338148932ece144ab27de71918a610fbf2c249b0f7b673277e9ef0cd67b27b18

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
Size

204KB
MD5

70b44f5eef4df1621e863e49c01402c5
SHA1

dd3b50bf475c08766a72f668228d940f6ccdbb9f
SHA256

338148932ece144ab27de71918a610fbf2c249b0f7b673277e9ef0cd67b27b18
SHA512

d19b3ae5899aa07fa7179ec9df62368a3c62f28ed52f02b266c4e47f2aeea4e77bfcdc2a4218faaaa2511ea330f7faa64f7cf6fdb33e1059319ba6424e74e002
SSDEEP

3072:IWsoKycRpXJ1TH/feRWJhcnYajlENhhyiP8Gbv7WwZ7:hBKL51TH/fPhKYajlENDy0vKwZ7

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (57) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qwUMcEkc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation	qwUMcEkc.exe

Executes dropped EXE 2 IoCs

Processes:

qwUMcEkc.exeFKgsYoIA.exe

pid process

2936 qwUMcEkc.exe
2204 FKgsYoIA.exe

Loads dropped DLL 20 IoCs

Processes:

2024052270b44f5eef4df1621e863e49c01402c5virlock.exeqwUMcEkc.exe

pid	process
2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

qwUMcEkc.exeFKgsYoIA.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwUMcEkc.exe = "C:\\Users\\Admin\\gusYEoUc\\qwUMcEkc.exe"	qwUMcEkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FKgsYoIA.exe = "C:\\ProgramData\\LgoEsUww\\FKgsYoIA.exe"	FKgsYoIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwUMcEkc.exe = "C:\\Users\\Admin\\gusYEoUc\\qwUMcEkc.exe"	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FKgsYoIA.exe = "C:\\ProgramData\\LgoEsUww\\FKgsYoIA.exe"	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2916	reg.exe
2052	reg.exe
1492	reg.exe
1928	reg.exe
3008	reg.exe
2840	reg.exe
1804	reg.exe
2124	reg.exe
1776	reg.exe
324	reg.exe
2968	reg.exe
624	reg.exe
2304	reg.exe
608	reg.exe
2612	reg.exe
2660	reg.exe
1676	reg.exe
2716	reg.exe
2120	reg.exe
1728	reg.exe
2304	reg.exe
624	reg.exe
1052	reg.exe
608	reg.exe
2076	reg.exe
1960	reg.exe
2560	reg.exe
2280	reg.exe
472	reg.exe
2476	reg.exe
2268	reg.exe
1164	reg.exe
2640	reg.exe
2360	reg.exe
1820	reg.exe
2596	reg.exe
1300	reg.exe
2540	reg.exe
1100	reg.exe
604	reg.exe
2980	reg.exe
2500	reg.exe
2492	reg.exe
1364	reg.exe
2388	reg.exe
2732	reg.exe
688	reg.exe
2240	reg.exe
3008	reg.exe
1612	reg.exe
2616	reg.exe
1856	reg.exe
2600	reg.exe
1544	reg.exe
2616	reg.exe
2640	reg.exe
2184	reg.exe
2172	reg.exe
412	reg.exe
2748	reg.exe
3064	reg.exe
2180	reg.exe
2096	reg.exe
2964	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe

pid	process
2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2792	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2792	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
384	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
384	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
796	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
796	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
628	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
628	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2744	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2744	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2916	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2916	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2116	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2116	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2896	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2896	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1688	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1688	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
572	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
572	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2500	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2500	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2300	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2300	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2880	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2880	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
452	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
452	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1776	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1776	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2892	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2892	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2988	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2988	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2780	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2780	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2980	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2980	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1664	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1664	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1788	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1788	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2676	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2676	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1672	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1672	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2832	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2832	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1040	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1040	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2964	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2964	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1644	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1644	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2648	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2648	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2772	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2772	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

qwUMcEkc.exe

pid process

2936 qwUMcEkc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

qwUMcEkc.exe

pid	process
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe
2936	qwUMcEkc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024052270b44f5eef4df1621e863e49c01402c5virlock.execmd.execmd.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.execmd.execmd.exe

description	pid	process	target process
PID 2868 wrote to memory of 2936	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	qwUMcEkc.exe
PID 2868 wrote to memory of 2936	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	qwUMcEkc.exe
PID 2868 wrote to memory of 2936	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	qwUMcEkc.exe
PID 2868 wrote to memory of 2936	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	qwUMcEkc.exe
PID 2868 wrote to memory of 2204	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	FKgsYoIA.exe
PID 2868 wrote to memory of 2204	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	FKgsYoIA.exe
PID 2868 wrote to memory of 2204	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	FKgsYoIA.exe
PID 2868 wrote to memory of 2204	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	FKgsYoIA.exe
PID 2868 wrote to memory of 2736	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2868 wrote to memory of 2736	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2868 wrote to memory of 2736	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2868 wrote to memory of 2736	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2736 wrote to memory of 2600	2736	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 2736 wrote to memory of 2600	2736	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 2736 wrote to memory of 2600	2736	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 2736 wrote to memory of 2600	2736	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 2868 wrote to memory of 2576	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2868 wrote to memory of 2576	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2868 wrote to memory of 2576	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2868 wrote to memory of 2576	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2868 wrote to memory of 2452	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2868 wrote to memory of 2452	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2868 wrote to memory of 2452	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2868 wrote to memory of 2452	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2868 wrote to memory of 2636	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2868 wrote to memory of 2636	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2868 wrote to memory of 2636	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2868 wrote to memory of 2636	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2868 wrote to memory of 2608	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2868 wrote to memory of 2608	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2868 wrote to memory of 2608	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2868 wrote to memory of 2608	2868	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2608 wrote to memory of 2440	2608	cmd.exe	cscript.exe
PID 2608 wrote to memory of 2440	2608	cmd.exe	cscript.exe
PID 2608 wrote to memory of 2440	2608	cmd.exe	cscript.exe
PID 2608 wrote to memory of 2440	2608	cmd.exe	cscript.exe
PID 2600 wrote to memory of 2776	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2600 wrote to memory of 2776	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2600 wrote to memory of 2776	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2600 wrote to memory of 2776	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2776 wrote to memory of 2792	2776	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 2776 wrote to memory of 2792	2776	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 2776 wrote to memory of 2792	2776	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 2776 wrote to memory of 2792	2776	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 2600 wrote to memory of 2916	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2600 wrote to memory of 2916	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2600 wrote to memory of 2916	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2600 wrote to memory of 2916	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2600 wrote to memory of 3040	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2600 wrote to memory of 3040	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2600 wrote to memory of 3040	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2600 wrote to memory of 3040	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2600 wrote to memory of 2388	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2600 wrote to memory of 2388	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2600 wrote to memory of 2388	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2600 wrote to memory of 2388	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2600 wrote to memory of 1560	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2600 wrote to memory of 1560	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2600 wrote to memory of 1560	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2600 wrote to memory of 1560	2600	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 1560 wrote to memory of 1628	1560	cmd.exe	cscript.exe
PID 1560 wrote to memory of 1628	1560	cmd.exe	cscript.exe
PID 1560 wrote to memory of 1628	1560	cmd.exe	cscript.exe
PID 1560 wrote to memory of 1628	1560	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\gusYEoUc\qwUMcEkc.exe
  "C:\Users\Admin\gusYEoUc\qwUMcEkc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2936
- C:\ProgramData\LgoEsUww\FKgsYoIA.exe
  "C:\ProgramData\LgoEsUww\FKgsYoIA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2792
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        6⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        8⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        10⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        12⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        14⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        16⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        18⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        20⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        22⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        24⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        26⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        28⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        30⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        32⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        34⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        36⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        38⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        40⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        42⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        44⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        46⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        48⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        50⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        52⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        54⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        56⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        58⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        60⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        62⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        64⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        65⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        66⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        67⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        68⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        69⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        70⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        71⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        72⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        73⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        74⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        75⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        76⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        77⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        78⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        79⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        80⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        81⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        82⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        83⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        84⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        85⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        86⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        87⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        88⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        89⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        90⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        91⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        92⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        93⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        94⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        95⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        96⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        97⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        98⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        99⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        100⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        101⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        102⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        103⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        104⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        105⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        106⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        107⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        108⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        109⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        110⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        111⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        112⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        113⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        114⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        115⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        116⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        117⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        118⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        119⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        120⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        121⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        122⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        123⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        124⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        125⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        126⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        127⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        128⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        129⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        130⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        131⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        132⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        133⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        134⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        135⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        136⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        137⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        138⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        139⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        140⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        141⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        142⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        143⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        144⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        145⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        146⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        147⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        148⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        149⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        150⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        151⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        152⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        153⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        154⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        155⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        156⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        157⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        158⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        159⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        160⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        161⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        162⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        163⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        164⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        165⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        166⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        167⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        168⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        169⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        170⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        171⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        172⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        173⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        174⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        175⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        176⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        177⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        178⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        179⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        180⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        181⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        182⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        183⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        184⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        185⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        186⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        187⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        188⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        189⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        190⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        191⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        192⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        193⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        194⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        195⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        196⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        197⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        198⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        199⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        200⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        201⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        202⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        203⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        204⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        205⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        206⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        207⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        208⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        209⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        210⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        211⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        212⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        213⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        214⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        215⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        216⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        217⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        218⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        219⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        220⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        221⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        222⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        223⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        224⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        225⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        226⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        227⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        228⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        229⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        230⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        231⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        232⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        233⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        234⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        235⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        236⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        237⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        238⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        239⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        240⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        241⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        242⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        243⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        244⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        245⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        246⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        247⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        248⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        249⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        250⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        251⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        252⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        253⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        254⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        255⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        256⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        257⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        258⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        259⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        260⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        261⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQUgIwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        260⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qiAMsEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        258⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        Modifies registry key
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IAggwsYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        256⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UUMgkcUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        254⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SuYsIQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        252⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQEAEowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        250⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        Modifies registry key
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\neowIcEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        248⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmkEsEgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        246⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HmsIUoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        244⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vUkQMsAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        242⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wusckMwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        240⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QukYkQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        238⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\imsYgsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        236⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eygwUYYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        234⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMksIkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        232⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZIYowYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        230⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEUoowEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        228⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies registry key
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgUkwskc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        226⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        Modifies registry key
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMgcgEsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        224⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OUIEQMMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        222⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KWcIUYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        220⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UccckUIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        218⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NMcUUIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        216⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        Modifies registry key
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeYsgUsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        214⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgMMcgMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        212⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSsUsAAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        210⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xOAkkAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        208⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkwUQEsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        206⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aCQwkowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        204⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WSAcIUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        202⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQEgQMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        200⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pigcoYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        198⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies registry key
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwokckYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        196⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tSsgwMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        194⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uisAwUUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        192⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\awoQwocc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        190⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OEEkksss.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        188⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykMEUsgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        186⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lkEEMEUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        184⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jooYAoYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        182⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCwwEAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        180⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zokUkYcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        178⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IQEQEIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        176⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CAwoEccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        174⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yaogMAYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        172⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKUkEQEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        170⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QswwQEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        168⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQswwgYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        166⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWMsIIEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        164⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAwskokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        162⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HaEEEEAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        160⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OikUgoUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        158⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UEkoQckI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        156⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUUMMsko.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        154⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KMkQwwYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        152⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYUEEgwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        150⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tMgwMoco.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        148⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmocQsUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        146⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LiUgMQQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        144⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nqgEAYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        142⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCcYAkcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        140⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iiMMQYos.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        138⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UQkgUwcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        136⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AyoEUUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        134⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KQIMAkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        132⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fcUgIIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        130⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VgEwwoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        128⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JGUwwEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        126⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwMIAsIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        124⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCIUUkYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        122⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWoAYQAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        120⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiAEYgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        118⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\geAkMcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        116⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cggIEEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        114⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HAgcskEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        112⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vowMUkIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        110⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PSEMAggQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        108⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKYgQcQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        106⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eQswwAQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        104⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IWQsgIEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        102⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aCkAMIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        100⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOIcMkoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        98⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\esEIQcYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        96⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwQsEQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        94⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PSgUQkwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        92⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSUcwQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        90⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCoEQMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        88⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YYIwwQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        86⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcIoQAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        84⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywkUkgkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        82⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eCwYIwcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        80⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        Modifies registry key
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xAgIsUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        78⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zCgEcMEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        76⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VuUsMgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        74⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKMwgkko.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        72⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCcwscAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        70⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AqQksIAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        68⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wYUUQkQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        66⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ICUwUcwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        64⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KgAgMIoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        62⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqYcUwgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        60⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HuAEcQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        58⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BIEUcQsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        56⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\twwUcIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        54⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWEYMQAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        52⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mckAIocw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        50⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\meIoIkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        48⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qeoUUEIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        46⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sEAEwgoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        44⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vsoEgYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        42⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUUUcUUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        40⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vAcwQEMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        38⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JMokMccA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        36⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUwkEMkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        34⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWwoMYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        32⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQkEIYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        30⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMgcEooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        28⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqoUQgAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        26⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hqgIgwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        24⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PoMwsEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        22⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGUUYkkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        20⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DYcYkgEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        18⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mKEEYYkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        16⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ACAkcIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        14⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WmkYUMkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        12⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMMEEkoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        10⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iuAMIgUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        8⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1164
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1544
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:768
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYEYEcEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        6⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2836
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:2916
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCIYwwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1628
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2576
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2452
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGYAsoQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LgoEsUww\FKgsYoIA.exe

Filesize
189KB

MD5
2a59b1c053b9be9ac2e5081f9575f5a7

SHA1
e556e692d0113721bf20a5f8bcb7b2a74f92beec

SHA256
abe955e726f8cd4581d8bc3951c0decac3574926dba80237e8693409e0bbbcb1

SHA512
ed0b92c1645dd8b2da1b00686fe4e8fd5f9da56ebe9af5327755af7f7db686e4612eb2879be921663ff821b1e807f36c8c8ac96a6bbb17831dfe5b08baacb931

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
308KB

MD5
3da61bbf009f348749ff01fab1a96e38

SHA1
09658984c2a7b56de3c3cf073a02f5ed1f0027ff

SHA256
14a046e13d4c26784e8bfb9192471d6c584fb69bf67a5903b2b12a9c98c53362

SHA512
1652494ca31b54fe79a9f3ef025761cf3da15756af0b30a9cbd64a8faaa70152b1c7da4ef1886bd6943343a8e56a5c9e3b86e673a262ac4e05aaecd26b8cd7c7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
206KB

MD5
43569b3b9d56b600605b4f2573d7e3a8

SHA1
ee6bdf838b67fae94d8bd0e3d8cbbe054029b50c

SHA256
81bd50c7df2b0949447a95e54bdc8e79a45962f565831c9b41f9ef0ca99851d0

SHA512
65ecac802800160b7f3d07ef3f6a8b2901f65cd2e29202df27cd800c9bb676d2151671ac8d69713914f1a5e9d6efdb833343eef47c504815c20156500286a4db

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

Filesize
242KB

MD5
7ea55ed2e909dfd3c9953ba03c08b3ba

SHA1
fc10352f21d80a4572e450ac0fb33556bb18df5b

SHA256
f16cce1273b0f6961036e212321ec6202a046bf1c972de86ca6e5469d65c89f9

SHA512
3e7e82a612f00921563c99fb44c7bb45242c823e4f2a2556d71ac2fe4f86ce09ab16e3308b9a3993e7525311e74ba0d2d00c309d76ef6c8fb47070c6cba67529

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
229KB

MD5
64365e526b3a1be57fb6415f1c3388bc

SHA1
b8ddfcda757d2daef25869210e89a36b0a999f70

SHA256
e206aa900c17c2ecfcefec4eab465ca12a78e54ff257efd466905f57f7fd48fd

SHA512
9bb0e3357e8daf0aea60e80f8cf350183a3973cb47a3e25817ec9dc8cfc6314db715f1eab18fcd6b10908308eb7b55a91b3ab9377fe6dae6553be47f51d63b65

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
255KB

MD5
9c2283b8f960d5b2d4f9e318b37e7ef5

SHA1
7b29b4fe411b9811a149e974c0c64584c9c2d70b

SHA256
96942953d3f8247714af557634dcfc3db8168d691ed5619ff835c2ce8c540c3e

SHA512
3026feb20586ba488408f26cf778f613eb84d49be2e588b09186a996321607e8d383b1e4fca5319c199eee98ab665296a06ee7cda4347b040b856bff9a2aa760

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

Filesize
227KB

MD5
f2d2e060533fcdae5ed591a68abcc184

SHA1
fdcc4a61826dd7076ac2cf05ce059eba4fef96d5

SHA256
ec4d835872cd0903010669e3812a1652de1cf29f8032ec068fdf2c59e969adec

SHA512
47a172edf7045e2215ec8d0ddf49c7e46377610df5e55be2a3c96003d3df7eac057fb2780a16efc901e75386da360468d08db899f050ab77670ed91a8c83100d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
232KB

MD5
cdbdba5376df866ac98293ad7ea4f0a3

SHA1
053760f4ca4946e9cb3dfbddf2d4f89bdbdeb81b

SHA256
6a61c0d303044c2df0cc3a7e0ff9a6ad8aa3d79e975f2e9be4b01225c4bc2eab

SHA512
560b3a926dd8362dc9047d0cfa7dbcdaa53f09626b9f5489e0a88febe9f7bb100d5e1a0176a081f396a1380fc4d87d7ba15e26c6dcc21b42973503267d703bdf

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

Filesize
240KB

MD5
067b2200f2fd2c988e2d1c7f70ab7ddb

SHA1
0ae796225834d0258e4ee30a3bcdbf55c76b3a06

SHA256
ee31897e969254267bb9c790a10bd8d35fa6c0e1f60591e3545cf3686b0239d1

SHA512
4ab56aae27109c7de24e84a6720bf11c23e6be69b004383130802279716d90ee1e5c5e36f41d246925af8e04ec8262f992f2db7463c51c8c6613f41273fa32ad

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
229KB

MD5
af302d23fa971d822a8e23f9bd8ab82f

SHA1
d37b3671872ce6d46210ed78aa3847c6edc102ba

SHA256
1c2b385e29196e9371d5c8b86c2a3a92412e7cf351570ae0fa8c348f428a9493

SHA512
91c7fd8b92535f9bb7672e604b5bffb560d495f0a1a27a6236838e923ec027284863941ef994b54a7947485530be91a8b0a97c61f650e385aa8e02f516bf4d11

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
246KB

MD5
827df205d24d174b075bcd935910c3e0

SHA1
ef8470f186503ecdd5d9614749f8de5f910a21c8

SHA256
776ec6b0f48f612753d1362eac1f613d09dcff3bf27dc45894bdc8ff42bc38ac

SHA512
6cfc95e6a14ebf5473632e3fa9ce4c4dfd66f85f92c1f90f7ac31b64c7c9d165e645012495403b0a9582b5583b5a39a0bcaf7528da4120648ef7d8a2bb859bc8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
239KB

MD5
6f28407f869e6b68b219a8005ce69d5c

SHA1
4dc7d378b958f69384ce663ae9b8abdd1bc96274

SHA256
5d80577e10d57ab95a0eb5d79dc66bfb6d0bb30346c51b2653e4f8ce14b2d720

SHA512
67888e890e50bd564208d54effaa2ec047248a5ee578dd347981d769c0a4e1deb359f2f1b87a2aada1f16be74fe454d5131b654384c212c207ba371e1e1e58c0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
235KB

MD5
c44340c9dc3951159902febfd5f0599d

SHA1
67f903c62cfbc40135a8374cb9e86e6f0b060d8b

SHA256
db3d38e1991382635efd4f067ef874f839529abf6b548bd9011e34241ac01292

SHA512
48a13f68311825afdcb45e3d2b1f2cfe38ed931f8024033d31931cc8e642f8386e47ce52809abb398c6b95e547396ae6bef185c5c346a2d4a59be0e17bba25c5

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
644KB

MD5
4a01e2de42c8d4a831fe312dc9f48a2e

SHA1
6b906abc03807e5b1eebcaf70a9c8c1a16d5523f

SHA256
6271b7fe4598ca3752ea1010590f96c3055e57e5e6b1427cedf37f2e9e84ae92

SHA512
c857e1d67edb6997bb4e19fdb76aef3e4a558474a0585c79fb4ead2e44ee6b53d6e8f8c8e147be21df121ae4adb47008c34bc9e8a7b71afd5d2ba87f854de568

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
206KB

MD5
c9c7e6af7b10e5ff956b0030f2f9dd37

SHA1
5c2e3e3e5cc75324f7ef7078e4b55ca6ce5247e6

SHA256
526e54449f331c6115680c574b7bad3a014710a3e4518c70560b9594e6d0cab2

SHA512
5ee9b3dc9d0bbcc2ed20b23eeff3c21270ed1a3044d21ffcbe732b4d0a22e7d81ea363a6b412d77033253d244bd9b9348f89a282fda8f2e99ac245c51e0ef464

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

Filesize
188KB

MD5
8ddbb01419496e98641ca7521a4b8688

SHA1
57628c91a217ff90c69ccb9821d89c4ed2ea42a2

SHA256
a38445afa140a3eca8cd55f35c14024f1e938228c49bcb368483fff6347eb0cd

SHA512
c57bf2ef176f56ddc33cb997dbfe3f15129bf84f383c6a2f0149b3fc714910c373a7d1e0f5d1b9b8df4c17e85607a547f5410aff38aa76fc16d534ce5384602a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

Filesize
199KB

MD5
fefb9ace281bc688e3b6fdb10736517b

SHA1
9c3a75811d2157d6e31ca1ee88f5106edadebcab

SHA256
3f677f66120e435df2ce0d6b14a365c5f61cd641ec19afc1c8b650e12e0a4900

SHA512
19b61dd504a9a094a3411d5e0daffaacb06e61d9e7158c773bd00c3fd9ef65e1db8d4d123d243dfbfedc94879786f323fd4d627f564874d7f2b4d2ac7059b492

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAUS.exe

Filesize
185KB

MD5
901713996444b3a09fb4137324df23eb

SHA1
11441cc8836c7c1b1fa3da14348751c0847c5f1c

SHA256
864fea87cf0bf14f99586b1dad66d0c6d1241d3f1887b1ea3447850d489c6c2a

SHA512
5c2a5170e02fd4c11b2105eeed20cccf22f4bc7b8cd7d7ed0c2cda510935b98b5de0be262b49d2613d836e8e6d21e44a6161ccb4d8859baf325a54e13c1ffe8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAUc.exe

Filesize
247KB

MD5
57afd15671c64b10d50c1fa0803ec6ea

SHA1
c191d6a7c6922928ad09fc3d10374f0006b646bd

SHA256
79ab963bd29d306611dc9e622c00db42d0b683bb831a2a19efcb52fabc64e253

SHA512
e90b4efa9ba5caeb4fece4299121371af7929c07292ff10bcb1d748576719f26519d2d6261b44a552839b4bc598a787571bd899eef7fbdcf9ebf3a29d2bd42c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAkG.exe

Filesize
207KB

MD5
502e6257dfabd745c6967e2f25fe1013

SHA1
44ab43e8c154cffdffb88f8b292dc212122cf191

SHA256
19c1c129e2e5a941eb1e2abada1cb8c477a36acd62b2051dfd97d7cbc15af1e1

SHA512
29b563b9669204d4cfd6cfd2032dc5e1d7783a7d11a2cfebe4903f59b6e154bd3dbc5704e0a31be2733a5a93314d9b76e16c1ed52435343a4cc8db383345db8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEcu.exe

Filesize
226KB

MD5
6ce99add19ab509eaea40d86742980af

SHA1
862e372a9d9c6870a1b6cd861eb31ea31e6c0ac6

SHA256
eb013503dcd50bf2d057c787e59d633325e6747d4b079dfe1bf19654e6be89e9

SHA512
32bbb7620201f66b2cc3c45ca312675274b226b884f8a4769de0496feb1b8ce3d01995297934ce8d74110c395f678793695a8e78441b723a53315e70b3b195a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMkA.exe

Filesize
222KB

MD5
220d962ea7f511b0f12836ac5ca933ee

SHA1
954d4d89ac60d12e44e4a2c16a37447acc2bc127

SHA256
b7c6c712d368e4025f25f458ef172a6e0849ebba760680651e94f83569a65d93

SHA512
e8f656438f7c507360fe565bad008d7898ba0e99c18cfb57a200eaf05d27353da1d1ebe3bedc592a9f2f4a67833f7e9d603fbb3fbf02b6314b687e92ddc5bb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMwe.exe

Filesize
785KB

MD5
feeb4bdd5bc652302938dd87c20d8743

SHA1
979348ec06901f8b91a1455e789ac34af46d8d81

SHA256
c8f6a488805506a9813e9b5fc91cec827b4b0ae4119fd6d9dd6885bf03d62cc6

SHA512
268d54762ad8224e15cfbb5f0180d70a52bbef366b90aa09e7b784af6971bed6ee919ddfafe50506ae24fb07794c66fd94edaf1d5f1170dd266b06248e4137a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUMm.exe

Filesize
632KB

MD5
91610abc57779b863e2073867ac6c2b5

SHA1
5a6c1273f0f2d2c6642f34ee8da5889ca21a3dce

SHA256
1672619d1c9e5a0bbf59fa656e9dce1af6be5dce0aacea34b0cbf49e822abfcd

SHA512
3fbbb47bbc5c27be7977f5f6fefcbdae3e9df1f7a4caeaffe3e76a26b0e0e98d01b6d4694535fed430006d4731c814dc3dc0059f6c8c1f9d493c21baf6ca70d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWwoAAQc.bat

Filesize
4B

MD5
16bb626983f20afecdd0b4594cef011b

SHA1
850d7c3c53b823d629097533700dc0d1ad489003

SHA256
dc44adef15620e23d363521481fca24bed32622505a232cc21c8dab5d62bff76

SHA512
43fccda4ba6ac73a26fe0ed8ca1df2c6c7f33d9075d01325073aff9a708193ab9322761e89bda16c6963bf0326f99827f951925bee2c23b502cdd1ffabf1a781

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcQgIYgQ.bat

Filesize
4B

MD5
8c978e2bb383008fc9403a87e59bff9d

SHA1
bfa5db68fd98ec48d64d38f43a49f8f4a0654101

SHA256
eeec4fac9c6fb6a2b9bc2b624eafd0fc3eb9f45dbb67ff049e12ca6932ea5bc1

SHA512
06143e6595428cd6f7b5625d02817eab6399796164a350ede4391cfe5bf7f26a8ef5fa31ac69f7e158beedd483d29d55abc3b8a4e80790724fd618e28c87a4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AscG.exe

Filesize
537KB

MD5
0775825ac0caaa6cef7003083c371af0

SHA1
2a345a2cce7bcb185ae89bf39c5c24df3dfdd3f9

SHA256
020f5f93a62bf56c0bc25ea58e76db4181f82051b9bb1a5b28afb404fcb18d3c

SHA512
fe653a1103348ae562ffc313c05e800559a30e307261510dd3a73de2a962be86ffb99703a6972c383ceea996d7232e57626279ce1771d86cb83d531f84109443

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwAi.exe

Filesize
235KB

MD5
c1b5e0906bc8e86657708ef91392b55e

SHA1
995acf0c83d118cc3a869926f41daa3ab896f53d

SHA256
a222a9ce49dffec2467d140fbb54af7e0ccb217908e9caf1bea43bd92c6d1484

SHA512
06505d2278a972a9f0ab71f01c9f0068d88b49b42aa0abb1e690079cad2c9f0a085000c433baee4c700bd0a625ae1601b9348548bfc774bf328d6be58bc432e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awwa.exe

Filesize
211KB

MD5
c76d299fd9dfcea353d7353508392664

SHA1
b45e20f922403959ab1fa2fda8292951425e9e06

SHA256
02185a1e670b977f6ec8a242fb5bf74540651b973d62d59cbe525db446123fda

SHA512
f6420e7c82d43239919239e824e109682e55d88cacbd485714e73eff60c65eca1d82fe6903288679363cac53188b45ce2a9682e08eaffb7d71cfe4a82f0eedae

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGYAsoQI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYckAwUA.bat

Filesize
4B

MD5
e8554c0ce96c42648eeb0c6eb12e3623

SHA1
aabc10c8172a1c9c4cc13bb9305c31521030a7de

SHA256
24ff01e3a0e98e81e190cb39b5e71d2b4d8763974ce759ca9daf83f21dcc68f5

SHA512
fd5acc059bb8ae74c2027abe955452b7ad664ac639adf4dbc2ebeca8b3f599394b15a9a6149e1f2d83e8ad366d39f77ce8d4d3ed18256668940a9052403bf752

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMMUMAAE.bat

Filesize
4B

MD5
fd7756c58d24c6c90cfdc9a27ab8b8ee

SHA1
046f179bd7c3ff157fe8bcbae6c0622e977ed2a3

SHA256
033d731f7d46c9d65f3da72926cac3024f675dbf38c3e803dd14135432967609

SHA512
6f082dad74f990a7b247a245b976041e89f1d4d8335c75d33484143b9deffe8a54fc6cfcfb2cd01706a9656c1c62c0c5429fc37de61253c298b92c5ac0207519

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cgke.exe

Filesize
204KB

MD5
9d744fcfa2f72c837dc946244d0d9122

SHA1
ffcec419033bef3c4da06319550da10f7610e07c

SHA256
389dee8ddfd3966a922a4d888ea8673282989271fb23a3c2775d863deded5f67

SHA512
5ae3d92de03a3ffb84eaa405dba2542cdfb026b6f2f3163de43ade07c4bad411e63d048346cf83fc7bb580568af8fc71b22efd3679de3e7f617bac15d4ef6fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsUa.exe

Filesize
955KB

MD5
d21d44bc561b98dacae8377d2a9f5b8f

SHA1
1d3015bfa4f55f3803d68d8027e0cb73ba7e437d

SHA256
b7f3dc06d9b8dfd58ebec4ecf42f95a5c3a5be173e219b2679b427486ce11bd6

SHA512
a8a185421e1eece0205adba9de1904ec8c79726aaf7a77bc637269102f036229aa2d1bc1c5e669dbd1b8932bd5d3d0926208a0419d5dc448b9443d7c450db827

Download Submit
C:\Users\Admin\AppData\Local\Temp\CyEIYAYk.bat

Filesize
4B

MD5
3967ec918462ea0422b25e44af7ab46d

SHA1
f0d198e4f44baf4b9d825771bc21471a344208a5

SHA256
ce652588fc17da0ccee56d560aaadb945b3e5de80912e66f0e9fe6e65e6beff8

SHA512
8c20f361611bf73ed4b102624d9a5f85fb6e21cc3a8efd591506112074a6add000018f1734d54377941ea15b2c5a47ab910a44eafd5479e60256a45070339ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcAEcwYs.bat

Filesize
4B

MD5
3523a6744fd5159ac1b05f50da3d3d55

SHA1
49245b8679a51c2d5c10bbb23740942131c31bb9

SHA256
b9bce2eaa40ea0b4ebd52ae2223b0a48239a730e3563049e5d0400b4e18d81f0

SHA512
7c871842fea8954b61b37c28e556ed251d1f5de8db7b76412696c23210dac141a02ab52a6a10022609161057d605f5dbb5e16e964a2e3c61c48ca1b9613b7827

Download Submit
C:\Users\Admin\AppData\Local\Temp\DqokwQUE.bat

Filesize
4B

MD5
c7852eb0d9562d7d849939bf1cfe44ef

SHA1
d4181f2f1062692bcf1384664de440f62ca6623d

SHA256
711b37f972b1bc194c3a94d956df30191cf2d2c4a65395d0184b42349a35c552

SHA512
062f03f603053ec86f632e5a7d4c574c93941224a06fc63ddd5c6e3e293e6dee770c5146d36d4b2172e962b2db9300a8ab97c9f8c590c294562c4ce34b999a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECgwYYcY.bat

Filesize
4B

MD5
5d3edf189bb56f3f97b796e7290b7a7e

SHA1
86e7a3c26422abfeed28e4948275c01d52bb7512

SHA256
9f7c2df9b45dc074c6b2fd3c7981be362a6954b0cd518be02a617396c2de9690

SHA512
ea3a448a081381c4cbc0d1de4fc229fba61b880a571a22899830701f8dd67b4f1c60cc0720df0496878b418acb35eed5ec771925912a822348b1fd080e941924

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEYA.exe

Filesize
498KB

MD5
b48242ef691005b105ba87bcfcd17bff

SHA1
4b75d26d5b3a4642bea755659ad002e29e60bf9d

SHA256
eb895dd1ccac70623d929277a6c826eb77cd4793927b070caad0ed68c47ce389

SHA512
5db9bb13972cdf495d576944a2f6c0224c009e6bfbd1b3a8ff1fc38e1011d560986df161aecdeafe84b24330fc3e4d79d7fdde3ba5e14e4ce91ac9ec6436e63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EaYkEkos.bat

Filesize
4B

MD5
3ecb29b2bc43e95c172695b6776b3fa1

SHA1
1a4d4509133fb33719fb7b62347a53a2eae4584a

SHA256
7ade0bb9bf4d549e414e4bb020a5513a4f64d062025ae3712853104022fc2d70

SHA512
ebfa261e5868a64664741702f50383e319d0e39963977a80374d9757d16b30d265ae5fc702b42345d221137c4b045b1cc511ba9fed53e29dc5a0bbcc673ff481

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsUA.exe

Filesize
240KB

MD5
d425bd51f750a2683ed797f66b0e50bd

SHA1
fe87ec9f6133d454c5383382f7d150b5ede45ed3

SHA256
e85fcab03b47f4c9497e9957adbc7d4ab0269b20f92a16c3186ceb3d957fa369

SHA512
69bf6f1b5bf1c906b63e495b7b68cad6c33f79cd37fb02b50f5d8b7c4d7ba751855c1d148a8dc46ebf128f2ea04891651a7f22f0fd88941e432f1b0c5a49131c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FKYEokAI.bat

Filesize
4B

MD5
65f53f56269afd4b21d85a42b68d858e

SHA1
06e57fcb0a92fe46aa93403ed0d9d4017ea1b957

SHA256
81f77011690c84e996cf3beb30797c0994bb902986eef8c67b8d39d73f25aa15

SHA512
0ca0e9a9f68d7b1c75f36c4b870d0cf9e6dc5583a7d39538f7bfd9db8c3eb9d173209e91418b8631791564d073c78d48901433219b352a14c5af2d56dff09906

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCEcgUYU.bat

Filesize
4B

MD5
a87282fe0cc00a511d2570b4602e9fbf

SHA1
7b4d97c234e32d5bd83e1309b1b4e95242eb0f43

SHA256
01e9806897135645fe75b3de9e78b09847ecf70dd2d13872f2b575ff1dde91e1

SHA512
6631ed28a6255ddd7e879d728d4f109809f3a063739d06c08796c6f2832c95abea982d932bc593ca0e1d2b94d3e194313dd4be47b93bd1078942379d32c02172

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEEw.exe

Filesize
198KB

MD5
e0635eb4029117159ccd9b0830ce873d

SHA1
89684fe5d8adb72fcdbd15143d4d31e1a3bfa6dc

SHA256
751c2e5f2f07c8c9b4b4a055cf19ab3520923e92c01c255e2d2da4d70e299993

SHA512
47db7598de817544c945b42b57dfc585f10b2b5b2f6d6edfc9c373c0aa84ea1a61c69fcbb45450f9314a5f2816efdb07417b116125492db26e946a735866b30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEQsMoYY.bat

Filesize
4B

MD5
105472af09432004deb24b92a417bfba

SHA1
978f0e62fe525d000ad7a75017f3b7478201dfb0

SHA256
35cfa47ef7180c6b1263c2c869bc6a57c976086d45711f4bb875add5263109d4

SHA512
18926ad0a994d516099eba5d37e7dc503cc688acf87ffabd121b5ca27f761c064f8378541fedf344cfe374e36dd236f5a995930a96e87bfcce502139845a32f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIEYMMMg.bat

Filesize
4B

MD5
f1888129bda77e20bfff9b8c70485de3

SHA1
6ab196f8716ef24c0fcd9b64b90983c6ec5d18b1

SHA256
e30cf3a3b487d47d99d6ace18b69f16c16a032c8e00400f66e920d719fc92b2e

SHA512
ebe032741307e40d7ca421ff17b1235d1dba24751cf6392e2cfa245d2cca6985df30f584f37f0e4f004ba7186bea8e113553d2bafb4df3aacd11869f57c76a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWocIsUg.bat

Filesize
4B

MD5
3cb177e420caab3716ae5e881130d3c7

SHA1
f61c89b7943a7a783d456f514da7726810f40f66

SHA256
47381541b8f1b6443b0f7abf3de9f11895ac01b5ac089529d9a442d8d10c8367

SHA512
21a80ae60c19dae6b185191b50e8f6e92e088b8b8ce32589823b7acac74f40174db7a3545cb697b686fa5c469b8e1c19624fee23a6d22e26cc65522692424d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWogsIQM.bat

Filesize
4B

MD5
9ed1f58eaa8ed8f328e29c90e216993b

SHA1
900a585f11d7114214639840a90a3e91a3a8d8d4

SHA256
cae58dc625f0771100ef1ca3d0648578c10da7e3bc87f648b36a3c10edf9ebc4

SHA512
c9995f1db883d89b48ca0dcfad64d3fcd740ff43430b18339c1f52bd67d51aef23228144bf4457d30d5d68fc93e45716b39b3dabfb339d127853f9ed6f193283

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgUU.exe

Filesize
213KB

MD5
19c0824fe8853976d2e0c0cc03982681

SHA1
15cc87d9cb491fbaeb42e380fac24e6da99503ec

SHA256
c47eb9ab5ad7cb10c0807fa79ead4e913c6f52fb2824a78bece9c1d6581672e9

SHA512
2e9e244357cf853a3897ee8be645b6a654f78030b00accf4aa1916565054d631afddfda55e8cfe59883efdfce886ad8ffc525c1b75c3f41c7dc341e8311d4954

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggsm.exe

Filesize
244KB

MD5
b7e7c0bb148f46634f6a9738a13797cf

SHA1
42f5f61771c8b0527c0274e70e52adcf9a089ef9

SHA256
cdec47bbd30b6b914269e70cc0d41cc50127ef94ee3b7c3b6e94acbf35505e40

SHA512
0b5a3669a4e548ede1173b1de56103608422c6a918e96cb463842d76b0cfe65cf22c6da5f7288fe7e7f2782ab0b4a1a165203ef0ea11613beb2e137239411d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMEccksg.bat

Filesize
4B

MD5
52f7b32d3d044eedf6d0cb6cf8dfca50

SHA1
7195f6d09914a8686bf66a53d3fb215e0cf51e95

SHA256
bc6d4776d6e99a42a07c42d39320f0102a05a8bf1a58d19ba5661937d9054a05

SHA512
e14db5aac077b1617e7684aa55069f69a9a9f572110daf80e1a49e33311f7225373304a28fd8908ae1dc7393c13aad7f2a4a350989bab22d3b2d6a6ccf750119

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSEYksUQ.bat

Filesize
4B

MD5
9542bf517810e3b8159765af98f5dc39

SHA1
7edd94eb05103df1cd987a52f69ddbf228a3ce73

SHA256
508263c6583cc1db1532368b9fbe843016f34e0d41ef04e24b58b4a6f5da0433

SHA512
7f8ff8ae8f5de24a6e348970a51fd73a6c085dccaaef92da198bd538f4199637f58eaa7a6ad6347d76079a827169ed0cd8226c6d048650352ef1ba0bda45ff22

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcoIckQs.bat

Filesize
4B

MD5
6edaff7b78ace1bf17e879eff5731802

SHA1
0417006b1542f9338090ebdea62e66feb9140303

SHA256
28ec50a9f50fbd2a95bb4586b43a78075aed1190b6e7883a78c6a952f120fcad

SHA512
f8f925b3cce757376a57b353237a4e503c02de5f3f6c47def71991d88d88b082094fc1f2c37f2114462bc1d4ffe5b9a0b6e5e2d61f72cee28c6bf8c744759e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEEIkgck.bat

Filesize
4B

MD5
03e57a515ab3231cd8850a64bd98cda3

SHA1
0335df3a36f1dc2c777724f1595911bbd8207bed

SHA256
b6ca59901abc701326f86e89dd0864220787f23182ad0120e860368d0c72a8f2

SHA512
b9702df8d91c3ce8141499964c06c29afb62c049cd16ca234e510f896c004c3c75f7bccffe846f5567904e7937c13af13e6bef84d1d46fc6147efa69a911f312

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcEQkgMw.bat

Filesize
4B

MD5
bd77dc1e3a4be66bf54ceaa8dc028643

SHA1
d472ebd9f9d7b57a78328f5784a7727307e3f972

SHA256
c4aed70786d14280ca2beff28e8fb9daafe6755ca25827dce65878723e111db9

SHA512
56451d2318b9c025e527a86e56ccf09c62e30ece95ad1fbf6c5b13152c92505d228e68e5fac3c53aa89a5af69213bd8fe038e9c1b86133d0a79b265738521475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkEU.exe

Filesize
244KB

MD5
baafba83e7749cb0c3efdf8734ed5a15

SHA1
952eee0a1ffbd0f1982c78f71b9794d8e8af1ef4

SHA256
19e7764d9da048a3823283b2106b19a43d1993065443bc04979fdea10662f43b

SHA512
15405d8b2cdf2e56e2762ccfe6bf8d7c6e9a94d77da2bb50e95c3da3b04e014aca79d1956e4e21063390fc9f388cae2735dc503931365a8b45a4414456fd266f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkYu.exe

Filesize
245KB

MD5
025df4716d3d0dbf829efcaa0baa7bc8

SHA1
e7ed184b9251421975046a628e6642f2af033cc9

SHA256
f70e67e2c826404a6ce48dc0160250d9165a559c36e150ee0652393ac90e4d26

SHA512
4b82ce8393f6cf6fdfcdf47cf9fee8c8fb98ab20324e1d376efe7b730efedeebd6863f612cd7b46aaaeb482ab3e354fa89d3a22ba70bf9e443dbf055aea29393

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkwA.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IssM.exe

Filesize
238KB

MD5
421bde14b277270252fa3584c1059a10

SHA1
0d902ba3bbbe7a9cf0df5e5d7830c5d43d62b6a0

SHA256
de46e1a2143e01f7f1df23069f52dcf44e0006321298dfa2db1a0b6f9a7cc39b

SHA512
024edd2d903a0926d68279e4f6bc09c4eabb0015c6e3b6304fad66f58d957a6247a70845b6a0b7201e87ffcbb07dade030d773a2393962c0c1324c2b25bb81b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgEIoYAs.bat

Filesize
4B

MD5
339351586f90e3fe81a45a7b76a3f1a6

SHA1
f5c136e36c7d8cd38226581f4fb343088d4b337e

SHA256
4f92d7553035483c80b10f274329ec7170172f5c396d1070b3e9620d522e9b2f

SHA512
e62a7a477b799f8ab827287bfa8920a815070d0b25118c7861f68f5d734a045df090601974a8fda6682d20dfbe6c2e205280cc2eb642eb2d2385533ccf360157

Download Submit
C:\Users\Admin\AppData\Local\Temp\JmQgswEY.bat

Filesize
4B

MD5
f3dfe6d5d9118af35dafc7aac9ddf894

SHA1
8998786c6a29cb28c65c54f9eab9838b06e2eb12

SHA256
50fcd15e38a73d84031ff931812fcc526e35bc5aab6abc9e44ce33f94acdb54c

SHA512
590ff1ce213d7165e77733b18897a27eec974f62073d2ca619e2e6b42cba77ad0ada957a415b855006d2ba0707bbc4f23032c8fd621d3491e52e6ce896d83ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JwosEIoA.bat

Filesize
4B

MD5
dd6368e457d0c737409bf751a5deabcd

SHA1
9beb215d1a1d3578f0dcc4bb0abbc40463dd0976

SHA256
d88e4fb41df9068cb1ebc46fa359b7b5a8988e412c4a3016fef6019a60fea75e

SHA512
bd10d69f53528a81b31bafd8722246c38d018090c069fbcbf2b27df1da64579783948de96f508542e5ee4e714bc803c3a8991d0a86a4f500c99ea569ec64a7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEsy.exe

Filesize
243KB

MD5
4b2360e2155bb6e093f6cc85ce466b9c

SHA1
4b17de7763a2b76879b7ac6e2e147cce1f0b458a

SHA256
69096aaa02c065237531f1573a426387dc2dd9d07615fa711c8df17b2c3a37a2

SHA512
cf39106ca91eecb5478bf82d84cacb6b8be39eabee6dc04b30150c84f2703eb0dfa6ad040160ddb87a3a5d1dfb0771f565de92b2171faa9e68a001897064aa8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYIo.exe

Filesize
771KB

MD5
9eaa6381500e5525bc2e75d8db97e8d3

SHA1
12648fc67683c787420653ba969ccef80deb7f43

SHA256
18631ccadb6758e5df8a575cde03255e09ad66031582014d83361811f64343b1

SHA512
4e74e4679379c63fb1afb1e294e30a69c6f96cbbde5697e1d7b8cffd3c15c8f489225afe53dba9a3f4fb9b01bd2887ae59113d14e2be07c6a2fb5d72a230fccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcwk.exe

Filesize
239KB

MD5
d076f4d7b2a43592705d8bfe2e45c6a6

SHA1
5c37137068589f393af70f86e021c3511f724b44

SHA256
86772a8706407945c6475bdd96fce14ddbded7be9701cfddca38d6021a731ceb

SHA512
4ff54ec64f6c57c4fdb3752601f2600e217d31e77cb83c9280064bbd51cb76bf499d0a32ae89ccb2619e97ff29df3cd257f77b79de682e6c704e3bf53b2853b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgQQwscU.bat

Filesize
4B

MD5
38606b96d166372060d0eb80474fd8ca

SHA1
bfec0dcb51b9f7f539e1e49a18ca0d4819142e0d

SHA256
e49ba07fa5277cc0fb4a9e664bff0491596f16cc2cd355ae0a710d6c979ba45f

SHA512
26ecb3ced54200de4821a2af64ef80c225fcd8bb118f6a350ccdceda7d5ca2c5c0261209048a069918d6496ad234185b680d37e0f516f806ea5054952b8c50de

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgQS.exe

Filesize
230KB

MD5
cf3e663634ab87d880f880d434b02556

SHA1
b6b09c076722356d4ba41fb0f59330e0008c7cc5

SHA256
8c91c4d9f8a90fe7908b8c2e7d679ba25c2d6b31b9b39fb5e643cf2c3930a996

SHA512
42ed71bfc1a1a90bbbe661956adb6276a5460616d536988d42404e8ec7336be939b5339fcef02133e3fe42dcf816883f8299abe3525757b02ec28393051cd4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkwO.exe

Filesize
245KB

MD5
c3aa02770290231172fe4cbac07f2ba0

SHA1
70f6bc36bcdba33d33b13dd1d96a80f0895e79a7

SHA256
41c1821e88346f7890a8c3a0f23c4cb8e8e21563c44110a65280e1b73c8363a0

SHA512
8a3d0cbe3e3ae0db99ac743cc7b8ddec61593a07b4c801d813b3bd3fd1db8aa98a60b0a3a650121b91b3bc8dbaae79f93d64f37f7df2653b9375f3dbff6ff59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KocS.exe

Filesize
244KB

MD5
6d565f165d68d8da372422afe2149786

SHA1
6cfd4bfd4cd9b5845a8d73f3931e2b5811f9de63

SHA256
fddb39aee8c470dc05289bb2df4950c225499f5dc8a93d0f73146e4f3f63c985

SHA512
ab0592330108bf8913111875c2d212116fb791d19cf379fe9984d6b3aa24b83392c8da20b76c633e20892901ca9ee20926a9790bbdda46b6f5331cdb29ce9da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KskcYYwY.bat

Filesize
4B

MD5
226491be26f63941d08cf2985c6bb8af

SHA1
e6df188f2c847140cb5f857e6290f4c5460a5ccc

SHA256
1247675a904c7c17db54d2a9418e18265299ceafd8fc324d241d60a18a9eaa3f

SHA512
2c2b38837323f18b30f30db3df446c9a78fb415549d3cb8d3a1cf835973e2829433f2814f041d4f02ec5a068951d550bc0a0084b3b53d25adadb31cd092f0f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAowUsIY.bat

Filesize
4B

MD5
45a73a13ee9cae24ec9c8cad6c79fb15

SHA1
0f13d0ccc2966ec96b98e7e8bc8e08bd2b0668d7

SHA256
a6b4102791d246b8a201353b3b3f307204d73fdb24c1ccbcf3066b07f93f0793

SHA512
df2399d61aff0c2d4d939466c2ac50f7f5f53e0aa0a3dbc1293736359f5d6defbee01ed1c73cf4dc8696a510f6cde90af53708e5cc6916b9c79c02eac08fae21

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkgUgwoA.bat

Filesize
4B

MD5
fb5149d310d11b35ae4fff6918754b6d

SHA1
1bf9ecdaa5097af87423aced40e332964b9db7cf

SHA256
884ac7c1a5cb8740b8ffaeb0faaa509ff012101846415cc2bc9f9890f81507c7

SHA512
aca027ed6ca378560088e51cffb7f6419f40433cbbe723aeb8b5c8e53c0a248d952432c8fbde01cf6ba87b3c3b3db291cca9460fb02868f2a287ac658dc07041

Download Submit
C:\Users\Admin\AppData\Local\Temp\LmYIEAAM.bat

Filesize
4B

MD5
fb816b6c5d53bb872938f46236363377

SHA1
41bd88f9a33fe01f7939584a7b4b16a9b4a8683b

SHA256
09f8ed7ed7caba2385a212aabeb22e23f22aec097295c6c4be6d0dddf8e0010b

SHA512
b58ab3d765f9e3015b064f5eee8b5127b2611bcbd0aeb3813f520c05cd3e2813a3c72ea56b6cf3fe8d2a3e5df6ded3f1ae55bfbbafd5fba6049541b7fc0049dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqUYYgUY.bat

Filesize
4B

MD5
3c8e6c77cc38b7e5fc4d852a6381bf6d

SHA1
3f9e61a2443b30372eed272c3be907a7bdc6d20a

SHA256
f08734bd0844fba9123d813ce7bdce31155cd250c73684ffb5c6b26b51579f8a

SHA512
ddcb044a9b498cfd2ed154d099db49a16d662d146217567b8fc9c16f537625db286a2c243692006354a4b70658a77edfba9144b5e5cf9a1a654da0661be62b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\LyIccAMc.bat

Filesize
4B

MD5
d11301bf30e813a0ce3919d78b18c4d7

SHA1
2464e0b137b279c7941119e9417df8e638fa2b3e

SHA256
354faccf8add1b565b746bab353fb9a01e4f2b45eacfe404cc557665b353071d

SHA512
411df337cab0e7a2ee9fafa4616cfe98bbdc3cadfcc5a237863374eccecfa56924188d7d4edbbf678713a02aa58b68f5d8d635e53083d04be9af0de403724914

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIoi.exe

Filesize
187KB

MD5
2a5afab4a7b85a20152b9a3e1535824c

SHA1
970ce6946a5a948e5f3437e2059c628d1cddc911

SHA256
1b2a868507228463399ca81975aff86523063ebc77bf20e4a94e0956ecde36ae

SHA512
0363cea357f4b9af5fc572f57abf7901adf411cdd169ee71b951a0d2e4b5de1d31b029e27a5283c127acbc0e5ef791cbfa65912d14578fe6333f6ce63e088337

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQkc.exe

Filesize
245KB

MD5
e632732dc1cb893f74d62540b0d09680

SHA1
3735771d169702ce027bc145a428e5fa1b7053fe

SHA256
40b439500953fdb7231626bd3b7e0a61589325090b74e13bcadf4d834bb316d2

SHA512
643265c37ebc07a7d9ed363aa878bc0ac475b8159482006dc293e24f754a1ad561ae9c5429b52d55f0b027f7a12750ac1aadb857e1e9d17cbd148a618c504063

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoAkscMY.bat

Filesize
4B

MD5
31a866d18a678b3c07246b17847a52f1

SHA1
2604284d46043e61c23016a35224d2ffe6b3eedf

SHA256
7fc100e5c29b69341ac081a91d977c12b73fff75cbde4fd289a977461ced4d0e

SHA512
b19435c2c3342e5dc94e239245052dab440e438de5607599868cc6b4e9b5acedf04450b4d805b39362fd014c48cb4004675b3e8894ab31ec1c1da6da9c57e7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsIU.exe

Filesize
244KB

MD5
c0ae16863270c7dd93a80131b6733673

SHA1
eb020b3125fbc542dddee79722eb1f0972443793

SHA256
8e5a8c64742a7752492af45aeabc620ca478077b0a73b26cc4d25d7a4ef8f3ce

SHA512
f4fb29db2dfdb5ac9b4661cf317bdc74a1c3cc529638687b06341161ed21ee66d6319a51c6f939b0f5ad6a81e1d26673d27482e29d288f9784ce11e8f9f1922a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSEEgwQo.bat

Filesize
4B

MD5
5ada732eba59373946b2b3348dbe6075

SHA1
d1383129b41dd9f1883a4da99304b032c6eb993e

SHA256
63785ae3056c24a66b7c3cf9cb595dca8df9402a254d426236642d311aeb68f3

SHA512
bc5cf6deadf17aafbf0a6b69d6fed398fb289630c7cf20f24b1b74d29a310319a971668387136cc73858646ec2d44a65d0d6e9dee087decb1b75af1ef90866cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAAY.exe

Filesize
634KB

MD5
49d7ba0f5cf9e9cc7ddd8e1d1c088abe

SHA1
de3025a1b2cf76a7873e2cf7700c0390862758a7

SHA256
a1a7b3b846abe56f33a4ee04da342f8ec62833586e9e123f1023520476d5e216

SHA512
c4ba54b2749e4d5394362ba1f6d84e8a1188245853c80c28c13a8107978564efd8546b5e2006935708b73770099ab448992f28a40538f6639dc9b18feda0ddd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEMM.exe

Filesize
207KB

MD5
48a62d41e312fdd0e63e02f8e5c2331c

SHA1
9a55579f2521fead40b68d22dd77e0a33be77907

SHA256
ea6f4e6f5be992b51de00588d2b3a97d09a37aa72244269cd071f4be12aa961d

SHA512
069b12868f7908eeb19c9f017bb688acc7724c0ec8b18cb097cce96d90f7b42d94e55927b0ce4578b1371f3935906337b51505902d384a7509874e4e21456fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUQG.exe

Filesize
240KB

MD5
9a28f38bb7006e8ab9a80e7944bfa60f

SHA1
ec4f21298fdd0b975a78aab5a8f83913453f415a

SHA256
b3985058ea0eda7990779aa238b1c3a7a533066833aacb4f2f6b65a247e77f37

SHA512
ebc9e95d1492fd4b98311adffd60dda03bbf81f862f21965dc490ba45fea3f04ee764fe64d2b2cefe5579aae4288b005e471b318954711a61fd9323f8e9ddb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcEW.exe

Filesize
957KB

MD5
11de3dbdc24db6a575321efb73e8f285

SHA1
0fa1c5b0d074a20b4ed99f4dcc3fd1f29d74cb5c

SHA256
9c554276e617009b9c433db5d3ba63cbc315670a58ee67013a9de2ac806afb25

SHA512
3869e0d91bfc9e75b60624aeb5a16702a975d3f773471c2c8b61439338da5c374ed157f4af0ea49bde46b056869c1d4392ccbc79faa4480d29e6c9153f7a7975

Download Submit
C:\Users\Admin\AppData\Local\Temp\OeYAUUYM.bat

Filesize
4B

MD5
aa8e90b50d7acc2c6fd81a27de3485b4

SHA1
68bd5e9b94d0224210c62da7853a2e8e47309b5c

SHA256
4fb8180353850850b6b927325ab4ecbc752ca6e944749ad2b7fc723e8267d5f3

SHA512
703d9f7e8030d3cf33ee5ae26e4e35efe3d9514a2c0957774eb0f159a9f12dbc9e8278227914c53ea6e89b6e04904619a55a81aee7542b47256c69bfb461d2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsIm.exe

Filesize
192KB

MD5
3b6cb25e619c181df7a78a8f4a200a86

SHA1
c7a5733de1cca09eb9bc1ef97d12aa46d4ae037b

SHA256
d7da60384d6359f5960eb45f045d15bc89666dc6585299012052755bae05ef50

SHA512
b6cc0c2554444809e2ccddf75d1848c934afae3b37fac18bf48f0cbe019460b8d918a30cfbcec29dc94c02ae8f59b74880f73f841d13d281b3ac9a0909ea4638

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsMS.exe

Filesize
211KB

MD5
1952dcace07f308d66a3dc95f941506c

SHA1
0697fc4a39767a69158bb28c2b547a722ba2ac2e

SHA256
7ff20e42840a7e23d3776e07f89b84c6940e912e70c6f8b193ca70271206d59a

SHA512
92440d17a8764e1d2ffb9c81a184ab3455c2f93fbc6cb59bee6e31c8b00ddbcf1ba8d2955337ca5662ccdabab43cf4c3b9f0e74fcec2a0687bacb79cef7e0fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwMa.exe

Filesize
220KB

MD5
c7fdf233154f6260df51b2f0b0cd4a8c

SHA1
c8b4626c9d7aeb8267a4047af82507c77995cebe

SHA256
3aa984f45c5bdc6139a84a6ac97c8bc4375358c9b84d08f5ea728ef881021790

SHA512
a55c10c003815fd03196a6bab5074e8a3b907b909291851064699f2932250cdf82206259b3d2fc6b6c6c4dfec679f631550188f24c3115792daa16d8f11aa059

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMAkYkgE.bat

Filesize
4B

MD5
d5f631610ddb72762ece3f6bbb23f42a

SHA1
295a12c32e5e9a501724ef65656d3d6ac614b4aa

SHA256
1c4e640666e6a23a37cf626c484a842a196636848256be4efa0f97321906cd58

SHA512
63eb5ed412f55ceddd50cd4a76bc9541599a25f793c22806448aeb90790408a349c0768112cbc589e27be8c4af609ffb6370c696cb1ec5330f9c9acd94ff9df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEUY.exe

Filesize
748KB

MD5
ceed180ce2837e7c341c373917bdbd1e

SHA1
3de0a66afdc8dfa52e831eaad1bcdee314cb286b

SHA256
e7fbac6fa9ed6bcf127a1a7089e16ed64c2fe01a2ee464790e8e12ac5ed3c704

SHA512
f8b8571d28373f953f46329b9deec2a467cc738e498a9383cca7c2212f9660af178049e4e3c78e3f2d8894d3cc7dade205fb181fac8dcb7cc49e02f65bf6b9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIkQAEMo.bat

Filesize
4B

MD5
4f5099de3c79c27277c109c66fabdabb

SHA1
6a64ecc3c0d28a45418d168028774307e238d772

SHA256
2cbb9ac50e386f06aab1d113e201ffe6da10dab7711710552da806800ddcd678

SHA512
1a4cda4130008f817411745a3058b60d66b3a57ec474fedf9486f467a1a83f164fa6e28210de0391eef79e3a105d61e41dfac1aa12186957f69338ccf568d452

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQIi.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QccC.exe

Filesize
241KB

MD5
d95c3b0ab8df1297f9533acc10b68f84

SHA1
8e348b37246e71b8143c255d6e3f36cf8fc622c2

SHA256
ed7acb2a6985bd4a5db6c146429dd043c9b4cbef70323c33f1cc555143d59b69

SHA512
c48c300e9021fd0dd00e787e950fc456901ba872c839e8f470a5fc90f9b489959551f8605ba5720f354206a763bb4ce4921c746d1d9ca060fdb586065eed410f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkUC.exe

Filesize
240KB

MD5
5656dc900d688efa88b83d8cc4da182c

SHA1
197b1bf59344e07fec85f82b3f0364f07ab21748

SHA256
d470d68b0fa631e11e1c433b5d528711bd71e7b23ee84d498d291e5ba69308a6

SHA512
df0230a9dbbd46844fbbd60f5cd1b3d945253d3941ddd780ef0841f0b65674c6cec346d2002ac432f07ebbe5503a260f15fa5a29ecb31e5998122ef940145a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qksq.exe

Filesize
876KB

MD5
a481486a7e1e3ab8246aa05ba8eb602d

SHA1
7a559d71d7a9d4f9856af5d651ff8e721847a7c2

SHA256
fc1a1964b5440c9dd6cb841b2a0e42ff325c90f1f43edaac032d5e4a6ccc6135

SHA512
984300813cbfffecec0980fc5c33492c42f98031401f09716ade35ecd6eea22a7165d78d6899789a010b74a87dabbfd790771802d42ed29a446f00fbcc669aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QmsckoIQ.bat

Filesize
4B

MD5
f03469a2f7b67e0b5aca112078a9f03b

SHA1
e26e8546499f1b733142a97f43c322844db77799

SHA256
f0cf19c0419cb21d33ec079fc986822d6ab83b5753bdf713d777bd8e8dc3e961

SHA512
3c9af78a50751f1f8ae500012bfa8f2d75b9afa5944718598e4f57927818885600673a290e73f6466177d75af8ea72bfa49b7b15203cab1ec74d701cc37bc60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qoso.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsYG.exe

Filesize
314KB

MD5
063f07f3f3b7f44215a701a384faa665

SHA1
4c993197ef0331a00e98557ea5591c51a140b794

SHA256
f7fe3fb7c06250d8d24158753d7aac4908f514e394380a98e3fe7ad7f38050d9

SHA512
d03e713dbfb8c7f6632d5a4924c9d547e4717361a1b40033b60aa5333875af87fabc56eddc6bd025473d2988cb6417c74f65f7459e85a46c608b14f2ee8f1bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QswI.exe

Filesize
230KB

MD5
423b8734a029e8aca5e8310f3087cc4a

SHA1
8f1455209454373c3b60c2eb37abd87c52d79b89

SHA256
33e60296d9da00214ea3c1498d8a66627eacfa22cb9407fcef34e02e1809563e

SHA512
a602b6c04a3e870c19376867de5f1356b05506da44ec0ba5ec27c6f41a6596acf183c93f6ef5723dd8f5c7036ff22c0022093cb7094be8311f29536b4e8f2752

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQUUgYYc.bat

Filesize
4B

MD5
524a5e8f759d9d1e21d596fd0902c8a6

SHA1
547e796b4f9f08e8914cb34e715af550a20cf426

SHA256
d7a4ef4781815a42b7aba9088494dbb1736fcfce315550a8e4487f1fdb39acc7

SHA512
11d26406ea5a49c357ac9aea8b6c35bc36b965d47b2ac5084b29fd31987f3de910396457570eab883995113eb3490ed5845f466db344d3085f936746b4816253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUUEowMk.bat

Filesize
4B

MD5
a4c92c734285e48c1ee41c562f4818d2

SHA1
744deb2f0c36f5b9c8af9ff117afa945973fb9a6

SHA256
f7ec4660405c75bb6c6abbfdce6beba36d01ecbe8de2b770dd536228c1332a64

SHA512
3d582fc58cd0a1c84919714d3ac066a69e279d5813cfd0f89701723bd8c6c02bf1f1765d54b8481e9085b0be8b41b728df3ca07cbbcb4d438d3bac46bcacaf4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RWIcAokw.bat

Filesize
4B

MD5
9d563b5f5f624fe9d6fb7e223034657c

SHA1
5988cd12e182234b9952f20bdb45b54f63b432f3

SHA256
357479773dad5fdb59de7e1cee3d006d17181e1f90a254bac3c52fa362d6edaa

SHA512
9896c692ca355f9b80dd5438eb27b230b4365b31ea8c8035c4e2c7728487022bb5773e5843e82a1e373b1e9d535a969e0159329872d8ec3528d8ee8b5330b416

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYkgYsgw.bat

Filesize
4B

MD5
3eb1d1a45397879e9a3d6690c0cdc87b

SHA1
c0c7c9d7057fae7b3975161daff99203ec504364

SHA256
7f713daacb5c39902503f81e40f5239bddee3d5961bdde190060046a648f8df8

SHA512
0bdb39299b9f3570a455d936e6b1e2d8a5520916776ca9aa03509d0980910adc5607d411e59eb1c78ff00864d40f49dab737df05a8b3096dcf64b55e69449c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsMgYsYA.bat

Filesize
4B

MD5
403bd305fe46c813b19040a957693594

SHA1
e49f464fd2e79223fe1d60e77caf9580e4cfdd30

SHA256
bf3520180ea530c8ba7f72c296ff08f73dd5c64a7e9101a1185b97a6effe2409

SHA512
bd5c26294d164e078f8cf32574d6d4b340ee69b60b89065e9203c740da6f9526e6566e482773047799d92177eccb208aef695c5ed45f73fd9051304bfb45831f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKscYccI.bat

Filesize
4B

MD5
693d94cbad716c9ca03b079443eb22e8

SHA1
fc83f2bf25b65185ad3028999be0abf739e201df

SHA256
a813fec3a208a8d354a47d3f511337707c00eaf5bb6e9c38bbb6ce0896efd177

SHA512
0d4bbb8a476f9c1142f7246d7180637dcdab220bb6215214bde45d0799d6e53c7a04c21e14734ca7082850855522fde06b297443752b83ee8f71f42aa775d1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMIU.exe

Filesize
383KB

MD5
cc5e2f9f66193e26f3494c11b43ab916

SHA1
51a9e290973e38ed57b42eae9c1bba7c5be5c494

SHA256
a8dbf14996cd277bf4e898b6588f527d2b69a0903279d10e6029615afcaa00c3

SHA512
7601f2cb7e2a4018ad2eac02ed585a5659f3d237a61ac3b45d3da3b13c53beb1a8e4308a209415052fba4c7fc87f462b4a972ddf5f22c926617c344a9edd889d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMoI.exe

Filesize
229KB

MD5
4b087cf2f6c0f7498c2618a90bc6596c

SHA1
79dea6cf1baebf99bb6d7c7f7f89de2b4d08ae94

SHA256
6391346053bf20a225c1351b78d9dce1c1f07c67506dc0c40abe947a65e7019e

SHA512
22a7fe3160fc28fc697af1ea3384ada341fff20e461930411a520c657ae2f5fdc9a0fe155cbad966179181c8069aeb9069aad31eecbdd5aa6c231b80ad4c8c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQIe.exe

Filesize
233KB

MD5
994d3afe03ff9c6a914eeecc297a570f

SHA1
28f0a05d3d6240164383de585005f1c828d657aa

SHA256
90363adaf09b883fe28f2d9e607a62a9147347bf5e04411e0d34f8194603f744

SHA512
4f32a468cb7521371da8155897f22f053ec43d91543dffaee3a95ca03e1106f49eedec168ca1e6c2459fb1ad1a1cb2b01d8371565054e7cf2b4ca9f982fba5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYsc.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScwUEAsM.bat

Filesize
4B

MD5
74a1a21aece3ec647e0e78f0d1c0e68c

SHA1
7912512bc1ea63bd64ffc5c275cde3b3ed16d3d4

SHA256
d5851149f61ca3d5e3bb9885d11914a0d5b912aaec4c223136bb642782a0978c

SHA512
8885bd7dd139740707d19cd95fcccb0f46c5c8554d9af05f9cd70529577f01ec06c0c1a06dc023ad7b82ade2dd098e410e93f3a2b741112f2bda2d8687c0da2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgEC.exe

Filesize
203KB

MD5
e42b997af03eeab08cf83b0a33ee717f

SHA1
6be8654cbfd8457f133d231a632ae8be13d98d0b

SHA256
b0524acd1c9ada07f139567aed6e9bac475a08a8cd83024cd99ca05d4a2d97d7

SHA512
a20412174f2c7733afc1acf1a55223b0c3839e494b55ee695308f5345f29a29d822e77fa7a8ed018cdcd0a879d32b48bf100569eb76a71bcf62d1cd4d4f84a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgMQ.exe

Filesize
186KB

MD5
1014ce9aae27c05a4cdde48f7536a3d6

SHA1
16f3a8a8d4ca5ecb5a056f0b98ab47fcb1ca3ac6

SHA256
b7ed73c8cbe86be1bbfafa8d1c5e7a0a8c009fea0d76062a53d07c8110d9f4c1

SHA512
f10ea65af81615fdb8b70e548dc10acc35ed01b02c8eae1036c802f4d1f821317093ff4ccbb08a9936070421971307252e165f39ac722b7717ef1c828ee57e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgkw.exe

Filesize
4.1MB

MD5
8b4622c666d6f66eac4057f38fa00fd5

SHA1
32e5e1fc7f7374f42e70ccb9d6eace45da378c1d

SHA256
28100ddfd8f25610862d3fbca7c5ad80766ba9aefbc29b6857bdb7345a281885

SHA512
2c84f4241113b850d466e5c5f666fa3141d9f7f4a5ef5451f0834fb82ec37cc011fca89c7796bc70f45653712de97c6a5ce1c8ccd168ad58db65138f41b9e70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoQQwwco.bat

Filesize
4B

MD5
2e083d9ec8acb72d259517a775d57871

SHA1
ba8b1013b3badcd31b980f17f23b5fbb7ac7da6f

SHA256
1fc7befa51f9ea928f4f224e78bbc57ca5cc1989f74848803d75bbbeb1204b84

SHA512
006590d0f1a40a04356e2b1cf8dd42a268d832aad07dbb3df7f38847080ea7986bf76ab4e8d7447f9adc4c53f1fcdad2fefcbc02cf43fc346ec1ec25c1eea46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwAwMYYA.bat

Filesize
4B

MD5
31bb43282e94ad13d747fcd2510de010

SHA1
05274f78122b5d5fa3cb2bd1c74b7eb36970b6ac

SHA256
e4a3f59f88cab6521cfd73ddb46d2e11e32f8a84f6da35cdcf7812f0852e85ba

SHA512
85a552d6cd4012da4662c863e052a98dcd5d6a3f28d1cc9c7d2f85e8d4de55f39f230cd8a1caa3a72622626331842ea8170569bb8e3366cd5530f8eb05b6030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUQkYgkM.bat

Filesize
4B

MD5
7699e518e9ed894ab318279688ec34a7

SHA1
7940399cce8f679e01763d37aa04271a6a7cd700

SHA256
b6b7b4f27cb2169b8c7311249ddc4f3f4048340a8c7daaa7aaefdb6a5162b309

SHA512
2c09ce129ef485711fdf5c4713bb476cff578eba540a32553ed6c55d7a86b4f0c3ae45068f650401b425d723380352100aea84cf5a56afdf501e578b36b2852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWgoUAIg.bat

Filesize
4B

MD5
27a73ab1959f16a01754cc55c1bed762

SHA1
b9090959b4fffd42d63b16f089302b81ded08082

SHA256
a73dd6ee4354fe23a633d8ff113510bd0ae6892f99e7dad01870ba0bf59f990d

SHA512
bb3551befeb3390674b5ab863829c1dd12b0678d1f7bb5df3d133ed198596d9f399674da76e7be71a047dff309ba0150cc85c9441b0bc607fe4e4d7097d0fca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeIUcIYA.bat

Filesize
4B

MD5
5c06945ad71122ed25045389748f0bec

SHA1
b08270f9fe20bbf02dcebfe1adfbc06356fb2da1

SHA256
ca564a07e65a64b07ccc2165fe3ae495630e32dedca202f47053484c84bc62c6

SHA512
61586649a7684b85cb98892cd4cdb8e230f8e6234b76ea980956c15a7d7899a4335f408863d780557e1c655381e89bd6d0b1ff2b5376271f41c8fc2ed2298464

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsMwockE.bat

Filesize
4B

MD5
f5275ed68ca30f6d002762653489ce1e

SHA1
5debabff2b1f2e28ac4a0b401926daac46ebc496

SHA256
67546b3fa79ead179dd129b2f99754fe66b24916db630591ec16023a905c425b

SHA512
d3e783800f00342fcc85babc42188405ac6d3faf9d8a77114cc5caeda80975096aaa6dc018b10bed54a77c32996deef0e469772c0a73f6d09d06f77d9bd598ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TyoAQIUY.bat

Filesize
4B

MD5
9e893c6f2c5bbfd3260b188b1ac93a33

SHA1
1736b5b8da177959f2bba46ecb174fc48ab5e3e6

SHA256
90bad47a29f616f3004fa5c48f61156aa68d470b3671dcf43a84e83828db3a55

SHA512
6bee387cfbb4831bffc89ce0a1d242b7b057e1ef4f28d66cd64b1adf444b0ad6d53aa3e66a032f587624e273d32bed5d5db0cf6b38b2a62e65361c6ae5d7d6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAAs.exe

Filesize
229KB

MD5
39bc4fb43397094c2cfaa6269ff22203

SHA1
655de3a1a11e2c719be7ad9c414bb3df21b55b69

SHA256
5702cf47c7164af7b98466fb127675062c5b14e5157a5d7ea64bc56201be03cd

SHA512
aa9cbc901a91dd169da2cf1153f50a5dd17e14812b050a23ddb4a54996703024fc46c7731bfdd361ef0ec36fb9dd8fde8dff99253743b21f73d2f802be7a5af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQUcgEUA.bat

Filesize
4B

MD5
7695b3e786063535f0a3d1283b3400df

SHA1
a8c419f226313b8c421cf9440d5f616c07934b59

SHA256
7711c2167ab0d4b8dd15728aebf9d96da90e58f8816f00e017c6f28e7527c1ad

SHA512
4d60064b75107aa3a4ead76c9ac54cec2125aa347f271a39b485a56790ed07094b19b813f81a2b5d4efe0cc612f00f265d44602bbceff9639fc517cba2798781

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQosssAo.bat

Filesize
4B

MD5
caf0b0107cd7c08d48356c8cb56df0c8

SHA1
4e248e298f80ac21d33e737ae7ac7a5216a634bc

SHA256
8065a6c3a7524ccfe1f400c025c9b58daafeb1dcaf30e9b1e67ce892a2f0a635

SHA512
94482272ae518fd30d8841da613386ac313f41ae3e4fd4fe1e73dfeaa48b746f646e9c50723730acfa391f6007ca172a453056d8cfe17066fe1d038889266e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUkAcEwc.bat

Filesize
4B

MD5
98ae1be38c28cb0f9cd40662b6a2b2f3

SHA1
aec30f880c16ad13931a159370d697997cbb7594

SHA256
e29e3bb91d2b362f05a7e2749270cbf02be817180dc79ea195332d4c261aed84

SHA512
8fd5b1ee85737303a0c1dd1d98f8a554610c48c6ed2c0e3ad40ee8f59a29b9eda0c364b431ee7f26f7006aa2933d7a9907ee42e8439a92710e5e71ecf2492fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UeUEUQAs.bat

Filesize
4B

MD5
3168e4bc1fc8c89fb46dc16b11a56c44

SHA1
b50ba5fa7eadde256df2265aec98ddf69518d581

SHA256
382a4918f32a7bb50b82794fb043e9e46f9e953df385ca60883e20217742d15b

SHA512
56c5b09444d74c4082486c03cb07271f6a14088c2bf0c388d5285e2bd4124d404796f0d94ca601856a314795b5022386e9904b23b54962e28fbdf23784a97dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsYU.exe

Filesize
243KB

MD5
bd7eeef4c99c5c3f2158bdb92b79b4e3

SHA1
71c364f4fcee60d211763b6b07a7a7843c3519a6

SHA256
a5f5632ccf00b82857029a73342c9f3500923b0f5ed4fae268360e0b2ea547a0

SHA512
7f669953fead27dfb095b66046f4e825783b9338bef936c513bf8342f2dc4b720f5cdeaf446c385259ae1fb354996cfdea04f0977150b12d3618362e74660cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuIkIcgA.bat

Filesize
4B

MD5
4bc0eae050f3d2547cec9701ba00be02

SHA1
49be05e376be0f22c73e26accd567eb0f3e4a6ff

SHA256
700df2e12ec1d63fdb223371ad73087d3e5b5f081d5f48f764609a1bf8494991

SHA512
691c1b2af9e0bea856d3fc51aacd42866aaaa99d3d62994ce8f476582dd0b5430b3876c21cd50970cc6429eee4a1a44c612c48e6a081e9c30b33a4ac27d4eb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwse.exe

Filesize
232KB

MD5
fa80cdbe013796ab80d34e016abb4746

SHA1
8eeeb99e5a9a407723f1dbc77f86e78ac4492533

SHA256
8c02a7ca1c99aadc0ba9889b4061581aa7c414ad1ad31b70c14a5ab0c9ae4ab4

SHA512
337d36094597878668a4bee2b33292f002965c6be9d87f884e52b72a4e51872a78a8621faaa100860b66058323ea4e8a091f089ce2d772b435e6829afc5597df

Download Submit
C:\Users\Admin\AppData\Local\Temp\VKQwEAQs.bat

Filesize
4B

MD5
cb9c4ac95a8e0e50af025838e8e87e76

SHA1
cbac26be87ba7a573ed8993b954e4dc58137185b

SHA256
7d13feeb4020e59eb04d282c655f9f9a6cb924fd75004df4cae2bf1f3a06f523

SHA512
39da4566711a68316ecce71b4b1dbfc6434a85984f3ff33c42fb7a5f4f3dde8437212946609c871163ae3e4779047f514d5b02ce1e001c2a1e4edd322e5cd7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsIQokQQ.bat

Filesize
4B

MD5
7f4cad10164068842babee153ea2af35

SHA1
00bbe50fb24f5f995f44a47a239a5a64e5881f13

SHA256
c42cb0450f5eee13f7f24a78713889c968595c8812e22acca457d230c1fe0c78

SHA512
02009c6f39a24f08a56b486d092b2af67ee7331f9522a60c024a196d19f30111818520e97f5c5a485fe2555a65a8f6f78ee8fef5a72dab139fca5db6ab448938

Download Submit
C:\Users\Admin\AppData\Local\Temp\VysEkgcU.bat

Filesize
4B

MD5
6f361dc96b24f5f7c1ce5c92efd13543

SHA1
016031de78535af155bd14dbe2b467bfe19fb829

SHA256
f5ab4531bfcbc58e0bf86869a8e366378cb82addb0d063e6d0fca022b75eed05

SHA512
4598fc997cf571c91a11382657bf8c9aa78f930951ae45d5033ec3de08d0ec372d8010035f057c7ad4e5464747555d0baf3c59e403fd09b39890dffe033ed2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOMMocQg.bat

Filesize
4B

MD5
025038de5d5d77d6bcd34d0af79eea5c

SHA1
0704241dd184351eb48d4ace049bc44941ea56fd

SHA256
27ce60a42f55bb37eaab08cd02cdb94ffd458e6b8ee75478f58e9d51c274ffd5

SHA512
0a9eeca601d6d63f6ecfc62815385d37ad4ebf36f926aae0f808388ddccc463ed9ea08b91eb26521a25252790da4789fdea2d4ba894741e20d88b48974576a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQEY.exe

Filesize
240KB

MD5
824e9a46d3e0c68994b0b7ea6e6feb8c

SHA1
76098894fea722257538cd368c351138ccc01f77

SHA256
200340b5ad14134c111bc4d6d88f988737b553eccb18bcbaeb4734400dd00495

SHA512
91fe1665220a670c7f747014631da047e701fd9329ed5eb9c523814923fa3357325524a3d5f687254447fd08cb1e92d54c5457b23a6af1cb549474016493254e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQMcsMso.bat

Filesize
4B

MD5
f352915954f06033e0ab4c54f519c517

SHA1
5de24e29ee796df73f0f89f93801956bd046c3db

SHA256
15db958fa36372182da975d220988c987abb6e39bbb8ac870a3ca94643343049

SHA512
2ed8acc32df0c2bb53a4f3be1287be63ab7947ac9b2fa61edded4ae29a31572628289484462dd71f1ed8f70a6de5389201eb6e1de39ca5bc6c4ea287f75c81f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQko.exe

Filesize
202KB

MD5
f26832a55c0faf658077c3bd4f211ca4

SHA1
ce443c6cf8fff5daab7e876c5068e2aebc426c67

SHA256
a6b1fd0a775063a479a1f30ebc775fd4021efe65534e9b3f0886a5a098c87da6

SHA512
fed6f784098cecb145aaeffcb32682658da748ac97bdbb9e3df2cf1e9f883bf90dea9f182f439f4d9ee53484dd4dc234e493b63851b725a3297417e207d6f708

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSUQIkEE.bat

Filesize
4B

MD5
125023a3624445ce9906639bd7aa2eed

SHA1
c0207486fe38bfe6149fa90d9da48be2c0505fe6

SHA256
0a178ec7472ebb1094bce4fa8f52498586d02b7cfe59131671d321abcfca7384

SHA512
21aaa2a164ed17164f41a91318d386d4ba24ce22c7736b86e0eb9fb772e5cc8ae0635bbe6e9d38601a0efb603aeac269a32a3723322b865abbf2e02be69ec500

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcEu.exe

Filesize
206KB

MD5
2fcdc290f982f8605781da8250330208

SHA1
a48c5dc0a51fdd4add8264db3f942f024b3d67ec

SHA256
31e97c3586c1d617e668669e27dafe50014401f73bdb314dd2daf7f7f3e50148

SHA512
5e3cacac246ca1d8a558e41cd03c9856bec524de3bb4f3835c81aab1cfe3276d0c0ce3b66481a3fe27d6347de31708c05847108aab50d75b2020687a323c3989

Download Submit
C:\Users\Admin\AppData\Local\Temp\WogMIUIo.bat

Filesize
4B

MD5
51cd0ac1ba5f8225e2d165d8f4270afc

SHA1
39be78d9131da8b7753d6429c33abadcc4b9ceb5

SHA256
876df72356ac1b4587cdb28211ca6a384cf8d57c837e9a1b0497d1c994dabd08

SHA512
e9ba0ccf41a949d2127779e50376e5b0b4f166dc6f6cd64841406262b6c46da882a9deb9501c1338397b4b075aa218ebcf0ecb4aecf3db81896c1df6c6e62dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsIS.exe

Filesize
238KB

MD5
47050d2570e6e010047c1e6363726d09

SHA1
0d6d488575cf1d015d4f579ae1337f7c1fc1769b

SHA256
2b6fcbdbd6d9ac2562b54f96d50072ebd36e5730454e02b1843537a6686499b9

SHA512
3dc05a50e1b63063782910df67a3fadfad252e5bc55b03d9a4d4111ca825556ea5dcfec84c13c1dd0fe310337684ca4de411c840844fbf095ef63531d6563118

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wsom.exe

Filesize
249KB

MD5
c029e93925a1e7b6b0c39b7bd53a90d1

SHA1
6ea1ce5af2ac52bf1175470a7ca677d7fe9d89d5

SHA256
d733f6c3fa868af0679449374f1ce7d1e46c08f8df0842a7ff3496b89de42db6

SHA512
fda2f9803c2798609694680e4ccd2db045b262cc4c573ba1281c6009353fc07fcef63347abd61cb7e56e853b155e6a41409feb59df233a83616ed92386902a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwgo.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwsG.exe

Filesize
894KB

MD5
38ada360f3df07c55b670fe663555663

SHA1
ad16abb70d0534ef89f81f11daefe67eb55ce8b2

SHA256
8d9053e3f5cf09fc00b40681e0f6bbb08f557bce0681e72910799e8f0e6da12d

SHA512
cc682456a9e6631a101c28944a63cbd5ab350aca9ba7e1ee82794a913da9bb331b17154c64c21609634c4bb625890dbf057715d1c0519adb366b22d05115c4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WywwYIwc.bat

Filesize
4B

MD5
5262b41cf55e3a8f771919860a88e177

SHA1
58c7140b222230190e1c5fc6c2951870a434de12

SHA256
10c1374f82c398a8cd19a67b9960c480e8ff5b45590ad3bbf1a84df1af8e0beb

SHA512
9e5d6eb4662ca53d20a830106cebabd6ac89392bde3d65453fc216ebb0c14bef5cd0e2c072d5b72cae6ebc0cbb55efc4df46ef50b63802b784e1510752ac079b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYcogAMs.bat

Filesize
4B

MD5
62b55f674f3ea8b6f33027ad6d2c003d

SHA1
6bfd915c5d378fa23bac727b2e79c3a48a27be1b

SHA256
1f1e83f77b25471606035de3feac131f76aba01dcef5a5cb45a71456624eb16b

SHA512
d79b1e3462968cc41e7051c2b73d7107899666f7a1242446935b7c1e65ea6729e872cc289c176776b3f67eb4268b69472c30b1d0cf1f45d662b289e46ce2da33

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgwcAMco.bat

Filesize
4B

MD5
94c49dc4aa11e6373fc9619f6010ceca

SHA1
aaadf5f3e7242fac1f4c92efc816376cdd81a59f

SHA256
7288458c38ea5d4d965a52e80e19bf8699267d3196a2aaca454d0327598c579b

SHA512
4036becfce17008edb0ae5dc62967009c2c75672ba2e3680d0eb1371d67acfb99f49996c1eab408df02493e750d4aa88262c667817981e011793b43fb9244db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAwE.exe

Filesize
1.1MB

MD5
3be7c08be809a67c8f323a3c2f042d67

SHA1
3fcf321e3c50d93fa5791464f15a6fa166d4d121

SHA256
2825af7d3f0116a996f52b456d2e30eff5e4a534f00db40f901dfb5f05146c20

SHA512
31da6f02066b55e0adfc2dedbf858bb528ff1e536a879733d1cb4d752e007cf8f12acc8c2505df414e85ce5d9ca6ac797140964a63d00bc81bf1ecfe2c6e8c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMoMAUYg.bat

Filesize
4B

MD5
28821d7d175e26d0f0b324ef408a6b2c

SHA1
e8241e4bb256329c529c9a60c70da759b6f5411e

SHA256
8c8c6a63a76de2a7e58cf2421782a393090065097a2555aac09bbe73eb4c4dbc

SHA512
7d086ed02a6c1543e101fa5833e0ef924e43036713948354e99c39df85e7abdf0689d70bac9086def24af1fa2f34fd03cccdc7fbf265bc11e571415119886d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYQk.exe

Filesize
204KB

MD5
1449b6cd05905e45e26fc71e1d25ce72

SHA1
f4bf94a1400767919639037267e76ba63d58f0d1

SHA256
5e76c859900fa3acc3556540d39b6e93e935529ba4cc682ea713b9bab234bb65

SHA512
b46f0143be8a959b7d5a7b554f5c9dffc20addbd053be7a1f6e9e557e17f3b23ee517be00d150b8cbf499a9fd1747c067bb05482749c1e06f5322399f8d08aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YccAwYYU.bat

Filesize
4B

MD5
48a8ba30aec9143c19998b9230596eba

SHA1
a627968661863aa8a8863d4f473780f6728be584

SHA256
1fd2a9f0742a4086d63f87170468c72121ea2c4639a0d571ea3131ff23fb6045

SHA512
8880d98d34375162a7617e3dfc4637f430bf8b7af487f8e7ce5844daf4a27ece980fb6b6fc86c8a6c75a370f8a6e68ea10ceef754f005ab9336a23350b0796d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcwsQoAU.bat

Filesize
4B

MD5
8e1b969f2494dc0b67a8b6133ca856ac

SHA1
19fa5b58c3fff6c7f01ec813bd0cfb283b7097e6

SHA256
f7e89631cdb0c192f7396e5b7c608bddd7346899c9c7bca33c8f8d97633cceae

SHA512
d6f8746b4af795e1f2ab67de3d61a024ed14c80f9b1832e4d0256f919e2d0173df7227e9dbd4b019f9883c3679a22ce3ab851138770ba5d92b6f9516246710ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsAE.exe

Filesize
237KB

MD5
ff6057100642e2b518acf3b86eddecfd

SHA1
7970f3a5917a631a9e2f5bd859d7df696caf2677

SHA256
795a5168deec042ba091e962d8e2012b9717aef1341cc0f0f7e98df6b2d08376

SHA512
f6c876eb4b86f1c791b37f1844365544d35671cd95420c4dc72cdd642e496a553e934dc42681a96c1e2fa9c1c433b618336e4cdcd7fffeb91a266e6152e48752

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuoMwYIA.bat

Filesize
4B

MD5
8fde01cb274e207c22f9a9a5b6e5ad49

SHA1
8b2022fe62614d5bed0ba95bc01b496c9061b476

SHA256
526246570f731f9bd05f2496406490aaa215d27eb7777f12094c00e20926f4fb

SHA512
8cbc801ddab3479f1a6a401b077421de571d87937e33bb5b5f9e834b186834b1fe1f35bb38a4d52d8e711afd80a0ef6939ae5952ecb2ca02d7e1447183a9c1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwwQ.exe

Filesize
247KB

MD5
d5188107ceb47faa08e5c7518a9e1d2a

SHA1
174bc7f2c6d6aeac31dca385cc8a1b7ef531827b

SHA256
b9af0e28c3e7409852bdb86733118c496fb9a2810c4093f86eba4887114997be

SHA512
9770a62528ec045d86f5bf5fad71d82aee480a736a0794f417b2173ad1209689b845cdad28caeea515cb131f6ed9f9dbb82275befd828a76dd97a830b0430684

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwEUQkow.bat

Filesize
4B

MD5
bf57959786e9e095db6b5944cc0179aa

SHA1
409af718c0942d5867c68472bd641d0778e53fcb

SHA256
0184a865b97b96923e3f2c5f59dbb766e23b5d4a09c82bc5e30f7e2b473ee332

SHA512
36b529e9f5f25437a484d29eb1f5e75eff90bc23b1336af5ce0ac30784bbc71ee2e72bdd1b6f659389517eca5cf4aebe4a0f9222e56406fdfd5ad09110295333

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAIa.exe

Filesize
233KB

MD5
40c866921d9212824e238cdd53e8d7e1

SHA1
b8b89b8a73dad2e024f2acea77cd7f0590e21676

SHA256
37f611a264fe6df88dbc132ceb991f30c8f052bbb0bc47099f1761b9359cb095

SHA512
6fc7aa7d3c4df205c75090786f5b44acd1328d3f0493f4fbd9b5bb8eac2a4b763d75500ed2d4027ee127967cfd2b1d270083b695a6cbc3618fa300a31f908fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIMk.exe

Filesize
193KB

MD5
3744d312b775092c838ed65228310887

SHA1
90ad6890f12e3c29c02317499e4cc65ab33bdb4e

SHA256
43a3df4d558638a49d324b06c2a85961fc18b7e50617186b2051f5f846056af8

SHA512
863ef07651d6813815ff0967cf86b39bce2d28e816881a58fe35be02cec24ccde31f80586d5fb8d8320c27983f3bc2e5a5dd4da7b835032cfc1c29ad8d18783b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aegMkwAY.bat

Filesize
4B

MD5
3d405b5a6205ac262f698ff26b8e2f19

SHA1
d668390a4617799bee94bde529b59ae4d62a5d6b

SHA256
4e660498a459c52dc08afc7c86800990c5946f2711d399e539f46df970115187

SHA512
b402e5ca2f91ad1dbac1ea5c41baed08d2109e0daaa5440d614f1406591077906dcaa9827f566870f2bc819d4ee89561690504dc16075c4703b2d94db30e0b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\agYI.exe

Filesize
234KB

MD5
3d51282e45881fad06f228a90171d70e

SHA1
ed571c0a7db0312b8dd8619227639aeea98d376b

SHA256
cc350a0071f100c3ca2651965bddeb029a024725079d72bbb0d784b186c17990

SHA512
2170d620acd1bec3dbe5162433d075158787bf8d036583087b59cbd5adf72fcbfc695a3f9462b4ad7a88a7328f09b744cabcda7e987a4a8a8b242248b9af4063

Download Submit
C:\Users\Admin\AppData\Local\Temp\aggYcEAs.bat

Filesize
4B

MD5
82b2418ea9cbabd644ece74cc1492e24

SHA1
f1df1981c793d91e96687bd32898e729649c9a92

SHA256
d2e52983bed7ef8b5c0c0c3abe335e5153301dc16aed1ff3e5888ebfdc286444

SHA512
854b8aa6f8953ec15a5b39d76ecca288a4dc65caac2c669480d650584b443198521f8902199126d569f9d29022630fcec312f0374d0de9e79d23a185ab2bf68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\agokEIME.bat

Filesize
4B

MD5
284bff5e4cfb1dfd9b819a926d96fb04

SHA1
b9338e48798f49b07899082fd871b9a51a8e3a8b

SHA256
96ea8374241bbf3eccc9c362076a35744014c797b68e586f6a32becd99145db6

SHA512
bd782413b0e414d280d66fb5b5bc4b5a826b2e47687569894db4300e84ad3b730919c891495d86d3f40d01b36908d1c36420a235fa34670378eeb294ea65b4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aksu.exe

Filesize
242KB

MD5
493c80cb8719e0d3a320ac534102df95

SHA1
e0d8efc11e9584c1c2165a084e09c57fa917efb2

SHA256
eac226691594928a119b3217a71597baf8d346082143d66b7e072b2ed92aa21e

SHA512
4320da3a445b60c1f79523a16f000b0481c8fcf2422303c9d464352e0acfca1312893b22d71e36766462f64e307d46110404d9074f9f9e4a082da3e867fc71e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bOwsMAsI.bat

Filesize
4B

MD5
eb37c1ee070eb36cbe20d7160e472321

SHA1
b669da17ea4ac7301a782932d27d6ccb407621ad

SHA256
f0ff749dd7271ce2e77351704f28d901b562d7672e2e3ce4ab13987c30861342

SHA512
cfa48eb9a08d9dd1d2fe7730b1968de2d15662f7525fb31d4f10d3c9b974ed8bc6dba00307bf093a1f21aee18170007a5a28a7d5fab67da2b4a105e3082d3059

Download Submit
C:\Users\Admin\AppData\Local\Temp\bWAwccwc.bat

Filesize
4B

MD5
d3c928a89a74bfade7f4ad1bf1006b90

SHA1
da90599d82e9352c932ac031c0214ea809ac97d1

SHA256
23459c420f45aef7d8e2ed4a6e4c81d049c5df1a925be433eeeda8775fdfd881

SHA512
2db9534850a46fd4dfdf9b4990d5eceb2596af273bb20ec6c194a564b65e5fbae61351a91936ea22379a033ca8d97cc3ae28ecf22752d809c423178a826fb27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cCssgcwM.bat

Filesize
4B

MD5
bdcd2b537fc82e69619e6a7035041124

SHA1
e41e4333f8e30288952fe8c1fe6d64394109b76a

SHA256
2e75753a69e3057289553fa8f245cc951f61a730f577ffe6fffbed8cdab3db40

SHA512
061c063ade278c55703b6c5b14c7790ba10827fd13c9114054ead990a142449b80a5da6725fa03fce1b5619f27bb30eb0ddcf73cb5dda2dc642efc2c18ed3eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEAS.exe

Filesize
185KB

MD5
198914714a3d2341d11e8fbe8cb55b21

SHA1
abccef64c43a6830e44e4812a7d422743f25e179

SHA256
9cf45d2cc77fca53676fa2bdbe43c25dca3f1bc1a7c10f4cda14c8c3b722ae93

SHA512
1a3dec92361a473b72c5e5dde8b4f1d87bb483af905dc810ef57d358b7d7a9f82716e85cfdb33f93fb445b9f2eac1117d9bceb833ce82de0dfcee8f457efff1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEUw.exe

Filesize
830KB

MD5
5f0ac8fca9ec98b8e38b241e30db4888

SHA1
79e09d23271ae546bc80fee15fc1ada1f779a1ef

SHA256
26f5f6e181bd6c1942b81c9ff1368569ed8d7f8b170eabd251010a8e0b109cb5

SHA512
a8699b0bb701473802eb0ab71112eb190a00ca908df32cdd336ce88e2d0785e6f827ef435037ed51d6e73d0d4a71df4e558b0897f0c64033aaf10ebf4e6e1fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWMYcgsw.bat

Filesize
4B

MD5
a30e969a5a35e5c095981657dca879f0

SHA1
660fc89efbe89368206fa7d3c6d6b2bbb2dff183

SHA256
95905f930e2fb30f1dcc144af72c22d924ebe9df965d8fdf603860cc7a01a5fb

SHA512
8bffbc0739fa993f92e68ad54cb59abc9bf6700b3f0f8ce56be96ef3fb41af048ac5708d4b287c41215bd8bf2a5b775113c80518d96495450bc0ce84d2cde2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYww.exe

Filesize
231KB

MD5
bf6089a82787870791b0802a121e3784

SHA1
3296fb81a61b4a9b581c1c49773a46e6f5358428

SHA256
cbaf590f9d7f03c866d3b9ad7e3e97a6bcd29bc7f96780053165cac33c6d9668

SHA512
596a077fc38d4092b2093c887048e1c310a428f4f7c7647e8bba29f22d77298bd673494e27743b3c0aac90245d074bbc9854f36a678d9a3158036b0827926997

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccooIMQg.bat

Filesize
4B

MD5
715dc72b912ffcc1e666c546e97dce51

SHA1
03b4324d10deb90c4e82420b3e4530c6da9f2005

SHA256
fb7733821603d2ee5b4bcca269f100308ac3f78c4e65c147f41bbc8a3789294b

SHA512
2f834ea441bee35c14f0c458bd5a67b2230e27b47ff7fd5fa968f6095ab9f20d959f54760f72f147548301e9c919802717fdfa9dd97c810161437accafa6c08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cesYcQko.bat

Filesize
4B

MD5
c031842f7b95ba3ff3935040e461bd0e

SHA1
364b74c61c3113a92801f41758a8797e9a7898f3

SHA256
d2420aca530c4ef17014820e1c2921ebf6734eb4c72b94bca107bbd583599971

SHA512
4c75a740bdcb51f656c17611b5ef54df0a108224543c70842be6ec77dea2eecb0889a36c1d6434921ebc4ca9624c9fda1bd2d4a10b6e7407db610cf51db3a0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookUgoI.bat

Filesize
4B

MD5
e3e90fd6d2a7c4661a1a3acf2f60bc6d

SHA1
f3ba4d993e2dbcd87a6390a0cd67e6eab0b01a18

SHA256
03fb94180aa0ff2c583d97bbb1fc6d84a6ba7df5bde3c267459bb9a9b8c9841b

SHA512
ddc39b5492890350adb48937428a6c6846ca0f3769f68946c05156c624cb5e1beb1e9dc04c94cdb1384352ec585f3faad0abddda79935005f4fd878a1b3cc940

Download Submit
C:\Users\Admin\AppData\Local\Temp\cooq.exe

Filesize
239KB

MD5
58d69f5f0dc73d8eff4a250f453ab623

SHA1
fb15c1d296c510ce5a1100002dad87ec7526b343

SHA256
39133849b458e66395771c2e1d57c2873a77359ee5281ebb8a38f0dff4e1a7c0

SHA512
a4370cea641abacad0a7f8e02df4812e4f21210e1c039224f830a93e3609762f86ca309c3d493a9e4c89713b7e604b302e9e87046f13bd8a45c544515413f24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwEQ.exe

Filesize
231KB

MD5
8f8252828d802d08fd044c77489c0d3b

SHA1
7a4ade250d260ff47b2add3072326042d01e118d

SHA256
0f5c817c7663d04b4736ee31d9e4639a4a2b278212d0c05dad86c85883910960

SHA512
d342949471a4153d965e8fc06551ce8e15cc166a23fc052b62e9b73645919e984d39b80b5cc81d49de49c3f990d6ea47521532bbb9d023ea0685092ca2be1246

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwQS.exe

Filesize
201KB

MD5
1058f50bfd95c0b76b4ccef09c2f9ee2

SHA1
fff304dba57a5d793c124434c7e6c257b682047f

SHA256
3b431ac85a8eceeb92622ea391498d8bc05118a4640657148481b59e6a18339b

SHA512
5814e0ae484382163515ff295457d4a0d2eb015eb56a0d10300b9c6ab658029d15a4efbe72f03d9a3f9190da39a6ac6bfac2c2b7f74bf653223eeec5c8447493

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwsy.exe

Filesize
637KB

MD5
fb1199dfa869b17ba5a8ae192132d00a

SHA1
e732745c19d137111ad9e153bd64c2b772ce5420

SHA256
1014723cec44adb0810c40af49d2e357402b4b9620253270b314ee107d817973

SHA512
7d51eb1099d4db40154121ac819e62ead4c0a43b6bda886096bd64c9791f9f569842d8073ba4a37b60dc9427e0edb08c69dfb252dbe3847402c263bf99bda47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkUAsIkI.bat

Filesize
4B

MD5
288082a90ca5fc7a4377a87c1bcdf748

SHA1
7349238cbd93ba6c0e4960ac0be627c4f487e275

SHA256
49f528ee59f83c35dfb07052882646451ea64c6b766203de7c9181d077feed17

SHA512
a3edd22e1961d4b5ebd7cf93bf46b45d477572a97f7137a5c2c7e37963ab22dadd9b9e417962fc26b86db0adfdb9c770afc55e14c6a8be4f3c844687a9b5fef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dyIAAogY.bat

Filesize
4B

MD5
65513e6185505e17cfba763ad3ebecb2

SHA1
31c406d4890f23fe65b6053cd2dfd13391c95f51

SHA256
77499fc4ca699a139a362177e9558c4b8a00ba8654070c95ef0db4d78ed588cb

SHA512
ba7819fb1bae568298a6bfa5bab98fdd3911c660644b7c2221365e9cab349b7bb087b56cae9e52a466c9bece3e3f8aa1b536e4d7918ef31efb8d2b0df855c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAAO.exe

Filesize
232KB

MD5
9fa822ee624536aa79f45b2cf5770447

SHA1
3b8e1c706f6aa8226cf2789545d5a7367cd44224

SHA256
65de12a52ee17410f1bfcaa011964a39e132018a30bb0a30c7741f6647c02dec

SHA512
4f0ed4b355d32fadc6758eaba174c0b97a25951ac37b4546a54e08f040e896f5da3a32d1a6fffb76eaa63c82e355c3df9d52ef1fd9b9120d6eaef8704ca51a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIUM.exe

Filesize
632KB

MD5
777b7ee9a487715a37945564be67ee89

SHA1
bef41b1cd21fe4d95f489b9d09287f470a775252

SHA256
7e426617abb6b0a4656975392c678ffc39ae48cb04e96ce39616f1e51e8d1c20

SHA512
e1b2af10a2591167a51bfee24d9340da2be81cf7b08e7e5d3219a9b745a553a49cab86acdfc77430db044f975f233239d5ba92b8892690c8f9de22367822f4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQwa.exe

Filesize
636KB

MD5
ad55f77c96f81c4bf4393ebf2d583ba1

SHA1
770f668d2ca48f7f281cdc72557dfa4fb92e7908

SHA256
d7f7da93bef2c1b30eea28e91a7b2614cc773426615e738ed63c42e5bc95fc42

SHA512
dca3f1532cad000662a5993369f6d697cf1a11263b0116010efaa70db69001ff640dd2025e1514ee7dc494538ddd52ab9efab00204288b633c68edcde5093c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSIUoQkY.bat

Filesize
4B

MD5
ea2a0c6f6d53f056168b742118e631f4

SHA1
d4db7cba6add67f554f48552e8434212d6483f01

SHA256
ffb7bb7e273e3119fd1eea5530aaf77ba48dcaf6b27fbfa0629d48e0dacd694f

SHA512
44e280902900a8e3e9a9d1512b2621c6cdd924feb272322dafaa192b58d9e8790bd0379e9144ee267c2c7987f788df21dcf0f4fcb5bb3061d9e301dcb4890ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUws.exe

Filesize
228KB

MD5
5a255d5f4e80ff8723a89b2544cfb68a

SHA1
f5cdaa80466613b02dcf3ade9e44ebdd9f5330f9

SHA256
655d62d1ddd230dabada8e71acc70e096a49843044d327144c84a07d91fffc74

SHA512
7cab587a8a6776f5eab35d88ca9e39114495818c22bb9b0cd69cb16d5c21273499c8ef4c0b1da1728e9ccacbcbc145435e1a8de9351f1c26741b3de86e05ac27

Download Submit
C:\Users\Admin\AppData\Local\Temp\eWwIYQkM.bat

Filesize
4B

MD5
a2851670825f1f0c914e74d58c80370d

SHA1
a7b9f84c0f7bbd88a3c948a05b323c6259ea78ee

SHA256
ec9d7b057f1f45771cd01692c5c8ece1b7af4d9fe2017310ca6c1290bb71c284

SHA512
0dae2e6a079f6f09f8d8ee0aeb3a3c3f38680f6894e871d9d9c67b67a5af26fe3b33fec8e0a312fc2b105b5cfb182254013a21d9c37754eaf2891aaba6e97b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYMG.exe

Filesize
253KB

MD5
000732723fa92d34a322111e61eaa27c

SHA1
73238f7066c0ee307b62fd762c6f7008d424db41

SHA256
bf179c6e61254e9bbe6b08beee618720c5781880965de4964aa62b4ab2acd809

SHA512
ba94d7307eb7dca557a3d8b27f398073a572325638350668190684cdd4b246d4f05e0e97112b671f2649e3c6fe72c686df65f50d2dd5a7aa33bf229fcc3e083a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcsoQYQk.bat

Filesize
4B

MD5
65390a3ed8e238e1ee7791bec5d8ce66

SHA1
6c74bb1695e0766b88b68d6bf76608fd751c014b

SHA256
1eb7452b5e514a00dfb29005e941323917313d5bec345a59ad7b9977e74e5ecc

SHA512
d610127e109bf6ff4d58a48f645c0e276984f6eec22aa9eef651dc6b6d452d2155416d86492ef9f3239c119ccd92200ef6989e187fc2ae04d0109c591dde1e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\foYgowss.bat

Filesize
4B

MD5
9d81c1de3ec0d136c6b791342b2aa749

SHA1
fbcbf3c8416b4822f031b928aa08765b1c41099e

SHA256
c345dfe793df62a196bc9ae460a8f1ff8124a3e9475296218aabc314f1a82911

SHA512
94fe14e4824037b8e00d5f6de3e334deffff6f950f32d20fa06123b36b0bfd8cddc31244f0fdb17c4acaf280370e645aba389047561ba6ca1f8b1735cbf5e08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fskEMcEw.bat

Filesize
4B

MD5
5cbca159dc7709e270acd5b26d2e0707

SHA1
364944444d99a9993c94b61d6a6bdd55bc65ec37

SHA256
b63194cab2a19721d161fa538f07890e6d20b12423de2daff9b139d0e2e1a578

SHA512
fb4a0d065d455d625226d6b22c097523a5d6ef8fa377c8d1b2c182c0d9d5086a7890a071d3f0539f84834c66ed435fdb90bf556b85f36970c0fc7509714e0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\fygIkkYM.bat

Filesize
4B

MD5
e4d5ead989d5a30fb843e2ad2d736169

SHA1
98d175f6c99ffb5435d315c379bebc9f2e23815f

SHA256
b07bb81fe125028fe00f1a5226a2a6031081a8f0e5ad1b0e8252734767b170ca

SHA512
ffc90933119066d8f33d85bd2ae631b58599625421b28925ae95599f8d2294688d25bb286b2c31c505c98f21a4d171849d0b1fb9f02b83addcfe7e688b702cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMIG.exe

Filesize
237KB

MD5
30486bc9670bfeb98dd29effbb208cb8

SHA1
371a5a4ff452a564026fd0002a16840f1bcd4dea

SHA256
85307e07b473a16bb18c6282c72258e6ae93e60c5c1274dd95610fcda71c1783

SHA512
7582f625dda129ce33ecb06486830bb74820c322972182d1ff8b5041dfeb0604175356cfeefc1324d8a59aa5c3f8b9d424e02f8df96a38770f1ece2d607e3c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\gScYUsss.bat

Filesize
4B

MD5
14fe54de0aca1eb4db10dbb0a0ebc625

SHA1
8f46b84232ff3dfc95a1de08984e78f585d36a2e

SHA256
c8aafe2873883792ccaa2e96cebfcbb77172d2d144e81dd7d931071686acbca0

SHA512
8b64fae85a5fc0708a90c0c35fc5e45217a6fde08e54336e61308e0c1f4c2cf2bd028145c0092658d243fc07e8f029eff7bdb47daf9a9e4c65a9b42b9d337c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUUe.exe

Filesize
328KB

MD5
d9ee31e1ef9783b9e5a67c6369837816

SHA1
cfd4b0e492d84a66502807dff7db80d09cd0c219

SHA256
d63cb9d247d040b36cefb8c678ebd259637d055c3d292df6fa6bff1ae5a94c43

SHA512
4673101dea088aee3cd9bedc8fc2b7ce111c27e5347a1ea4c7f83dd827b2901f367e4e9ce66f6ca3fe8c679a13cb8fc66fa1e11132251b4902212cc80a2a2126

Download Submit
C:\Users\Admin\AppData\Local\Temp\gccG.exe

Filesize
201KB

MD5
180bc4584f51e08e64592c244f9d3953

SHA1
ed1435c758a64aad48c5e11fd0c846e43e3dae2f

SHA256
67220f3dbcd22ca05e93389487c878faf92159d7644aca33c0b4daa3e3350506

SHA512
c6eb86b0f45007a909ce56c87cd5efd5d22dd537d63548a623f46bca8688e229ebda7c929f9b7d062e94e6c06864a1dccb2bb972112d0b684783f57b5358d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\guAMgsUI.bat

Filesize
4B

MD5
17c626fcc71762df48b4acc90b212722

SHA1
d5ee3ca5653d5ec8f88b445b20ba2ad603797417

SHA256
bfbe0c145924edd843f0c0c3c0371448b6baff302303409dae43c263bd08cc13

SHA512
5f79ea5ca0c342c9508c9ab63f55ddd521a1cfa8cf93dfa8448db8fd0bc036611fb02d97faedc7b1ad8ba61f7c9c4faf2f180eb8269a8ba6d940ff5df1ee7bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwoi.exe

Filesize
253KB

MD5
f1857639c821b594cca0259f07244a36

SHA1
88768a82fc4a799bd1a0db3ed51f44d7faa014a1

SHA256
3f3d7ff59cc4c82a0ba69cc2df518f9f163050c4aa72077eaea10268625d7873

SHA512
f10d49123ce46acae8fe6766154e9adbd878db0b007e5dc73f4f9eaafd4dab4c34c81997f303e80bb364785611744894007073898b033f9c80811e069279f39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hKgggsUs.bat

Filesize
4B

MD5
b0d18b856086719f9a3ff6aed3966624

SHA1
9c2692c45ca60a501f0bc58dd35816af8f3f7bf5

SHA256
9593afbd747281493eb6563a28a4937e41f7263b1ca07e25347e33915acfc160

SHA512
2a05de11f2afe5b99372580a1bf3c501ed30b9c4a9d0c2007846987c99aeb011c8137a3af74a00cc78f462dca57eba514b8960c2271fd534dc284a77e6a4ca23

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOsokQos.bat

Filesize
4B

MD5
14cca387175c04a01cedcc2ec998bfa9

SHA1
e0640643e73127347e1a8ad27fc4687c40bc8c44

SHA256
78e3f737e8e9429bad0809a0503a87ac6311f3af98d2de6f68d1ecf7f4239359

SHA512
50140ea2054324d42fbf6a9b81d7cf80bb038986dc189726d5610e3d4d2d18a6bf811b8c41adb5ebf39adfa7166357ac2ccf9adb67ef971516837b8d2f9f3e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\higcUocg.bat

Filesize
4B

MD5
b66a957cea9c49277fca16166031ae0b

SHA1
bcc0fe6284f745587a9940b937865cfb337cdf89

SHA256
c97e50540e30edf6407a73871c84b27223252978306f964255e78e5cb0c3ee06

SHA512
bdc205e5be804adf62dd04889af234da0b9ce8a8db4030285f5cd7d5b184f7428d28ba2ce60e37ae1decf9e64fe169b137c30c7dd62ef87dd84a30587300d0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQMm.exe

Filesize
185KB

MD5
ef7d6a2da5712ffc0f73ff2a5621e47d

SHA1
b5fd1d9eca4e78127c5dc0224ce300c4397938d3

SHA256
8ddb12fbf2e0564bd2e87f622e16cc74754e17a74515741b0f3718d4fc60626c

SHA512
6a0bdaa6eeb572e5bf92ed59e4d82fcbd0cd525c69048f3246a90f43c30564f006d6ccb4f520c9f20f227a84d9b4bfffb677acbd5b1c4418cc62f76450a671b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\isQy.exe

Filesize
189KB

MD5
1659519a6510d7f58cbfcbda83a25fd5

SHA1
f076be28921b0ad0c60808b68dd3844239f18481

SHA256
e30eb8d95f7942bdf07aaf23fc4d1d8f44809a2b3d150189e4d6411c7d519ad2

SHA512
131f3e222aeaeb933e27abbe14d1b6e530c1776b0866db026c8e1809c562936aa0a0a1d9a44a2c64b08f70bdbbd9846095f0e7b82b7543e617998748d598e851

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGIwAYAI.bat

Filesize
4B

MD5
cf6f43d37cc2143cfe3f15a4d130a410

SHA1
6cf551e0d7e0f8ec1ea7b22bda9ae24e9eee8067

SHA256
179856215c5792fbdc9d109e6b9eb3c303dbfaf4ee0dfad8eb4578a03006f529

SHA512
da3390638df43af5ddf8eba71b039515157b051b977cda36e09699076f9d1d5a528d8af608a6c612b2328b7e114cfd2ec0f4230b2904bd170958563d72d68f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\jSYgwEoo.bat

Filesize
4B

MD5
0e2add877a29423690fb1df3bbc0dc5f

SHA1
256683d6535d4d21ad5423659bb536f33d1933f7

SHA256
bc920bf92a42ab3424d66805ce8dc87ec9924042fab838119c2622ae9a4cca45

SHA512
4aaf06561729cfa78dfb14cac4bbc312e5050cf2e0458e3b858146cfa5ca9af084c189460f78afe58395005f6c7765ed3254887e9926ff2fe4a23d301ab93c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMkm.exe

Filesize
235KB

MD5
cc4b195b30e52c23499bd732c329675e

SHA1
e83b057238111c122c613026ae9ec2e96c862587

SHA256
39150ba4e89b4f97715d735a898b5d9df59f51525001dfa52913177f4bf6e3fa

SHA512
44aa1a1b1b7df7bbac2ff26c849960742f0be2bff3f5d54c9b542fbcdf25bfc7eca8d69deaae0e92ae6955fd6f936ffd5b62390f9927e75e26a1a0213f68db49

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYIS.exe

Filesize
240KB

MD5
ed230e8b4e40b1c6f7538d4be47bbb33

SHA1
053b3e83f1459e2f1988e759f2c2571e33f98e51

SHA256
21ad3429cd61598b7c64086dee1e6716db9e1059e7333029890e4ecfdb249032

SHA512
f7af776c002efab733a3d20b154c851284fa9f9e09dab730ecad3393dba85789e274630715d044400725891217de9d4edb474fa49559c15248baeaf5113c353f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYUs.exe

Filesize
233KB

MD5
2321852ce0321b2bae0c0176c910c4e1

SHA1
94e1d7fba753eff6eaa64d9ff25360e80e4f2377

SHA256
4d2bb65215cf3ee9471786be82ba77724af742b1542fa89922c0d831bb16ef20

SHA512
f90e7551e59466d5692c71af9fb36e7ef6ecff504c67598a25c0642073b14d7e9f34ad903fba17220fe6cb59e747fd804111887e1f247cc3f2a93999272d8719

Download Submit
C:\Users\Admin\AppData\Local\Temp\kccC.exe

Filesize
562KB

MD5
f5f625a231b3ac8879f2fb02334c5baa

SHA1
8986871d4a522e3b9605a5fe91fa87dec8c44ceb

SHA256
a65fb3e87b63ea2aff0b64c9eae244b8ea0a98f61462bbc15fb638ca1ec609ae

SHA512
f2720c6047f2bb3e8128ae7189a1adb00baf317c3633aff09bcd0eecee4927f0760fd3022a5c00fef01c505cf381e275ddb0b2f1f3bf6ce0e8adcff18690c93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAsksQks.bat

Filesize
4B

MD5
27e7a38fe97f2d1dbbc0c6070ebcd627

SHA1
4bcbadd76e5bed336beb8e03d2d54e77c5554ca9

SHA256
6df23d5b6ff9603c0d4774054f802c3c2598e4cb232fdc04c1ca2a65f1a244d9

SHA512
1e3449292ccfbfaa537405ffa6702eaeb41881b84cce1bc4012a3b752710c35fb9a62df0981f1eeb1169413ea5600a7e0a54ab3df0ee7ab0e42b02dac73e8463

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkAkkEME.bat

Filesize
4B

MD5
7c1f0c7a51ce3d226ae83a5fec141e24

SHA1
c84f83beda462ee87db00cc82f5cc048fc8a9b79

SHA256
520833af34bef22940f301b8b8c0e482ec589c466b226a67b64db5f79264dce5

SHA512
19cffa9e1c8c31592017c576b816bc637e50c306a651e759373c04c7be3b2275b310932af5f91bcf3de117646c30d402ba165ec76652f6bb7edfe7fd372f978f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwsskIoM.bat

Filesize
4B

MD5
9f12f80d2cb79cb0d527c9cb6dc17a30

SHA1
0ade4fff12e1994c5071c11062958a01ed8c7b3e

SHA256
8181fbc714cdbee944718daf4b24ae13afad729e99c81d86709955061012d2b5

SHA512
999d7fe010ecb709234e2a2dfe677b87f7855c3f4a1afa3f1ae696b6d69e58687a6c10d1f9d04557e3ff3da977893827914a54c24675f3ba710cd459ec7893b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAUc.exe

Filesize
595KB

MD5
8d4edc30905d99cb65aa6d4b84bfed0f

SHA1
d911f53fedfabeec3ecf3e4f46935215547b6bd5

SHA256
168f9a5bc879cf38547000371056da7b1e4ae814fa7187fbbd1ad8e4f4a6e341

SHA512
0e8dee75f4d9d1ba0eba73bac3b1bc570c2236afb608ac0becb58cef6c7325ac575ac9eea99a9b12bf426ef6dd374aeaf2879421eb3542dd19242e19269abd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAocUwUk.bat

Filesize
4B

MD5
272598f4fb252681fdbecc503493f49a

SHA1
45aa75c011be6d5ee678650b76b73181999e5c1f

SHA256
95fe19daf142ac07b74b89a135662d2980dc3aab0fa205f725c0a6b587fcbdfd

SHA512
8a86efea810a6512f17b3073ad47ad8e644997758a805a41e4a3d33da72e4478b2185d6d069c4861cb0455475180738713f4923dab66842ff54919ddb415084b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYQu.exe

Filesize
495KB

MD5
05f8dcc2765af4c37dfc9e68a0fec508

SHA1
8038aacfb767324ed139bffa94119d21d15774b2

SHA256
ef7a1332378aa4f6bb7a0665dcc8793dad7d5ce4762ab1f9796ac08ee7c58a83

SHA512
d40998498bdee0603fd1887a15233e3d74fed43f6b683a07a7e2b4a8044673bc0ed86f37091eb1174d30892b1acb64a8222fc8bc3ac11603b97924a56363b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYwa.exe

Filesize
321KB

MD5
33c5599ea6d42d3cf4a277b180ea549b

SHA1
255ce22b888d4886add21b5600f768f9349f655e

SHA256
de592edf80c9fc8268779be27eb9ede31e6af0ebc93f6c4dfa475858a90c106a

SHA512
60990e68dfd387f4d6ff816ddf84f49265b6bbcc85c2750499031ce04af502ff1f431de2f370fc3251cccb5c80619f109cbbfa01da853aebb63b71e915896aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\magIAEMo.bat

Filesize
4B

MD5
6ef30179fff24e707698da04f27acf8f

SHA1
81e3b0f390bb7d13cb50dd5cd585a9c7377d2e37

SHA256
cf48ddd1ccb63be87774869a0a90a54f6ea43ef32307a9c5e28666ea4ae8e2c0

SHA512
153b41502563f7e61fce9cf4a629531d29a65ee14e4886ee9648bf636e11fd91588d0a7e0586d8414b17038d3f3d78ace648ddad7806a6529c947a8220c86666

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcIU.exe

Filesize
523KB

MD5
b7edcc18223c3f91d7f99c8a5158ba32

SHA1
76b1b8eaba17160e6ad56273209ebe45ef9c77bd

SHA256
83e641196878b7a7883b27a1a92ccef45bacb6b239fcd0cd316a6bbfdcd6eab4

SHA512
ab63418bcf4e2d681a9ac6df145b722c4e91e8adfcd05096f40d3e553a6fef87971abb55317337e0995cc281e1e2a59519fccf9a501e130a2cf7f055ce465ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkkYskEY.bat

Filesize
4B

MD5
a0f87778f2b8dc828233f9c9ac94a05a

SHA1
e69540f1aef4f71e962077c7d86be66b8013b05f

SHA256
80c72482e62005b2697feb11a6f484fb58a37a4138162de7cc0893b23e3532b0

SHA512
48bb08d71eb70e5f27e14399c8add92f335e4637173a133d07592094b524118c0a70a2608d406019b08e804c270faee72c14ad73c8a278c1c23a92584251ca89

Download Submit
C:\Users\Admin\AppData\Local\Temp\msIY.exe

Filesize
231KB

MD5
31a732efb9059a60994c0abde41d9b05

SHA1
dea3041fb859b607d11c13f55d9c27626405314e

SHA256
4f1d0cbdfab0136f2a760d8123cbd398fec58a6b36d035978ac27968d9305176

SHA512
ea5b2ad3b01cf423f880586b1f99102d89df026875c28476997343f729e7ebfb2ca39f6f678cbfeb0e3b9d5a57965ca39f4539d53ed1546b5d5f56882a06edf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUEEkQUk.bat

Filesize
4B

MD5
34d900424a7d1accaa50973af70d6f04

SHA1
44db8a033c5ab9d1b3afa4de0a12803bf0255610

SHA256
faec34cb64838a1761e71df569b9a7d714a62ceb7e35a59e8c0e9fbf2e75f55b

SHA512
c97319928ba38c2ab16f272467f1128d5a9e05dd09b65a0141b5d709f2f978ea17f3c1a978f668f13f4b0cfe5b293c67f9135c6b1c8e891f5e0e51e36cb1f25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYYoEgoY.bat

Filesize
4B

MD5
ee384811fbe39a69b634fcb077260c2b

SHA1
f37068f104f29ae5a940deb7c5ed51da286e3214

SHA256
5e6d49657f412ceddb0c586eebc08c02c42c652999b8fb734095d56165687cde

SHA512
40990e5a96a2f7e9d51b3c30cf46a1f26aaa19830e68a0c5cb14ac54f5c41f042f5f7e717d2de59c20ab7efef33844fd07d13beadfceb59e672a467ba2682735

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkoMEsss.bat

Filesize
4B

MD5
f4265467be65b4043a0ab050c5f94bb7

SHA1
766858488b4b7137d0f5c091f9eb96f834b3b48e

SHA256
2b026a8b15871d979c31648b00732422e3757d0501ea9fcfd69c03a0101c876a

SHA512
f68d4d1f7db0ee881682900537b89d9718e52110093866832ff94054e915787c980505bf381ca2f5083aca8b0e56863a3f2183d9265ce1c9c6f6654bf0f573ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwIccYEg.bat

Filesize
4B

MD5
c75ecd40355f2aa05fd9adde8ffb8e64

SHA1
2ca39867cbcd2c25da4eae7d93bf71734857128e

SHA256
8d6ce728451813118181073c215d510c89595e0247a705af18080d3192c0c5f9

SHA512
640ceb2b2a539b309fd5bf50ed3b35303700b5c10b8fa1482f06dfa574fa5ead0fc8350001ef0a033d11a5be4a3b0b5a2c28e3097962c168bd1133c24750e8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIYu.exe

Filesize
199KB

MD5
df9af7bcbbb86dc8390ae7db3b30a12f

SHA1
6ecca536634732048bb59e01f07a0ead99e31922

SHA256
62a4879d421d5cc5aebec9fbcb02db34a9e0c6ff1be15ae0512fdd2407501570

SHA512
d92a17e62d8881d578008126321168c0e13a4c902f3fda9ebe97b161cce338f610cbc595557774edfdf7ff5da82248f3eef38db0b145201258243411a65c164f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIoi.exe

Filesize
248KB

MD5
38e16684c6d7671d42bdd3af9a228ff4

SHA1
7981f57138c6e9018b5a83e2c657b8f730259e12

SHA256
a511ae6b2b1cc7ad559e453d5a8acad3c5bae598942df634159bd67e99ded95f

SHA512
c0a1083ee4158b4225f3438dbc36aeca657e8e81720224bc1d669cf4190423bb0e49135a3b911f8a9ec62f01781204a6d65ac7ed9a4fd6ac49e1c343657e28a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMMy.exe

Filesize
200KB

MD5
a85d1e963eeec7a383c0c8fc72ec160f

SHA1
90bf75b57cc63bb763d2fa66ee0b1112c931d141

SHA256
8a0e67a9f50038ed07dfeb81b207c3a978f095581120c348260762906853f537

SHA512
8a4a3ff4765849da7994d84ca915e42d59b7f53c58316127527148eec454bb90169ce540e7709650d926bfb62fbe7051b57d0f4d22873cacb54134160fcf1cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMcU.exe

Filesize
227KB

MD5
b5d827c57e36e4e041277a4d3505a75a

SHA1
86cfe1f457a16b905ba0733db1cc2001e03d9567

SHA256
6ac12e61bf2efaae29f6a5f67845b44bf70cfa18b2f11580ea2404c7bfa0346d

SHA512
a0a9e05102925fa49344a5a66ded346da5a5eb1c1b6a5ed87c0e5e22ee07dae6e82d21d64cb73b56369df55bc217560aa65c85a4513f9b024bb61fce94e3eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\osgEgIsI.bat

Filesize
4B

MD5
5261b2f64f7f359c5df70150fa8ee44f

SHA1
51cb5cf4f017bd7dece1de9a8d498c3bfeaafcda

SHA256
3e31de690a7c0ac122160aaa93dee571bc52cc7b6723bb02e9f6a7bb6ab642b2

SHA512
878956684f872a375239faee8b9023ee16b3b9a6363bbf5ba9807cce2a641c4ac91bed45524ceb1fd2fb966b5a7df8b5af722fd152087ea8422abc21574edd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMMwMEUs.bat

Filesize
4B

MD5
37918536182e39b3d436c8f02d822ea0

SHA1
3a9a828004dd81cd3c572f22a3ccbc364d4a0133

SHA256
1608064b94ec4998b3e3f264f1cc0c81e450d4fdbd5fb9137ead7783e3d84606

SHA512
177bc6bf181c027cbf2fc2fd7434dd1aa0ef623cfdf6d407756ab39ef60128398b232c7d82188c8fb0484e87fa854de3cd3009ff4725e4e935466b04cda9bade

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyoEocAA.bat

Filesize
4B

MD5
dcf2b1c47f5bcf93cdbf4f771da787b1

SHA1
6e84a9a549d3798548b91fdefd543cbdd13ab910

SHA256
e8996ed5a5ebab2cb614cf79c7f5f5d662ffdc5f2e6afe5c09140cf33683bbd1

SHA512
7b27cbda0374b6cb0a2a53ec94a8fe2ef8137ecf604da25085e695c5004f218b6e79c0ad9d398c82f9e0bd01602c356d102ef391dd39cec4382e3d99e1a67290

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEEwAosI.bat

Filesize
4B

MD5
5129e8d8450db9d168a51b03469247d3

SHA1
da7c9d88f9bb3cdd819d3f7016cfb039052ac685

SHA256
4e04d3c4b899ee0eb68852a38100846f7f2dcdc722983bc7728b0576ba625600

SHA512
557216be6b59dcc45a13bc0ffca866dde74166cc6879c66a27d4e59d1489552eb8923a3d991efa1259b25ffbea3706de3f449da1189e22d7758bb2d0cfab9db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEkw.exe

Filesize
233KB

MD5
2a617fef5310d739e3d8e6e7aa42ea63

SHA1
8daddbc641b3e0d7fe198ceb7b47b28896687eaf

SHA256
b6217a2e061ccfd203da6eaf4305598d0af07038ba93208b748f2c489cc998fa

SHA512
e400bd7f50c08bf051889cc83261bd19f276b97e713f0b36850de96ec01ece536f431fca04eb9a35e65b9dd36d756e036460f0c802241c88b266a9560ad78d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOMQIgwo.bat

Filesize
4B

MD5
0cab1d6d1b8c097d6c917256f353ade1

SHA1
d89044bbaf34a2c1b8b46fc964b36427ac33c7f4

SHA256
077d793f3766147a76525559e530ab26ee95252d7f13772403339035e91542a5

SHA512
58d422134b16c81f6ed87638fba5ebf70a79e3f5df1ef6432d9c3dce093967286f92f8dae148e513e317ef203eb13edb508b3beb0e86f209d5c5c37b521603f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQAkcQMk.bat

Filesize
4B

MD5
bef588ace828c8e2d51f576af36926ef

SHA1
90a631878e4596e800c79220c8cdfd2ddca221c0

SHA256
c1924894c75f6b07d2d68772524b4dcc97086259f6475170ef4b326b902f1d6a

SHA512
47f2ec6fddddf37a06413d0f7b6d541b0f8d2882a1dac4ec6c2af0f3adeb73da519ec65bb9e369579b3979ec6f86eb3bab564a6c495041c0d7842fb348dda912

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQQI.exe

Filesize
225KB

MD5
901d4281a1bb230aef788c69387b463e

SHA1
c6494223e13689ace08e0f56a6efd5c6f7254b27

SHA256
27efc09f8bf5b51581779867079f87ed4409ec0818f67d0c4776feba077ea56d

SHA512
3f93959755807b2e2ae3d242b0c594e054a7929bcffb4b2d260328e960756213afa05bf75a121ba7c01be1ce1986186046193c99f6290a79ca818aadc69940d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqIkYUsA.bat

Filesize
4B

MD5
e52ec5290308f4707624e4032cf848fd

SHA1
b74e83ee14497c29a1f750955813b9690554e9ef

SHA256
5d1e813e8a9d54a3897a58a87154f3a5558573f23ca830a54dccc7fa07b45278

SHA512
454db9f41c50e755eb0b8722e45816c178d88a8a83a5dc83fb5531cdcd5e4a8449f3dedd01547862c2e0c31abb801b07b338bee5fc1ce53a54b6a6ab6986025d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwcM.exe

Filesize
253KB

MD5
274b6f694c98882d8617e8ad868ee12e

SHA1
03e5ca0131f4a268b749b39634d1bdb356d406ea

SHA256
51b912fcbd90c84d8739860922dc7c723d3e05e7d7c6ac9e5d9fa3ad61525226

SHA512
9438092a403c8828320dd0007d7573b050a2a5f63e64155be55f1ee41ea6487044217f97006796602837e5f396d8a1f7590275f07c1500560d401b665285222a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCYwIMkQ.bat

Filesize
4B

MD5
1d3f61fe699bc697d9d92f9134790594

SHA1
37873d17aca474344c2aee1d6b932b58d949c917

SHA256
0a1ccd78f0f55440d816740f547d663572de0f8c90070b1f6f31687782f63a85

SHA512
0adcbf8f532340670c75e961cf7f1286bb47b932f567b863271017327406f5cd85619da402e4c2759c21e4cc7768e89c0af82b54e06a8b5acd4f4a82665cdb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\rOwsQwws.bat

Filesize
4B

MD5
aa6d378770176abbf68f106b8ef84858

SHA1
eb4877e832121dc0bb9296ec250663fe1ed6fd2d

SHA256
19801c3cd663a78b4d91acb9472fbd9c555bf192f31f028aa4a2f2cbbc23c200

SHA512
e92c3198f9d35bd1cb505b20227378262a2c5c85fc593f673194c388a8683b49f425cad268be591f409443314a8d2ba4786f545a90e67bffd4f5c284c7fc6b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEEo.exe

Filesize
183KB

MD5
4f49aa81980424794ebaaf5b7518dcd4

SHA1
e92870479d7477da2e36479c127eefe5144439ba

SHA256
29cf0821a2321adcaf9839937a87b75c624f9a1a0da0b4c23acfffaa1e42177d

SHA512
c7a33d2b42dc9201ae1f1f964f74c17c09a2702f5fa250534411768f430db1350105ace9cf870e196837665a00cb03f272b6c1de90cd66db95d413f6587539de

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEkS.exe

Filesize
229KB

MD5
0d319bfc64461b72e5826773e6a127bc

SHA1
3c116929c5864a86df52d9f5f1d36487af15fe09

SHA256
9a4e3bebb0b1baf1568552f23168034ece5c4cc42473e39d657b277ea31367d2

SHA512
ae01d8035aa7f2f9abbf1a5ec1f12b2f1087a4a42fb4a0d5e5d81b71ed45773eccd37558366289083687a458f8fbbcce4f67520f02690ba67af84e53a336c506

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIQA.exe

Filesize
243KB

MD5
d7adfecb97997663a70fb785a94a6398

SHA1
540ca9522354e76874255b69f7a61e65b9734d1a

SHA256
b49f41adad98b2b97ca388e6a9660a03f30d080d04da6db4932c4d37f80fa0fe

SHA512
33ae95f88f26e5201f82101cbf4222e9b22a11bc5ab13545bc7fe796d647758f89e97670963597826878ad0fb3497415ef98be8c3b1e69e42c730838a2a9fe2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQwg.exe

Filesize
229KB

MD5
c18aa2530d79ad7e1380d1b119243efc

SHA1
7cd996278604be081e28d7f63b39127dac446531

SHA256
591a116356e751ae4a0a9340b6a9e0bda98d67df1a44077909158219aa709bd1

SHA512
efe9b53b5517d6a1478441f15f7cf74a87d17e1303fb740681aaf185ebaa8e032e4af89937cbd2f133ce02692589b86473d5513e913daef9cecf273133447ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSQIssUc.bat

Filesize
4B

MD5
929a210fa95740cdd3f2cdf90eecb547

SHA1
611994fddcf8738866f5a2e8c57f220e130f8bfd

SHA256
4b372cde9a49030c505f828524c8aebd205262738672a6e77361ca5c53358831

SHA512
1a28299d31555822b4f21473cf833d697e3b526774455a57607bb403c345adcd2f7364da8114fe27d9fa5cdc320589b8f87c00a8de713350512fa47f6ac97afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\saUAgoMI.bat

Filesize
4B

MD5
48565f7bc6c7a50998552f4cb91cc292

SHA1
3f57e24737a73276bc230f52d5ab204dc5ecddcc

SHA256
94d44538f3c23a16b29f3d098a6ef88787cb692b7400a33e3242979d85ce7311

SHA512
ecc4faec2635b3f4b6d9082dd1734f26783eb52223611dc091d507f42fb7a2dce3141bf9e2c6dc32b36389bb43169a54c2527b6d5c694cc37593ff333ae9cdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\scwy.exe

Filesize
431KB

MD5
9f72312e625b4ad117bea0411dcefeac

SHA1
c6c8e9a99ca47df1403ba6ab090c0b0a1720d024

SHA256
fa7b892654bb789bfe371cfb9ed6c7045073c79f277e3a75849a47da6ef6d2dc

SHA512
2becca616d54c36d73a9e0f74eea4b44fb1959f281d34488f481e7943cea526340ce755e4ca4febfc6098abc491c44c390af78da0e5395f92e3e498dab60b1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\seoQMMMA.bat

Filesize
4B

MD5
ef3068a689826b0c9302fa7c7868d0ba

SHA1
cf689859b7f495e2830f825ad2c0437465954c48

SHA256
9affe9ebca915caad90b363a31eb4cfc6ea30c36445285fb97a776d2197bdd0e

SHA512
6dd9d8e908f7240b293dedbeee679a27dfe3021ecb87cc7722c74d7de8ce277246fd0e3d4f2bfa08c16968b551c86288413d2db69b74121c319e6713e97400f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\skwY.exe

Filesize
815KB

MD5
bbacf5f3a06b45c0b8414908fcc2a0ca

SHA1
e46bc9edc703e3fca0c66bbfff2cce237283abaa

SHA256
d93a59b9f14e15ef79bc89be8e217206bb5f281fd421a2e0b1392cccafd6a780

SHA512
5e13f1398487c6a78ae2d7df5de0109729a2003000e306b7fb699eb4e196b46dca9023f311191cc49e6aad4e04d8418468e7dd1ab2f60f7a360486d18bc67b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\sogU.exe

Filesize
209KB

MD5
b1ac5e3215c861ed71bc931ad49a489b

SHA1
37a4b22fbd73052e5d5e13c3c9a8b5307b1c9240

SHA256
401e56e884c7add78992fa92efd8c1a0bb0f49a5f16a03417169426b554a91f7

SHA512
557ac3c71d66f7e1b81ebdfe68136fab826b8a0ce9cb0d156cd47ef8312ff0f819019aa130c323cd30f8efa142d0f7d422658018abb63d3a61e9ea7e2080a46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sowsgYsk.bat

Filesize
4B

MD5
7424f8eea9d00469579a68eeb2b7973d

SHA1
9c21dd9884d9668f46d295e1edd453a6186ea798

SHA256
ac2e5af7627ccf936f650529afbf371fa1936c80a72486591e5fe5b24d171cb6

SHA512
4f86c9367ddebd1d2189dded8ffb8d754689ee7ba78a5a825250a0361f4951eaaf3f4665383efd2e089b04e34fe04ca7cb6054447e00bad3a814ecf8f78380dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcsowgYc.bat

Filesize
4B

MD5
ff3d616e942075b6c9ac6c471409da71

SHA1
0baa98f3028d0dd7bc5dfb8823305cbf7b3fb776

SHA256
003d6a21f019c51aa7cba8da22b7b440278fedba352c6c3f8ab3d32557c6a3ea

SHA512
1c168b454c0a039332cf1794a270a275dad452eebb724a9305c8c49874647f9781237b83a274f49e3e362a5152e6dda1f1d7f6d12dbb4d0a2e2226dc981cc7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIsu.exe

Filesize
232KB

MD5
9e42958545393ad49798f15308e7f13c

SHA1
43ab1f4ecf6a954a02b49aa8de0d4b39b99fbfd3

SHA256
41c0c80febac957f3b4826a55a2bf3739bb7c3c6370a88c3c48f6aacc2db26b5

SHA512
6152032a031aac3b5209c59206fa8211799c28e1bd72e67aea00b650cc2911bd861e8e63c7a528f4e70e510d4845bb6c32d6d1603cbdc175992c4a21894c0990

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucIs.exe

Filesize
234KB

MD5
e7a3730d8f7b5716e0f75a18ab76491f

SHA1
2f707ee2e5684082437c28a6675a88ebe4a0a62d

SHA256
0a9e9fcc254e33f432973c07eeeb14d586a4c027252f0fe865a8ed3527d1083d

SHA512
b4e0305cf7eeb8d6542bdd91b7631635e5ec6d493aef23b017efae737a1d57745f6c09ea567ea181bb9020afaf01dd3fb6e51fb6f358272690775dd2f12b94de

Download Submit
C:\Users\Admin\AppData\Local\Temp\uckY.exe

Filesize
8.2MB

MD5
116939073e8e47353403e2867e6780bb

SHA1
7a513d65b289724e1fd80fa8c38acea748531a1e

SHA256
f19e65be1500955b8f38e9412f1248e9ec3c20276b4f9d7f2d4e4bcdcb3b2fc1

SHA512
c9df2db0d30834370d55bed2556a998d39c2fdeae8d16d26a695cdf97051d5b5dd1cd15fa7406439d80daed8f8d85e8d5bd1eec536aed2869cf0a61cf85eca2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugEAcYkI.bat

Filesize
4B

MD5
d39e56795c3e1fb4f86d3e1945d84100

SHA1
57dc5821223bf44cdbeb9ef3f84a8341c07e41be

SHA256
416a2a9b79096e06fac2b135d34817177fcd00cbaabe20b00d421c5e54ebdace

SHA512
a7efe931888ffc7cd089da28bfb175bf58ff9763a79cb32f1f0c3d7356858c47da6d8e9f31490dcdbfdb184890734a17e99bcf835e0e1ccb48dcad9ec6c58196

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYEwEsgE.bat

Filesize
4B

MD5
9910bf1241ffed32428ff8af10ab2340

SHA1
e8bedea1b23ec9b04e85bdd97799f0918a620e90

SHA256
5413dcdce0d9a658f1f4da2744f39cdffff28a428356e914cf38fb9e40c8fc1a

SHA512
6a6a023aef35569e98abe50b75fa50d545e26426d3649ca603307424a039f3c93821412da92a8cf145a6bdc2a53e00ad3f9c26a83dbe4615efe2e86aba7de5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vakEgoss.bat

Filesize
4B

MD5
aeb4402e074cf514e3ee4703b111c7c6

SHA1
dbfe0acb8745114703961db96264a9f5207073ad

SHA256
e9e9f8f0b19dd88a0847c0c517591f702b35a32267bda2cf37f19d4ab3af5558

SHA512
93f9041d9ce8f974abd2f2b2417fdd5ac18d57ef848fc2f17be7166cf5b652ff2c4a582cd9f6d10ece488db34f404655426bc8bf54323a7965ed52c1c6b0558b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIgU.exe

Filesize
234KB

MD5
3b4460e3786ee24414b5b3d54a7d0fed

SHA1
6afab166ea3af08072a03d42e51cb57fb0abb9b8

SHA256
da8d6bb180d6bd5af5974260d86a029c56fc012f1bd424de8361c820c46d473c

SHA512
1ee4a314f31eb74eaa2871ea72c6137c4787369709b97423c124e72e9f4b3681c57cfc29c63ace79408780aa9a244ad158b542ff5f58aabcad36271248fec1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMME.exe

Filesize
186KB

MD5
957cf693e3298db1cb69251fd699005f

SHA1
2da071c90e4e08f69729687900833b8191ed4b2d

SHA256
73973593a08e0bf98d98bfccfad95d464d9f0499f23a14c34c513b1413337e0f

SHA512
aeb1010ea49f9431832136cb71111ef7219d04d0fea3ff1f4d745c6edc038110375882fe570e966e2f0f77065a1de90908b57347767074a7d3dc04ac1e33c7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUoq.exe

Filesize
251KB

MD5
e4fad6cbab7fdacbb3f050ba06f796f3

SHA1
73918ce86d3712c1306fb1fee2ca141591a7b039

SHA256
0fe12a04d1d78686e68c45e134d00530c40f81e23aeca0de108b6e4dd9e2af42

SHA512
ccf1823d83d354bf815149cea844a73005e80906531642314f1d81e6951bd7dcad182f79b024f67d6652861abad1a6e009b0e9b68121c3e92a39ba1ccc86373e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiQQAUAA.bat

Filesize
4B

MD5
5385b0e6ed5855fc081273d6bbaa0494

SHA1
7f2633e73a5c877eb41d1e0d44bbe9ca7c903c36

SHA256
b2ff3244ce8c3bb8101eefa73eeccc18d60f5c22ac061a242b4a3d3566f044ee

SHA512
eb94af80735c74a714a55ab8cdd3d705921c87dcf4bb3f248f8480bae1e555581b4ce2880c790454da8cb78e6fd8a0520bd19e5acefaa79f29c88f9bec314d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\wswA.exe

Filesize
667KB

MD5
473ae2bf868c322480cb87a85a7782e0

SHA1
77086755b512b7977869ddd630c0d77ed1f0def4

SHA256
fb151fecd4d176bf4884c5486c5a6464752adad2531c3c8b840f039e76d7cce7

SHA512
638a557aa62b024eb16e05832c320c239e117dd6c4ffd04a994355a007cb8ab1e5dcdf8aa3a846778d0db65212868b3ce1d4db342ab738a17dd171925b6bfcae

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwMe.exe

Filesize
241KB

MD5
fc995057cd651982af66befc500d8524

SHA1
d9a78626dabe4358c0026201867569bf6c6c0e77

SHA256
20a52de7a1caeff5ba812125e8a1941d66e2c9c4e07df7d752d0c5c85bc06a44

SHA512
7838229fd5d17eb0fd8f91e75f31924ef18d2466dd1cbf005e61f7ff04f676b9ce8623da2cad97e3bc8c4a9d280ea1ff735f88f215eb732dfa80fe73a14c0790

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIckMkoc.bat

Filesize
4B

MD5
7c92de567b51a865f187e530eb0c5ac4

SHA1
717f95765e9c1f05fa14036c2d8a9428a0a4a283

SHA256
57a4c1d2462cea3c88f0fc08061043a75053124e42cc5a62187a4ccba7eea5bf

SHA512
2a02aa145263464e756ccc9e236a2564dbd9062fd011aa4b9532f78af9682435ee2ca1fc93124904e2035dc10dfa0648142c12f9deab3ff63b7d509818c05cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQoQQIcU.bat

Filesize
4B

MD5
4bf22d9bb4d607234e0248e719c7e1e6

SHA1
cac475c2ae0dd391e0fcc023b0602f595ba96b2d

SHA256
67b090b7c8ae8d1e9cefa8158b3c2ddadf65dd8a7bd88091cdda5a92aa5f061b

SHA512
7ee7392be330ebc2b7ce564a6843d6bd449154dc1067cbd2441b77c73be2e1676385ccd88dc91e96052d5ee87873623b7676dffb0cbbe4bc1a8917acb24b4ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUoUcgwE.bat

Filesize
4B

MD5
754210dad4756cfc9b9a8431bbfadd64

SHA1
82014f9b936ba8951c3ef3fa5fb866af5e0080d4

SHA256
ce36f14379f0443d2e6b386c0989d1da27bbeb4cdd246f68a38e7d02c14b4ebe

SHA512
33ba95940f671ccc26a632c4115697be52759f82e1ae154312d05d4b4d9e009c7693c46e8a8398c8662b459ebb5730737efb2169ace76e271a94879b73ed0b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAIu.exe

Filesize
236KB

MD5
96155e8a608a44280e6e8e49a52674c9

SHA1
2aa3b0cd6bfb91741fce3a2ca2c31e1d1d4809b8

SHA256
367af1c1ebae480f32d666316ef51cae35a253a46736cdaaadd5483200d4ed2f

SHA512
401b9e6c2e93d337f22a46d738af9bc6e9120c16f219e7767b48f10dc8ef1db75a5a23f6d28b389de1863194a69303db6cecbfa94e74db98b09b4417c83ca482

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAYo.exe

Filesize
1.2MB

MD5
9d2c205803f52f41999e4b0a7235e054

SHA1
089a0b8748e8b43feede8753815d61f7689eda3a

SHA256
a1ac87caac78e4b697ce618d2c5bc64c01cd244fd3be7779840da4aa6ae8dd3b

SHA512
0179c38d7fb2274e32e5fd54544e8e83502a7302683e974954a163ce5ae369efbc8ded71ced133c8ef948e8c4567f80ac7b8353607f6c11ea409bb94d2a15e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMcq.exe

Filesize
803KB

MD5
ee82f6ace0133d60202c771ec9aa4c9c

SHA1
fc2bd7d3c616b693b1e09fe50ffb09a5d10931b9

SHA256
26b165009595cf6606cfac1bc9e46bdf5445368c96e70dbdd8f78b093f6e2851

SHA512
171ca4170cbfee78f337790cc5bd3ca6a37f69fb5f2155641eb8ba8a28020821ca44c064ae381822f245b973baaee18ad1802e2428116b9ecd00d075bc1fef92

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMwQ.exe

Filesize
542KB

MD5
87ef2c015c920346e6c1a7440bdbd845

SHA1
782e636c20e10ad79c83b7166f4b1043c531124b

SHA256
594a107f9d8dcc7968dab3d4855ee0fd5943ccb8943706652886238f3851a7f7

SHA512
47341ff71f2cce5275fda1dfde6297dc98a26541cc75e3a2e4ed150cbc19a807ccfe560ffbe36892e494f40e3a63fe91f38b05156a8fabc40ff0b46a7e3333a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yooM.exe

Filesize
231KB

MD5
d29631543c7b1a3da5a1ffce6157dba5

SHA1
896f0f5168f99fc731f369faa1982dc3588d7aa9

SHA256
a405ba2965771e412e9704585d38f35a22481bd042ae52044316d6117d555d9a

SHA512
3a6aa0b2a0d668d2a14fe2d4d3c3f8dd42203a8e6fc2eb57f296bb5ae0bd56817cd1e184894ec273fca8710c5db7444c1d9a4048ed00ee934f614dda09b28158

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysgcUokI.bat

Filesize
4B

MD5
347cc860a70a83560d4ab7b81d7d58a5

SHA1
ef6afe4c290541b114b16f8b0c78197e68f5a8f7

SHA256
a8998a3971d988ee9c53156cea6c9202d4c747b060f0ad0b4e364c9e30add39c

SHA512
7dc0615377b93f506b548d9c311ffdf93dd1ac7b75400b31e98643a69b560a4327a5bfa5479c32c89b67017df23ada07112d921dfddf149b06c23f50d9e7c710

Download Submit
C:\Users\Admin\AppData\Local\Temp\yskc.exe

Filesize
228KB

MD5
6bbaa102e103c60b374e3e4fa76f9e32

SHA1
816c25a89dfafba99ec808a2bfcc1f331da9ab39

SHA256
45999eaae59fda6589651a2fbef8cf969aaaa3e5b466aad56f8a925e6fe1a69c

SHA512
6a3b1b38ad704e087fa64e2a9fa84e79f971fb06ab595cf9bd7533790fef242280891ba76fa72c354d01304596f9fafd8c26ae90bee289ff1a9ef26c519d3c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysoO.exe

Filesize
496KB

MD5
28a77b61085fceffad0c5e565b2f8e84

SHA1
5c0ca8400073b7a9981f7aa863f142d835cd96a3

SHA256
2c6a31326f4dcf14c2e5e95dadddff7a765de44e56a31b37538c48f93eaed8cd

SHA512
31fd47cb8430b865d2c12cc6e2c619f1e596cf3664f78f5d9db035795581b730aa5004bfa43ba37792bc0c4e37b56402b842d690be0a9fc1694d1a83f8e42f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywwu.exe

Filesize
231KB

MD5
bf93c26bf8e766b509cb7428b9f165f9

SHA1
9ff7287cf3c350e64a888f29bed19692f9053441

SHA256
d848846df4b71395beb9e555228fa94cc6ed5cfb8cedd53a608f98f0e642232a

SHA512
6ddb98749edfca214d6f7c565883939632a53f973273c0ae24428bb6102f487e36efbbcdba0259cab4da4f5787c585e0f6a60348056685156296805196355865

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMQcMwYU.bat

Filesize
4B

MD5
999cf379cc55fb79bea99b8ad548adc3

SHA1
3b5bc12c9236efb0fb31cc4ddf443e9eeeae2d05

SHA256
dab5985f368dee2418ec3aa3539f5f25292aee41d661fc95a46e547cdbde3c81

SHA512
c1d547a14dbdc05c1c4f02ea44f8ac43665acc835d6a56b4a4b86ec077d56bc9c4c0b000ca6267da179bd606cd6f50ba8308603183de66a1bb6c9078e5f8cf15

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoYgEEQs.bat

Filesize
4B

MD5
49f70e36367d90ee955abd019d393f10

SHA1
276613ffdbcd4b9838308fc8bc20c0bd0c0cc005

SHA256
659152101450cbb3bad3925a01337d508f4674b38a7a61e48122ec2e2c0b5db9

SHA512
d52c5d4998819ebffc054202b0b744416a8b5db49790226a8298ead83b30ef40d3841c6c3e0e2b60d1ec9c7de2867bc3e76eb089243033aeadc8d4dea297a7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqMQQkUI.bat

Filesize
4B

MD5
f57171d68863fddf3566bad88ee7142e

SHA1
7c64307ce5684a7bd4b927df5f944717f9024e06

SHA256
1941387c90d7d66e1ec41950286755602f02a590b7985271a03b46f46ffc5a3c

SHA512
843b2f6faa82ee42c3f7a8ac4562ba31c922e0edd63eda57fb94b99ed91e3186d160bdf0db7df79b5639ba8eab02d9782572d836780608248bbc915974810811

Download Submit
C:\Users\Admin\Downloads\CopyRepair.exe

Filesize
458KB

MD5
86c974021b479782c7e2d464a61fd0e5

SHA1
6bb1f7593efa5dd357bcd74d5b638d5ee04fd211

SHA256
d1bc3b2c45115cc75ec5965bece6fcfcd1a57aefd90a04330613897d45fa0d21

SHA512
4da168c7432e0935a8de209bd58ac91b2482956179728a4ad51bf9d35efc280ace4b26082a453fe1d8f1fef8924eba8384262a5254eb0219f1420d51b6e1d25d

Download Submit
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

Filesize
4.8MB

MD5
6dba454c22a0089324eb98b07e70c741

SHA1
9f32ec150e959ab3cd81c2f7ab7ca7a404823862

SHA256
cf0ed85ad36dbfee2cda633e777832d87de1dc1dd54fbb2dc05794b061028b6e

SHA512
9129c87e8e849af8ce489972d37f84875040f0be3d78c134cca326e3949000cccdbf100eb681c2103995e62cf8341825f692d959c42f7d47d5559cdb5438612f

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

Filesize
1.0MB

MD5
d03fa70f5bcbf25ac5c9b0e7f263d795

SHA1
803212a7e32d12e6b09a5496573c2fc580277394

SHA256
b1979df27e6c5b8b7d8759a3c102b384f7c3a58f6c17bdced4040397eee0fc30

SHA512
724496fbe28da9f6c3788643f4b244bc20a3a18e38e7ff2ebb2f309f2587c66b9c989aabad14ffe0645578abf48640ea98cc6d6a3fc866674c1eee35ac34e3f7

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

Filesize
1.0MB

MD5
4fde5d62a20d9af5c3fae5f701792826

SHA1
e361f07027e51faeb85fb855db0addeda8ec86cf

SHA256
c0cd9f4d1b6b4024328ddee337b44e2942fe1c35ddfc304dcfa84b08afea2ca3

SHA512
74e2295c3c8cdac1ea3cb19a652a86a1b97337f1d8198c63b0598ab94ce019f4ad25ce4f2ead4819735b40957e881d033ad361e2656f34de7b378831fc389de2

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

Filesize
946KB

MD5
f005ea05d56b5ee1af37e48df700f8d2

SHA1
2c8e62b2104ebfc7ac56afd37fe810c27f18e603

SHA256
af5d16ca07c643c5b0a41e9e147de0a85770c35e394a1e03b0f568ac67f125df

SHA512
7e78f0a7f660aec81a4c96307083550adfe18215a9ca79b1d6b109e62c372e3a27b31dfac33ba0ac981cab88f760dbe45fe3857fec907c8f154ce2fe941dc8d6

Download Submit
\Users\Admin\gusYEoUc\qwUMcEkc.exe

Filesize
187KB

MD5
d58dda466fc10bc60d39920fa6b284f0

SHA1
b2532e55b398f8b30994c8db4eeb9baa7cb4eb20

SHA256
0f467c8fc09299d560bd532f6ddde2456acefae1aa61294fad0e13754112d7e5

SHA512
a11472509cf62b175a7503ee6937b6ded2f620c1f0b2b4c8823af1412eb86b9e09ebc7da24695c7e37a48c150df268de483db597c3daba4f4a7046aab35a8710

Download Submit
memory/384-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/384-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/472-246-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/472-247-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/472-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/572-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/572-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/628-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/628-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/632-341-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/796-163-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/796-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1224-223-0x00000000001E0000-0x0000000000215000-memory.dmp

Filesize
212KB

Download
memory/1304-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-593-0x00000000002C0000-0x00000000002F5000-memory.dmp

Filesize
212KB

Download
memory/1552-592-0x00000000002C0000-0x00000000002F5000-memory.dmp

Filesize
212KB

Download
memory/1552-436-0x0000000000170000-0x00000000001A5000-memory.dmp

Filesize
212KB

Download
memory/1664-529-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1664-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-624-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1688-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1688-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1776-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1776-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-507-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1788-550-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1788-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1808-549-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1808-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1824-528-0x0000000000180000-0x00000000001B5000-memory.dmp

Filesize
212KB

Download
memory/1928-390-0x00000000001A0000-0x00000000001D5000-memory.dmp

Filesize
212KB

Download
memory/1932-201-0x0000000000190000-0x00000000001C5000-memory.dmp

Filesize
212KB

Download
memory/2028-367-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2028-366-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2116-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2116-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2300-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2300-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2440-460-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2440-459-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2500-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-614-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2512-613-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2540-105-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2600-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-413-0x0000000000180000-0x00000000001B5000-memory.dmp

Filesize
212KB

Download
memory/2676-603-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-178-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2696-177-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2724-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2724-83-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-571-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2728-572-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2736-33-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2736-32-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2744-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2776-59-0x0000000000410000-0x0000000000445000-memory.dmp

Filesize
212KB

Download
memory/2776-58-0x0000000000410000-0x0000000000445000-memory.dmp

Filesize
212KB

Download
memory/2780-487-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-518-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2784-485-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2784-486-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2792-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-615-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-43-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-22-0x0000000003DB0000-0x0000000003DE1000-memory.dmp

Filesize
196KB

Download
memory/2868-9-0x0000000003DB0000-0x0000000003DE0000-memory.dmp

Filesize
192KB

Download
memory/2868-10-0x0000000003DB0000-0x0000000003DE0000-memory.dmp

Filesize
192KB

Download
memory/2880-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2880-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2972-296-0x0000000000630000-0x0000000000665000-memory.dmp

Filesize
212KB

Download
memory/2972-295-0x0000000000630000-0x0000000000665000-memory.dmp

Filesize
212KB

Download
memory/2980-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2980-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2988-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2988-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2992-128-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download