

SHA512
7d28d142ce09070102639b6fed9bd7a52aa438450a898ff1dc5bd4adf5bdb4b390a509572a53a676e5486f98e0abab8d6e331a2dd5d8f2e9b4090f0ff604755a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGEcsEAA.bat

Filesize
4B

MD5
3c0b51ed530ba865dc36434e455797d5

SHA1
7c721cc0f5316799beb1f6eddf61a2f8dfa3e2a3

SHA256
64fb88881c4f814d053e811258ae6229586887f61f315c6d9da963d119abc230

SHA512
bcab0c6714556ad25055be6f23aaa200d2f45a18e281ad3cf71ef62ba7e7f2d1bad184c1a7e48b8daa7fa4aa3fc3f8a1f4bcd30a1a339fa081e4bc43473d5cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQcIIQMM.bat

Filesize
4B

MD5
c4e223b5d6e3973c1f39a3081dbd2056

SHA1
0ca61f4473ceb550893978eb45ed118ad205458c

SHA256
ff0243f03354593a4000a9ac1af2d254a848ce3aa8dbb2d75202ada38903e122

SHA512
d2289caec445309fdccd4fa58e2385569129756af7ddad0923d87475d474e8ebd9e7866bb3b1e776a6312b3711845639ea8926459a8f36d902d13f38ed1eaa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\icYw.exe

Filesize
187KB

MD5
9915b5d788715aeecd6894a9e2927ff8

SHA1
5538443a78818594f0d8425f7dcc2c530ffd7ec8

SHA256
a5d76761696f9a94ca21f4ddfe5ddb809a68dcb9aff0b4a1aa0901871777c76b

SHA512
2151bbb15f46cdb537d306b4b942c0d92330e3d5e295b7dd868a79df3e96e43e904a4e6c9b5c0cffbcc3dceed57d3b43d9b9e99590694e0429f0d24b648c6592

Download Submit
C:\Users\Admin\AppData\Local\Temp\iessAsMM.bat

Filesize
4B

MD5
b4549a8a4f2e654c4cbbb14d4ec698c0

SHA1
c35fb3ca057974d7450047cd84732ae7a1d697b7

SHA256
367eef28be0f913767f19f90f3984d420d3f2306d5d861fa3c21f535167b668b

SHA512
374437e7994e3bd77b280126d1b85e4239401fa4e9103ff1207389c5449da5dd2f58d16136149894e0a5140238de1bee57c5e6b0fc9b340b2a50f7729917d3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioAI.exe

Filesize
203KB

MD5
14467065d00159111823e7d9bc946e1f

SHA1
6fec52fee820a740109afaa6170f5aa10a4071b0

SHA256
824ba4e2307cf1b248770fee9439e3eb5a50d7e7eeddab82cb5bda5bff7edfb4

SHA512
7d66c1b225613e303c768c8cc550a9f83130084a7eba56474182786c3ce0676b971552cc264aa559804470322f8ee1e116338bbf093f007c44517c46e5a4733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iocI.exe

Filesize
196KB

MD5
2a98084e3bcd1336650b0342a6fd663c

SHA1
e3d6cd7a04b2d3286df992414fe043cdaa7592a7

SHA256
a4c6eb88c8dbf59cc4e5a1c62c401dbca2731ceaaa38ffb30dbd7fe8c4b50263

SHA512
abf9e38021030f05a20f271092a8a2f36dca2a32c74648fbec85edc6fb1f4838e3bbda05061c7d62f222a2fba3b42ba19e9b9794b7e425d442f9aeeba09910db

Download Submit
C:\Users\Admin\AppData\Local\Temp\iowEAEEo.bat

Filesize
4B

MD5
8e1d9bd0ab405b08e759052318b1d893

SHA1
8def88359d2f158be1545a21ebd85ad972d08d63

SHA256
abd953194c0f963b39c23c789fb51cc8150d90899a3f15332d32258e5067d5b1

SHA512
8010d93f2002a8442a7ade951c7877dad2108c5cacd2f95864d597c748a8a5a1f89c5e75625f9214b8498037156a09b3ec19d697d8a8d1eeda605fe55ccfc891

Download Submit
C:\Users\Admin\AppData\Local\Temp\isEAIoAs.bat

Filesize
4B

MD5
83768f484ea4fd05331ba3f53cd4f514

SHA1
1664aeb8f28ff55353ef2a6471584f2b5e758e24

SHA256
1aa34f7b6194f56acac6e1f735891dbd14f3abec8b5aed4ee010a8d840228dbe

SHA512
f9f081f253d84e3fdd5280fbb32206623e31b10d0a6b760b54b224ab571b943a6677cf79841ed91b0b08f899780b60652c57bede73897553f455e38681c3bd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iuYskQMI.bat

Filesize
4B

MD5
7f02a7504eed67583e1b1801be091960

SHA1
3b7423885ef8c92aa7ee52aa38f5dae023fb9830

SHA256
bd637a35c50bdc65057d7315a0453a7c3fc5d3064b234c389a6ffeede0ce43f1

SHA512
1cb2623d95cd4bf67669c332019827e2ca2903fb63d54f490c6c2dfdfa8260a140522224c7eaa0b315509bd6cbb5370baa82b0bc215da5720a4927f33580f799

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwgswIUI.bat

Filesize
4B

MD5
574ed0592db3e00da1a5e6370ded5f60

SHA1
bdfddf0f536ee064e8b0986a9dd4f81cfa7d5336

SHA256
b327d5f8cf54d1d46ef821ff4e0c5ab0fc23f46286feb65d46736fc4c40e45dd

SHA512
ce00ebd1d5af5a27bd7ed8d7772620e68a7334490c5cd3027659f3bb2d475db3d3eb1b0d5ee11a2b3ed0b96cf832b0120bf6e11e44064b024971fe9b0c2c4530

Download Submit
C:\Users\Admin\AppData\Local\Temp\juEAEUck.bat

Filesize
4B

MD5
1bd187a88a19b5e320f05b9d9782505b

SHA1
ddf6790eca55dc55de919d1c9a01489109303904

SHA256
f35937840ed1cc201fa251f55bbf7c815ae5400ff15b425e7a1e3a99cab6664a

SHA512
97dd7e8562b601d1bb27a6df98555c66f3b98fda48602c9e564eda47d0b05e8455564a54d4fbf3e6a1c632db2568b154148f3bce6e1a9557c1cd05d7a1dbc896

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAYI.exe

Filesize
244KB

MD5
61fbdedf211e841e54f8483e35e575b6

SHA1
e737b616c37f06f1322501ad5602b86ddb1f2097

SHA256
2d3d1917e05f09f252ca3bc6d483dfe978b7819abf87a45d985c960a500017d1

SHA512
41b263de41eb3f5d67b86f8c69c58af9cafb0e952d663f5a25b54d5a33cca6d737c06a78046fa2a7c10765cfb1ba001008fa20895347fe600b77fee72f58a4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAom.exe

Filesize
377KB

MD5
c99cdefa80b1e718a742cc5227b3b490

SHA1
205b94479a5d491a846e9cd891db6faa4bf30330

SHA256
f2859d28ce835948604560b228286d565b4f767104582ada0f4b203e00678cb8

SHA512
5d8a699c460ddc23210d09f95164e72726b8723dcc003b079b01490d8084967a360a68560124f1c4a76e142d65f0f941a4c47c06b15439e517d0e475dcbec083

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEcS.exe

Filesize
241KB

MD5
e7c6fee05394e0ad66e95a8e36a1364a

SHA1
a11e1c650b87b4e99076cf1e1d1503c28e0e9d8f

SHA256
6006e0fe4c22403d1fee8b64718f740ae67a53d0016ed54725d32ffffa29a2dc

SHA512
0e869890f851c4b51b39171b1f2a8f4de4967eaf6919f59b0c338e18e3f6ec36f6b9fcecb02c46aeff066875b2ee1cad49e5810e545fee6e91b7ae0e3d719698

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIUcwIYU.bat

Filesize
4B

MD5
1bc0defb5d21137f11f419e4597e79ee

SHA1
393c007a8004745ce1f90ea2702d9b5d932c84eb

SHA256
48b9fe53038f2d94e24ec02ebe7e661fd680f2a6af521be8dcf75e0c782a391b

SHA512
61c6f6b96a5b262a19f766d928d523aaf6bdc0d04a149b6af91afc6d606d6f5ad424b020d865daf4d3c0db8dd11a1fff55b2e52d4c3b57f68d9172a6110d8ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIcQ.exe

Filesize
200KB

MD5
377c9d8a1e09cbca8d2e31262a3afb88

SHA1
fae43c428593590c402d3a4b6e8695eaba46c608

SHA256
e58670d62754813f15a9706a34391813f903e50ff0709b4a1fa36f6011547831

SHA512
9eef6890d16e96264a6d7c92c4b8ef3fb81b95f1adecccdd1654bebd2ea989d9132371f915cd532a1ff41206aaf74a8504c941fdded11bda7be716818a6fc498

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMss.exe

Filesize
634KB

MD5
3aa1f1dd560d7e1603bb6b416b7135f9

SHA1
fc6ddc4d9397a0adc650385a3d05d6150bdb93fb

SHA256
010ac30dca1103c4ec16341881b98af8e7fa7decf6219015fe9da728d89e7027

SHA512
97f87de8dda925f5abb15a17219e01fb76bf7cea7624db52fda8b00d1ca85c6ad4f99939b17226385a061f080271bcd75e27a7a6fd74b693a12a4689410c313c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOskkQQQ.bat

Filesize
4B

MD5
8816ac807155cf4841426cb8f9208b4b

SHA1
3252e7675663a71a884b30f293e1b63ba3cc9e16

SHA256
6029bbc165946f0eb276db05526f93ee033448d6136a945244b74066097628f6

SHA512
eb678568a73ff389a9389125468df891a16323021aa9ea6a5beb7b7848897dc3f5b48a0a1d24ddd0ebe03b18babe812b2d03f573a6387e81a9c95e09d4a06279

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwAK.exe

Filesize
233KB

MD5
f972a860963dac9be111253bf7a7b807

SHA1
04107ca9e5d924f48298b18172d4b971e3e2b3e1

SHA256
f88b93d3b20808171dfbb4c86eb98b1a1f582baa0a6fd2bdb92a301accfc1887

SHA512
8d0dbc64941b3404273ecfd5c97141fd8f6bb652c2f7ffe5017bb9a79bdaab8eca983e744c3834b44f05e900886a432c47f2825fdf3b4c85b359af2d4012ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAMUwIcs.bat

Filesize
4B

MD5
7a4141130e8c000fa5f014e7efec0e79

SHA1
685e9c356a83aa2b069fe5bcba86c1cb2bdcf514

SHA256
1e291753c6e324033e92aaff1133f97bc46eeb350504dfde9d512877e0541f5d

SHA512
4d27437b4c2c9e4b9d10e3c4e89891453b2ecce5a6b04a29ceb9594273d91778b5214276243b2ecc916b1edc856bf0ad951cfcd7adc7aba7ea981c2e0c33c120

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAos.exe

Filesize
233KB

MD5
3dfeac8869f497f531c6885224f74a17

SHA1
06a92b165f49102ea6b58ce0b6abb158802b324d

SHA256
f083a4d37bde315fbb42835bfa05842ea3e0f451d59d4393c65636bcf2928035

SHA512
1b7ec081abc894976ab78def6c09279716ba9cdbfebf3125201bcadf3805d928cf82c7a6ab5803c6235aaf5cb24a0eb7c12979f7a69eb8745f77c6fdb24083a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIUgoAQs.bat

Filesize
4B

MD5
5d7425a833f1a4e3a51692cc96276b30

SHA1
45b60bb280d02afbaddae48a5ce6bc959e63b9ca

SHA256
b5c897afc410977b79eb452419f34d9485177f6a48dced7a515fe02f8340fda1

SHA512
feed92d2e39ad648964eb51005d520bd1826e2bce589c576f76f3d57145c1c75c6afed91873a2fd38a72710e410a4573fd856aeb6d446e1633f6c43208399d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUAO.exe

Filesize
506KB

MD5
8692d621228fd9b57e33fc47a4ca2546

SHA1
0a6a4828971c8a958e63448ee53aece33c34fab7

SHA256
8b409c32494a4a84587a405d13180050a18c8575889328d7960a9a4952d6e110

SHA512
eea9e1b26bdb24105d030d097db608bc7b58d3efcced771a065e161d6d3ef4c043c31dbcdc331ebe3978fa136aa3d581e78da09faee82cb9383121ade3f56b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcIcsAkE.bat

Filesize
4B

MD5
015244bc5ce61638372a4dc2926d9f8e

SHA1
23da7df1f990f6414b060008a1ca8ee1aa759164

SHA256
ea259f5fef4ecd7dbe8973efa71c6c35f5ae672eacb4acf01850ac2e01aec5ca

SHA512
3a9237cccb19922f94131d47c6ff19a4adae092b3ae2f632c12ee5f0437542280702fa35605dbd8f61b7921be7492989757fda65a37ec957d9e87bbfccc61258

Download Submit
C:\Users\Admin\AppData\Local\Temp\mksE.exe

Filesize
231KB

MD5
1f9f372ba921e5b289cbc9b869a8368c

SHA1
b560343eac307d82e8acffc4fd1ca18beedaa76f

SHA256
79dea1584962efea964eaf8908186be53d381471dabc0c01f6e5c6f4581c3453

SHA512
161ba60c13a3dd4d67ce20e1725df378abad4c9db2bfe19e66e87566a3ca105c54b76d20922fc6827d13da502bd08bbca20a551ea3ba733b8a08a3a8667f6a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\mokq.exe

Filesize
237KB

MD5
eb6dee359766e8a41ff53d8a772f679a

SHA1
befca027c4e3f8f1f2f051481185f32c6af64b6c

SHA256
8e2900b2e3e34baeca19283d59dc920077b74cc28a87733f98e70e3e21afbc4a

SHA512
0a534c507898bd98420b51ddf945efc63ffcd2e61055b2f5bab37e4569c6b5222f5553119befac3169e6decfdbd08f5742f13ae8e4a9c155d43b84f2c1757f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\mukMkcoE.bat

Filesize
4B

MD5
84fb13bd1d63e455be72f0e7dcadabc4

SHA1
2429b519b5d14fe4df240bb56dfc1a1edd6098d2

SHA256
8258995471390f05b76f47b32bf3ab35a1c411c28879e5f5d6ba34ccd90484ec

SHA512
a19427b4d69896b0f649c7589cb30cbd51d918d151f2c3060110298922a8d87fb18e5920d75071a040b8f8eed0761830afeb8d4e2ceb1dd8cf3008adc938004e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYYcUMEY.bat

Filesize
4B

MD5
274ddf7b93e693077be96da97c44c61e

SHA1
61b21d514a2e4dea319471f07e9da4659d049b4b

SHA256
a98eed9e82de90a578ee3d65fa4d91dfabfc0aad69ca228202b89428df71baf0

SHA512
a374ce1dc3f870851fe80f3166d9ae8889af2a8ba170b265722c0d9a38f359f4bb2640b22aee07f509dd86c618c96d817a27d53f0bf31ed2e3ec9219c9603929

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYEO.exe

Filesize
785KB

MD5
020e509479cd5e9cb2501548cd10c4ea

SHA1
680a504891f89ce2f40decd591bea11d4f4aaa54

SHA256
cbabdd504bd5e1610bdd8a8b9554289cc03ca6af64fafe25d82061a7058224c1

SHA512
f83743ede476c1002d014687c1a599aa649e8522f1a8968aab63070e6ed41dcb45169c9041cd57182d0ccb3a31d83260d542da7920e78b22aa98fdd761b077d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYIq.exe

Filesize
189KB

MD5
efa462a54b2bde9fee647227e107d841

SHA1
4087eb690daca8005be891106ee715bab08421de

SHA256
7e61c9154013d74f121f8869a3f35b91a4b302d6c892e94debf7962340f8a930

SHA512
7020c8ec87fd1cd633c559efffda4b9e018a539824f324cfb8bd18267c7135de7afd93552e125d8bf4b2b66576d81792f6e1ddac5b40f0775aaa5bc00398aa48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocIo.exe

Filesize
8.2MB

MD5
f8aeadf24305f923ad5151fb9ef8855c

SHA1
0ba3d72b6d8592b6f2b19aa9ed179e2295fec814

SHA256
92b9f90b14be696e203c0539cc59d5a189098c5480743a525ddd08534a6aa52b

SHA512
bdbaa9d62125b8ce5fbcfb221e6273d6381be9dc75b20ed3d2f61e9050d58c4febfff6d03ca443192b71bfeaa015ef02a4aca5193b0dcf9eea5256cacbb54274

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocowwAkg.bat

Filesize
4B

MD5
ad1e45fe968fddb0bbb6c517da8e5e09

SHA1
363fbe9f1a36829df9e864c89b83bb35b66f39ce

SHA256
2d2e8298985a55a304f9a36ded2be71b5659cd6e0633dbdd1cbedac484f85b17

SHA512
ca5b5e6e784ef17c2c271d893f1176710379b1c2034e5ef4594e65d6b27c1a9c2a88f11fc57b5613af00dc5a30cc1b32f68f26b1932e18fac9dca7bb3feda359

Download Submit
C:\Users\Admin\AppData\Local\Temp\pGAUAwkM.bat

Filesize
4B

MD5
c9f560ac9f4b6632eef39468cc4fb3a9

SHA1
ccb71c4b37d6092d6c5527ef98f2e930b19f5163

SHA256
d4e0ad70d38aeef344f18b4fa02d64f81c1cfec0c72b86bcf52c0293aaf8e186

SHA512
d56971764efbe352a2c07b1f46a71cfe162fe437189877365d621f05c5fefa39f15330fa1a531462cdda279f46757f6bffe1688628b1b1d315bb013f24d59695

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgMS.exe

Filesize
228KB

MD5
8f5472fc53483ab8690be840827b397c

SHA1
7436fa7b609ddbf76ecf3e4acf8032f39011ba9d

SHA256
6b74f53292bf37bd703fa297b5c05b7bbea6562971cf18cf322bd3a734b3dea4

SHA512
010f2c93c00b79489a0fcd94de4da8208c64df9def32ee47205d658fd1b0b47d70b1993e2cc5eb0975bafd05e13766e3ee67bb795b3bcfed2e1bdd944c8e19eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgom.exe

Filesize
236KB

MD5
7bda98e8ab4ede272d97689df3442f0c

SHA1
e156777310167bbb9f07539210d5631d2fbbbe28

SHA256
3db0c372be1e75fbeec61e4cecee25c136e8ac11f5fd87324f94031c65f58213

SHA512
7e6ca4c3030d1f44da756e32bf4b506c96e048eec534727b777b5360ca87c4dd3c8f564d057da837d1eb267971471681ee58b1f6c3a7e16994fb48e868bb39c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkIO.exe

Filesize
949KB

MD5
8aa98d7e79e5629020a069f5435682d7

SHA1
619ef0591e42122aaa4125abc1fdc7e3cde7b75e

SHA256
b31da7fbca817b585364fa2e1789ed4b13ca55e9fe92c8f998b5356b4c3f16ec

SHA512
b14f35b85e231ce677a045cda261651f983d936ed42c467bbc575d23f615b59333b1cfe9d275b1981d03397e1ac9ed378d729415826fe5b7c0576e84f3aea11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsIG.exe

Filesize
252KB

MD5
816c017d31d948344a7cbc7de10f099b

SHA1
37121add7c2786a09738ffc69ec2916c04505dc2

SHA256
78458e19216d18636a01a4d003176d5d6207f788d9bb527384a7d001d1224d12

SHA512
b71914d7e3dc3ef2733403bd00baa66a88d92c068b55909e5f8357844a62752867b9cabdba32f0bec4def954a76c270ef52ae6d4f330c714742f813ceb981a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwwE.exe

Filesize
231KB

MD5
759549be5c43fba519d69f6143c4daff

SHA1
9e16d50ebacc3a8f300108e485cbe827f8bdfef2

SHA256
56a9c2af2fc58f2348d23515ddfe3627d659c0d08884da90bf1f5ac3ad2ab768

SHA512
be424dbfe0fc42700ac2b4f95f1d1efd0f81b11b8b2f905f66e7a1e6439df94a6cd95256ba0826f10643839afa23ec3485758bdfe08200c2d968d1e86261f6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rGMIIsgQ.bat

Filesize
4B

MD5
d94a6113e4747f2123ec804bc70b8b39

SHA1
b524ef41569bdeb78de7f1b79a93101b9a86f892

SHA256
7db9edfffbd0e008ef7b0ee46b7f2c7bfed548a351ea8e8ff2d79c1a355d07d2

SHA512
df7b0aefa011eca126e79a128b641312362ba771028caaf948a485c3a08daf6ae16893aa0dfb9ce90c20c5ab554426dfee55162f71a6dd4cd8a1b8e04e240c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUgMkcwE.bat

Filesize
4B

MD5
8f3544af82ebbe27882a2cc0c3adff2a

SHA1
eefaf96968680702d2bb9e5b20ebf01a1e9b23a7

SHA256
db70417cf1e1066763b215d4dcba085e7cf72e3293422da444c1ea6224816c98

SHA512
635f0c42134dc40f45af5b1a737b1e596665e5faca9d5eac8e78c238493c3a67b2c10d268b54003af054545a0ba2ac2538eba9266747b70e767e388a7e5af20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAoy.exe

Filesize
902KB

MD5
15c4dcc10e3861088a989cd3eef7ea46

SHA1
7d15c287ef6a3465eb471fa7feb05eb61f5182bb

SHA256
f83500b1e97f0099fc6f92484fbb013a43b4dad8f3ab3a37280389142b989761

SHA512
0c4338e09d5c4d0d9d7da394c13e3339a305cf0ba298b6ba30355cd4f5b103d203146af8cbbe1c1d5f2edc146b2eaaad660d0e1f9c81b280dfcbf28c2317cfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIQy.exe

Filesize
198KB

MD5
f1587c493a5d58d18fcc1ab1ec28fdf2

SHA1
ec1f629ef27d35a6f24255b26af45ba4c035f228

SHA256
937007532d823e5631320991aaa19bc4182b5b0b0bf96a2ea856fc37c9ae7fdb

SHA512
5dd53be8e8ca4f72e15ce60d20662739fdd8288cedb14e69f1cfa0998434215602ca0381b4107c84b618a6796b715c93490b8bbc48f7f0501e10a9c1d5885dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIgsIEos.bat

Filesize
4B

MD5
a5945a7b3f3382179c752e22685795b9

SHA1
bc7f5af9b45ce7a5d5db3e15318ab20359a2c550

SHA256
630ec72fd0eaed7a6ae967880959d46e09df178c6f760f6c7dd7486b54519ba8

SHA512
a01c5d95dd9d397c519766d716ce487bfc41e2f0bcfe59ca9b67506e5e54a50a53481665af421efdea2965e3fd8bfbb54e92748a5ae5d5bc4e5a83f3bdb4fbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\siEYkkso.bat

Filesize
4B

MD5
bfb4739a1661a28f7e7a5a57cfac640e

SHA1
b2a06cfd90e3a35aa245b12cb8aec3fe9397fc42

SHA256
44e54635776626823f13192fac5f8939b7bcb6877ebec33bb01ec0af68081f11

SHA512
7ffc6792a080c2bd6b0c5bd44a0602820ade405a41572d0e69c5ff9647d0c74b926ced4841f6c638482d6f4932813d4128161dbffda9ec0eeb3e35f3181cf1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssIoIQMo.bat

Filesize
4B

MD5
6ab6eab1c20e55971a01121f9d4c854e

SHA1
d704fcaae0bf54e1edb571e082c845f6ea21862b

SHA256
a745b46785ac37db7e61a8e0bb1b66583660162a17c7e9038be0b0a8436ac599

SHA512
19d45c70eb4ab09617f5edde58395708e9669be0e9062fff38d9a6ffa53eab12b70b8ca98451ba60b09aa348073c8e1a34b7defb91134af949796e70d7f72da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\swgG.exe

Filesize
547KB

MD5
e14afff12445d6c517b6358aa6b14add

SHA1
008bc0a19ac26714d4dc81baf26e303fbbdb8c47

SHA256
6101706b042a016b473dac23c3aaf4a31817bdebc6184c6d6a7a5673f767a5e8

SHA512
3a873e06d45275b15762bcf34f1c3f63fc9d565e5101c81f39fa2bbfe0ee637af1fe223571e2c3dc8ee8a08dd17ef5592255ddd4c6b4e8b1719b9fd3a47881d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tSQoIIIY.bat

Filesize
4B

MD5
4a2892d88daedcabdaa73878f2ff6959

SHA1
d3d179555b7f91e20a2643662e1ce405f960525c

SHA256
0dc16ccb69ef9d18a85c73d68b051e46658a024f285b9b289ba98fcf5f2a644d

SHA512
4aa82af1f70db641c2c6ab625ed50d42a43dd84c83052b8260c5c4dc23bfd1b5f9964c320610c283bb8ab535c65e586b564dff0643e3b88f672254666f58ef75

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmkogQcw.bat

Filesize
4B

MD5
423de5b0a1a3bfe7c5a19408ed3d7596

SHA1
d42800c4816044f4cfd90a2b35b43b4601dcd8e2

SHA256
d9315cb30012fded71747639f992562deb4264ff851edd174211db271b0daa19

SHA512
39a6a6cf884635906142a6d9c39cc06d511f12119a4d660a5254c36108a8fc34534e0bc811a662c562521eb8987954f96ef911c88f273e242ca5b196ef135e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEoU.exe

Filesize
242KB

MD5
1b8e43575ee0352f124f50718d235108

SHA1
c15207c937802471d6575b1299d162f1d284b1d9

SHA256
5d095e1e15ca9763f8675b04fd33f769fafdc6612be09caed7d6cdead4a8ab66

SHA512
a726dfd3c74b6ea2b7ba327bdbbff91de041e6d92a666a2d045b28c6eb9789d419169a63755a9fa283b1ff8bd3d106931c1ebc17b88e9a2a4f3c05da5a3a0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIUw.exe

Filesize
564KB

MD5
c5bfdf085d03733d6b2382673355f11b

SHA1
499b3b99b31d9b5c589b3e1aad0edd78247fc658

SHA256
ba898c46b4e93ebe8c80dac2901f4f0182d1826a9655c3bfc3b6ae03f459c9a3

SHA512
5ee6973f49d6600cfefd0a48b2d41a9b3befe09ef4bc73a33aa3d09b84db0f558ca1639ecc96aeb0ef16898161be08b22ae8a2abaa522c020e481886e4bf21ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMAQ.exe

Filesize
236KB

MD5
3c9177c3bc4f857d6a864bd6c61a6df2

SHA1
5bf99b341dd896c63345feb0f7a6b61fe210cae4

SHA256
51acff7dd7d3c195731b5884a64beb23d77659fb90c686678a273f3223ca47b0

SHA512
3ce3af7915dc3b51753f50ba7729f60fcbe6bfc8d4f2d84c911f6083b39e4094bc8ec9df6283e87b619b15adeafe967e4a41acb5a550ea2b2704ff5c0dfed27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMcg.exe

Filesize
193KB

MD5
0bf88e9ad0fcf5be21c819d7bed53f46

SHA1
948805052a0388059b8fbc3d34b93b155371dc7a

SHA256
011fc98ed44f873dd7796332ee4d7caf2ccc175618dd0b63d497b2953362fc26

SHA512
af1287afadc5ead636f5b65b168552364399f2c0e474ec1a156448e5c9a3591c92fbaaa4af41e87000feea33974c331dd85bbc5c9ea681d87c4c8d8ab921f212

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQEW.exe

Filesize
312KB

MD5
5822adfb4d1276f2a3405a30fae7c166

SHA1
3e78e27c90d1960a94f851da0781e84c5e240936

SHA256
60f439c351c5472865b89909ed041958b502561e6b0330dfe8bd335615bd8974

SHA512
3fa5dcd010b6cae3c3fb9853e4c2a7705e83df51ee5a5f2dcc1078dd7c2e8c20fa09031b571400feecde5eaf4e2b639fb43fb7ece963775cb3c311d32c3c3193

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugsG.exe

Filesize
613KB

MD5
ef20c784bdbeb89f4ac317ea6369cd4d

SHA1
8c219d68916a855866afebaccbd6b79250a76051

SHA256
8cf7832310e22965a07bfb7443cf0fb6a54f2cb114bc00765253adfd63981645

SHA512
0c5f4cc56c304a7b8ec35ec14ec73f080539f37456b6d6a6533a80f4de20ad924595509214b5363eac9eeda5debfd3b2440590996ae8cab87c8f183aff596b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukEW.exe

Filesize
248KB

MD5
38ee56eec7a1086438e7fc64b08b9bc5

SHA1
2757ac0943148e5c9ea9bda442df0ccd9fd74e53

SHA256
d7cf7eaedc8412b7043d734355a2cde6abe633e4c47c700e577a18cc5fdc1702

SHA512
95b46453c57fcdffd3f94e36cc4ea984fba877680e6155e63c825767afc114cdf572457fe4dac5480fcd9c996213192facf813e4e2a5fe349cf734717ed24e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\usky.exe

Filesize
486KB

MD5
fbd04ea546b9b787d714d58a35f2535d

SHA1
0018a7addd42536a8b2b27eee32e5dfc4c1cfe91

SHA256
aaf179caacb9b1767aede2658f6d5b736c84e650169596efd95288d77756f4be

SHA512
6cee03abe9e5dc9270af8053ce49a08f8818bc7de54f94d0ac72a694af64d05a59827c96c2c3803e5eeece10467628bcb7bc7d2b5fa0752660a1faf13262b21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwcK.exe

Filesize
195KB

MD5
e4ec5788347b2d70179b9b19918728e7

SHA1
b221c65836f23793f1c1f1209364fbbad6c49711

SHA256
35775df65c3a985806fcb2bbe671987d1db5af37e9cbb7c12933af5a4b163560

SHA512
42a1b74ac17dd4348ebd69b83a98d847d9fe758420a87d74229757b1f6d69903e368acc12857cee858e27fdc674c303881157f4d87be3df7bf0db594bdb66195

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQYUUooc.bat

Filesize
4B

MD5
58c8d906d7629b4276a8e2c0fb731d8f

SHA1
51c9fd8eeec3c1d839d90d6fe1f184499d852fbc

SHA256
84218aec2345fb3202b5fd3fe3a034fefd8a151d6e0eb012a3bc0633993f6712

SHA512
d39d9c6abc7619bcf1b3f291a55ec814f25c328e853023ecd47fb2689509a53303ca1d08a0709ec2dc8589445de4964724e39f2796796fa491f756390acad479

Download Submit
C:\Users\Admin\AppData\Local\Temp\wywMQwgo.bat

Filesize
4B

MD5
fb84d75d11823e1acc99169382c07406

SHA1
fda11be8ef9c066f67e9252fb5719598406621bc

SHA256
464e5a28a2eb11efa1fd24288e5e5438355253b587354f5fce4b601a4e3ca8a0

SHA512
bb92d07c1d1a8fc38ab53bf25d7ca35b06baef642d4dee341ebdc0b9e02c03aae76b25134e957afc9358ab241378cb888476013ced0dac0368a66fe51abfeeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYoIkAAQ.bat

Filesize
4B

MD5
ac678494c9ddb335eddb5bdc066fc68d

SHA1
21f3785db6f8481a4cf656225c64826c16be4edf

SHA256
a4c8bee42209732511c6ece39f784b5e0a0ee0da4faad053119bdb04d7a7054a

SHA512
d055f73892e465160e422360fbb7c55a1e0ccf9f546d4e601897103a93478fa61f76872adccdb24c39059da204a2cdb4f09a3c4313a452bfff0b63a213be7c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiMAQgAw.bat

Filesize
4B

MD5
6c7a0f0087e7d2946374749f266ed12c

SHA1
917730efd46ee9a23b3cbc5e82046f5ad1f00ab7

SHA256
6304998c627baef8608e5d8b95932d12b814c2dc0d9f6d4a441ff74daf232240

SHA512
6eb603c5cd94778f4b700eda0d333db78ceed940d44c4a2c51eced08b0161f662beb281721e58d70575a367fbeddec572824e6d018acbe6c63738cad76b95f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqwYIYIA.bat

Filesize
4B

MD5
98c99a257d4009e81259bb51d6022fe7

SHA1
2f904d9962728f0adf1ac542475d1708aafe04f7

SHA256
bb8f6f9c7c262b98a9520dd50a51abe0abdef9d640ee1f52d86b721b52b3cad5

SHA512
be7304bf27888e6e3014724ceabb24edd27eff8420982ef7e71abd46d68e0e101ef7228af1d8c24452119db1655a6677c57d21b7c1e07085566fccc6d86ef3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMQS.exe

Filesize
591KB

MD5
08d18a74c6d2b0ca497729434e0cc2a5

SHA1
42ac69c761b0bbf95a1b94b44ad06df7c68d5bd9

SHA256
19dd97c73c3f1d1affa68dc0ce076c6ca7af64055654f3cd10c43b1ffb35079d

SHA512
9ae88452651412cfb0bacb100053a937e1ff448a3356460bc96c2b14fda73c406603e08c3dba83628b8bb851f0c81e9b9c7504b2ec3f4180b1d5318aa87ad9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\yOMwckME.bat

Filesize
4B

MD5
30d5fd3051acc96c75c111dbd4542d28

SHA1
9877319573ad7b6c47a2bf4e67b02905c7695de4

SHA256
273264815cdf0ee897df70bfac64c837f2cd8bf1f80583fac15e7f84bab6e398

SHA512
8044c2c8e31dabb397bc88d5d2fb77f98dad6813f3ee798fb982764f5d26703630afb226154a0bfbe5209ac1f0164d83e867820a48298b5a730edd28bd370846

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYck.exe

Filesize
204KB

MD5
e766177be18bf283ac83a49d1ad9a2e0

SHA1
3ce70a69002f8fd14a76b27b60545e9919a3e7c1

SHA256
37e82ec6b66216c4f168c753714cf01577fc1686cfb15711b7ee9041ffdbf54d

SHA512
64500eec7dffb84e5746ea982b593b5e44f70045905426e95a5f830789dc280cc7762ed3930ac83be822b870565a1ddf072aeb131ca9b827efad7182179754b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYoK.exe

Filesize
240KB

MD5
71690eef3eff4bfe20137ce23c7b1997

SHA1
1a441a06504b8a8ac891c0222b1ed84acada35b5

SHA256
5a66f7e32acc435d07a60df809b0e71c50cc24345da4573f09a2ed00ae0e5ab7

SHA512
933b5fb03455cb749a718a47a26a3da39f82eea906b02378475f39d561a9397e347c10006a8a64b3ff3a8500f9f83e3b6279390d43355d12a5a946c21b7bb406

Download Submit
C:\Users\Admin\AppData\Local\Temp\yosk.exe

Filesize
238KB

MD5
310577fefdf7ac0677f1d22e30412b7e

SHA1
4f68d0c8a15e46f23e069773fd3c4d9630d2b059

SHA256
a11573c4f9fc42341a4aec05370b4bc2690f114dabc64d3ef1e2865121eab438

SHA512
d4e00c97f422b63f5dda336e809419221b5aafc8841779c6734e53bc3b669113510de62309fbe0974eebc1bd3283c9ac5eb79187caa73d3aafb460c6b60464c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywUS.exe

Filesize
249KB

MD5
0d3f6a736f3ba871aa79f8561c1fd4be

SHA1
e481a3b431e19071aaf4aad02fc6ad66521a3742

SHA256
d445e70443bff029cbe7dc3b5604fd4ae8d228e677b8dba5ca3611cecb872102

SHA512
ab42f65955d90e53871a4248fde25a0661efd9c92c0ad89aa0965c7585cba758b650966e0820b2ddfb52389d86558ab74e9ef86dc52e519581faba590e017b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIUIgcIw.bat

Filesize
4B

MD5
4d9150463b53b0d85e6637fb68464299

SHA1
c975797ea3c80552fedc3ddf81be04e912c6b843

SHA256
37b6eb619c12254906cff398f28ef13b18d312d59af64d95c91b4be963673d74

SHA512
e16b20bcd119103870cfb0b96b1b759314a5470a080bbd7154411ed8de527c99381a581a1651f03906c9aab938566c49a23ebdcb2dba609e3a6b7c41479825a3

Download Submit
C:\Users\Admin\Downloads\CopyRepair.exe

Filesize
458KB

MD5
4d4a30af8fec1f4ab2330282c8f0c3f0

SHA1
e0f46615fb0b5e5d34f2eb9d273879469bf8b5e3

SHA256
0bd65d2ac4f36fff1c0f82fbeb6f11d8df1a4fb7d58c0e295a3bbb2c60e39baf

SHA512
159e677bf1f9133ffbc911538d3c08ed0aecb2a29ff009a0524d6f9a6309fe3a01ab5341e4bde515d18b1ae61ee5b28fd4a030597da04bae764597b80c4b9fbf

Download Submit
C:\Users\Admin\Downloads\GroupResolve.mpg.exe

Filesize
1.1MB

MD5
9efd41cd919fb9ea6862267819f74c28

SHA1
249cd35ce6e6742622223cbdd4d4f507e82f9c83

SHA256
9ee3784083faf9d0c1fb44136bb4e270ba4b6abe3a4859f8267a62d115639f1f

SHA512
9b9b5585efa0a7293c5d47fd5b81c7f406d020393c1a7dcb7fa548a7763567f80addac0d2205ec3781784a369b0c32ad32676a9d6958366e72c518a9a8f78004

Download Submit
C:\Users\Admin\Pictures\ConnectConvert.bmp.exe

Filesize
513KB

MD5
98c1330c69f75128daf98509b84a7b20

SHA1
d5c81ce8b7d71397731ed784952a11f506b3e2c6

SHA256
a109943c08820948b76748ef7ab092417f057be3aa72ad413fc848dabbe1fdd8

SHA512
2ed148eb08ecf724ed34083b8b793a101098f0e4594608e0d1e0ae6919389d7825b2a5125259956b60c1284ff154bed845020c185db0637aa595c731d7ecf06b

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
213KB

MD5
851b343e080f3c06681820c61227c1b3

SHA1
70dcd2cbfc6eae69415c926680de52b536fe3402

SHA256
db0f9b69df28b78b629b2ee3c17be035c9c86e38fd4e9783c3e4c0400ba79ba9

SHA512
aa4c86362d83c18e5a1332351b6ea72bae0335a04eca2c98bb02e7ffea51d6143145a7e3628339d580cd275d59bffb1494b8bbfc31add122e5355957fb8d6ce6

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

Filesize
949KB

MD5
5744f367540e94562b6aaa8436b7091d

SHA1
8074bd9d3dfd0d651d83fb0a721a08548c4eaedf

SHA256
af4862bde62d37e064050bd42bc938a488e0d6c1e943e24b9fd56869d3969ee5

SHA512
d5da56a6ac7f09ede9438e8398d76fbfe930ee9a7aeba858811e2479707cacfb3fabe2b00d2274ba69308799fafc3530bcacdf6d6519ee7e01ea576d1717ef08

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

Filesize
748KB

MD5
3483e74cc6ca22765fcbfe0a6f207ac3

SHA1
95097e1874a1bfe940b92a026cc61129c7af6cd1

SHA256
4ab276a452b529c2f849f7ce78d13f2ec3fe44115527f5d4ee5829b6765e2ff0

SHA512
3457908bf23cc4bdad33ab709e635d3625dd9c23e635082c36d1aebccc38da21326b55610330737e5f036d6964524aa735b816bc5942ce103fa816939c3efd89

Download Submit
\ProgramData\GYUgEcgs\LYcccYkY.exe

Filesize
198KB

MD5
af71bd2f28f3b000cf51e1a7d1382757

SHA1
813f7c15e0afe7dcb565311b33f6fb2e3da7e37d

SHA256
0c682cf99cbc6b1ac7cf7de767833be89081219814ea46f5ffb05a8a7f931dec

SHA512
abfc157ad48131c9865cba5edc784ce2711cf679128a2b9c4d0f2ab945122dfc274518d3f9cfa64f8d81c138f602af9d722cbdbd459527fafd92b2f590cb6db6

Download Submit
\Users\Admin\JcsQgQIA\IEcoAcUc.exe

Filesize
182KB

MD5
6f777dd98ab54837d2c836189a610aa8

SHA1
4c7cb461abeae36735f5370c83d694a657afc46b

SHA256
14d77b0555dbd6fe5b3e55ff43756702b299eba0706f86d4aa0e762732912c63

SHA512
285d578f7cb36bd37484db86cd0a7c3ea95e438bcfe9791d05463ffc2c5713c8259d3df10fa3074be181d3632d3261cd5914f383b0cca05c2179eedcc3cf7f25

Download Submit
memory/564-101-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/580-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/580-263-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/768-123-0x00000000001D0000-0x0000000000206000-memory.dmp

Filesize
216KB

Download
memory/848-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/848-414-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/880-295-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/880-264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/904-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/928-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/928-487-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1008-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1008-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1220-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1220-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1224-404-0x0000000000110000-0x0000000000146000-memory.dmp

Filesize
216KB

Download
memory/1272-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1272-273-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1332-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1332-110-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1468-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1468-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1620-428-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/1620-427-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/1656-226-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1656-358-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1656-194-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1684-216-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/1744-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1744-147-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1876-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1876-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2040-477-0x0000000000160000-0x0000000000196000-memory.dmp

Filesize
216KB

Download
memory/2052-287-0x0000000000180000-0x00000000001B6000-memory.dmp

Filesize
216KB

Download
memory/2052-296-0x0000000000180000-0x00000000001B6000-memory.dmp

Filesize
216KB

Download
memory/2308-381-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2372-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2412-319-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2412-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2460-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2460-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2460-217-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2460-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2488-203-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2560-498-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2560-499-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2640-193-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2716-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2740-429-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2744-391-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2744-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-453-0x0000000000190000-0x00000000001C6000-memory.dmp

Filesize
216KB

Download
memory/2840-452-0x0000000000190000-0x00000000001C6000-memory.dmp

Filesize
216KB

Download
memory/2904-405-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-438-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-5-0x0000000003DA0000-0x0000000003DCF000-memory.dmp

Filesize
188KB

Download
memory/3068-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-20-0x0000000003DA0000-0x0000000003DD3000-memory.dmp

Filesize
204KB

Download