bad6a5b82befc8bb82bf7010221f9a1f047dff4c44c46113f6a7cb4fd969b094

Analysis

max time kernel
180s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
Size

165KB
MD5

401dbbf4b8f35ef9f4b5fdc9ffc5ffe0
SHA1

0a777fe216b7e5489e1955274510465b1a2a911a
SHA256

bad6a5b82befc8bb82bf7010221f9a1f047dff4c44c46113f6a7cb4fd969b094
SHA512

40a663debb5642b38fc7b2a6ef560842c455410441bbe9f02dd8ca38b28604fbb41cdb15252bd7194c4e598df85d37a135c7dae4c315f6c71767c84fb9190e9c
SSDEEP

3072:jRDc4/N092Bi8NhWIBCoO4gN5qq4eN7d/wXfa/FI1ey0j1C:NDTbBi8NsIBCoOhblN7dJivL

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\International\Geo\Nation	JOEIcwgU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\International\Geo\Nation	imsQUAII.exe

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2432	JOEIcwgU.exe
2504	imsQUAII.exe

Loads dropped DLL 20 IoCs

pid	Process
2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\JOEIcwgU.exe = "C:\\Users\\Admin\\rsUIkksI\\JOEIcwgU.exe"	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\imsQUAII.exe = "C:\\ProgramData\\pqAoUsYQ\\imsQUAII.exe"	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\JOEIcwgU.exe = "C:\\Users\\Admin\\rsUIkksI\\JOEIcwgU.exe"	JOEIcwgU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\imsQUAII.exe = "C:\\ProgramData\\pqAoUsYQ\\imsQUAII.exe"	imsQUAII.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
864	reg.exe
1468	reg.exe
1476	reg.exe
2864	reg.exe
1676	reg.exe
1960	reg.exe
1572	reg.exe
2108	reg.exe
740	reg.exe
2068	reg.exe
2496	reg.exe
1944	reg.exe
936	reg.exe
1884	reg.exe
320	reg.exe
1932	reg.exe
444	reg.exe
1876	reg.exe
2756	reg.exe
1264	reg.exe
2288	reg.exe
2420	reg.exe
1128	reg.exe
2476	reg.exe
2260	reg.exe
2980	reg.exe
1960	reg.exe
2572	reg.exe
2056	reg.exe
1476	reg.exe
1888	reg.exe
2860	reg.exe
2824	reg.exe
1680	reg.exe
2500	reg.exe
2164	reg.exe
2324	reg.exe
3056	reg.exe
2928	reg.exe
1384	reg.exe
1776	reg.exe
2860	reg.exe
1660	reg.exe
2676	reg.exe
1752	reg.exe
1516	reg.exe
1508	reg.exe
560	reg.exe
2204	reg.exe
3044	reg.exe
1984	reg.exe
1068	reg.exe
2096	reg.exe
1072	reg.exe
2372	reg.exe
920	reg.exe
2120	reg.exe
1676	reg.exe
1968	reg.exe
1724	reg.exe
2064	reg.exe
2172	reg.exe
1704	reg.exe
1104	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1000	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1000	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2972	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2972	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1884	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1884	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2968	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2968	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2708	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2708	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2492	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2492	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
864	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
864	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1468	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1468	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1328	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1328	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2140	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2140	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2704	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2704	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2856	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2856	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2956	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2956	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
792	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
792	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2772	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2772	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2372	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2372	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2924	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2924	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1452	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1452	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2980	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2980	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1532	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1532	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1348	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1348	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2372	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2372	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1176	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1176	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1640	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1640	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1816	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1816	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1540	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1540	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2928	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
2928	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1068	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
1068	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
748	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
748	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2432	JOEIcwgU.exe
2504	imsQUAII.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe
2432	JOEIcwgU.exe
2504	imsQUAII.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2432	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	28
PID 2392 wrote to memory of 2432	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	28
PID 2392 wrote to memory of 2432	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	28
PID 2392 wrote to memory of 2432	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	28
PID 2392 wrote to memory of 2504	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	30
PID 2392 wrote to memory of 2504	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	30
PID 2392 wrote to memory of 2504	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	30
PID 2392 wrote to memory of 2504	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	30
PID 2392 wrote to memory of 1992	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	31
PID 2392 wrote to memory of 1992	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	31
PID 2392 wrote to memory of 1992	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	31
PID 2392 wrote to memory of 1992	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	31
PID 1992 wrote to memory of 764	1992	cmd.exe	33
PID 1992 wrote to memory of 764	1992	cmd.exe	33
PID 1992 wrote to memory of 764	1992	cmd.exe	33
PID 1992 wrote to memory of 764	1992	cmd.exe	33
PID 2392 wrote to memory of 2520	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	34
PID 2392 wrote to memory of 2520	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	34
PID 2392 wrote to memory of 2520	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	34
PID 2392 wrote to memory of 2520	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	34
PID 2392 wrote to memory of 2516	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	35
PID 2392 wrote to memory of 2516	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	35
PID 2392 wrote to memory of 2516	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	35
PID 2392 wrote to memory of 2516	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	35
PID 2392 wrote to memory of 2636	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	36
PID 2392 wrote to memory of 2636	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	36
PID 2392 wrote to memory of 2636	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	36
PID 2392 wrote to memory of 2636	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	36
PID 2392 wrote to memory of 924	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	38
PID 2392 wrote to memory of 924	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	38
PID 2392 wrote to memory of 924	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	38
PID 2392 wrote to memory of 924	2392	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	38
PID 764 wrote to memory of 1888	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	42
PID 764 wrote to memory of 1888	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	42
PID 764 wrote to memory of 1888	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	42
PID 764 wrote to memory of 1888	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	42
PID 924 wrote to memory of 1736	924	cmd.exe	44
PID 924 wrote to memory of 1736	924	cmd.exe	44
PID 924 wrote to memory of 1736	924	cmd.exe	44
PID 924 wrote to memory of 1736	924	cmd.exe	44
PID 764 wrote to memory of 1196	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	45
PID 764 wrote to memory of 1196	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	45
PID 764 wrote to memory of 1196	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	45
PID 764 wrote to memory of 1196	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	45
PID 764 wrote to memory of 1740	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	46
PID 764 wrote to memory of 1740	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	46
PID 764 wrote to memory of 1740	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	46
PID 764 wrote to memory of 1740	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	46
PID 1888 wrote to memory of 1000	1888	cmd.exe	47
PID 1888 wrote to memory of 1000	1888	cmd.exe	47
PID 1888 wrote to memory of 1000	1888	cmd.exe	47
PID 1888 wrote to memory of 1000	1888	cmd.exe	47
PID 764 wrote to memory of 864	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	48
PID 764 wrote to memory of 864	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	48
PID 764 wrote to memory of 864	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	48
PID 764 wrote to memory of 864	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	48
PID 764 wrote to memory of 2496	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	49
PID 764 wrote to memory of 2496	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	49
PID 764 wrote to memory of 2496	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	49
PID 764 wrote to memory of 2496	764	2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe	49
PID 2496 wrote to memory of 2200	2496	cmd.exe	54
PID 2496 wrote to memory of 2200	2496	cmd.exe	54
PID 2496 wrote to memory of 2200	2496	cmd.exe	54
PID 2496 wrote to memory of 2200	2496	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\rsUIkksI\JOEIcwgU.exe
  "C:\Users\Admin\rsUIkksI\JOEIcwgU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2432
- C:\ProgramData\pqAoUsYQ\imsQUAII.exe
  "C:\ProgramData\pqAoUsYQ\imsQUAII.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1000
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        6⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        8⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        10⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        12⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        14⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        16⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        18⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        20⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        22⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        24⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        26⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        28⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        30⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        32⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        34⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        36⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        38⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        40⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        42⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        44⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        46⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        48⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        50⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        52⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        54⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        56⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        58⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        60⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        62⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        64⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        65⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        66⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        67⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        68⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        69⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        70⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        71⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        72⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        73⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        74⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        75⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        76⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        77⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        78⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        79⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        80⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        81⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        82⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        83⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        84⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        85⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        86⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        87⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        88⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        89⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        90⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        91⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        92⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        93⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        94⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        95⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        96⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        97⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        98⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        99⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        100⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        101⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        102⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        103⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        104⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        105⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        106⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        107⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        108⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        109⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        110⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        111⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        112⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        113⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        114⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        115⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        116⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        117⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        118⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        119⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        120⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        121⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        122⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        123⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        124⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        125⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        126⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        127⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        128⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        129⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        130⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        131⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        132⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        133⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        134⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        135⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        136⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        137⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        138⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        139⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        140⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        141⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        142⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        143⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        144⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        145⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        146⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        147⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        148⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        149⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        150⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        151⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        152⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        153⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        154⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        155⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        156⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        157⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        158⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        159⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        160⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        161⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        162⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        163⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        164⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        165⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        166⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        167⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        168⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        169⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        170⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        171⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        172⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        173⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        174⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        175⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        176⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        177⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        178⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        179⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        180⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        181⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        182⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        183⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        184⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        185⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        186⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        187⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        188⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        189⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        190⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        191⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        192⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        193⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        194⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        195⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        196⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        197⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        198⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        199⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        200⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        201⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        202⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        203⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        204⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        205⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        206⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        207⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        208⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        209⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        210⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        211⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        212⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        213⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        214⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        215⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        216⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        217⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        218⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        219⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        220⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        221⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        222⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        223⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        224⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        225⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        226⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        227⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock"
        228⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock
        229⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqYYsAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        228⤵
        Deletes itself
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CUUMAIoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        226⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyMwMcQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        224⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies registry key
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKYoUUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        222⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCQwAsgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        220⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ceEMMAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        218⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gGYkocAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        216⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EKccoMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        214⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUcEMoYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        212⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vicAcYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        210⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies registry key
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jAkUUkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        208⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WCMkIEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        206⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Modifies registry key
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwIwogos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        204⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSQEgAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        202⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGcYMYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        200⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BoAsAwEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        198⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies registry key
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywIEwAkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        196⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gickEMoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        194⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FkUEEwQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        192⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgQgAMYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        190⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XSoYcoso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        188⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmMkMwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        186⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hgwAAYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        184⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BEUYUoIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        182⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pGYckoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        180⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        Modifies registry key
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGEMAkQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        178⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkggMYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        176⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        Modifies registry key
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bQYccwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        174⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xUIIMgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        172⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yioQYgMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        170⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XSAEosYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        168⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOIkMswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        166⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKQYsoAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        164⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CmQEcYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        162⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TaYgIcsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        160⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lkIQkQUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        158⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tScAcQsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        156⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XuwYIMYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        154⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hyUYgQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        152⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gkwEIwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        150⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cucAcUAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        148⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aCscwgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        146⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQQsUsoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        144⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZUIgoUMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        142⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QaMwYkcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        140⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkYAgwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        138⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgAgkIEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        136⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIYAIgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        134⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ycYYMoEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        132⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KegwEUos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        130⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rYAEMUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        128⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oEUMEMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        126⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PAMAMEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        124⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\susIIEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        122⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nsIUUwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        120⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PygsgIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        118⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KOQcsgcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        116⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kUccMIQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        114⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rIoUIogI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        112⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEYAIYEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        110⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TWYUEAww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        108⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YowsoQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        106⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hSQscAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        104⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sYcUQQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        102⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zuUQwgwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        100⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUEEUwYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        98⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TMskMYQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        96⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YiEcIMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        94⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LUgsQMAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        92⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lccUMUEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        90⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CwEwAgQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        88⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SWgUEMYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        86⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JwEgcgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        84⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMUoEYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        82⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CAcoskkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        80⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIUscYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        78⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgYwIEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        76⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zsMkQQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        74⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MGcsUccE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        72⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oukosQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        70⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwAgckgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        68⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\roIcEUso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        66⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiMUcAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        64⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iygckIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        62⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGMEMsYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        60⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tIsgsgUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        58⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ecIgocQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        56⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ckYcIMoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        54⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMcUUYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        52⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ACcsMYwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        50⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiQMQQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        48⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ueUswEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        46⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hwocgMYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        44⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kCcwQoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        42⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\joQMcgYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        40⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\myEIwYQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        38⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuMEsIoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        36⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\liQwUAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        34⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kaoAgwkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        32⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uuAAcksc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        30⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCkAMcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        28⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\noMUgkck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        26⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OockgUQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        24⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKUcQcMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        22⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYcwIYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        20⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BUYoMowU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        18⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NYsgMEAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        16⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NYYsgkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        14⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSkIUkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        12⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\beAgUsEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        10⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMYEUYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        8⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:960
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1128
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2064
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QEMwkscU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
        6⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1976
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1196
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkgQAkMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2516
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCAYEggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1240257979-132414818206993238110657350787535778193958266706391128291896117423"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6441247947299383336916286410532495-18408392722109498218-1807523042091751934"
1⤵
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-388411823-1042755263-14060198681146670341-20945660542081183354-1117405031-1277677661"
1⤵
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "111385753216006708801465819428959549200-9928358945488894711016147159979495104"
1⤵
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-793288777964751657-145321979721439918216864245023331258331013665681927710298"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-466302195-7181201707063239772122803626-638553542-2026346042-1889671341830456303"
1⤵
PID:2184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-114097592189457280617633036051846370656790948638-1953312106164301657-705324734"
1⤵
PID:1408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16314096651322596012-1873444962-989007267-1016780878-2140025646-8697820492135628950"
1⤵
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1358042396-12629535401538280645-940063199-70395213559279448-2110638057-2009691002"
1⤵
PID:1880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1839520611-1468632557-850881455-1707158544907354621003689296-1899547743-1698321526"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "612469353-10101447491749054170-2998274022461462581544743159-1645144705404695853"
1⤵
PID:2132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-924443633-7595092191315212931915965890-586242010941885139-1689407649-88068470"
1⤵
PID:1856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-94115394156541604211890520401037274547-436533652-1299259572-17771997663061803"
1⤵
PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8204703991306677991-20419910731034430226-103711944-4085885382450174581522555025"
1⤵
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "63272235-1350126823-1375442596-16158939493734091223376594116241798501850188940"
1⤵
PID:936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "644687328-1966634683-2042333743445218501251453964-946848197-270711451901250291"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1920461063-15990610002080814459-9418347231412786776-2123509207-6841095721987207783"
1⤵
PID:2156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "997623123-1865789234-89531485-331256730-67354362921219362601138180258-1097596180"
1⤵
PID:1900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4857198161306120642970658758-3149263018051027801481281681-2027538314-1159977617"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "785265138-2060557482-141490808113883209181763142244-870974270388737877341543963"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1694896943967543631931470748308274492-7099384276784023271394922657883419358"
1⤵
PID:1044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-925107433424867798-5347112471926523418-254204325-45984716718687147551433987541"
1⤵
PID:2136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "889247076863394596-1945096762-1296097572-1098776935-20072625451784723141493600773"
1⤵
PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20974400716482972721747510261328159101-1063925059-117624517664267395927133764"
1⤵
PID:932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1151595337-1068959690-1230456452025472195-8949776671477918271-1438197870-1480755803"
1⤵
PID:1192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-564723221789484522-1269807059-1971603321-1285339329872523609-684070070-27697573"
1⤵
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2018139583-1523773377-1117603380-1940972572413495855-722631109-10496453101530739449"
1⤵
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1243229327186227575139667826-1580275235-1882441473-1260817093-4166238752080656891"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1406230893-2059074581-12681779528044067861499556526-14910797329680688061814395471"
1⤵
PID:2696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-442887966-1325005100-14858298693412944431699089520-154519344612690220241932057124"
1⤵
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "37300543-5826016771757844713-917447391517329894105518598275825184546226923"
1⤵
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1742827399-1045932790382000767-17374518465528600965324695741093923395791138547"
1⤵
PID:1272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1426493620-208109363484083248-1507722941353488109-1903388181-2119271504529495881"
1⤵
PID:1044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1553033708-10922719611617385798-132093363610028301331978697169-86153986-525051051"
1⤵
PID:2392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-721929998-1038074783-1097096356-1826417822-1916569173-1474174318-1844877855663072263"
1⤵
PID:900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1035848872983752788-142524948585174065-1316297226-14429539981174581281499422531"
1⤵
PID:1328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2064190528-8072480331146275072110989029117846384029352520171536734108606239969"
1⤵
PID:2032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1184557832-36689012066398839297204050-505482450578844612-1883343151-1686245333"
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-962193906-17186322841723765222182476890310435208761047522715-1874009226558777650"
1⤵
PID:344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-825906971079307671-439367421-10900065051918751364-1847561604231792847204930745"
1⤵
PID:396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3762826183467743362006413898864102195-8177856910363148941365659940825918149"
1⤵
PID:1064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "35065131629446048-1361397010-930060457-679724302-1930975354-107735407286533244"
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "112851310-131791612011898307533176916-718815669173068972311451845701042939467"
1⤵
PID:2116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-178461973-1290451739-18213599031661178841-117377847-1352914534215943381871355297"
1⤵
PID:1900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2138101605737082940132320951631230796516261089291078901724-698465102216553489"
1⤵
PID:924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "118893351718819663951306181185984412122-1279153606-9280699801372837092-1054136903"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-91508673717421063674414819211220638392934165847-17132603955646305841858305271"
1⤵
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1954637657434265889563359459-76608469543968596194862076910742871751253894776"
1⤵
PID:1228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-944841228566516095-921121883640155882109334350-2099833924-1705028826-4789297"
1⤵
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5032031101869041170-530586293615325163-1841478912627874811381121691401232304"
1⤵
PID:2292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "47873203739185551511490071181785812377-7055362481901316539-181202631855438338"
1⤵
PID:1876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18553032601653615087596470834-1707875433521802226-186452644734855582-1523410330"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1375756348-101905346313382838911873413127446692802-2587628512036131164-957907752"
1⤵
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20996330561950801962-316130772765980635-56012106-761146719-1816239381440080221"
1⤵
PID:1240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1544237160-1888912576-2112151236-1053087959-15887186991696749377-954078554-910981475"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-710399955-1022106221048898347863513000-1716539665364264544-658685565-1404681597"
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1153867315-264295031-98262150810271899702007337619625672145-12074835671334336341"
1⤵
PID:2524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13562848881979269500-5306054041445979849-192952470617124318481594187712-591585282"
1⤵
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3613075548480952-99660376777166781-1700153679-1149944621724801397707275266"
1⤵
PID:1724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1762877240842386290302579420-325213088-20450020-1819713614-675140648-1284999848"
1⤵
PID:2392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1799515560-19856968062065566270726357118-66811284886191191015681256281928436562"
1⤵
PID:3008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1767312501679332425-1372704073-93159328615711451491040153917-7072200941942087618"
1⤵
PID:1192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-222911302-1692793675738907020-87590438319017944681891314937-12350834821079915"
1⤵
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15125874641247767368-1745829674677821358-352322594-2018416281277023692464897564"
1⤵
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-362486571-998045492-1483504779-1546764852-319395064-9849814431669371931-962928313"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1835163779-1173267689-909395738-1773202959578224151677108763-9353543121919144984"
1⤵
PID:1844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "826124901-515695070-1383050373-1617432076-297747999-656469718-594772708-1446606540"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1475073169-1216802081-21234807242078517866-2114454772-1233683162-930316690-1711785097"
1⤵
PID:748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2014210831580736839-264479136-414008367851469951-10280402743230013312058018728"
1⤵
PID:320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "400693751661277123-1250553230-61729223149023650103270548-452026699-1076090293"
1⤵
PID:304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12641491131640943994786421751-1590805598-2120561688-17422895621129174931-1790127387"
1⤵
PID:2444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8182653321314467911575394474139170667418919380761057761407-1180178593-809365579"
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-04-18_401dbbf4b8f35ef9f4b5fdc9ffc5ffe0_virlock

Filesize
48KB

MD5
3b20f5e18b71fcd1d72cfc04349c721f

SHA1
3438a78d3c3b5a9c65a0f5f1d0110adda4d501f3

SHA256
8bf0705e02cfee4457efbaef3cc5f5aeb680d20dcbd7c8d893f386da85baafa4

SHA512
d7eed3b09ebcd4d9e9dacb4f306d5dea2283ac855242dbb66236547666a0699844a85b3edc21ef0b5313ad050465dd2b7184f8cf0b264b981fc85bdd455cde28

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIAC.exe

Filesize
671KB

MD5
a732c0bcde458905f52633bd9732e368

SHA1
c9316595eb4916f0498934453edad5484e7bb3d3

SHA256
d1d25a29797506f15d3fc6e49a56e46ce3f4888e25140db00558b2f842aed20b

SHA512
8f343fa2c5f4a9fe1cc332e1799b170d1a8bcbc664e37598b622e704cfc212a2e379b2d7821e01fb27001b7a69b4529bcac896182f28a3522627a3106393d149

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMwQ.exe

Filesize
157KB

MD5
3be6c128988f9e8a83e10d42f4fb1490

SHA1
43f09d587b7431ba0736afbf2baec2aa4c2875be

SHA256
c18dbee6c6b9ee2f41f6628e91e9f700346caf1f9d5c337802a282ab842d7f4e

SHA512
a78e062032b07a549122778bb901dc848da0fe3869c2d8408fbaa686daf19b01f5ee1c2cfb84b13f03a28f39e0c275bd383a6b956a42c7a0d99a1a3d4e25524b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQoS.exe

Filesize
158KB

MD5
88046999f1d1861a25e46cf3987d7d2a

SHA1
b9d8773a3102c17fe9858980468e592a2d31fc80

SHA256
5cdb265332b6877cf6e44a22d2f84a914fd375726811c0d6479322a590d63e44

SHA512
736c467f93494c200f6f3e4ee9ae882c58bcf46dbdffa55e52b1703680af778b8f584b247c1bfb242742faa32f68683c74ec39a4046e023234c2fe7430311fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASUUwMcw.bat

Filesize
4B

MD5
46db89aef0b783b32177470528a5b6d0

SHA1
ec03aef68c9f414e0fded14a7a5a0c79a985a6f5

SHA256
8179aa6195f55ac3791ba1a8f54ba200df3314b123727dcb035eea886fe8259e

SHA512
f36b806fcb3f123835fb7d17c408a04c4143a2e689b01f415724ca3ef9ae146f003c8e16ea3ef62c43a881d3d6d036d7ef1ffeb850936f8fd1f20ebc797d3c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Accy.exe

Filesize
159KB

MD5
9d4a296bb309a07a97d3cc7e7c9571ee

SHA1
baac5901c6755b6ae3124b5011632ce0681693de

SHA256
dc6236b7375415ee4533aa12c51f7298eb26fffdd5d6ead29061e5fc68bbe878

SHA512
fe08e1c6c264349049370613a3de922973c3127c50fe7a4439449761056f3bd33f9490b18d7f7088fbbe4eb63391e3d40c1b3a1222176d698b0fff3ea4955d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcYkIAQk.bat

Filesize
4B

MD5
1bae3c76641c755f42a4a4b51310d2a8

SHA1
8d6e8eeb3a599d91df21321820550a16b634de40

SHA256
7f964ccce6b14a86cabf5f8de524b576dd53d2b406282b8d8aa98a6a37c48435

SHA512
46bc317f7d75ddf395c98fe3a44a73e63ad28e66207ee7776447637c8afe1ec8bf0c57b6d15324e7e4c92628bd84a96fd8c9a06c4b6758501b88883e60dd9ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmUIQAQQ.bat

Filesize
4B

MD5
15a83545a23edcc3d9f007be0424fbd8

SHA1
66f6bef2175bfb0d5f0844759763822941cc6abd

SHA256
3526e879a076b43c008417a751191d53d1e023c56574c8ed07411e4163a1b479

SHA512
01621734e2b7d308e1717bfd17fe8e1e9ecb0fc0864e42ce065dfc9f7a6e6e0a69cb3155ec88e10c0f4183a1ce1cc993b01d980e3799a4ef49ea59af09f6df8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuwsoEoA.bat

Filesize
4B

MD5
df794f32507710fd03943e7aab43b20b

SHA1
eaa32ea9faaad8001e7b6e8a1a8699a51691d1bd

SHA256
3e9906b7000476254b8ce68a4b76bd94b4b0f36d43d75f4533d85c67491f905f

SHA512
cbe308799ba07e890b7466ce8bb93bc6daa5aa756ca8b8f01570ee0b454958fe1513d676b86eb9b23b30c2780ae24a47b5f3f4f9328d072362b10d1074433596

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAge.exe

Filesize
1.3MB

MD5
2e2d66db228e8c961482826ff75c5df1

SHA1
65397855f0b66b131a407362cf78eb4a01e40b8e

SHA256
f8ff6e0c9edbe82717c8ac3c66dc51a49fc1c986d09f905472d22b7c76f658b4

SHA512
3153d953b51d463d5ee4948cb52c8924ebee4c292113bae64056685ff9fcb26abd10b60e2e20b6fc83e7fba5479b6fb7c3ca39161b98e1b468bf8b29ab8f5d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEIQggAI.bat

Filesize
4B

MD5
b2d4ce8748d35c2d635da334ecb61ac8

SHA1
c41a8cfc26bda83517839b7d4d69231cd7793d08

SHA256
0d382636bf42918104b59a9427ada0ddfddfeb031f0a359cb4d32fa3bcd390b0

SHA512
77be05e435372f8ae65e376334d9b878381d48c38448b24b74e554584dd30fec0c1f1d6540a203e28499e048324434d520d307da68943ef52dd11281ca390b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMoY.exe

Filesize
159KB

MD5
f2f896b52baf89e3730bad3fda4c2de3

SHA1
2bf728ee1c8e54765febdd319863f810494fde03

SHA256
bb94ce28d07cfb11e6c8ae1e617d0a6ffaf2d380c4a5102758c2a5377d900a4f

SHA512
08361cdb4d1a1785c4db26831618c7440a2914e4677e4986321358cfee3fbe74e92eb0d7e684d31ad20c92d71798348002246170b6a857c7a2317a0ee16310ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coco.exe

Filesize
717KB

MD5
776f50bdb4ded143c286a50be219ebf4

SHA1
dfa67c7ecd01959705adad2612681d6e74a0fb47

SHA256
c73c7995fcb1018de2b4f99c9aedbe18a922c2d73f832ea5f4adcd7d38f1010d

SHA512
b73ce3309431427254fb3b76cc82b2073e939366c1d68145203dbfacd263e972af3a58b7226ebb90186b1d8dcde6d70d506255f71972403e5e75467822b92ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAYS.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIUsMUAM.bat

Filesize
4B

MD5
6b0df48d875c13785f3256d31fc030ad

SHA1
c8bfd0c9ccd3d98ac768c728cfd163349e3eed1a

SHA256
823cf7d8fbfefcb3368f8ae3ff205f4ddcc6645e07eb3320d2bf33c3c2adc233

SHA512
a1214ea0e7a723a26ef9f9e2e3787bf9319645375cf43d78042d7e5497e92187d18124706ced8fc96980b35306e5d2d65196694c90a7b65e2774d5f7954321f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUcE.exe

Filesize
554KB

MD5
8c6d5109e58608e50a40da64c48bf564

SHA1
1e74eed5f869aaa32ca326d963b9df8accfb3729

SHA256
f278cf4c8787403b16f70480a93d6f7cfd3cedc261feec8053a074d57daa772a

SHA512
22fa2672d6273b484f82dbf0989ff79dc5fed1ba29cd3ecc617e1120ed194110b75284abae8042c95aacf65301d40dc8e729b6e9d41056f685ad192ab50499fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYQocMgs.bat

Filesize
4B

MD5
4189e996f36df26a33f07ba30dafb875

SHA1
9ee605e9039fd2a0279ac64db454df7512b67981

SHA256
0608080f79f43ffa14261dd8c86015e1838673a38ff5f23952c9d047fbeb098e

SHA512
fa4787828c265cb0efbd694883e2ef110f9112b83e9d850c7707cb49693acc13c03c588df70fee42bf10100b4fe8cbefc231ebfc6b9e604fcfa16f70dc958ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgQQ.exe

Filesize
938KB

MD5
8c3ee256e7eb98017dce703ba60f193d

SHA1
0b99632c2695d86234bd9e880f0df34fa8fc3e71

SHA256
c67aed8c9c594cdd22977060912010142979ee2cb0a221914e309bf6047c0d28

SHA512
f1a822e76c49c57fafc08b48580585785b6640c0a0492efd453666004b3dba5fc77fa39289dfa1c84716e2e7c816f539dbdf81437e09e158dbbcbe43752defb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Doki.exe

Filesize
4.0MB

MD5
117bcc8609e2e17a18109de38e291aae

SHA1
a0703cc778c2d830b1dae157fbd585ab8371e3c9

SHA256
a2810904892e1c5467e73609ebe34aa49f6eff59c4f825d3a587a721a166ddf5

SHA512
44daf50b156d5bf59a0c5ab9c833e09238129dfd38bcd79a5055cef38e1231e221c9d0a1572f5f6b7efba625241d3d2387c3412042733b9fe3f89aa1be29c912

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsEMYYIY.bat

Filesize
4B

MD5
8ccc795c40bdec96b8365b4b2d390643

SHA1
5c9c2c36f9d9f02e554904a56da36eff4b5faf02

SHA256
11ef63893e8d46c588d4f3fd7d8c78a4aaf85f83e9db971aa61bd77da30b8b66

SHA512
28d44af6f1430ec18b365680e58a082256b1804442514795efa1b2678663ed79206d36df3bfddd2151a204cc020da1be9e5c2b213e49c25edbb7dae321929f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwQQ.exe

Filesize
238KB

MD5
1bbb1a910862f025a994760232cc6f49

SHA1
a6dc78cc22a3aa956cb2622e0bfed46b5714916d

SHA256
e6567c18e3b54e1c803a32b74b6d5ef90d21f196a0674e572099ccd836c5481a

SHA512
50fbef92e9dae2a8b83ab5f3dd06bbb5f462e195f41048bb5255c52d0f0f9548d92c4c5c5aa9de124f6e658bce51401efc8eb76a9e9b019b1197115ee33a5b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwUe.exe

Filesize
157KB

MD5
5ffb66ce42fdcb0cc276c81b6d8006d8

SHA1
6571cd8afe0f5db985b76ac0706c2229d7d76c40

SHA256
a06359dcd18e35b5bdb58fe17845718e973e8bc8ddd6a5f5f03c1cb20741031d

SHA512
b6afc603039a7770c26cfac87e8b804eb6f2430d0120188e99e8ebf8247baa81d568235d19925e2bd533ced487bb609d0d06fb6b03b9777561a50e86d948b53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewcc.exe

Filesize
158KB

MD5
9e6ac7920605aebb11d01b231e2a43d3

SHA1
d5838678aa16126fa310d7a3b740e63d838b0c07

SHA256
9a88123ae3e04bc6011fc54dc8e34a4617dbde0944c0f01f772d79c4a2d3f9a0

SHA512
7e0620cfbf296c7d81a915a2f44a00132ebddf3375c8f814fc0680a919d8a30877ed18e6fa06748b7e7fe185032c1a0e2711dabafc77ebd0e0163c6e36ab195e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEYe.exe

Filesize
158KB

MD5
11f13b432ec58ba5b86b21f369e0804a

SHA1
445e852ce2f47cb5374887eed4c42c224182d769

SHA256
1237194afbc03afecd9b7841cab37445428b009d81b5e5835d967a7fc1507b4f

SHA512
afc9d27c4d204c0e324d88947badbd7634d4cd097a7870733134d0917c1e45b45a4d7a7acab7d8b81fb9dd92b2de7f47ab09f1591a9a693777b273ab7e47310e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQQU.exe

Filesize
156KB

MD5
5b969b1b3e9bdf1f4529a6e54bb35523

SHA1
829939ce885424c32b73f55f7ec939452bbbc5e0

SHA256
3c94041c6df9237377eb50c0a68118bc90b1000a4ad2d9a8ed59f54342a10e6a

SHA512
baef29893ebe2370fa160f9b66b962b9af70c9cbc4387be972244872e80e661372e3b2e7a0e0a91dcbb57fd3e5b2c98112c0ced37943c3c43dc4f8adfe0cf17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcQw.exe

Filesize
237KB

MD5
3da5f20a40c8f539d05bbce44aac9cad

SHA1
4dd32b8e8ecb960fbf05bb45bdc92cbd41ce189d

SHA256
c9e7e6a1ac4ab7f64ac3714a25ca5a39062e9b93a39a430d66f49e629b7a09a5

SHA512
29d12c166fc3e9a346f72976fc6060ab05e76bfde26de53c5afd78efe917ce9cb3dddb6e69b6cb9ffc0f34ef0ec5a0510b1ce52a2017d833b98cd50e381bc390

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fgsw.exe

Filesize
157KB

MD5
cf9b8ab8316f60d07afb6c06f83a28ef

SHA1
7fd84a6ff7f584cb3df7fdcd05ef0016beb603e3

SHA256
472b4d665a4149eb80e8eb7703618943ddbef3f2448bf1fab9367253bfcda324

SHA512
84954e942285b302c1488ed799a931ecb96c78fdea0e106b352d008867f17bc0b5cc60b5d9947095bd02963139ed054199e0e4e4d901bc3c7e20871351633ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAEA.exe

Filesize
158KB

MD5
c89c26aa07fa93816908c8685d3649bf

SHA1
eec8b2f26e2aeb168d55ae562ce7de84578c9879

SHA256
bdb0b4fd5dd2e1831a192046623e3bd8bcf9f7793b724d925f04a33bcdf200ea

SHA512
fef87856042eb38a9d9f6766aeb3522cc4642a3a10dd78efb5d59f10c92bfcfb69dcc3406e7a2ab6ac27d17ac098ebef5e8bd98cf466eacea1e3f5b0756c4e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCAYQckY.bat

Filesize
4B

MD5
fa3d0dbc1b2c913e46f911ef54d2fdb6

SHA1
42d0383b4df7d0f32115babfb02d2fa3ef0ca0a3

SHA256
0cbd9c25e06c7b75db7558892a47a83cc86dc1d9fa4d6fdff16e3759bf5a3c12

SHA512
dcf6b0a7878fe7ab4b4afa6ff8cbe698edd2496c7c2cb6d7bd84355dcd661fc9af957bce4e613e8e93a137fe034f34a1cc12de158bd843a2bbb5a79e2ff73889

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQEY.exe

Filesize
692KB

MD5
852b75ddc2dfda3cf0d3de3988139a85

SHA1
cf59c32da1b5ab7a8482dd2aa3387579f760d256

SHA256
4c7fb212f4c9103f0b87186277b05e9459f6674266ee8ee7c6c3b30e67c2ee6f

SHA512
15d6d27ece91b9895d95442df5ff03894c62d959a8597e0e957ada165596cb0eb445c9649168a82e543fdef6bd7c70c438eaef43d99c8870e75debe53f281386

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUsokQwg.bat

Filesize
4B

MD5
535dfb992830c89dc3571166004d596d

SHA1
f16a60340f1513a9f97954ec5417ff7cc64bed2b

SHA256
28879a49fd299d76f78035d6e461a9dc5466f9954bf1056e852bdb3847e23cd9

SHA512
53a8a166460cb44e4ed279b9d2df32dd8a1c46d1777adc90a829c441941d3e5fe0777c7cdaeb6ee1e82244c1ea9a6e5a3e2c86c2432606b418aaf06589a06f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\GccA.exe

Filesize
160KB

MD5
5c313a487f6ccd81fc282876109cd091

SHA1
fc4681fec468578191cf4ee26a09901382688847

SHA256
5262fde4419cfa7b2893a96b2f90820ba966294da07b7e1018e425f5eb66db32

SHA512
7b7d20120ba02a9f733fd0eba1665ac76b2fef5fe182b68b458f5784ba37e4669dc5eb1074234598ea8e497af1e97f14d266d31faa1e654c22d255f93ebfa4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgQe.exe

Filesize
159KB

MD5
ffadfbcdffce60a4884b0bf663b84900

SHA1
dc8b54c16ae2975845aa05e9d23b020a26cf1b12

SHA256
049f04f395d07730e1f3f1dd3981907fa7d88f598fc9f2a22b00a88436173713

SHA512
61f5055e27401d163fad4eb910dc2376f86e83cd89038dcf717a8ca182d8326bd5985164adaaf096894e94bbfea638cb6f43c8253f39a14cb2ad9862ad356890

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgYK.exe

Filesize
555KB

MD5
4540821fb4103ac9a1b4c162e6f7ef9a

SHA1
8ad79688b40b834330273eed45cc3979b65078cf

SHA256
8be6f502199a98d773414ae6588028eb563eb6b8c3fe1f1294f51c652bf077db

SHA512
3f1d13f74a75331c6a6dfd6113bcf85ddf25cfb07239ebd00f9e6ccf01edf37989c43c61044e98fb52bce4201fd587f167de71e0f77a5b037778b7849dddc21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GigQcEUo.bat

Filesize
4B

MD5
84c391720003d48a30a79d1fe5048f05

SHA1
8c91f803b89c09f439dc8011bbc2f98644d3d958

SHA256
f3df8fce73d708d509c1408a4c5b06ea0a0b4dd055a5eede61197f487b49828d

SHA512
8e99cb291e1401c014362b006ae95855cbc2a42f3d094f79bfdcb8f6b44decdd1e976c6b5046a792f53389c2785eeb3888316168c144ab1dad3281f31219d517

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAUg.exe

Filesize
745KB

MD5
b6c2e939d54d07fadc5c831cce275b42

SHA1
7477df5afec32817281c1cffafaa4fe2dd27359c

SHA256
9fecc9df3a25fbe4cb63cce305be25a0cfb35684c0dd48fa2cdf45f252d2112e

SHA512
f2f790ad563dca10ba6856e2a37ad25792306f7526760387e99124b6c1dac78438a3d2503a535fb07ed6120dbfadc86b54970ef770d078559dde933df6ba6c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUUk.exe

Filesize
866KB

MD5
f94a026d02ea9f1fd72f8ccf3e07f496

SHA1
55a4837676e3c4fc877f4ec12911609ced4cc674

SHA256
bb9f3535ab64c8dea0a6b6587439d161e8ec09eda00710e0ef7b025b946a9d34

SHA512
4d2134012b29ce0c590d9de8978e66fb25699c474297d4c37cf32dac61d85ca0b6d59a8441b2b62ec243e6e770fd87cb602f60b2fa9cfa7922b380a07f0db7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hcsq.exe

Filesize
159KB

MD5
709e80c2886f6fa8f41cdeec93e8d213

SHA1
c50e7dc6c5d9aa9612bedfed89303bb4ee0b9c61

SHA256
82831cd94cb8d5599ebf2416dff0c9b93e6b96a793241ccc6f105c32d79f26ef

SHA512
d451797de00148d7d8742524516a6f5de846d8ff902e75903f897260e69ce780d86d1d71f314f8f663f915c2135664cc51d4f49317cddc08d1d0ed1bee00dfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcwM.exe

Filesize
155KB

MD5
24b5acf7c75ba76a1d7fa8f3de169b24

SHA1
71d5b53d59feec4f7d59ac795088a9dcd634e29b

SHA256
5089d4ab1147cd8da19866811300fe12942c00658fffde36c56c822831fcdb13

SHA512
9df77b1c2dfed4592fb717aec44e8cd79d2a0e21305877861f095ca26237c66243d6711abc349fc90cbdd34dfd2a15f19f74d5ae445c1f046d750a0b32b87c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgAa.exe

Filesize
158KB

MD5
4f32db123642e3f7c796395d7bf0e6ed

SHA1
ebf59264080a7b23ae9eba2cbb345ab5133cbb64

SHA256
3d0742e0c1e7ab9ffb6bfb7bae2d5c1ee944ef214ef868349da8846fbaf7a824

SHA512
aff8d946ae05cd9b57430ed5f3fe66b8f80581d170fdfdcea7b41360a9b2b9fc12ef34e9486c4526e35c77ad0d6acbe5400da77f41660f89c87bc8a954003dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsUQ.exe

Filesize
157KB

MD5
f3eed92d3badf8a48e1fab89fe61df44

SHA1
e176f57ff85fb0045bfcab06e231071820dd5d8b

SHA256
33e36ce3224a16d3c335bbc0e96cef6d40a1e8c9414b2d9b3f7ff7bc35394bd2

SHA512
f4e20b89952559b812625af44a57c074f99f835868cb45a56d22624a03cabb94168bfc01e6de4e0586afb1b74ac5738ae45b92427a6958c30ba3cf0fba3a2ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwQm.exe

Filesize
157KB

MD5
4201983a2aebdd7df612fa5f54ad859b

SHA1
78cddd74842d7cca3673089cc803cb575faab956

SHA256
a98c47b3f03fbb338694433fac4190981894c47086c2f186ca006357b4c16425

SHA512
aeae6e0bf825e2854e78b1af26f5f04a6fa85a18c7362ae0fb7210bf8c6054b23704f5d5a143d1a12540eb08258ace6ca8bbd1d9e94c1ca5bb2041037898e629

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEUg.exe

Filesize
484KB

MD5
7a7679189d6cf254e51ea64afdc3b325

SHA1
e91f742654dcc8be23285e4c8d5c6969dff4b6f8

SHA256
b813daa6fed146944dc949775df7d7fd1bfe73366bb31db3c87ca29fd7848772

SHA512
20399a9fbbecd63df57b17298190c18962f0db9dacb12850de9bd6e3eac4c8af92a159e7062322f4a12f32a2c982a54ff90dc0ca7967e0d898395f8cb8c405e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMsu.exe

Filesize
1.2MB

MD5
50dfa1dbe17ccfc35e7bf8b5abbebffb

SHA1
0995c62de8e0a191102bc5119abaac72d769d36b

SHA256
3df7e9c246a1dc082e43aebdb53db4f8760e61adf17ca759cadfb8220d01a500

SHA512
8bd0e6cc1224eea439ac5d959e84183d97ba7be2215a3bc371aef14ec2fc92f73628e051bce4ab364dac4595fb6d505b8cc2fa07b9b1f4dd93e54988ac58366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISkEcYIU.bat

Filesize
4B

MD5
78afe7a4aa688ad64c3225ff6f49befe

SHA1
152edbec65e3e2c22c9bbcac2eabeb958a39c391

SHA256
4856ecf3e52271e3db78f2546307655d92293204f5e6cfa406bbf8c1207855f8

SHA512
a748937344b951df3763baee9e53ad24e7e884f52e2b627c2c005fb2cdec72ed88a687df2cb31c471ab9759b3165e8eb28a2c01be59a5531ad618bb379f861c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUAY.exe

Filesize
159KB

MD5
f3b48833271beb0e55ae3128bd6370c0

SHA1
c5a0e2eb1a5283920cd63546494a682a674904dd

SHA256
e1e80fc4a9a5c3b5d59146d0718923f34c86cf795bbff515b0ffcb585198f80a

SHA512
47638837e5ce917ca844fd31266b5c13f9aeb3f837154624f30b471db5d08851d0086fed0000b456d4e6e420219e5d123b77f2e8446121df13cfe54474ac2d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcoY.exe

Filesize
157KB

MD5
3324d94f6252c9999fa4063e4246785d

SHA1
b4e2fdd4197f76a1137a92fef108e91c33b3d3d0

SHA256
a7d7a231d9c1d92d9af850592cc63fdf6c5c2ab16ec89a3d6d0f9a7b75001f8d

SHA512
62d0acb5b6cdfa48d119e41cc0a4b804b03762d1d185ec944664bbee5ddad23c0621141671ee8b01c61a431910844c8faff5f30b20290903be631e44acfa034a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IowYQwsM.bat

Filesize
4B

MD5
d334114607616da2c1ede19ed8570247

SHA1
bad4812c098822e614dab17f7d8e00490dce6398

SHA256
715e7801d8c3f77480b7a69413018ddff7886bb02f4177648d122d9cfb411e7e

SHA512
94b6743c648b225c3c844cab2d53127a7d6cda8e5cd9228e0c67a5f0d194491dfa3de31846573fee4e4a0863f2d44a7c59b4c3fa3031a07fc8851c31710f2507

Download Submit
C:\Users\Admin\AppData\Local\Temp\JasQYokE.bat

Filesize
4B

MD5
0692b86c9e3068726fbe383e173afb95

SHA1
45c69d39f470f54323a101d44af7fabf1c4af60d

SHA256
ccd97c4e0ce0fc3dcffa316cdb7eb2926b1ffd8494653e3a2e28fd6c0863058a

SHA512
7c669c527b6a60cd61774bb3c11ba2859adadf44b018a669912216c747d925b93b93fc3f56ed521650eaf380360659c98756c81ac81dc2c5d4ca0b9c7df31e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqkUYoQo.bat

Filesize
4B

MD5
2d2a316a661049b7f20ead9c644a28cb

SHA1
4b1145aed0b96d0b909787bc78967f7aee97a6cd

SHA256
5455b0836329e9f0415010076dd3ebd3e08393541b9ec5cf2313d09b1df2d689

SHA512
a1c3ab8e2b22d5b40d5d031da4e932000a9cb6976b542000b7da5d4eccab7eae2ed4a24a08c3c398f449842d2f94799ec461e97151224ceb4261e967c5882ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KaAkMEwU.bat

Filesize
4B

MD5
49e8db986d658cc6bc400f8aa5b90b66

SHA1
7853178cbe23068aac41fca992e37a30ccc3606d

SHA256
8ae3e8fff184d44d80d8253482fb4040cb22c13251579e8c9184bfa93be1b497

SHA512
fe2b1e65874953f8b568d5ca7040c103b2cfcc214cd2a6e93e1f214b1423614f3e8ce4d464b0ba04b77c036a5cb080bf3bf294355ebf5503368cdb4a2c263831

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcgoAYQk.bat

Filesize
4B

MD5
fae49d046636a047e6d9196668e69799

SHA1
c486cc62febdf3e5b18e83dcbf5735c0330d2b48

SHA256
5d41aa83ffe46800e690c255b74e451b298214f0af3f027aa35c9a8f1e843968

SHA512
a5e8b698f5a9ebbb4f20c93e4698275203d54893305b2298a42e0796e8e258248b1527d5511763327f6a06b063fa948549c657bb7a41330129525db875022aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQsA.exe

Filesize
237KB

MD5
313cad961a68d2284f1711373e230427

SHA1
0936540637d259e255127f3334cc96c4ce05dcec

SHA256
944da1e655d663d2419ddd51f0834a5082187b8b7260e374fc6b3c1ff3101e3a

SHA512
188c557564ff39432463c789572e65480349fa215c0abaee52313aa3a91c5640e260a550f48129f1641b0ce46cfd2a47b278c51cc36d417ec229220346dae830

Download Submit
C:\Users\Admin\AppData\Local\Temp\LekUIogg.bat

Filesize
4B

MD5
0d18759ac1adcb97f5d2036422667e6e

SHA1
9e5010936c50cd8d4509c5821a6a59bb88ebc986

SHA256
a4330d93cbed58a31bd54c0b36afdc8f17ce8096227cdfc40b9808c7f9d4e5d7

SHA512
9098cbaa897a7b82accc27689cdfe0a0f74b4723d6f01f96fdb551e97fe2409d2e84c8fe312fd31dabd66ebd20856e74285dfbc6e72bb0ac0efe23d18b4fff81

Download Submit
C:\Users\Admin\AppData\Local\Temp\LicQwEMQ.bat

Filesize
4B

MD5
62effc16bc225518ce31823a115e2980

SHA1
5e0c14f03851198cb4dc37156fd29011c1c116e8

SHA256
b3450baabd63079ea263049f6f16ce283bc6466807fb11b5055df51d002fdbd2

SHA512
1ac368687cbbd4f68482e7a5ac32202c4a9475cc9f7fba9d9cf8f8339382afb75d8547f111d53e5542bf2b71ef59fe248d3e68242c4e6c7fc3a5eb9f43efb58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAoO.exe

Filesize
149KB

MD5
a6be350160973c08a7e00bf845a7e264

SHA1
04597d21d219b037d9dfb06c522d7c36ebc529e8

SHA256
06f4ec6811a1d534dcfcb336a060045061e5142b025acd6372b60e216ed2bb0e

SHA512
17eca3925692a6c82634f94e78f0d0a1c76c950ed6af96a5ee2092f305ef1e753d650d83422c14a5603fd9159bcd113ba5d089bf3ed6088ca11ec1a73ba40930

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIcoIkAg.bat

Filesize
4B

MD5
0c63cf95332bf0241c9fcc1ad3452d8c

SHA1
242ba627e3c4b46c9b125b010d3bba1c3404e211

SHA256
8b93454a6795a2e3bf3a065cf445a892d020744d25ab0d5b3b2c18784bd183b1

SHA512
0e38a6ba45265646d3411954c4e34c33b1545f792d938c9d6972ef6e014c0e149a364e5935537ebb996a1898a4660e18e85b94f9916bfbcde5f1dc111806ca82

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoUkMYAA.bat

Filesize
4B

MD5
2058984b31f545239666f677080d33d0

SHA1
a30d5b68c42cb86c6d7dfeeda822c2c929834304

SHA256
dbdda4f4994ff9adee161b998857efa26e59182cfbf117ec0c42bc674b14bd21

SHA512
0ffc0c9f3e1dbd148378de40e635faaad2d680943789f3f78d374b3be60fb758b0c6819c189d47cd2d8a12a847fd612466b126e25331588775efce7cfc3ff5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUIO.exe

Filesize
159KB

MD5
71b556688912d59e8bec780558f00190

SHA1
6892f82b52a976b662eb7f5a07804c3ca8beae3d

SHA256
41339474e624404f606c6f86c2b8d59c65ba6b46330c0dee2149960db8e2251d

SHA512
bf2f5cabe2186f70cf50bcad1c02bff41d3f58d37300f6ff901a3abbc68777da2b5aac01b8da68f2283be3325bd36b79cb31d0744ec7e9a71b283484c250d1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NqkUMIYQ.bat

Filesize
4B

MD5
a5f3511b615c5c147f2b44e047bd4d05

SHA1
09e340ac96ae41e12690d77e181efc7058048eba

SHA256
5d86d84b44c0a1058933542653b7e7a0dd6bac4dfce461a0ff5d478c1870ac8f

SHA512
cb463f002f4ab0b09fb1a7f53b2314eb2f6a780d494290c3b1d78024a40f301e5ea0cb243e2de8f2eb1219e826cd49271b29202972bba2166a1d1a6a4ab3b02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYMC.exe

Filesize
159KB

MD5
f3fc8087666c546dfbd86210d51da3c3

SHA1
650c9a6c41ee40f5319414a2bf27ca9fd47a3cf9

SHA256
41c8942336e3983fc8cd3e7e8a2b05bb34b805872c62f27994846ac140b18348

SHA512
59cccae680f8bc92ac1b375ccd475924e57ba2bdcfa703c6ae7d32a2eacc75d9417ab56b31a229611703febc998f43e48714e7d54a4f6168871120ad6840d27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OewwYAEg.bat

Filesize
4B

MD5
f4fb6f6ff256d9e2402e845fd3f6e93e

SHA1
2c05dc2c83d20685591d17c9a1bbfec09b7e5c82

SHA256
db8a3a45e87339b2cc1d397d1b2a2ae7f40de29fb5b66d0a511b459fb812f04a

SHA512
c9092c861b10d30a258d004dcbd1c17aa2039a95828d582887daa2c027f5e33e1dd112219221c5db4474c4f26c8ee72ce886c5d369c1af00cd9b9ec746cbd817

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIQk.exe

Filesize
968KB

MD5
e07e1517c3600b64173018d4d26d4f6b

SHA1
81c7a875527b14511b85177900c5e562e484cc29

SHA256
3424945e813d5c0c2dac51c32fd9cd46ecd1b86126545cf4bf5900a96567d899

SHA512
b2e8c84f9b0a4e2c4d44df1ab97cf0a24a229a45039d07c12344eccfd08ca587db253b3022700c79d44b97f1720e03e84b9d3963bee47cb333e8865152cbffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUcG.ico

Filesize
4KB

MD5
9752cb43ff0b699ee9946f7ec38a39fb

SHA1
af48ac2f23f319d86ad391f991bd6936f344f14f

SHA256
402d8268d2aa10c77d31bccb3f2e01a4927dbec9ea62b657dbd01b7b94822636

SHA512
dc5cef3ae375361842c402766aaa2580e178f3faec936469d9fbe67d3533fc7fc03f85ace80c1a90ba15fda2b1b790d61b8e7bbf1319e840594589bf2ed75d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoocIkok.bat

Filesize
4B

MD5
4c4f78a6aba8fcefae59efc1cec13221

SHA1
a25408fb00ee77166b369400f070362f4386af9b

SHA256
a287ce24daa7e865da5685687ccc3ed87111383eee058c0e845c95f48d95b312

SHA512
ecef08cca61579cfdec17f139f66d1db2f1f7d0917a6b47e72374c7ad2fe919aa09cb22b4dc2abf293b5564ecb9e57fb27e87b69f1a036f84d91b87867a37a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUAgAgIw.bat

Filesize
4B

MD5
b2fd0a0b506120f8b751106851a5bc61

SHA1
e52dd1b2fdb58aa1c62c2b64e97dc0cf6a280b5a

SHA256
18e49668d4bd679f0bb5111271d17a2a9d9fa85033e5ca566d5b82fd4b97fc3f

SHA512
491e22849507325459888e6bc5261036011bbd4d616326401160b4a6b8577cff8c40f00cf46712e4525a50c70e986b37d458c7cf7d5aea239511e2a28477011e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QikIAEwI.bat

Filesize
4B

MD5
04c4a93c10c4110f904dd80634072d41

SHA1
e597a9d180167397c164b3c0851e16fefaaae7fc

SHA256
7b31b5e3f295ab09be06c1171599dce58d6bde6abb0d609122757d9999b113f2

SHA512
1e487e6fad2c10c48f5c0597b9c581045537595a9aeec538fe4e582a522a9fc160f0f4d02de55a87b0c04fdec17dfee13737943f55bcff3c12305d296ea43593

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoMMscQQ.bat

Filesize
4B

MD5
679fa4c9d5ca31ce2a5255f849342778

SHA1
11b61adf6bf50d43140bed67b6107f28c7334455

SHA256
8afda3b0dc95db1245988bc9d274c2dcee1de381b039f053734de1fcb55290ff

SHA512
c4804876b2b16cf8e5a236348090b3ec9101ac209fac0eda3494ae1ed0faf3174e40a6656952aa6cf75bf81267e8efa4fcf94669de61e2995f532de30f815246

Download Submit
C:\Users\Admin\AppData\Local\Temp\QosG.exe

Filesize
158KB

MD5
3860b88e87d7cec2342a017dec60e3c2

SHA1
58f1bffad680d6f0a88e5cdbb4cbe17e30b3862c

SHA256
142f7ed4e1deac205e3d5c66280db4c28a8bc535cc56177546fbf36d45b1cc84

SHA512
9939e23ded62d4c75a144196173c70e02aac0d4b1e40ec1809dbe6634fd5a5e7f9e4b5733bead0db0201a90d5862ae0db0cea9f6f5202d978ae4bc4d9e36dc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsIQ.exe

Filesize
158KB

MD5
844c0697a663395510546d343d4d1b75

SHA1
5d528640cf047469fc8fd941f1c53524c829510e

SHA256
a79a41684cbc9ea9e454dea0cbfbfbef2d284b5c2bb5ae95f76b70b90503a139

SHA512
f24accd672a937409042be2b9b498a2ffd79c686ce0450b193443d3ed296aecda17f59029fc337b3b0505788ffe4308f2dc6d821a866a9be4d63f863c00a1b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUQEMEwU.bat

Filesize
4B

MD5
9384262794845af5e0adb89579e7bde6

SHA1
010314e54507f095f653edc0979311cef97430e0

SHA256
6f4184d8183126264f6d0ff0b4f7ba111c22fe605b39b654120b2a3d5472835b

SHA512
465d60d2fd50e5a4a8bad59f685f7a4a6a2ead3cddc2a25bc149a7339293c61268f5752425a1d981b5f93f9febb819aa7374584b0c86ee7339c3515bb6d039c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuMsMIcM.bat

Filesize
4B

MD5
b2ae845c144ffb35dcf6369a330f959a

SHA1
19703dce40e984ba630fe5e2d29022183428beae

SHA256
bde7a6e3c2df89a7a1dd26ee84737bdfc3520f5d5125a19f67ef4f500dea5e82

SHA512
62f1424c1f22c03596f37513aa023e63e0416894e091bbc0cd73a7b03778f4a198c54267e1c363c72ad5dc484b65d0d4e73b313f019da6a8a26fe8a058a1b578

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAQY.exe

Filesize
159KB

MD5
e3d22b078b6b00f9e2d5b1c465ac78a8

SHA1
96394628674e156767c409a0e654623cd4cba468

SHA256
4a1dd24f0d4e6667dc08c2c00f71acd6953a272973fa5a527584be2dfe2e406b

SHA512
e30e2ceb99d2b973826b808942520ee8ea4ca8487a60d2d756dd7ff56121983d4d73a3567a1a2d52e6cc98709488cff94ab3eb3b672e57dc402c24f56a226f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIwA.exe

Filesize
158KB

MD5
078e048708a3846da44ff34a80f6e67f

SHA1
d88b1f96600aaa25984f9e9c3d8279aee328ab65

SHA256
6f6afabe10ba5806489a8bba663fbf62aa017d08f84aca1e211675be44beb1ca

SHA512
ce6c4e7bb8d7c3f969b694146e1e3e2f837cfc28deade038a6a82fc793a672b8e856f0ba9dd7b0e5842df1d045f27d937363b028313a0fb66cfb22781ac4e0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEI.exe

Filesize
158KB

MD5
e243b05a4065a5037e3e7eb4409c8399

SHA1
aa598387ebe7e82dac4e167a91971f5d67a46660

SHA256
0026636a7844372f24bf68e848cf0aebc48116bd21692f61447b9e8b4ab6d961

SHA512
c827dc2d284ba828f22e54241b57465c5c57815f1d9c980de138d6cf0fd61386298ce6b74821e564caad01886428931e9c77519f668ed609b10fb0069acd1d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQYW.exe

Filesize
565KB

MD5
51604abad33ae54b191287fb1e8c10fe

SHA1
c3bc5edf9d35a7ecf681dfe517350df5e4231ffe

SHA256
f9e1a85fc622f172707d76f8ce93d6806a7b589d182ec74963030eed532d72a8

SHA512
5cb6d9e135f5ba069474cfb5454db6cb52d3a5c01f0f1594740543251e2c580cfa8edc6465ab2ce2df21e178bd19de68c260123593579b1e6dc9db755a91032e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQwG.exe

Filesize
157KB

MD5
da9a4d9bc0561db88438462267a3ee0a

SHA1
3ea2eb13b4c622d3a9bb94166f451e7218fe51ef

SHA256
a7445d9cc9b8c0ec5d7d58c05116d6bf304f8ebb264becc4b462534c79b07520

SHA512
3aa58c5c00680a7268e196babc72d7c976cad6bf2e9c08230aed8791faad84c69944ccf60d16130d3c5267985887042d0353927b52796f05877ce8acb68b2859

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUcUEUso.bat

Filesize
4B

MD5
d3074709282c11f07b68dc1c5b397988

SHA1
97c0cce655e1f682c9a7de1c936a79560649f021

SHA256
80147b8d47ec2ff41ca4b3ebfac5c13e7c1764fb822259fe6edda25b2a52a436

SHA512
32a659d8b2cff34b6648ac413a679bb85bcc78132256d1646f69fa64c101eb491d66279ee453e53356f71eb8ce095ecf263cc0e01605190f28e2c27368dc0483

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYUO.exe

Filesize
657KB

MD5
b018afd5485ac3791848602aac01a62d

SHA1
4fd58ceff171573be8d86aa273ba0ce320f2b713

SHA256
ec5a1b00738b30793a90826c5ee9e2d4bbe017daf210929eb40fdec9c8fa0319

SHA512
f98c8a58caacbf006fdfb9bf278ad0b8fa11a2735aef78a60e8ad90693e7d28db3e1b5b28dcfe1eabfe77f443502a17fb574482066f407921d59da238e44a02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwEc.exe

Filesize
8.1MB

MD5
8422447594f09e5c5175f697e5ed6103

SHA1
6d74be2c0d4840cdc8941b2c013c44429ff6da5b

SHA256
66f0263dda418741d432e7b4e1902d92f03ead1f552cffb86080b362541f2b05

SHA512
1822b1bb2e5993fb7b17878ddafc37d6d483933d7e6aa15da0f70c4af2e54efcc94546352d453f9105365df30e18c3f3f5e943e133e9c2dcde0bd73397e5a5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwIQ.exe

Filesize
157KB

MD5
c6040b95b4545a5f27964a0f01baebcd

SHA1
6f78a715f723e4bf2a2720d3bd5d91fad27bde2c

SHA256
30c6443278840e5ba93968283e9e896e03eaa8af66cb09039efbd686918cb1e0

SHA512
631155d4efca7d7fc475f53332c9c8dbe6573f019af376ec447f80127c121c2c36cbdf83406b198860e8152ff41b5f36d8633b4ae11d6d1ee10251ef78b37b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAUogEMo.bat

Filesize
4B

MD5
c85e9fb21222f99eed0fe817ac09fc45

SHA1
4f63ae53f54eae28aea51c138bc8f2fe3752181a

SHA256
f599dee88ad557b226133c4c49109bf3c58fc86fec80e202a97fbdb927049bb7

SHA512
f14d1d39a0e1ea4f02224d0211893f19857df419a0ae34290dff49b90a318e07916ca6c2c9620f5a8342780799680e53c63383b0e2ca50d0947ce3a86ee3daf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEQi.exe

Filesize
159KB

MD5
4e75a4a0bd0a825c3f9be37a9a9e111e

SHA1
fd4f5582008c8e7684324df2f4e4c7df9bb720e7

SHA256
4a6abbb4e4b36de2bab8668059f1661383d97917b738b01305bcf8f45fdd1fbc

SHA512
0be23a67c4839168d82f98d95252f5a606e523ca23d5a130cd94ce5c0d30a49737057b717eb1f5d9aacd3d819f8d5d52cfaeed6e34b5ac052956914093fbd7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TigcAAso.bat

Filesize
4B

MD5
16338f37caec423d9960c0fd41942050

SHA1
40407e2479e437994277a3ec959d431a29e0a80c

SHA256
f47eff0e5a762d31a59f599e4344ff78a59864fd3501da45e76d89d077e21d2e

SHA512
e570cfe317d684bd4858b8e90741cb63fd66f3e5afd86803cff08c7ab5f7da78c5244dc3690a950e044ecc26176db934859ba9cd86221e9aa1f5b43859774d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIEA.exe

Filesize
159KB

MD5
c986cb6b0287a1524f3e748cb77473ec

SHA1
cb46256546d7bc30569c34abcf969d57da940bdc

SHA256
fbf1b966d6644e53634cb82b0cbab9f4222f2a89a3848522293ae530cc21c5e3

SHA512
07e4befe4314eda8edfb4611dd787590d36a96370a2cb552e80528e4a009f1c2c63e220cf88cd969491a9864df5e234a8d8833fabf75d83075b4cfce0ec172f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UaAwkYEs.bat

Filesize
4B

MD5
05422febd774c876bcd72dbf31d00fc5

SHA1
0155fac0fc00ab7289c4af3431e92b564f98311e

SHA256
e558ba684ba361050bd555ded212c4335c99cb619e4e1ee7e40917c01edf93df

SHA512
c83c124b7acca07f577f4db624f7f9c607ae77d95780e6be3fd5a1c7a6bd3545afb247fd768957223ddfdf7dcb36a43f795a686efd3d6d7d2c0e27cb56ebeb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgwcwAgw.bat

Filesize
4B

MD5
09da04f5b134b7dffd4a20111da42528

SHA1
c3c1d4a097907105fd1d528fd110671a48319916

SHA256
8556a48b5eac994e61efe613fdb80695af35741b87378e91ab3a9e486e23a1af

SHA512
2c6ec05a0cf99df67520c6c90c35863584fb2ad24e886f680ef11df5b3bdf4b39abe2a23b5a456a60ad929652447d2bdf28a3d779effd65473a16cc4f44846bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwUy.exe

Filesize
872KB

MD5
e560dd2fd5ef4426744ef88b1b7422ec

SHA1
c1b2352fc24f8f1684cacdc0588d92395c7a13f3

SHA256
3e569f41cb7962f4d1e22876ca5aa5716df66b5716a7927ea1fd505752002074

SHA512
836cc3b211e94de22389e828b87bc62fce811b17b448098a9e6d0b986391b392d2e767cc28fb4bee2dfeed569f3a877802dcd7c6616a6affdc10313a45d07a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgMM.exe

Filesize
432KB

MD5
ac7f0fc59ce884908750c58576c28624

SHA1
827b16d446a0018628fdc2a3946cea933ff9193a

SHA256
b96962a2be38b41ebe5c59f39b1f14204f1204f8b667fcb02f5d3c681fa164d4

SHA512
83fe188bd3619a69c9c431033432723c2564527c0975d84c6f724fb7bfd469b76f8cbefc158dbd6bfcc7b33d9d20257cf8c4e00e0eb6230a81cc7229d29ec8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqwgAckI.bat

Filesize
4B

MD5
fa8609590cf1c7e52e6da4677a536f07

SHA1
42dd531985b1f89963468cbdcf8a2f5b75bb8355

SHA256
fa430e87c7665cf8bfccecf451a1bfc832aca0aa08b8b4757004da66b1bf40dc

SHA512
3505813fff06eecc732cc29fc8219e80caebe968a0bcb72fec899dae149f4ff5433b0dd8bcac590c3d801813fd974da069cf2d3d07edcb4641faab76e4d1f6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwcY.exe

Filesize
157KB

MD5
d93e853e3b80a0bb934b490262a8b4e4

SHA1
c586989df4ea64e542d1c7eaf4ad5ba0d5ab9bff

SHA256
08b2de25af2bb7007f348dcb1b3fdbe0dc2b3e8a57b1743fff1406fd36c36682

SHA512
57da5d40f8298f45fefca2de1449f272740aeefbbf2277f47e4b3ff5e562f15c18ddb6aa48d1a6ff97f5e1a478a0b8d72f616186f6a9a2a68449a0bd06cb0353

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vwgc.exe

Filesize
137KB

MD5
a598cacc2659af5152464e7abb7fce80

SHA1
90c055df88e25017fb6b09dffae1aa3951f74a24

SHA256
697736dd8d1aedaa7d3b67dbcfaace3bdfa91a4583757d0b3830cf167cbc0bd4

SHA512
021740c276f4ccb06ff6bf7d5d7cf7d441ea753a2fc38dc803c409928b29cc95659d609ac02bbd4a34c5cd14986cec8118dfce1c6b043bc02aeffdb559de7f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIMsIAEA.bat

Filesize
4B

MD5
e55b1418bf8a33f88c0b43ac875314e5

SHA1
2566861aad34af77626fd73df8b156554d1f4d10

SHA256
dc1726d267c7836c52c5b34f9d6368a7929781b4c9703f7d82a2df015ab5e31a

SHA512
112ae02ec49f86337d890bda57f900bca711eaa04d24012dc5697dc4b1ee69cae95dec2aa05937d45fbd6632129751439e3ad3bce22bef80b07f83401a2a7e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wgsa.exe

Filesize
159KB

MD5
29bbf7b0a2a3ae6b73d8e93d6b435f68

SHA1
876a11cef6489d2516e327e6bcf96d42774f3d1f

SHA256
e0582acd9887eacbc87b6d85d50fec43581f4c1249ae8046e31feff30fbf2445

SHA512
7dce3471b42c6516ea3bba9e0de20c80e1fb7a35d07457026f555e7a91361bcd8aa7b675498c05bc5bd8e07cf343c548126443675f319ec867be310430126a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkEcAsIs.bat

Filesize
4B

MD5
71d8327250f7c03de509400187ffdbd1

SHA1
5d4cdbc4a45300429f01b2729ecdb0ec60d5042a

SHA256
d2fe27616eba432e3998f0a7882d5fdbce70a66e5f10cb2408b63ebfc9fbfdb3

SHA512
20dbda49416ce597b7fed67dbfac5c202e9fa8ea5b4c5b4104dbd01a3d1c8cfe05c912c592e1e330bc2a7e6f26a6d9c3dca3050d12b05f2088c86b7c5306cc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wkws.exe

Filesize
236KB

MD5
ee7d473a73387a72a24471943b48441f

SHA1
bb54e79f1eeb1f6beaa4e41713a107c014aacee8

SHA256
e6dc727de9f55950b15d71f820a4d140405de01709dc5b5cd0c499bcc9573e37

SHA512
85eaaa4d64b04d220392f8cd54e34a5ed9e4781641c3ca64ecc8d39875f957093155aea6d79f63c91814bdaf2fd091383e4dd214575ad237eb2121d3290b0fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsYIEUkY.bat

Filesize
4B

MD5
ca35eb94ff55787cac2a1f14bcb3d72e

SHA1
72196de7b65bba28c48434cdab85af0461cd8d96

SHA256
db3fbc578a3e366e5be13da672581f22f90d2fc7ee16ddae663c5ee73f5b1f01

SHA512
72ccd9560c37a108f7642e353a947e895098a9ebabe14b47c71ec8a57e1c14d3043a7eb87bcedb708505b8634d1962491528a91bb233f5ffa87feaf287084e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEom.exe

Filesize
416KB

MD5
6390a7a2c29b8a92878b8aee84695d45

SHA1
8f999b1f55631fc99b50cbcc8b02c6159fccc2f6

SHA256
bc35208f8c949c8c65236742d65530e583b438c3f2129393cf7a5566cf4725bc

SHA512
31e9f4c412bda544c76ef19bbbb7e4f29557c69ffd711596fdfd059ae81822f9b8d58e03ed302ddd2948c9676337a9e56a25fb4134d55cd6275c1094b8904b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIMU.exe

Filesize
157KB

MD5
1ce516eaa1e8a3ee1f2d9ccd19e2bd45

SHA1
14bcf6714308e23d6b1c2570f26e2482a6ab3a78

SHA256
be6200593e45247ddd16e60f4f453af37cbaaeb0b963be1417d28f45bccbd005

SHA512
0c4dec85e08badd814df37bc7bf544d1787c2538daecbf8c9cc37a5cfc176c4bdcf7b0bcbd355fa0a09affae62143b089698dac88f7b78883f7b8198e6596f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMgC.exe

Filesize
157KB

MD5
49235778b0a163517c8aea08d5731a9e

SHA1
72a2b201bb22655212389739dad16f8bddeabbc3

SHA256
9145344cdc24fabc4f724a18604c32f17eaed38c93351e8e4bd21fbbea225114

SHA512
902d885aecfbe7168310e565508f2b51017c835337145f0074e3f7036373001a127643d2c9d3258eb8ca220e404bdd05f1872b6c4e986759b2079a5cf8f5ecd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQUc.exe

Filesize
138KB

MD5
315c4832a794acbe9f318f091d888433

SHA1
87894081a5944da631bc78c54df3d58fce556df9

SHA256
00798dba83f30ec0d9606991f2f562ea736a03007a35facf8f96cd5279173e70

SHA512
c2712fa2f023ba25fac7ff4faabf1b2fe926c7594e58e94b9220f2802a80e8c5b29b495ed900f4be5c29606350b614ffcea7cc8e06483f79e1d227356904a6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYgcIUMc.bat

Filesize
4B

MD5
1fc6b74e43d92db443f588d950730679

SHA1
a06d6b8823311f190ba6369305c0f6ee48734a17

SHA256
ec9413c3fd73ee27c2be6d0e5c0296f5d89f096becba3a6fa03c0e341e87e90c

SHA512
97ae4a86f7a964af88482bc25d457245290b34b68f0c0eca6c2681edd437e840f7a889c43f3b0024285882e0bc237a09f1fd618ee84cf57ef1749421f6b723cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgQc.exe

Filesize
158KB

MD5
16b6085d95fc6290cb4b77dafd50dcfa

SHA1
db5845e66480e35bc5a50aba4c9ccc82301f39a6

SHA256
e6db512492b3703fb1400ee88569e56c934b93571e4c5c8ad4ce2e213c13e3c1

SHA512
d2ad9e882df1e1b0333909710f056e351e9a42c77434c91a4048746fae478560c1a85229e4c752b60077c8f066d4fb68bf2035223575232a87c229ab4e6e1dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkcAIUwo.bat

Filesize
4B

MD5
1aa1944c3dd108844b124b1963310ce6

SHA1
c4bef5ba6c1f8bb2bba2b07a1dec38e3ee7dfda0

SHA256
224cb5c50aa550b89e3bd4d57cf5ac783936c2e7b764374a1538cf92b06903fd

SHA512
794c71399b8d03747c27f28b1c39cc2319e4946a42713770e45d69f568db78be5c1b703437b107a74d6824f522bd5be0fff9c82ae3155b5f09fc76f52d5c2353

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkgMIEMQ.bat

Filesize
4B

MD5
b35d2b1a14d7e725c4ddca8f0e9d8e1b

SHA1
78dbe6ba19c7aa24428f165527559959cbbe9f08

SHA256
3248a2e8b054e20e24db7407f75a8bbb43deaf49f6a3c89be11855848b83a123

SHA512
0f9003d6af50c3d2441cd67e47b6de7ef3105321a0586bb11c540ded56121c0b09f5205b1324239c736cbaaecf635a59ad849abaa38d1bf1bb8d0a1a96bd4911

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xogu.exe

Filesize
743KB

MD5
4049e82ec0f1554b596f83cdb441f84c

SHA1
a60477e3f12f58fdbd7b29b9b9447b334dc29df1

SHA256
00e00a953abbe0999df070dcf29c6a5bc58c2729e00c2f8cb689b357512bdfe9

SHA512
ba96391e395cebe2ed4349b974dece6feba797e56d67d9396c8de9cb8d27cd47207d229af11fc8c681793fd28966355961e4f70da877fc7248fba69e82a74a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XyQAAcQk.bat

Filesize
4B

MD5
7621aaa81f6c9feebd34e636ea559336

SHA1
cf4f06674d92304b5e1228933c127fbffe2e8ec8

SHA256
ffe52d01fdb930c8b3744abdcafa72d9fbc0f8de65376320275f880480609366

SHA512
2d5df8c9ade680b7e77fa713b4bd24abcfb847e8d3c5be8978a7af559b34ba9cdb7e2717e0b2b660da43fc03bb6f82cf349df5a3ef5055bdca43c87b8e54e2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAsQYMUw.bat

Filesize
4B

MD5
ccceb2656999851c2418ffa9ca4b6c9d

SHA1
101a8e0b8c78b8b0bf76425a796f65a5ca5fa224

SHA256
ac20a3d8ceee7fcc257d0217d5f3df0eea377e88a53f2c7148f085adf234a89a

SHA512
175a10c4952d5d3a3b330bef9008e9cb12ca61feac62e01c948cec4e4f10a54ac3f464d11fe51ec78b45c921f82bb0ea59c84f15dca143a41d3ce0fba9291218

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEQW.exe

Filesize
1006KB

MD5
07a795da21276579330fa427845106e3

SHA1
0b4d80f7adabb6f3e396847333e6d3d6b05dc522

SHA256
bc23f799b07184a13a84661f464aad9bdd4c40dca5d071f145c5013d648bfc98

SHA512
3117fe7db4149d295db1d46fff65f99e80af3d7b11c9d04875e9a063cd733953528b9b9fc6765b82b5272322bae9b9d5919f8c000c879189cb9ae3ae73d3a677

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMIW.exe

Filesize
150KB

MD5
b51e80940ed1329a1e4495f6d3d0c977

SHA1
8a4fbd16d44a0a56864fdb2ea44b85b3b21abcb5

SHA256
8b60c3379fc54812d219393b09e96f0b370ce44fd80f3ef96cecbb95402c813d

SHA512
dc2a41a21873f1ac412c99ca73acf80effe9767d87b117412442872c2fb22f64fc18ead9fbf7f3de84dcc41df2dafe398eea4a5adbe6bacdd8f906863d93e07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQIe.exe

Filesize
139KB

MD5
135e382188aa3681cc0087029c89be74

SHA1
7a54a9ba083acc23f75fe3051c96b94ea32fe07a

SHA256
728198712a62dcf205236246c5ca894b876dc9e1dd864f7d19536eaab7b839b0

SHA512
f219096920dd078dd736e8c2ef2d7bb6a48fbc809001eca7db676fafb828bb2c060f9c88b5af0ac5d26fe17e37ae45b4b447c0617106eb37cfcb1e9ff0036429

Download Submit
C:\Users\Admin\AppData\Local\Temp\YeMcgQkI.bat

Filesize
4B

MD5
fe464d3763653f8c9c00257a3d69dc88

SHA1
a1c333ddfa5fc116fd0c1341b037dc0b9438de90

SHA256
5651ecb1cacc3f1e646bb49c937debeb3fd4d10f578cac9d44018ac086cddd7c

SHA512
ee798107627c4d6a6b00c2ddf4c1f4d3d090725157dc00d530f74f5c987a328bbed51a39c5a2e56928f3061b50179be68608193db246d2c188f26112b0d18a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgwMAgco.bat

Filesize
4B

MD5
36f22346a6f744cddb5fd00af06a9a6d

SHA1
29f9d6279d10b2280eb0b2265e395307fc90a437

SHA256
feb44abef5bfab1a53a44cbb082930730bd6f4cf63de659d693ac358dba38cb6

SHA512
f90e8877b1fc9bb47cf94f3d6ba6f7fe041b0a69c745ac440a6c3156d7c5a76531baa22e3502af5fd2eaded2da2accca534232c4bbae8bcf4981300711e98355

Download Submit
C:\Users\Admin\AppData\Local\Temp\YmMgAwEI.bat

Filesize
4B

MD5
6849f2c9397bf39df075b81671ea4dc5

SHA1
3b645be62b41271bb3aa274f9dfeca4e68286b5c

SHA256
1a06ba5a651e3865071b8306bf07bf7776b3a4323da394e668a311400721a9c1

SHA512
5331f8d79cf38fb59b8be932c3171efe3aa95dfe12ffad79f9761597c5fd1e7dee629a6bd59d6384c4af55c2f79b0848523a84c1976204c9fb490800f7fbb33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAcYQQIc.bat

Filesize
4B

MD5
b7cfecc2172677621dec3a9fff40bdb8

SHA1
b21d2566e177d394e6341d2540f040d1f6655586

SHA256
50ad7e6671a752dc9e0dbf1b31f1aa7e0026c80b79552579701b62437f3c2c1b

SHA512
10ba053eae0668c3358cba87ee2992e41a09e3f00ee0680ccb9625d1b70e31133e3873d85a7349d3dec67aa5df489351ab05919278f9589dffcac7a4648d020a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIsA.exe

Filesize
157KB

MD5
d82f4e6d99137c6f97d91976e1a46f6e

SHA1
1a5d29910a3ef2645727a3189a6a8f0ac418677c

SHA256
56a45d2593d8a66e9c1205fc4ad4c0a55944c0d562ab3eafa71831a9c98f05a1

SHA512
99a7eb225b81187c34c89bb411fce6f2f0ad44a0a984c671f172214bc6b0741414d75420215d668511d7f3d35114cb9f9115b023ecdff5cc47f740dc78d3840b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMsEwcII.bat

Filesize
4B

MD5
181530bdaefdb4da27dc87d90a3d5ad8

SHA1
59a4ee1155fef8dedff94140a9bd89b5461ac477

SHA256
2def107074f1233d2949aa4c36febdce0b1d55a03b4af5e4ae299f45732b2762

SHA512
ed017d5919e2a73b7a8117425656118018f1d537f13133c4825bc400bb94b07d792f8f88711c8e3e4e56ee42fa0e4202680e84be55729835ff51c6f0890248c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIIW.exe

Filesize
655KB

MD5
49f889d3558c8c08d02d9eebd49e2068

SHA1
e7512f0ca874834f639b788ff1f85619452c9fc4

SHA256
865b413dd4b6fcb1cf5090cd7295a005dcd1aca75d703cc7f0b3a6026f3668e2

SHA512
c4ed051198fb244fd6a8eb1c58cddd8a10efb36d94de63c09565810e5fce0165c6c0e594914b5aaeb64c8b27ea4a1cf89941e191cf41fcb055d6a13a38f4c00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQIU.exe

Filesize
159KB

MD5
8037fe2c26ec010a3dd4fbbca3fef7bb

SHA1
e7f90cac0b00c4a4e350b794d5c1df3e51344784

SHA256
a94d56eae000c9a795a8cb690f27f0e0c67e8fc28153f61332a68699a605b179

SHA512
588bb7789bba8307d0bb78b6bc99a370d5f95e8cd000775ff912efb532611c5f8e8d37bb08effeb70a4d597b8f5daaaa9bb4baeab12cf674ad63a11accc423e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\acIg.exe

Filesize
160KB

MD5
06adfbb0a5aad0dccbf4202dd7fdd044

SHA1
0733202b35c115b0ece50ee26ff018909b6a8c23

SHA256
80af6aa51ee747bea339af719b755da30e74a3a088b20ff7ee9f3693cb50004d

SHA512
bb5401c262667934b77d6c6752fd23a49ddcf6802a3dada4852c59a1f2f709a00421bf41715eb35bf84b75cbbe71d1af300faaca89b673b0ddec10a0577f1c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\agssIYsA.bat

Filesize
4B

MD5
2788f530c6d69b9dbec51b7f888cfc2b

SHA1
034544d7716535a517531f4301fbf789941bb5ae

SHA256
60ce68bdc6b359a37de05117468b67ccf64afd78e5caab46c26e206c176b45b7

SHA512
17a02758cbafaebd6da0751898d81a327cbe1c7ee2d264637f3f94f308e89e7e65bec3ed203e6c34af92f49bb140e945f573ab19a6df579a9eb7d97150709417

Download Submit
C:\Users\Admin\AppData\Local\Temp\assa.exe

Filesize
158KB

MD5
cb1b26f75aebd8f40c43a765bfbfd86f

SHA1
3a9b620a1c18932db2712488637e5872bb6b0923

SHA256
76b162cd54c161ddd7de1b311b948c9a6fa142fb403506db1fd6a853ef984bcf

SHA512
2f8c3dc0b07c3fa68f886685abc6db4747d45cda4342753ddeab65ddd05e61594597a5eea6b4a719d983575f655de297814fae931618145daf68d72734ff2071

Download Submit
C:\Users\Admin\AppData\Local\Temp\awwsIwkk.bat

Filesize
4B

MD5
a2b4d0fa73e7029568645f4633ed6656

SHA1
595d975a925b8add0198a639a99efd186b16cbb3

SHA256
ed015e4e5c60414ec6127a4d03a9d3574aefa46a0577328d5e085241773b144d

SHA512
df46caaff754f01cf692081e03e3e99a309a10cce06ced8419c571d37e4f61852aa86b11d07a9f27bcf9f5b2530a6cfa218355e97048f9513884fd255271f249

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgUY.exe

Filesize
870KB

MD5
292a1001b5f3cd9b0cb9bf19b90b10f8

SHA1
6333322088b05e45f7b8d1f18825891d79a490fe

SHA256
9d0e9264dea2c0e8ce60b09c41c5df65b024189a1c25c4bf64b4e0214df4f8e6

SHA512
0bfa59942f29c628380a37dc1affca4ab93dbd1cb5f7155ab680b4bb5291cf9c9569199033c49d31007f65ab70d079ea5962585dc4880b17f74e32078ca5fdc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsIoookY.bat

Filesize
4B

MD5
15cdfe8a76ba2e257182f1bb2af04b49

SHA1
35c303e5c71ebc54e83060dca91f52118a0d53f6

SHA256
ad322de269adf80896eb492f4dab46f47860844d71e51accbe09b4f5de39d98e

SHA512
8e2615613efb3abd5a79a14ed562135e0a3304b7c82d1518b8b9bb90516505d4c2f6ac3cf65026095f9adf1fdcce729cc82f6e0835e153a7281b82bf9d2c89a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cCkAcgYM.bat

Filesize
4B

MD5
05149095cb3f050bb0211edfdffe963f

SHA1
09e38687d50ef4fae1e64b6d65b3d48d5714f83a

SHA256
e20a8c185d34e464611c7fb752c13c31285381409319f9b0a636a3f05a24500b

SHA512
3c66fb8820ec7e14b4b468fd49a0e823ad166da09b68b0845dad2b573e80093e2b96a1a77433a611d46bf1b555f214ee32493b68aeb691da75ea99c2e3e370df

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUEAUgUY.bat

Filesize
4B

MD5
ccce0f65a61d411b22a8342046cf1cfe

SHA1
1f62b4b162528096e771549cd9f168b4f15854c6

SHA256
8813b3accc2be67f10627bc5c080b639a33bf4bab16cc4f472bc7338a0f3fbde

SHA512
4b649f892afd28c7dc5a88affc87f85aebbe9a7727b88bc3859942f04c05f7923f3695849607259ce7718808bcbad7e1e3cabbf0525d095509971dfa444683c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cccU.exe

Filesize
160KB

MD5
b236abbb47a6d2e9b5a78b1745c082d2

SHA1
b7259e73ad7190a1d1b50b4920394495969636b7

SHA256
84f408e7f78debc772e86d0cd6370165c4db12b3ac3d50b51d1fbce867c8c39f

SHA512
a6066950fd62434e374664e4c9ab6e29f62eaa8543dde9efce73a2f248a16cb65f7ae60d06cff0d3ad45cc682ea601952412f85044d079d859c6ad4ea367f523

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEkg.exe

Filesize
159KB

MD5
9deeeaca2a64818ce1e0cb18bb66df16

SHA1
8ef8617a352e6028003a8a94361b88e66fa49750

SHA256
4f27d87e4c36bac911b8475691e937a3c164529c1c36e176c4337a8597081b3f

SHA512
860898df221a3345200838a752e785730c1b7a48cddb39d5fce45124654c6988a5d4771a660b5b7c4ba7e3fbd9e3d8695eef7d1dd2fcdfc5219b90818eae7da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcMEEMQw.bat

Filesize
4B

MD5
a802507c7e43d64681c9fa8b0506b2a6

SHA1
62047b20ca988e7add2cd29769d520ef685b4362

SHA256
ce5636f86f790f85b78f57d74a8b7407a151c37db5b1ac8de3cd741e5c29ecd3

SHA512
798db045c46d148fa7f83f3b3ceddff5db02f461adab1208ef24bbb363bd8838502f7f67fb495ca94cc088c1d7f86ac0d30374242d36647cd4e10dd1ca9f66c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcQEYgwU.bat

Filesize
4B

MD5
72f36415d364079f952ac0a2cab3251a

SHA1
fbb4335ea45db6175cf132fc9d855a84ef0d646a

SHA256
c6f4bf58070dfa7d03d0998aee450c92dc1671e3687bb155738bfd8ae43ff3fe

SHA512
34db86cb710b8e5397e007c8ec435662b288e28f53eb1197a69e88e433739cd6fcfbb1587f959eaf9046e21a9703f6f2d718e1c29dea9f08710b76e6e2aec024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dowY.exe

Filesize
158KB

MD5
ab881c91dd859f08dd817612a3e887b0

SHA1
d494a871dd89e7a308b22838256f2da327e70ce1

SHA256
484d9e55eeb0fc690381f098683aeaddd38512c8c4b95f7ad2d68fa127026356

SHA512
fc37c0d11e417d3f9a154491a3dba7d26856ea97f66d482737358bdb68270ee98ea28d7bda3906471dab93173e1d54a0ed9f3566248517f11860234eaddbb886

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEYk.exe

Filesize
157KB

MD5
2ff95f84f2b398461c09f7a01c835c7d

SHA1
8d890fb5a0887a1c662bcd574dbe645450e483b5

SHA256
57402c63c0d05b4f7072e05263c1e585f11bc6118823e5923b0886be7a9a8713

SHA512
3d1fb0810a59bd43c68bf2d3a29d879d27bdbfc20a26e115285029ab71d19856a03c4d5c474c02e11468d92593defb7e89fb4349ff259e5a7a913791224f98e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecEa.exe

Filesize
160KB

MD5
d535034d580d06c778dc75829fc663ba

SHA1
935f55c7e404b2dd6d33614463bd5ce6c6bdbe39

SHA256
69ad8f8616e808b89fe3d53a1f18cf68e3a465f53a6998e364fff34b9cfb185a

SHA512
a6e5355c6d4ea3f6d3906ff8e522ee010c56877a4b5036af9ecea60b6909f4eda2c7a5d01af5d9e7e76ac41c6b9ee2d5ea47f25efb08ed302f1f080e62c9fadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\esYa.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fCkIEgAI.bat

Filesize
4B

MD5
03fdca11d1cf4f536aec124e1819d551

SHA1
fcab14cb638b8cbbf514e2a05aae7e1c34068b2e

SHA256
67fd769fb949340675082f78f90fc30ebe41a407a3549b62621a82021d701358

SHA512
1cd9b777dee249ff724b945945c5040527c5435961c0a2a3506ac72808aa480171c93a0e91709bcfedf2fe4911b79b1fd1b0d6461c28f0687c47409210ebbfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMoAgIQQ.bat

Filesize
4B

MD5
d584df5b62cd1c8d78b2f73f9448bba7

SHA1
3ef90add90da79f5b662c11f644d7f6a5334ac64

SHA256
2bef22450ab237e0faa2667c6619bc6ceebaf3df8e0d80def9fbc5f4f4c0552d

SHA512
afffb568196d7dd9e521f34e4f91b2c308a1f0f7a715c5124a7342d826445f7356e0832770becf169e06f635a4621a0ed8494636cc5f36fad07fdeecc113bf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWsEkYUU.bat

Filesize
4B

MD5
f1ce09935c6783c5d06d91ee14aa8ef9

SHA1
d60830eba9ca9ccee4425119f3685b6e1bfe8565

SHA256
d1d094d8eabf7635de3e49d57834fd7646a07501779f526ffc44b1e787c2db9d

SHA512
57c45e47724b40422334118a65afbffa49b6dc81743d09cdc7271ec9204f927f8ffc9cf5e21e59e46a82e9712fb539b15bdcdb1f9654effee02d0fef56f8a4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\fesMAsMs.bat

Filesize
4B

MD5
c00506015b36346a701befb1abc2a045

SHA1
75d14c13fb6cfa130eeb3374e4d60230587d5144

SHA256
221c9a0505e476884d877e916822ea3a387c098a7abfc2f10fd0548a4c7512df

SHA512
7fdaa4f980c1ab3c5a28315d2358d8e2ae3b971eb7568ebdb8c46b0099b9e8e37f9a703a6a7c66ac387503e0a3ceeaaa57bd95547faff6fd28cbbe1d5aa2d5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYUS.exe

Filesize
318KB

MD5
59ba242a6d2896c88873d91f64036fd6

SHA1
fc4e2e92cdd769e4c2d454403e8234f6052d4e23

SHA256
d99b22537d639c7075ed15a736a67787282c34924adc4de8f7b0482cb19c658a

SHA512
6a74df680a41ec057861c96a2b8a30c37388b006a3da6498f0e1a7f21eebcab2dc5668f17c74e3d2c54c2e2c97bd11f65f03265d361757b1e2b75bfeaf127df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggMO.exe

Filesize
159KB

MD5
b258720ca3c342588b4afb0fa1fce770

SHA1
db41b6245f3c37a87e25b2f4478ba113d2943039

SHA256
d67c59120b2231c8e41d710b611d98d1c720a815c246e5bf6ddc9a4673026bc1

SHA512
81bc2f9a1ebe62761895e411742a210317c8d54bfc45f2af172693dc8867bcb12cae8fd4187e18546d16da5c626321b5778e562ee94572ee2b13c6df8f7c076f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGwUQcAU.bat

Filesize
4B

MD5
88d6f983da20c5b43060b5921025c6ee

SHA1
fe57663c91e8cd0782e67236a33c4f2584c26363

SHA256
3c70421309867e8f4e6f2d98a28d893cee2402cff9a8e5ddcf160009cebf726e

SHA512
c91aaff34002e811cee5fed30387c33fa06e44ba4b9b07e8193c26ba86c07bdebc3b179467080dc6ef233a23d8fedcbbd58246e5f8e3c739741c6c22d20be99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIEggkIU.bat

Filesize
4B

MD5
7a3c7a86aa17839e5e7f35148b04a24a

SHA1
9dc3c3be5d803e2541a088dc3335296ff99a8373

SHA256
6e8e4d2649a5d6df07d61d612ee2d5f24449a7e9b88b6e24799b6a7789f45f9b

SHA512
90f33ae02fa710c2cc10832b97c3e165b4db2c57206f43498e65859cca2c6749461d1802667f3237d67ef23b471208de4eb89adae66f1da540090fc6729796da

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIcU.exe

Filesize
4.7MB

MD5
ebf2167b03f95a16ef375711d3b18913

SHA1
a8008ca4799612f8c7469cd17913366da98f0663

SHA256
8e7c164713153dba5a2f315febf72cabbd460828ef523396543b07985220b968

SHA512
942d8ad689bc776d2d2b1b92ecead272d1b0ff503d9ec613ea8a2db310789582782cb3a0852ccb76b04b39a3e595aa76d55a32fb2d309579c3b82eb6dd23c5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIsc.exe

Filesize
140KB

MD5
2aaa2f354aa8eefb2ce54fbc5887ff6c

SHA1
9a1ae259b0ee2ca014e19def2e338a90c423bd1f

SHA256
cbd2d41009aa0c364c55aeed7866f869ff0d2ecde75fa230e0346c31ab7be856

SHA512
dc87cdab38e716a9743c6f40f41c3ff6133276092c431f8aad3a4c7b7f6a24cac5e3d7a68f8086dc1bba0289d2470cabeed8386e1452161ecfa0e57852551a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQEgoEUI.bat

Filesize
4B

MD5
3bc91171a80b9b8eccb108efdcc74cb2

SHA1
85ba0a68a94aa543bf5f1b4feab4264c76318b4a

SHA256
a1b951b9f370a00f4098ab7c4d2e3b7166887fb91f4ea2d48b3ffee973bb8f1e

SHA512
cecfa9e366031414d7af3e9149d5102db678c9cda06d4a377b4c6f19aa84b7ed89a427fb3e0a8c217a17d5e02ea0d723b7d9b071ed3da66279db5962640320b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYwG.exe

Filesize
159KB

MD5
458b3320b2b9c38ef8284ec9005adf44

SHA1
174c783891b00d0210fb1d408bbf029cbe59fe69

SHA256
136a9cc7181fa384238537674658d7395b97a7a2f4f79c9719b385c96f4686b8

SHA512
9dfb4ca375742ebe70c8a16b331e00c44cb0209bc7b11f410b131eff739ada48ab5919934cb1f899a302bc511ca8dc30a45a13580b2ef206ea28d16e86a31d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\haMggcUI.bat

Filesize
4B

MD5
bb17024cb1a7336c7ceb1be8ad5a711c

SHA1
0f6c6963e25029c59081fbc91861e3be5b466b73

SHA256
f1f541b6ad8dc1dc5b453a46d1036607779ca8002e343ad6a2b3ec0881dd361d

SHA512
8a397b99cbe3c43bbb8891094016f84afbbe77c36d681e73d136bd466e24a1a263f3495482ec828edd44ae4439a3b02b04cdc891ba463f0be57911463147c239

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEQk.exe

Filesize
160KB

MD5
7230163f00f11933e5bde8e7b1428157

SHA1
bc63a5453970736eca0daa15cd770e74a1c2440e

SHA256
32bedac51344a6f07f01168f0d4357709c8ce20f7797feeef9ee126dde15abc7

SHA512
67a9b92653d249564cd9e58cb7836469bd5b5ffa84a58d4814de462433b2931df80ec04003a180a01c0d33dc55afe4706fbce4b95406d583084c2b3432a75c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMYQ.exe

Filesize
158KB

MD5
1c236ab3dd08fe35258b93a20ae43569

SHA1
85813d481e9488b18760bd034780efcdd3dd358e

SHA256
3616418e5693c2ff05f3b1e048a498828a617138228b363c0931ac10818166d2

SHA512
48a7f2336f7453df55c12e9f5518c488512914d2ff18bc04d50de85ba45672c873884a65e5996bb987c2705ea37a59022b1b857cc84fb7f6ba644383ee1c4020

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOwsgIEc.bat

Filesize
4B

MD5
235e13834a88af387b01ea53e7eb9775

SHA1
108eadb5f6d257dfc6ff7ca0b35f5d9a3c248f5a

SHA256
3f6811e539cce387975536b647c8b18546aceee027c94afbf0ebc62171b28cab

SHA512
f52e45087d0396ce7a080519d7aad93a00267bf0fba83866a81797e255d1e89293208539d4a30923f30553a85ffeebddb36fb2d9fcf001b4d8289aed3dcc85ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQkQ.exe

Filesize
160KB

MD5
02c5cfcaa45a9e5b070b0157c4c2e474

SHA1
7012d91e4fb11351f571621a9215da00bf7bc586

SHA256
febc8a6a0a676ea3eaa453456c51e2b9af94155acc30579de8a75eaa6b415706

SHA512
5ed7887191461b1e3951264b0baac7e3e8f7d982dd4649a4059057ac404f36b70cadfc0ccadd904ed6d2273201f1903807607172dbd5d01e57d1df514d241030

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikUAsAco.bat

Filesize
4B

MD5
3d5df3c90dfac180fc22a03d4924b156

SHA1
78cbeab6f106b2cb1bf296a3d11f6fbe48b936d2

SHA256
21c810b10088797c9d406d535af542bd76ace664918f10f5655a1215cb468316

SHA512
74d1968a72c8c6aef20583cf224dda9a1cf1001439c5c19568bb7e587da526cce0d030114a8d6b8a8002f74ae5e0d9f856c536726d817b3725e796d24183ed41

Download Submit
C:\Users\Admin\AppData\Local\Temp\iuYoksUE.bat

Filesize
4B

MD5
64b483aa1b70f6e4f9b459de91cc9ddb

SHA1
95d0264f56f545184821f99a213228b8b60344f3

SHA256
2b45bd4b138a5b536314d1e3453412d4d10e791f6ca9715b7bc025916a3a4055

SHA512
8519ae27d583f818fd44d5cc1fa447f0e45f40945dcf1f4aef431ba4bdf852b971dcc7597b578d2d5874bb22b6532aa1e955b3a27ce37372c4cc8f4440f14224

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEIo.exe

Filesize
565KB

MD5
d4743896aa77d9bc3c7f58e450045fba

SHA1
b0ae59a563cb2852c33d39064bbc7ab722e1efe9

SHA256
594b76050598f9aee2fda047ec9b6c1ff6a7c576f95e0317104d07fb8df90136

SHA512
2a790223ff2b7509b83c2749e1080b4c876795df4023ac2683cf36faa0d55ca58045bd92c0747d282d0ee95f0ed43f614bab1cb89432c8d089640a700536ed2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kGUQgAwE.bat

Filesize
4B

MD5
28e4afbc976861ddb126f6724ca43553

SHA1
5cebf106b732235401ae6ccd03ab450264ecf497

SHA256
6d7bb9a972148d3b3d67fd463ecd64122e7f279a8e7e12c81d61baf182b5c7a0

SHA512
640ef7d6c9f10ffdd0d593d3a153e6a4fade658955ae3340d5df6271ca3ec74517523ce1ab3f0df98a9c125fe818f946774dceb906df6c2ef3e9316aab48d951

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkwIAgsg.bat

Filesize
4B

MD5
fe45155e84ba94bd70728c00721ea4f4

SHA1
69aa46390755f9c1635a2ed918c9a3f162825b83

SHA256
94771e49bb21743ef597825d288ba4755c9820b0dc4f7a2c7d8683188349b770

SHA512
6ef30080955600f5df01793386ca5f19692fa08ce97aa25db6baf61384c605f2fc3957c3f25290acae29ad6f8cfac6af7a77966bd0dab44d9e689cca624e3014

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyUsgwos.bat

Filesize
4B

MD5
efe20387e5516c69151eb2afb7f9e23c

SHA1
884243e2ee745f2958a17c9fcf4c1e8425a3c9b7

SHA256
d7c9c6432249282e2ca06690cc6e7e75c4838f5632e47efcaf2f84a2f8219d6b

SHA512
a2d3fa879ceb0fede1bfb3437d4b0752117b29e226bf797b3e91a0969444496c1916b2177815b27a6f153e304a3df9e35460d689e26bafeaf52a44d1d3b7109a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lGMMYsgE.bat

Filesize
4B

MD5
7f8eae776e734f6b7749b81a61c6d8ff

SHA1
a4bb293e6e7fc92b7c610f3ba26fb943a7d17826

SHA256
b322c26e0b888cfedf556a5edb1bffd5782cf52c030fc0dfceb5e24df9deada9

SHA512
c8ebdb7cc01e1b99336a6733e4a9d19e2f7a2c6280a9993e61f8c664f6118814a6fc74faac9d561ef58afa77d3ffb44eb6e639137f014bf14bd76fbcf6fdfd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKcsIkYY.bat

Filesize
4B

MD5
2627aac90f8f5ba060d0bed0a2ff6c01

SHA1
beff3003d8c61d36f23ad0918645e7b792e3b650

SHA256
9e593c6651980454ce02e8bae98c8b1219776a8a03fc20e0e4206e1363d39458

SHA512
5bcf960b73339f8853fe1cab64188798d20e997d8e622901af2bbbf2e3965b138a50d71f9599783b41f32e36e5324f82a64312311d7cf471e60f283143ccd71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMkA.exe

Filesize
160KB

MD5
3d9af8240ec5f64aed90bf2b9db6b08f

SHA1
ac7e5b011e81f7427101c7e5630765517e9265ef

SHA256
ec503af30bdc300699c3ea75c07c3870581d0972a293824a708c6d4ea8acad49

SHA512
3943c76209fbe1921649b2e7f6f964e1faba705dd6ba0e1ffc15ff106e8358a5ff4b3ffbeae9b859082c1cae3b37591dabd18023a14c778fd84b6c6c528cb90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQEAsoEU.bat

Filesize
4B

MD5
743e8cb92d63e25b623b86f92247fd14

SHA1
b081c0571595a0c04ac8de904b39359befb35e88

SHA256
ac4a0816d407547352b3d7cb245de4ff6cc3c7bf39dbfb269d95476d48b77ea5

SHA512
afb174f91b752cca59db65babe926496c290ed49639d259fe7dd1abf6282c58c02377b105d104dd26e20649e551af871814b529e27a0bde73e0379805dd26142

Download Submit
C:\Users\Admin\AppData\Local\Temp\logscsMc.bat

Filesize
4B

MD5
2165e4fa5bddb65a31f6a0c495c2fa37

SHA1
474c797713f37901928aafb6adbae0241d1750bd

SHA256
98f38f12db221a8cf8ca7aadfdcd759b01d52eb4ebb3eedbb2d97e92805c6960

SHA512
48def738e2d0a1101c1a1d96279a624d68ac73a2ffc8adc528db5612d2e8760ecba148e48199a7db4a7751815f07806255af1c13b2b5a337ee8857d3d6d3e91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwci.exe

Filesize
157KB

MD5
ca9860eb050504109ce990141d9b7d71

SHA1
6825e7381b024d8bacec2af5ac9cd1c790fa18f9

SHA256
6d4c61760ce021e93a84d89e0b1e93a9781b7fb2f462b8ea8cc0a9b4827ac6b6

SHA512
6426d39578a04b7af6f33263603017238bc586e42bdeb3f9e2411f7a42802b8187631518ad047e226cb7e1c25a7cc3b8a56e490ce7d769ca1539734f9429cc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAYy.exe

Filesize
158KB

MD5
fde920419ce62bca868b4ad4ce4851ae

SHA1
804abb47a543858cc45b41e7d56915089f482349

SHA256
0a08e35dade84dd6c1fea79df6e9582d05f3763a0fb3bd2bdaa005d606078a22

SHA512
47bb13fa2f6b5cb4bd4e299d4b591e80d680fec0f87de4827b3d25e439c9acdb73a6bc6dba153b5291b7d65c1b349fcf8dc4c13a2a5cc74deb83918c4c37df0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mOosYkUI.bat

Filesize
4B

MD5
b0b161825940e81c15ea75eab3f7fea4

SHA1
176b6749d3e2564051928fc71df0845eeb2f986a

SHA256
0cdb3198c20fc383093dbb4d9990b510a4b1d927c8bb81b3f21e2fa6bbb99134

SHA512
a3fc8585d963ccb3079ee0ff73539b2fdd819fc5595223e39c7c546e315bc1861adbaa55c9c184289eb81dd2a8ae87329fd1c0213a754d75d346ce46fcb16bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYII.exe

Filesize
158KB

MD5
e7bdce88c9232c3e59ca0a947b9cb694

SHA1
564c415d302de7819c8fe25ef851f2a285836288

SHA256
af2043f824c0c8e6291d3ae2562f6a5d6040ccba904fc2040c30a0c853157171

SHA512
c3e90f0788e9b78500647ec672d8d13be0b17259cc2011ce80862a0a33d84afe70f453f12a0bea8ae5bc0c080a3ec4ef3f9c91fb300dc0f25318bca925e6b97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcoI.exe

Filesize
159KB

MD5
3c5b63d9f19298388073a6f2c34b51a2

SHA1
6e5767cb7a33cbd836d764f8cabf427fff6ec449

SHA256
6739c2b7e2f3d00eac104043c1c8d47265ea76d485ea97c3cc48bd2c66fb4d8a

SHA512
592e89bcddd7e7925b390442b5178cc3f6d52d0ba5bdfa7af2f3eaaff1cf7bddd8ae0d505ecdb0dca2f6a6d90d3eaa6c6d25936cfc00c3018aa26e7712c8662b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUUi.exe

Filesize
158KB

MD5
5def046c1fd2c6aad5b90d815b1fa088

SHA1
0342ca12a7c79e8af5d16ff8dd516ed3edaccce3

SHA256
7a9cfa9047db25b83dba2cf676da0d841e7ec92a5a8017d3350bd9696e05756d

SHA512
0bcf5593804b8bd4faf8a4d05831c8781040adcbf3200554bdd17eaa3f9be4664a835a04c42a0db5a581afe625e09092ed755f6a456359ca93cadc41291ae8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYIo.exe

Filesize
159KB

MD5
90d69c9330f8c7d8e7e87b5f41ff9187

SHA1
e6522671a7832644c06b210366d8da458133dbc5

SHA256
d6ea846d1da28c7e9a243911aca15f45e919174e4ebd6f6b7da59add327783b3

SHA512
4fae7e4483356c88305ec2dbf139e9511008b2596495abb6274906d38608afdc2177467b7af5d7829e54f7510ef1bcfd1d489e2972ae6b6b5b0354bc80ef1597

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncoK.exe

Filesize
158KB

MD5
18079f01aca69d9baf84ab3bb20f3bc3

SHA1
56bd16406bb8e5107fc57bc25cc34b4ee33b30e1

SHA256
e032dbf147a0a89383d8ebd04b6f8dad67cf1c34976851654e39b3d6afdd10b6

SHA512
d1d8daee78b18d317fbd1ced24885d9abcfed5d9200ae5646b4d9a33b43fc14811aa6e4039b9d11631b2e56cf020fcbf251af53ce80475e1508d72b305918902

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngwYMMUg.bat

Filesize
4B

MD5
51c3953cd903b928bb1bff0a956c8593

SHA1
3d64069bf4a452ddb8362defe8b260f252566352

SHA256
8783dc5289b708e7cbd3c5c9eab0054a13a08416197b1331e67cac89ba33e074

SHA512
f46101349c8710f57ba03b336009a91b1579cfc056d01a3a1e4033ee33bd7ff3a15c2f42fb00b75c8da6b77ca4afb57c58227d9e095dabc691dee7b70980e971

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqkcIMEw.bat

Filesize
4B

MD5
5dfcf4d360e6666c3305bf72c27489b2

SHA1
182734bef2e602839962dde2e93b1cf3f53416db

SHA256
ebaaaf8605f6a0f7d8ada4e4af4ef8a0e6e8e99bce94f1af042ebb7ce226b4e5

SHA512
f576200102e4b9302b68fcdb2492f580b9478e67e474338142e478df21c9cbdfc7d98f2ca99777bf5d02b3c3e326272155e7ca60942557049e53eba8ad2f33c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqwkAIMs.bat

Filesize
4B

MD5
dc6b722cac474acd31afe9caa32b0e69

SHA1
c696dd6667dabffa684cf04855ccce4cc537bf83

SHA256
5390e3c4b0e6a97990713f8d8641cb91a7ce2eebf8f6437f148e195d5ff84001

SHA512
79b1609d6a9e90e80f1bc535181f48a52a4d664c7c2d76410f87bdb6e5bd3ab8fe6bc4fe4e3bff727bf24fe4b7146b1701952ecc4c282894458dff3380250b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsEoYQkI.bat

Filesize
4B

MD5
119d9865a19f37a6bae2146523cb2564

SHA1
dec4c50b8c0185b548488e5d6195209ef257c8d8

SHA256
0d31994c94cbdbcb5b3ac6913cebdf0dfa02e136cf40311fed0afb6939f88276

SHA512
e066eadf6668034a2ffcf8435c75daa379a9ca7f695df5e4a90b44d53d04bc3d96def75df79054df6ec9df5375f410bd3b5df4e3f1303e0e4edcc9302db17ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQYkQYwc.bat

Filesize
4B

MD5
39f2ab7d6d77eb686dcd99b1b40cbe31

SHA1
86f8f6e78dad36c3cf922d9770d1134b861f801a

SHA256
f877ae7ce2783ddef496480d173c42c3cf7b3a0653bf6281fffa5c1256b30fb4

SHA512
c298e0f38b540a1a6cfc1120c7019207d899e053e7aa154f93d23df6436dfe42f6c926b4c6ffc646e032a1a5071be39e8278dc5c971d0a48cb838f8b1a96fc4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogEsQYMA.bat

Filesize
4B

MD5
91a65e2fc76a8d4a3d2635ee50308a21

SHA1
af6dcb89f725fa5ce45a15a322195233c4dd53f2

SHA256
dc8a9328bd84b2926a8e03571f7e2ff4ded21749830adf41c9ed769e4898a0a0

SHA512
9b754fe9643958ca67ed3ae46682e587aec8305c2e6840d399460819874b90394c16f904d65730a9520822bfb3a9c20c8a98c1a3a663ca1234f99f0de791b784

Download Submit
C:\Users\Admin\AppData\Local\Temp\owcW.exe

Filesize
847KB

MD5
d02695b556837c26a4e281b3706429f5

SHA1
45cad138f299b8d08cf7ed56ba6a8aadc9240424

SHA256
e4759ef1816cd2aacef75c42b63b5fbba46d23730ba5c5255381e97a8482b197

SHA512
1c99775bfe8318ac9df0a19697b26a2863b72e3ee65987a8b89ed6a1daa917e54b566db29fddd6b7e748252380140f392be89e386a619c3a48ea0931bf1f55ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMEu.exe

Filesize
158KB

MD5
1c45dfe58d9733718aa08f53baad2081

SHA1
388ef25ffc06ad31b1d1ddf70ae8f95a4c7bb020

SHA256
1ee27a263e68d54a2169047af5914ea87cfc6a5601579d62a286865aebe7ce78

SHA512
6ab6bd3ecdd0022f83c0eee0b55d60fdde009779ec2394f3f025b5abbf14efd5a03bb607e213d09fd03b0b910f445fd2aa0beaa6f148f1db8200d3962c94efda

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQEgIoQk.bat

Filesize
4B

MD5
ef7736cc5d13f0dc30d30a57839e7c78

SHA1
178e08dc77c8bedd18e47b9666710f09b5d89f7e

SHA256
265d7ff1c9976f04ef28de840bbfaa2849bf1585540ea99a9a1a1c19728e3584

SHA512
3037d7a7e03834e28f0222e3a1a5dd65219644cf900f4e4fd4071a5df75d60357f4c7e2e3ecd4d556710ca82b804b2947ff25a2395f998a084bb43c3dcde285a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYwgYQMc.bat

Filesize
4B

MD5
5ba179941a93e0376ceca56243f0b982

SHA1
a9c40a27db0d4674a804f4e40ffdc63b5a6869eb

SHA256
0a66af644825be2e65439c945634fdbd4108e9f808a24f3125d81058ae42aabd

SHA512
7d144ccc4eebc9382e4ff9c0a0769cbb62851e676d50a9a6ecefac4320181bb6417ee8fa01ae5caec09535afbac6da1819f6db5d13cf949eba7ab21c81bd358e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcIIgYMQ.bat

Filesize
4B

MD5
6640dff4529fceafdb6680784aff8142

SHA1
87d3aaf4ed47379eef88292070e3cb0454a34604

SHA256
2cafdc9ea2645419b84d67b50a03255a5f79ff61f5b035bfbbbc4142a2b3a63c

SHA512
6a8af5474a6e48afb9519aaa6dde962b09d604efd982a62ebee1fa1746cbc8dd90af08f3e9a5e560446356540285dd60a2061bb84e486f046374ff5ae91e22c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAcIcQUs.bat

Filesize
4B

MD5
726b873d72aedc74b38e32328149e1c8

SHA1
1458fd157ffa6676ce1d3d76475e5de19e652b90

SHA256
d7eb9bdd4c45f00c8f6e7a79de2020670915a58ec9bcd6ce78d0940ea1926da7

SHA512
e52004fd0f1b00f58ad8f5a58ba8538a54444ffb1d6073102fd7350e93d269391a3b9c30c5492624ddbf16e9e5b30187557c8d901274e81e616dbf51792ca46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCAYEggs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEIosAco.bat

Filesize
4B

MD5
baa0674f83ebcf9decaa02c0c0128ba0

SHA1
22cc03ff61290cccc2e76b1d0d206474200fee8d

SHA256
7b4ccc0f316e91d9bfba208b42ac2a9f131a9a2fdbb9a9e8023a984cf2366357

SHA512
e009d1d053a9a95dbdf7599983757eac2a1e236eabbac9e46a5643df2733640386f0a649da12d26c2d327abdb61826863bb2abf67df7237860824dc72797c93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEYQ.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUUswMoU.bat

Filesize
4B

MD5
1c8d191b8a4f39301888cac523ab3edb

SHA1
d42811313d3127ea9383fb531eb01a41adc847f4

SHA256
bdc114f35d46c5008620639cff1c753e9bf9548989091b0f70c0794f575b0f21

SHA512
4f69f4fbcb7c3bb6ca4a4467c3efaa7f9dd95734ccfc49fa9fc5e4cee283924102e5cfe173ef8182dd165e22ea3356227cc4d55da707be33112540248dd90987

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAAi.exe

Filesize
158KB

MD5
fac3e519fea0f0db63c0a4a763d0b921

SHA1
d2ce1cd655a05da8aeb12b8a6b7f1238c9c4d6e1

SHA256
fab6dcbb66aa571f325fa508b79680e8424f71634168613e8cd37877e205c3ee

SHA512
91786aeaa7df32be89bc7cfe2e712c644d9b7cf8d8738ca7cf9f9c8ac16a6438c1b8147f5a175f9d51e1c7ec3b6ff082ec8858f05bd018ac461925a0cd0ce227

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIEgsUYw.bat

Filesize
4B

MD5
09d0a9322dd9975a258d65f782ae13ef

SHA1
ea12d2ab8a216c667d8ec9b11c1fae46723b838b

SHA256
3fdb71d6328ce271679b0af5fd34cedfdf1f00cf2097e87a0b530e88dbae5e1a

SHA512
6138ff75f124b8e22019d62f6a2314461ace22059535a1c946e848e7211b33c22a50f3173fe5fdb1b5e5eac9c4eb30922f57b4507567a230b4d28135d142d50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIYEQocY.bat

Filesize
4B

MD5
1e4289a8f412a86420dcf598fb4a5825

SHA1
31f45fc7b1fc96daa3eaba3da6362281941c96f9

SHA256
23b7eca3fad53610a90de702a9425cd811849a1d101817cf9438db6da43e0d88

SHA512
547dabb3a11822d0c4d65bd186a2a9117a98a65afb802234cc030defd7d55e25bcf4e583fa78e62e04403a4c3f1fa99bc333bd71beae7b0af1e18e2745d5abc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\reMAYwsY.bat

Filesize
4B

MD5
05cb29db823a3adef6934a17f68d84c7

SHA1
010eb7ab0e76df7a59b461ea22809cfa5dff7d06

SHA256
f5fd5c5c9d5164c71e2f1692bd37fabe680cf6b3627f46f1e67c89a04001a886

SHA512
09cd70eba88bb4170d0f0d19ad4ea9efe12bc95dac7b8a20e8d3d0c4dd5dba4e6123b5a5c852669ef00bb57b6411845ec5252f5594bb485c1d095486c48ad7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rigAYoAk.bat

Filesize
4B

MD5
dc906b3e73bc043771ff46a76790cb41

SHA1
fb00e802b4e424b623334b9732a5f43112549d66

SHA256
fc2ed41535f793e9113ebee5f997e47d582981c3b2aa5f338f5a23bde20679cf

SHA512
c8fa571e1eaa9c16ff035734ab430c286e439fecdcbe8e0ba86608cd1388fcc9b615ba3600d2c1cbc6c3f9044b3b3390646ba787f391d5d8cb0b1b2dfa40091d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEMW.exe

Filesize
160KB

MD5
9e2e5ed05ac5a71796d5af9f1d739138

SHA1
139400e108a4120a4ccd91575a77eff518f52b05

SHA256
13daa7c96750262f6b0184615c91b463b80949e1987a985a3db4249337cda754

SHA512
c1fb3fb12e6ada7e18ada892422e14e81771abe376def3f8dc34aeaa6d9195484521fb730ee624582a1c492917589ab4c40d53c947f69f10d29cb1db1485f216

Download Submit
C:\Users\Admin\AppData\Local\Temp\sGMAQMYg.bat

Filesize
4B

MD5
7eb5178e5d575d4676b97e4ed36da5fb

SHA1
e0f88f1b7185227480f22f172937157472a835b5

SHA256
d39fbf680e217b0fe494839e60910f6b9117c3242b3297e026a4f2abb5e0c9b1

SHA512
8da43d791fdcb94c3cc4ca76e7fea77c4f7b971648108853f74b77f34920230ff5c639eecf6875a260b48554ce2c0b75aec1826703006b48240ee473fbf4b521

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYYsUAMg.bat

Filesize
4B

MD5
840b3a9e9de4cf80594cb702bdfb6635

SHA1
ded6a540dc2b8d3f765433529116a58f7a697f9c

SHA256
8b5562cf8cf266a3bc9ce5538a4886a95c7e0bd57310bdc87fe2694d5ba9624e

SHA512
7fa64d9e8fa4da6accce17f863dfe3e78d7381a361db97f56e541b5ba8401e5db97e0cd35daa8e3638b1e53ebbea5e1b27bbc1cdd620fa631aa590bb29b5e790

Download Submit
C:\Users\Admin\AppData\Local\Temp\sckMMooI.bat

Filesize
4B

MD5
beb5e8207ee9f8ece897666b0ac0bb83

SHA1
e4e551badec2badc7acba583595204f6f2ca6c88

SHA256
51c4f3c80c15f795576f8af22f49502318f3f4d5dad2df8520fd0bc263a4d575

SHA512
001869e9f1e4cde15027308071045e4f14264ef8a434cc2ddd2ce1eb4450ea32f2286d99db7f1276a7e6430e463c8a61d035aa9dfac1a4d8b6a6de4a2f87f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sggk.exe

Filesize
157KB

MD5
21e618cfa4bd86b6b2da35a9abf80b48

SHA1
032496366d2ca108d69180e50bcaf5b13c4a8068

SHA256
36d93464111e7435c4332470585cbcbac288053bf4e5c767e2b62dadb37c420f

SHA512
34adb2fe8a9ea7f1d78d4d9183058a7228c2674a725a6d07aa2ad2eef2f1025bac26dfa88cb1f6f9e08dca5d5b2eceb5e3f167db0dac4c6e3bbe9482f12f8df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\skUQ.exe

Filesize
157KB

MD5
26dea686458b14bc58a873a0ab32dd88

SHA1
406817052797102de24243880a6de632cd28b52e

SHA256
228987e735211bf3aa1b82f923411d9431c976c101113328b2a90cdd02f89a80

SHA512
b85c6c536364c01e66b7986a2d5907d680351ac2081d1f5d361987649a2a7972f301aff157322f06a5be7481a7c10401e984da766fd991097ccfabaaaee9279f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssEq.exe

Filesize
159KB

MD5
c1bddafbfc76ac7db347fe07e06893f8

SHA1
b77289b9c64eebbf996dc844debc617c291c8f61

SHA256
0d26e46365b042b2ce35cec5fceb55b090e391419abbac08fc94f57929f41609

SHA512
f9b9569d875da8e9b9c08d6fae8a613150dbe2fd833d53d72c4a3cc238646dc2d840a94db5cf73a5575d1bfcb76b3b32e787e3a0255e959bc0a031bed4433fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\swIk.exe

Filesize
155KB

MD5
e529b85cbb1fc27fff653db84d99387d

SHA1
30a0c33a2529d9ea2d19d9a3b2a7c9196905a354

SHA256
520efe4a63bf6141dd325641c582ef2d3e8c2ca3e3fed1c3bc8b183fa60da524

SHA512
9dc3233cc003e7c1ee4ffcd42210817d2cfb549ba191952c522cae8b4a6e068eabdc91aa4d87917011cc202dbbc85a48101616edb71564024b6be6df4fb7139c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgccoMEw.bat

Filesize
4B

MD5
a22a5f8db54d170d15d5cb38ee66e69b

SHA1
f819b5ce8f712b1ec7379b5551e2870a636b1a61

SHA256
44d5ceff85aa5b8e21c84a70d5a78499e953ab06f84df45d6c0a522b6c735b2d

SHA512
4dce67ade78afcc580d7c012ac0bc9a29d13c1ce1969655a91a39ff703022190026d0b9b7d9ebb76a0e05a4ccecd4eac14a9bb5bade4cff0ad2a78c7255aa8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tggg.exe

Filesize
158KB

MD5
bbfdfd8da09007923ae82d14b1a3b074

SHA1
b8e48ff72aede8ae5733643459e0d9ebed3b0b6a

SHA256
71b74eaaf720f6cb8cc2330e0593bc01647bce0be1bcd552b5ac06330034c1d1

SHA512
ccae1f3286aa00b51a6ce3854db7a16bbc9b599ca54d647f73769b1a9ea95b70349dc72c29559fd6b1defb01c6e1dd9d5422c34bab0fae04a1b9bb87cdb8aeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAsYAwQc.bat

Filesize
4B

MD5
e1d52d54be6cf23f9a12c8c2ff630022

SHA1
6c2891bca040cfa719d388d31e649c3b32670234

SHA256
0c4153a705e14685d319417191796b3f54da11596b347b81dd4d9fdc4312de26

SHA512
964f5453d75d14c68907fd780d2366c0fd7fcb643aac6be566648971bb1f5a937eb4c543881f18bdb2b896972520f866a6de254d68ae4a0b754b4d59e40bc2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMcoAUQw.bat

Filesize
4B

MD5
0414c1c166b616b98ad19ffe240273a0

SHA1
851f0bf3c73428f011ad3ad0db278b9e8e04bc15

SHA256
b46b67c0596d646cd950684daa705651a5e8a546f43f79ba5922e9b588d80dec

SHA512
189582ee7d5e993dc9599e3eca5b3333ad787bd01bd3957b00f3d40acb3b0759617752ee215c652c91d5bcf38b2330033ccc495d5c3f98f9905230bf5b66851d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQccQogY.bat

Filesize
4B

MD5
6ad111ad7d460879e0e88822f53cee62

SHA1
67dc6c55f0923f5f4a8e7eeb78ebc85746fe96e8

SHA256
30d3cae27f74245722d9b84792d72841a3e2b4fa34e209bdec0e01655daa6e8f

SHA512
5709571e8dfd5e40fe43cc2eb5ad442513d3cecc802bb695ee799a45a5646518ee6e26feccc3fe67f84f6ae62cd0baf2e36e91c6afc7cc4056be314a1962b834

Download Submit
C:\Users\Admin\AppData\Local\Temp\ueEEAgMg.bat

Filesize
4B

MD5
23d268dc20f8699e21cf6942b470c8a8

SHA1
5d23c2ad0cbe67677fdf23ea7439cb85dac3520e

SHA256
fbca9bdaf41ce87f3894c4aee3b17be8afeb5c5efd3f6d3cbe559e0065861116

SHA512
07055f7f4b9c1ad4eb37f42756a79f4b0a5eeedc715bb5dfe7c70ba38bc76baa4d8e4f69b74146f3797bfe5011e2c6f7c962755433166ca89a5205072aa1b292

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwwW.exe

Filesize
160KB

MD5
d5005a9b2df243e97a713a068549f3b1

SHA1
54794ad857f45bff03e8efc8ebcc44b2aefda46b

SHA256
89f386469ac90336b8e683c6cda1ae83a08a7bcbe4e48bad456c533b72511ac4

SHA512
a96f18749b24beb6af379980990aa9523ebef381b332a42fe34dcfd308ed87358c5c46d122b53bc4b8fcc310eb08d88fc32e6dc442239f8a1cb49a746cdaa558

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMcW.exe

Filesize
157KB

MD5
63e639b4897f4b91c27bdbef38ca7760

SHA1
70f560641f49d2c99e568a0bf0e2a6e3a1ddd600

SHA256
b05a2a5161ca37fefddeea40e5f7ecf5cb12457824f3f4c612c866b0bad7679c

SHA512
d7b8601af051e2e276915a20099bd3510a4bd208235c6142ca9122fa6aacce71ac4f2438a518726bc3871d05bfa7f8175cef6e4ab02032c46069f8a267df2ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQcMAUok.bat

Filesize
4B

MD5
5b1c5fcbe342c2a808b5f226eaac5853

SHA1
6d71452195f2e8e57bc09298660fb34b0d8146df

SHA256
b95a3d0195b00886c4ef7f2e8b56d068405c02ea3f891129c3a9e9ee8c0ba2a0

SHA512
6b54c81f02e4489b2983f72b2ce8b08915ce77b4c6c5e5ab8207249ea0cbc9c03b6ea9db7c70ba32ebbd53d5f5ae1162538410664c61b400c7f5501ce5991b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\vSUEEUAc.bat

Filesize
4B

MD5
63b90dfd78c32e556021197134690852

SHA1
9fdebd51c5ff0e9449e49c8a0a154dac87b48b81

SHA256
f40e1e146da09b7dfb646c091d9a6c779aa12e5be24c2297863ba67bf1ae5258

SHA512
cd94f05d55357da6fcf40e0b587f845810650d0576cbd9c8070a796f9cde79303bbe16dea8483ccc2ed1714ee9cbd869c291236207f689784b88a455412aaeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgcUIcYk.bat

Filesize
4B

MD5
fbbb63d3fed115bdcf3c046e747813a0

SHA1
a8efcabba933a9c53c77518c9acffcad4b50e364

SHA256
b042a65bc347b2aea625f5ebdba4555889e3d3b65bce26e414cfecc5cdff5258

SHA512
9e6da1530b5e2d8b56b28d909432a28b77dd6941ed3e0894dd36ed1b492c83105a7eb069b068c6c2c27abbe8f9cc94fca0d0b9d0d0dc2fd2d336bfd6ac0dbdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vggMQcMI.bat

Filesize
4B

MD5
00c442e3a7a1e8869320fda90769aa45

SHA1
0994bd5f647827d07625f1b79455bbfdfaaa7dee

SHA256
80ff185515a3ceddbda484fbe45464684a083694c1a698b83f6aa0960b27d86b

SHA512
bf2f1646800a7a73084fd7227c833103a81016a53317fe2f5c374c74f15feed41a623397effc3b9924ce92a23d00953570f511164ff2195047214d6cb421dc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkYq.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsgs.exe

Filesize
160KB

MD5
9bb9d443cdfcc7b132bee8998de24efb

SHA1
b524b82998073a4d48f61285552d50d600993af9

SHA256
8e14d7152c82a0424233a238a6b0b10ad7180f31b06cd94e656bbf1402cd9e25

SHA512
ed71fc7a5e2d40bef502a20341bf938c8f0c98629c24f850698b6d5c2c67bc1ddcb48e55f46e9ea396d6ebba1c98feceb4ece351a8bd277234d9f3224d17e350

Download Submit
C:\Users\Admin\AppData\Local\Temp\vykQgoEg.bat

Filesize
4B

MD5
45c39b55fcaa8861a89218239adf2706

SHA1
53d65f5877b67563a4fd16e74b1a3e2c1c8addf1

SHA256
756874acb142b1996fb2b069c69e57711452113898a64dbfec8c92aa2a3c0a74

SHA512
aa83ea169115bba52eace0cbc7d6d73fc99d15bdcc6e7d649a942a42c6f93314117013a4b7b3db3a58034a012b6c17bf969d433388a8db8b02ddd4dbfa5c34cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAAQ.exe

Filesize
134KB

MD5
eea9a0ea0490e6e794fb25dc11aff77a

SHA1
f8a7ae070833def531b50237503370450bf7c6c5

SHA256
879b6d2837d32d4352843b51a1d446be465b51af56291cecc9930255d8834302

SHA512
da97ae5720347c09c59247fff477d77544281c17fe821eba66639643af25010a44679bb0827b3bed009e95b48b4d2171d8a01e55b69aeba47af3c9fd91f17cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgMe.exe

Filesize
157KB

MD5
7c8f0672ab5637bd71e1b2ca58150324

SHA1
cd50e0eb839afb30e1ef46b35b419d7bf8cc474a

SHA256
eda0b5a97ed25c633b4adfac3acdcca0affcddc8b76f3bda6490d1f374bcf436

SHA512
8c1a0590572fbc485ab5de681fd330de69cc17dd52e560cb4aafc8fff1d7970409741f8f0931ddd3557cae64de5c2eeb93f20d97e5025668645bdd06c2601660

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkwy.exe

Filesize
158KB

MD5
ebcd0c3351e99f02d0b1afa3d843eee6

SHA1
3841329ec358e2bc7f8c290b651dcb3a9dd4aac9

SHA256
d1ee17b3feceb39c97f686769cd3d2156f66895b77f14c7b68a1185124881331

SHA512
fe44a18ca5c1fb1f995963ad58666509c47fb1456741c9286deb03534d709e95db86a9a7d8e7b1cb86ca0f9493768fdc8926beb16704e9d318ce63974423e687

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqEIkUYI.bat

Filesize
4B

MD5
95ed8ef57458d832bf1522d36907003c

SHA1
c9022e6c186114bc5219bfc198fe11017d8c7c00

SHA256
a0e6c59e9fa3a244a6935e488a891c28d44650b774c1ee464ec4ccf94c4f08db

SHA512
0e87802258a4e05d1eea1e062c7dd1808854d3d096143aeb525705cac7b498bca53f29954ab15f5b990c64296ddbbfc7a759965cb28b32639a176da97d23e115

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQi.exe

Filesize
157KB

MD5
5bd5e68536b47180d70ded3041c88c82

SHA1
c6b1058eed8d3ec0883bc3300bb2b80c301a1735

SHA256
7e9e12aad0f0673b135dfddc81df6784e8ff6aeb66fe3457a96bcf639028aeca

SHA512
718069d8815af568e3ac5101ade07917ea1f7ae4153f119cd63e25b3756b9e03e4b7db1e8482e8ff32dd78e61e85b9a1a78c2f337c0fbc5c17a68e988bd91e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsEG.exe

Filesize
159KB

MD5
b546707b9574be64b496d98cdfc984b9

SHA1
8106cb1cf7d9943ba404fdd245ab6461009f672c

SHA256
6d33a631c9fc2afa9f7d94e774f563573ae1a660528f194336140a4521644e59

SHA512
8fc07c76812b47760eb21c1df532a7a13070a5f61ef936fe7acd6853f7b9443f52d39db72483eeb418683549414ce759a4489cb43e744987fec9ca5c12b142fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\yCEMQsoU.bat

Filesize
4B

MD5
b58889ba6e681cb02c1fde78ced2aa50

SHA1
d55fb1bab7bcf927425639888005cb60d14ac83d

SHA256
77a4901f37c13156577a689a2fb5e60a237749446af3b5dc94765705717ccd41

SHA512
5f31bd4cdfbca31b4b3a343f44b95c093f68ef7ce8e325bd9f13cb0398b8470d3e942db271a2cba14be66a0a9a54a73542cb2b9bcdbf947ed27e1a5ba2f50002

Download Submit
C:\Users\Admin\AppData\Local\Temp\yCIsUogA.bat

Filesize
4B

MD5
b43c8381e9e22560f59021506a9396e9

SHA1
a35c136bf692e720877b4a737e34f8320af2e82e

SHA256
e9850a2715c11577b20b8ec29dd398350bbc3056ebb915fb699daf2c186d7814

SHA512
e8e8298cfc0cd1d034b31c93cf512fadb2901b5fc47911d102abdf4e677195ac6f04cf41717e4daedcde12f302f07c33c91f9af1bfc463322f1adc949e93e496

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUYoscsM.bat

Filesize
4B

MD5
a9965615804b031dda3717e73a3ef868

SHA1
3054c307f046489df7533eca1ebc09bcaa9e415a

SHA256
631df1903dc02a7d2d49d3cb6f5bf41126ede665d4358f8ab4cf014b269b8a35

SHA512
83f004737e5bac727f1a338b8afafe8474c5b816bde5bc05c4313cfb3d0aa1bb1cfcbf2e3f94b0b02a4592770e29e9059d60bbeb31823115ef813414777abecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyQYMccc.bat

Filesize
4B

MD5
6dc6e7ac104dcbfcf0bf80cbe64bfabd

SHA1
23c1c801f5af7311f5fc78b5b6fbb01d72129be1

SHA256
d297922e875d12cca08adaf2fce3df41446b2abf282aa81d4837fb7f6760b64f

SHA512
aac42582010383a187910c4542721205537d176ed9e6d24f7c1e123b3433e1370b1f37298fbccff232a8b6a7915bda3ed86ee3b1cfe38b6c3af9592d777c399e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMckUMwE.bat

Filesize
4B

MD5
94e52e5a0349b615a169d6f16cde5068

SHA1
7a9edfacb1847e2f2fee8db8af6b2bda02104853

SHA256
35e8bc9b994ff4d3b1361a09a87b0eb052ed05443b905db216e9e1c8cd978f1c

SHA512
1d7fb954b4f7009cab98c4d60ac4cfb704285b4083edfdc606b401fb1f4708c50eb2a4da00b95c2eb6526987fe7f054fcc22e5a65736ed39fb16cfd37122b516

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMsc.exe

Filesize
466KB

MD5
3f851cebfb084775ebbae6c1462a6e90

SHA1
6943af04e2d05ba7fa184fe42ccd6992261eab74

SHA256
72ee5808b03f3706337ea670152e9d70293fe0c4d6eeaf3c8fc9fef36cef5f4b

SHA512
774b5b0133ffad2afb1fd03c0bab7c92b2e91150607313e4ce2e974202c7aa8ab889ffd88e759ae23cc89d3edbf0388e5e06d57667c99f15101ef4f3f2c1cf8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOYQgkYs.bat

Filesize
4B

MD5
7b66b5e47a7a850ba976d0a13212685e

SHA1
e3a4a3f1954333d161f53cbb266ab37ae051034c

SHA256
5be76bd4a42c60bca0f01c2d1af00da857ec95d9fb46fc2ddcea53ffbf973daf

SHA512
7cb30310a8cad7a376f2cf23ccd0765d777b8f2e23f4c541af3ca6c1b09b40ca8262d7f758bc7b042546861e574d2dde052df41170197d3083e276e552324826

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQcQ.exe

Filesize
158KB

MD5
b35cf46858dbbe9d1ec798ec3c6e843a

SHA1
d82f076f41778f93d6f314dc52cb6d33709edb3b

SHA256
268d718025a0ec65063e07d456718855a84a191465d5720a086d3a87a1a80945

SHA512
c4b2db74e0d960064ecfd70fd0180769f2d35038a5a617cafa72078c16992d55b73380db697c2667917b35041a97619d611f39a5ab5bcd08502925f322c1cb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeYksQos.bat

Filesize
4B

MD5
f24fd8cdd5b76fe7b538b3b943ae8b48

SHA1
33d6625b2cb56133d695445bd53b070e1e01366d

SHA256
772e1a3fab87f598b670edb7f214cd572f6d345a207e3d50080fa0da6e0b058d

SHA512
ec60a9d3b3c878399658d135e78a8e954893cc229d6eb20384eb918add162869a2a3124f08324c2677cc8e9ae414d78329b5f640748c7d31bd1334f238a6b12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zisAMwUU.bat

Filesize
4B

MD5
c2808b3ade9ee0b26547a184b9aa7453

SHA1
ce7814167dc7101e345d56f6d3fc9388807b726a

SHA256
bb0a18909eed4aa71294c71291e52aca959052cd9010304ef031f08df1728998

SHA512
cd7c7bbbffa67c75c7a34a40e58769c50e6f65ae3f0e06ff0f6214c4fa87539f2d88a0d01b40fe273b73df75e133f0334e808ee593f45e4952af80f774261300

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmsIsAYg.bat

Filesize
4B

MD5
6343e1df53507f7a43e2b035c52bec71

SHA1
258c8a414bbe00a963466abe52cb70cf16b9cd7b

SHA256
952f41431dd779f18877a5cc09d09b5f5d4f9b901d00ebf4c0042cd8d327cbc2

SHA512
647b02eb69c7100276a4cc84214591953070e35f24c6bcabbaf1d258a1989e4990edff45e1b21824a7a00a63e8fc1a1f6d1d08c70cef7eca891df689e1822c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoAIssAU.bat

Filesize
4B

MD5
db501b323e79469e27eeb6313d487d7a

SHA1
5159a184c01145b98cef862db50bcae3d8b880b0

SHA256
1d3cc9d5ca88acb270efe545b0e969f61dc0d21feaf7d0055a52c0a88c6108a1

SHA512
e537f89422af7d88999b3fb33f3988faf4aafa3dd6b476043f8db98d3ea142145980be7711eca0d6ee92638136bd18702d6025e1e66d21e42160a500a6e356a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwQq.exe

Filesize
157KB

MD5
8cc3f2a72652394b6f0151536c30fe88

SHA1
00d09242d1b767a0eb83c9c91e2985b739712735

SHA256
ccb1d713af25f7b4ce7e2fc37dc3fac381e7d80975eea88218a65a8554c7b7bd

SHA512
35c09bc96e4eedbd6f3a9f242bebc4e04f358eb9812e622b60e7d26686281d012d7e794154ff9b18f38b2e953009c41e8d40c2df095a4052a885a31fef74e59c

Download Submit
C:\Users\Admin\Downloads\ConvertFromBackup.zip.exe

Filesize
849KB

MD5
cb1c7688a4d877d24cfd03d529f005d1

SHA1
c2461a708780134e18cc37586236ad3278301da4

SHA256
67aeecab09ef7377888fcd059c507290745bb26ef4b9c0914f634b70d0324d6d

SHA512
83937c4ff3da38d50d7d833ddb8c923573a34f0fa76f4aa8120ea814fd6a4107ca4a15912310b8633e19f72e4076643ae16b69c97f1b8ac37199a8585886d536

Download Submit
\ProgramData\pqAoUsYQ\imsQUAII.exe

Filesize
110KB

MD5
ed3eef7012fae0aa377874cf2a79cd56

SHA1
0fa9dc8ac4b3f5fe135da3ff5f15880d3455a31e

SHA256
6e7f3e37069c7b05cac228486bc39131babb0607199ee51befc85aa4422efe74

SHA512
d4d4c70a39dcf3a94c1a0ff65c05a15d9f1df99ba9385113b9b47e8240ef469dc61c2fed8ea38922851b9434164fa1e7ebdd19fd7345c8de122952a07dbddaba

Download Submit
\Users\Admin\rsUIkksI\JOEIcwgU.exe

Filesize
109KB

MD5
8df2479c54441def4dff5430d2ada6a2

SHA1
53071fc3151f32b5de113307cc9882c794b0ec43

SHA256
eb3ba188577f8f0d8859703234cad8279ba571a2b74bdc824dd4a46a241f3d55

SHA512
b5e79d1792bae3dec45e76416279f4a7b0259aab36836f86a8d0fe0ae47c889df1225d0098002f11f436865814fbbc8cfbfdae9e5e9af365ba030064226f1a16

Download Submit
memory/764-63-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/764-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/792-393-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/792-370-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/864-207-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/864-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1000-66-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1000-88-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1108-345-0x00000000001C0000-0x00000000001EB000-memory.dmp

Filesize
172KB

Download
memory/1324-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1324-244-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1328-277-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1328-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1404-103-0x0000000000260000-0x000000000028B000-memory.dmp

Filesize
172KB

Download
memory/1468-230-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1468-383-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/1468-254-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1732-221-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1732-228-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1876-361-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1884-134-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1884-112-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1888-64-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1888-65-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1900-268-0x0000000000130000-0x000000000015B000-memory.dmp

Filesize
172KB

Download
memory/1944-415-0x0000000000270000-0x000000000029B000-memory.dmp

Filesize
172KB

Download
memory/1944-416-0x0000000000270000-0x000000000029B000-memory.dmp

Filesize
172KB

Download
memory/1992-33-0x0000000001F30000-0x0000000001F5B000-memory.dmp

Filesize
172KB

Download
memory/1992-34-0x0000000001F30000-0x0000000001F5B000-memory.dmp

Filesize
172KB

Download
memory/1996-298-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/2100-135-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2100-136-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2132-79-0x0000000000260000-0x000000000028B000-memory.dmp

Filesize
172KB

Download
memory/2140-299-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2348-313-0x0000000000210000-0x000000000023B000-memory.dmp

Filesize
172KB

Download
memory/2348-314-0x0000000000210000-0x000000000023B000-memory.dmp

Filesize
172KB

Download
memory/2372-417-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2392-29-0x0000000000320000-0x000000000033D000-memory.dmp

Filesize
116KB

Download
memory/2392-12-0x0000000000320000-0x000000000033D000-memory.dmp

Filesize
116KB

Download
memory/2392-5-0x0000000000320000-0x000000000033D000-memory.dmp

Filesize
116KB

Download
memory/2392-43-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2392-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2432-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2472-151-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/2472-158-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/2492-185-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2492-206-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2504-31-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2704-300-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2704-324-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2708-160-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2708-184-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2772-385-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2772-414-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2856-315-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2856-344-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-369-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-346-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-175-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/2956-174-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/2968-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2968-161-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2972-89-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2972-113-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download