baf8a44716c5f3cdceba80c4829c1dfe1cf85f70738ed7751300c94399a466f1

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
Size

202KB
MD5

6db37117e8c0e5aeba603cbb6b97b82c
SHA1

f81aa8cec4472771da6a97eab56f9bced6fb4ec3
SHA256

baf8a44716c5f3cdceba80c4829c1dfe1cf85f70738ed7751300c94399a466f1
SHA512

c6886cd3de301f9bcc540a9ff9acbb95a196a8c9ec69023e1281d7033f1fd12a6623a665b5878f246cf56e04e8e3275b72cf03f814d2a22ee78a1518f0c020ff
SSDEEP

3072:290rs48O0lrcIX5i7RlDRvo2GBmQIg51uHR69+tcliXrOyswHu5TTxU28r4/:26ErLpiHZo2+mng51uHGOWiXrU6B4/

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (60) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tgoUEksY.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo\Nation	tgoUEksY.exe

Executes dropped EXE 2 IoCs

Processes:

tgoUEksY.exetsQIwAME.exe

pid process

2976 tgoUEksY.exe
1620 tsQIwAME.exe

Loads dropped DLL 20 IoCs

Processes:

2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exetgoUEksY.exe

pid	process
1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exetgoUEksY.exetsQIwAME.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\tgoUEksY.exe = "C:\\Users\\Admin\\WqsQIUws\\tgoUEksY.exe"	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tsQIwAME.exe = "C:\\ProgramData\\mmkQsgYI\\tsQIwAME.exe"	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\tgoUEksY.exe = "C:\\Users\\Admin\\WqsQIUws\\tgoUEksY.exe"	tgoUEksY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tsQIwAME.exe = "C:\\ProgramData\\mmkQsgYI\\tsQIwAME.exe"	tsQIwAME.exe

Drops file in Windows directory 1 IoCs

Processes:

tgoUEksY.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico tgoUEksY.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	tgoUEksY.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2960	reg.exe
2960	reg.exe
1880	reg.exe
2740	reg.exe
1896	reg.exe
2776	reg.exe
1280	reg.exe
1960	reg.exe
1232	reg.exe
672	reg.exe
2120	reg.exe
992	reg.exe
2404	reg.exe
2248	reg.exe
2356	reg.exe
268	reg.exe
1576	reg.exe
1600	reg.exe
2096	reg.exe
2144	reg.exe
448	reg.exe
2500	reg.exe
468	reg.exe
2572	reg.exe
2164	reg.exe
1404	reg.exe
2280	reg.exe
692	reg.exe
2524	reg.exe
2368	reg.exe
692	reg.exe
2440	reg.exe
1520	reg.exe
2452	reg.exe
2328	reg.exe
660	reg.exe
2544	reg.exe
3056	reg.exe
2184	reg.exe
2244	reg.exe
1932	reg.exe
584	reg.exe
2720	reg.exe
2584	reg.exe
2112	reg.exe
2044	reg.exe
2212	reg.exe
748	reg.exe
1888	reg.exe
1476	reg.exe
1452	reg.exe
344	reg.exe
2748	reg.exe
1824	reg.exe
976	reg.exe
2124	reg.exe
672	reg.exe
2864	reg.exe
2672	reg.exe
1016	reg.exe
1996	reg.exe
2804	reg.exe
1920	reg.exe
2480	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe

pid	process
1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1504	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1504	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2280	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2280	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
672	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
672	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
3052	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
3052	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1428	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1428	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2432	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2432	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1856	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1856	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1676	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1676	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2264	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2264	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
3024	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
3024	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
3064	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
3064	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
884	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
884	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2612	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2612	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1436	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1436	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2684	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2684	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
836	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
836	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
3028	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
3028	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
548	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
548	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2288	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2288	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1548	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1548	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1040	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1040	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2264	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2264	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2096	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2096	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2536	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2536	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2404	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2404	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
760	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
760	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
896	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
896	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1652	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
1652	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2836	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
2836	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
864	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
864	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tgoUEksY.exe

pid process

2976 tgoUEksY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

tgoUEksY.exe

pid	process
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe
2976	tgoUEksY.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.execmd.execmd.exe2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.execmd.execmd.exe

description	pid	process	target process
PID 1888 wrote to memory of 2976	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	tgoUEksY.exe
PID 1888 wrote to memory of 2976	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	tgoUEksY.exe
PID 1888 wrote to memory of 2976	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	tgoUEksY.exe
PID 1888 wrote to memory of 2976	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	tgoUEksY.exe
PID 1888 wrote to memory of 1620	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	tsQIwAME.exe
PID 1888 wrote to memory of 1620	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	tsQIwAME.exe
PID 1888 wrote to memory of 1620	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	tsQIwAME.exe
PID 1888 wrote to memory of 1620	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	tsQIwAME.exe
PID 1888 wrote to memory of 2680	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 1888 wrote to memory of 2680	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 1888 wrote to memory of 2680	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 1888 wrote to memory of 2680	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 2680 wrote to memory of 2800	2680	cmd.exe	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
PID 2680 wrote to memory of 2800	2680	cmd.exe	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
PID 2680 wrote to memory of 2800	2680	cmd.exe	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
PID 2680 wrote to memory of 2800	2680	cmd.exe	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
PID 1888 wrote to memory of 2500	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 1888 wrote to memory of 2500	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 1888 wrote to memory of 2500	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 1888 wrote to memory of 2500	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 1888 wrote to memory of 1108	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 1888 wrote to memory of 1108	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 1888 wrote to memory of 1108	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 1888 wrote to memory of 1108	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 1888 wrote to memory of 2556	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 1888 wrote to memory of 2556	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 1888 wrote to memory of 2556	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 1888 wrote to memory of 2556	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 1888 wrote to memory of 2532	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 1888 wrote to memory of 2532	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 1888 wrote to memory of 2532	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 1888 wrote to memory of 2532	1888	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 2532 wrote to memory of 1876	2532	cmd.exe	cscript.exe
PID 2532 wrote to memory of 1876	2532	cmd.exe	cscript.exe
PID 2532 wrote to memory of 1876	2532	cmd.exe	cscript.exe
PID 2532 wrote to memory of 1876	2532	cmd.exe	cscript.exe
PID 2800 wrote to memory of 1548	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 2800 wrote to memory of 1548	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 2800 wrote to memory of 1548	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 2800 wrote to memory of 1548	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 1548 wrote to memory of 1504	1548	cmd.exe	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
PID 1548 wrote to memory of 1504	1548	cmd.exe	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
PID 1548 wrote to memory of 1504	1548	cmd.exe	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
PID 1548 wrote to memory of 1504	1548	cmd.exe	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
PID 2800 wrote to memory of 1352	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 2800 wrote to memory of 1352	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 2800 wrote to memory of 1352	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 2800 wrote to memory of 1352	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 2800 wrote to memory of 1468	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 2800 wrote to memory of 1468	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 2800 wrote to memory of 1468	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 2800 wrote to memory of 1468	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 2800 wrote to memory of 2384	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 2800 wrote to memory of 2384	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 2800 wrote to memory of 2384	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 2800 wrote to memory of 2384	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	reg.exe
PID 2800 wrote to memory of 2356	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 2800 wrote to memory of 2356	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 2800 wrote to memory of 2356	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 2800 wrote to memory of 2356	2800	2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe	cmd.exe
PID 2356 wrote to memory of 1840	2356	cmd.exe	cscript.exe
PID 2356 wrote to memory of 1840	2356	cmd.exe	cscript.exe
PID 2356 wrote to memory of 1840	2356	cmd.exe	cscript.exe
PID 2356 wrote to memory of 1840	2356	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\WqsQIUws\tgoUEksY.exe
  "C:\Users\Admin\WqsQIUws\tgoUEksY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2976
- C:\ProgramData\mmkQsgYI\tsQIwAME.exe
  "C:\ProgramData\mmkQsgYI\tsQIwAME.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        6⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        8⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        10⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        12⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        14⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        16⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        18⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        20⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        22⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        24⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        26⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        28⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        30⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        32⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        34⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        36⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        38⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        40⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        42⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        44⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        46⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        48⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        50⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        52⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        54⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        56⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        58⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        60⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        62⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        64⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        65⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        66⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        67⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        68⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        69⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        70⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        71⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        72⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        73⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        74⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        75⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        76⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        77⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        78⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        79⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        80⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        81⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        82⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        83⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        84⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        85⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        86⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        87⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        88⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        89⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        90⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        91⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        92⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        93⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        94⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        95⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        96⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        97⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        98⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        99⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        100⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        101⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        102⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        103⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        104⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        105⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        106⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        107⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        108⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        109⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        110⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        111⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        112⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        113⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        114⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        115⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        116⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        117⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        118⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        119⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        120⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        121⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        122⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        123⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        124⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        125⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        126⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        127⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        128⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        129⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        130⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        131⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        132⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        133⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        134⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        135⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        136⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        137⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        138⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        139⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        140⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        141⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        142⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        143⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        144⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        145⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        146⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        147⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        148⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        149⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        150⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        151⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        152⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        153⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        154⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        155⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        156⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        157⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        158⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        159⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        160⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        161⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        162⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        163⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        164⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        165⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        166⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        167⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        168⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        169⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        170⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        171⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        172⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        173⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        174⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        175⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        176⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        177⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        178⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        179⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        180⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        181⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        182⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        183⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        184⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        185⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        186⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        187⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        188⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        189⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        190⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        191⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        192⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        193⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        194⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        195⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        196⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        197⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        198⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        199⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        200⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        201⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        202⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        203⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        204⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        205⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        206⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        207⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        208⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        209⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        210⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        211⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        212⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        213⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        214⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        215⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        216⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        217⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        218⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        219⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        220⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        221⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        222⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        223⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        224⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        225⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        226⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        227⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        228⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        229⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        230⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        231⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        232⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        233⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        234⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        235⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        236⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        237⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        238⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        239⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        240⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        241⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        242⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        243⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        244⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        245⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        246⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        247⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        248⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        249⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        250⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        251⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        252⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        253⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        254⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        255⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        256⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        257⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        258⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        259⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        260⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        261⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        262⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        263⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        264⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        265⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        266⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        267⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock"
        268⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock
        269⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        UAC bypass
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSkYEsks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        268⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aOIogIIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        266⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        Modifies registry key
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        UAC bypass
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RwIwEoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        264⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies registry key
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        UAC bypass
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqwMIwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        262⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        Modifies registry key
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmckgoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        260⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAEkgIok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        258⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSsIccgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        256⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        UAC bypass
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wKkUMcUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        254⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAoMssgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        252⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\euYQwAwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        250⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqYcEcoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        248⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmsAEQIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        246⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYsMEwws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        244⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PUoIYIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        242⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jOMwogoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        240⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qkAEwAYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        238⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcgUgAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        236⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies registry key
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kOQMQIUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        234⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies registry key
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\goMwUcAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        232⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\veYYEMcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        230⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkMscUcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        228⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XscUgUYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        226⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rqgcwAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        224⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JyAgwkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        222⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAYoMAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        220⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EmsUkwYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        218⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UeUYIEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        216⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MgIscUAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        214⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WCgwAwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        212⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HEcMUcwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        210⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vgsIgsQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        208⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\naMkcgsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        206⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGUwgIoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        204⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AGcksQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        202⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKckEcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        200⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eMMAAcEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        198⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ekgQYQEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        196⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        Modifies registry key
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOkckwow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        194⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DuIMAMoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        192⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAIMYcUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        190⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMokkMco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        188⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AgMAEIYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        186⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKEAoUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        184⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQEUMMEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        182⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkMskUEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        180⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgIgcUQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        178⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hsckcIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        176⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGoUocEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        174⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngAcUowQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        172⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGEMsoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        170⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiocwYAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        168⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MawcYAMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        166⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUckQYQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        164⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VosYQEgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        162⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies registry key
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rewMokIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        160⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwocMYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        158⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies registry key
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NOgIgcAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        156⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMIssMYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        154⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WmIgAMYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        152⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YMEokoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        150⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcwQAQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        148⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmMUsYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        146⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKIAsIAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        144⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWwgUMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        142⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vIYgooEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        140⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\icAIYwYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        138⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        Modifies registry key
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIYMMYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        136⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies registry key
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aeIEgAYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        134⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AoYoUoMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        132⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISkwIoww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        130⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmwYMosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        128⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\haQAcgAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        126⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PeoEAEow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        124⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\viYMIQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        122⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMMQUUwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        120⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCUoUYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        118⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KaIMIIkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        116⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UeIYEoEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        114⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OAAIwIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        112⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hUskYYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        110⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xAYsMkkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        108⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\faQswQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        106⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmIYAYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        104⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWYUUMgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        102⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIQEEUAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        100⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\meUMsQIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        98⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\emAcUAoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        96⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmoIMUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        94⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWIMMIIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        92⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwAQssos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        90⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JCAwoUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        88⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUgowYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        86⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aasEMwkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        84⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eYEEEsMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        82⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mMgkQsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        80⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oWsAUEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        78⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAEcsUsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        76⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NUskosEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        74⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQMooYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        72⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BYcEgMco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        70⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQQYUMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        68⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iMwQYgYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        66⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAksoUcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        64⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ckUUIIkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        62⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ukIYYook.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        60⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OaEgQoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        58⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fawAkUEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        56⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\buAIMoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        54⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ByEkgYcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        52⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jcMcIAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        50⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEokYogw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        48⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OcocoAsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        46⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ScwUAYsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        44⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yygkQscA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        42⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iyUckYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        40⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOAkIEkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        38⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JyQgAQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        36⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JiYksYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        34⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TiQIMIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        32⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuwUMUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        30⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAUEMAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        28⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EKcMsYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        26⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISQEswQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        24⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkAMcQsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        22⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dYgYMMMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        20⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hosAEMsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        18⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEoIgokU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        16⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zGQwcsok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        14⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aWsYUQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        12⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IOogIQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        10⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ikkYwIAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        8⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2820
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:628
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1420
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1436
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\imYkskUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
        6⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2108
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1352
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogEUUskI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1840
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2500
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1108
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\jAggkAEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
0f1e66fbe91c4a18ee765910fcd238a1

SHA1
2e1b8a3f5b9ae486b323ff16d555dd8041beff31

SHA256
5aae5fbf0ced53d341aad6877bd72ac7b661319847f5fae76e1166dde182df21

SHA512
02089261d78b72dbaaf104399d21a70c5c3aea9dff823c59f376d07cfdd6f8521f736b9c3ca0a6af86dbddd571cebf202c5b6d43c1298404f6f3f865f5bb780c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
237KB

MD5
17a0f9baea2a93893c2c7c965386b655

SHA1
42a2cfbdca10f2c0837c6491cf330668de70ea4b

SHA256
6187cff81b990d482713ec3612f9c9c7d0bfabd63188784b6e52c3dac41682ee

SHA512
d319daa520a1893862f11dc2d2a1276c3873574ca9e56b25ace415b6d11bd41085ded5046c9bb2ef8985652e3fec47db4d80e4f42ac636a113827a49d82361c0

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
213KB

MD5
c97b52c20e44265b6e5f573932570831

SHA1
d41ccd5e3d57771c54db01d54b3176ebfd0e0866

SHA256
f290bed94236cee545a9bbb3bf5353d5e3b4cb932edf0d1e70c4f77c52b39149

SHA512
1f1ff49178602a1d903664f54ec7cc6cfbf5ec7bb75cad2ad0c26e89f5dbb43437747f2453fde53f90e705e5b717ff1f9cdd2f322effa820ed17566b0cdea22e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
220KB

MD5
18f2d01f7325473ffae243ee3f50ff9a

SHA1
8ef5874cdc6d467a5966d43d7b3633da5d4de2c0

SHA256
f2bef8b37a53a461fb6cf62dab795bc16512269c426b1a897694e20a1efc1c80

SHA512
3141aa9745d5a25dede26c944b5a04595cd78d563fb0d275fdf72f28eab40218698d93030b8e9d60bb33f87b19ad4b332e4cb497aed6084ad45160382828bd18

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
244KB

MD5
d9d2afe72ee00d1159cfe82dbadc0c43

SHA1
d6fb0fbeb1205aa0be13c4c4eb358d0001ac15bc

SHA256
a69673b0c3ee5ef6b4398a65028b32889885d72fbdf4563cc0a2c7a982dd90e4

SHA512
711e90c6d5642aa10f9c7d71008e5a67dc8eb86fb8aee14f6c36ee05730946f4b5323e383b4731699c03ae63a7b775859887956a157d7dd8517aa5ed94b39686

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
239KB

MD5
89b5624985d9cce9ee2740f21362351d

SHA1
0915f3952dc1395dc3b41e16425ab0ceb814613c

SHA256
0386787f8e6effcb8e9140642f79b86db10f8bc2ae91d9ad499baa8bd51643b1

SHA512
378e96f2804fa8bb19f2c7a191863d5e53443be240b676600d7cf21a2355b80e166705c1ebd93d63baf28e64387c70cd526ec8728c83c96d35493243117b1ee0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

Filesize
241KB

MD5
229c2ebfff39b75a2c98b35844b2e874

SHA1
4ee6b9a849471f20f161c0535694ab562e990de7

SHA256
a978961ee13c1479930b45f03cdf3a98e2a9a70a1048cb418be8c4a04eceb05a

SHA512
ba72d1436d3281209edde9ff7816611df164d8123d94ed73a724428955f0656250221f06138d6ce9535764387ef93366222ae743d1250988eb9f74f5533d995e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
236KB

MD5
856d32ffbb183a17bd5c7241cdbfc378

SHA1
3a05da1dfcf8cc0a50cb98bfcf089a6b4b60b1b1

SHA256
5fabbe59a5833eb2fd9b8125b9df03b063739fc848345672b47a4fe2b9316c37

SHA512
fcf42067bf01860917b5446dc491e611c3a7e7a7ddae01e9175f66722fc1286c7fd8b7aaafd30925faae17c7bdfd02e178773918424e121c626333c3ec46417d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
232KB

MD5
601e461e7094a258ba2e44af4ae4fd10

SHA1
a8714598152b330687fd184f79f1647b43fb90db

SHA256
eb86643215826e8b70bfcd8613e8b8ba70ba46d86345deecbd23581f122c2343

SHA512
18c3db5c047db8c0f9b8f056e17febc1a7a2d1c8a9b117084d73e399ae6b118d04468f3ddb6f3535a151fd84a71fd000204f43f795a380248d9494ce5ec58be3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

Filesize
204KB

MD5
513676863a97cd685cf169942cf2f606

SHA1
1a6b1e87ff9f918e129eaf22e328ac0fffed2a5b

SHA256
4ac40091acfdbecfa9dbf922753c83acda45e5f66cc41fbef4609ac0d1555088

SHA512
c595e5634a8e92258e0eec7c1cecfb8e40fb08694cd0b35551868291fee3761c1f31f53c95aacd2afde143c397d023211183ec1252cb0dba3ed670a4a6b85974

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
200KB

MD5
77f9530e9a18ca3523d54e9dd1d80c61

SHA1
7b701543fe321f2ebe5f4f186ab5dafe83e7ec21

SHA256
9c797cd4509c0841b93a0c7a5dc9aa2ac6d43a85cbad4dddd5f0dca2b8dd1104

SHA512
bb442b2c12415b8099f32331df87eb7e228c72cff19a732e4ac71c6f34b06acc75d67db189602ae7479ef4b2d71a9e4e52d491247ff2cd86c42eb63b2150dcf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-25_6db37117e8c0e5aeba603cbb6b97b82c_virlock

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEMEYsUc.bat

Filesize
4B

MD5
ae675a56a53322bfe885afe4c5869cc0

SHA1
5d44517670e2a23235967cca1c70250257ea5f0d

SHA256
65cf214c791c263e543a8b7d00749631d12407bd1f04a1ec7e2c3589f7d25b15

SHA512
7ed85db63ccdf6256205f39c364b9663d9aedcd1300d80a48e81f733cbd65a9d7428633cc525ac2e20d48398a7f2d72f233e1b5b9581048642e05b3922ff9494

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEMg.exe

Filesize
249KB

MD5
3989e65d156a50de61bc70970faca703

SHA1
43fb2b35850413f1ab4dc46812ec80ab6fba0c04

SHA256
ba5c8921f783cd0a1425d4a3afa455c1a8086d132a5425de9c69cc60b81bd464

SHA512
64900fb51a01da199aad356af558cbe9a62eb2a1b9b90a6621d60303b6fa992758c3355ce3139e2c3f4bb1ce77cba1948d8f2033ee1c98adb1d7e12a8be49841

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIUi.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOgQUggA.bat

Filesize
4B

MD5
f9cac050b11b4dd9dce52483395e4401

SHA1
e7dc43589ea1f3f3fc2ab518326f552e21202f2b

SHA256
db7050f261b0d47e48a21fc6746e2d804be96aa9b6efa9e132996c8330b6f3dc

SHA512
a78d5fd7033434d308e33ee9ee8903806e7dbd16911ef863e0b2e3c228a4d849ceff85037f605b3fb6eef84ad3f8f41b53a2b0a213106dd4c5e9f09e0822b6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOsUEYAI.bat

Filesize
4B

MD5
c88958be15232f13791fa9d4b9b042c9

SHA1
2d37d8b8447ec9732acf14458f39f71622f2f4a4

SHA256
6309802c5b08dbeb55ee2e2d2e0f9824bdada5938f6b4ca792a203e378fb2047

SHA512
26384b003dda1f3fcd3599e2c3e29ee4cad40bf52bd074a323e7fd112bead9dd28ba390d904cb59b8fe4a2ab904b55ad4b5d830d6627199ebc17516d518ad425

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQYw.exe

Filesize
229KB

MD5
606efa14edde3e0bef468b1c8a0b3dac

SHA1
ac0feff5b57227b55bf3803e736b77a4385d5da0

SHA256
ae5f4a038201b22dd04e4a5b88ea225c98fd039cce9e4f43673e0d012a30a155

SHA512
0abeb8d2c6578e3ed9b4d4cdd72baa1d15942a08a110864cfe6e2be89205675a4822a201699122457bda59135cc8a1cf5ad2be21335fe5d7ee71f7256d519cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQgokMQg.bat

Filesize
4B

MD5
cff65c6acff39b2730b44cab4332a13b

SHA1
365402baa300dd2ff43e9dd27b8a16e53c61c078

SHA256
46915e47adfefb7579ddbed14273fc22a73e826f4b15bece845d47e4e8f1ffae

SHA512
c710cbb4d52b722f12bf76c21a4942d5bce496250a1aeea2dfe7d588dee1df28fc9e01ebd825c6e6db565967f052f00d8a3f032ce68e820d3df62b4d5a2dfdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUgG.exe

Filesize
191KB

MD5
c1d4696f1c73fb9c1f5b7b365d2331c2

SHA1
1ba51d41f778dfdbabb8bf9e7d66484340d7e860

SHA256
d1c7e3e6e5386e32e8885d314173a45cdbf806e3344065a6fce4ca83e79a7fc6

SHA512
dd760c59f99a4aee78d3d7142e633c83e3706fcfa2e1285a41c76787c74af9362c9e31037a5fd2d07a1be315be078c9cde3db99dba7849bbdc18356318e23478

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agwa.exe

Filesize
829KB

MD5
6675c7ce405aa2ca9f239313a81e8929

SHA1
9080017a8d875663ab71548e6c2f35e7a68dc7f4

SHA256
2917603977b970c51d629ccba14be6a270877751740b8dc9bebe47a38a8f9d13

SHA512
6cdc64a6692a814bef2c437744627c5520b6a8a96fbcd582c5e80d0c2672062afdf4e22d6a58b075d21121288e9164949932549ad30514ad3edd12310b92f3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AicIUMYg.bat

Filesize
4B

MD5
ba01320a515470bcbc3057088d5662c7

SHA1
c5ea2a88bd957689b9acd81b8f69a27babf70a89

SHA256
bcc140f4c2477ed19726431f216b127b20f2853c463598008be0748e51765555

SHA512
23116693d39b3c66bcdf488e3aeae9de4f5e1640fcad1307fd85151bcd54cabd999a15f89563e805383ba2c1d25cba5f6d211f820e05b3aa5963bf5d479fa1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aoco.exe

Filesize
227KB

MD5
03eb8ede974bc15eb58684490dc604e7

SHA1
e745f3dbfbffb6ff9728123699ca59e02262e389

SHA256
e6a315d2a410655383404ed7da45beb28e676930c90546799b8303d01783c0d5

SHA512
77677bfeafdfbd76fbcfbaab9f10f78135b4e7412033382b9f4a3733e96cdb398b825e374c3247f8231ba7dbbd7cc3d1413ec3866ede7a31dea42ec057663a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsUC.exe

Filesize
229KB

MD5
d21c138931d248ed1c8a04b520d6251d

SHA1
a1b8ad90ff82fb70877a674dce27c8cd12b859a3

SHA256
d56f54f7db6dbc6566fb331c27c742575a75882838aabb97dbc81ad0b8bfdc3e

SHA512
c02d3701f71d872c7409cbc7978742da58665b0b2ef9f3e07e90f1fb5a3303eda054338112c7f844b63e50a03cea147a97973631727dfda2f17e713ab2c08667

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsgE.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQsogIMI.bat

Filesize
4B

MD5
1d70eb8a89b33bf7f825983ef34018af

SHA1
1eec67bda9ee8fb2218c373afb9192229004cc64

SHA256
f6564ac5f452fbde68fdde202b421aaae624882aed1cfc7ee3908e0cec0804a5

SHA512
031059319f5f544d1f5e75d988c7a4b3b0edf8b5aee947ce1737fe8f813e530df82e43ab042d44564e9375dca6161ebd51f135b57bd2534b2a3f36e81621795f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BasMYQog.bat

Filesize
4B

MD5
2b5bc43f46cfb5ef1e80ebcacc4dcf9f

SHA1
a91b7b85addc38bdad2b3771c6d6c7d71c04375f

SHA256
37844d070c199b261bb56a8fff2dfbebaf2ef9219d9bdc819699aac9fece2f77

SHA512
23c8a2851398ce116444fc4b5de31a8ca94a99bef21d23aef0be128f2fad0248d45aa3d88535f8bc61b6480fb7feb4f1eab66b3485120f7b1a324a9928675f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcogYwcU.bat

Filesize
4B

MD5
328fffba5aebfacae285365cea975c93

SHA1
778f968ac1c8a641db72737a7666f4ecaf14b337

SHA256
44cc4b39f8034fca0993df149d15932171f6f777520cbab0c5aeafd0618f88ea

SHA512
e50e4ae7f6bc540555512b7e37a98e7f9141ac01075133be335a57af5de19d87171e1484e065893b97e7c8a69d736b14083aea645bdee49bdbc78f403d149885

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmcEUcoE.bat

Filesize
4B

MD5
58ec89605b90ec69eaa372ee0318da56

SHA1
7bf5a52b167563d0e911e9fd7023333c4036c450

SHA256
bd8cd8e1f0da9cb8d2c749d4541c8dcddbc6e6d100af4c9a9848f8f1b23e3629

SHA512
992ca968c1cfbfff12849c08b92ce93933d656feb2c700d1e0690f0d573ed6d0e4221451be257edd0655d9800bbb4827e80cdab5712892122f75c980d3eef19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIgMUAwA.bat

Filesize
4B

MD5
16d981bc9b90fb1af344cac0e4cf57f4

SHA1
54d5f5b13bb49adee0d4b4cc0b27ca34aea77f60

SHA256
6be61e06c6e7d197cb56f3d08b64a5fd12409e58d577cb0fc7a4a233b3a86282

SHA512
2574bb99e6b96bd8ebc16e7194062e2d4033c7f17ad9859dd9b658960eff390b3fb0a0cd30cf55e1308de9b0bba425f6f93be0328f2614f88c254ba9da7446d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQAI.exe

Filesize
245KB

MD5
da8086f9b86ba86f6b26eec2dcba297f

SHA1
6ccd5b53dfcaaaca1d6b0293d899616684ef8c96

SHA256
11616a9d55ee209575b0a7aa13b0a8ea2b6b03fc31edce69d7f669782c1c89b0

SHA512
fa48c51a51d20006552012a9b2c359e9a627c968aecd6bc5ec5d2caafff4fca6900ca99db70165affcaf269936f7b01df36a671cccecbfb3c7735c4c5f1bd855

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYAY.exe

Filesize
251KB

MD5
c31e9234691a47b43ca76f4fa0856290

SHA1
03eefbb39acc5bca6ec99c5b5a4e7a8c1a6a2284

SHA256
8c1945d8f39ffa2b8cb022388a4ff2e555738bc82b573f61d150921c7daa1557

SHA512
2af5665316680a98a55e65e1ca747a0e6bd38ac37e26b2f60265d49a8d1edaa0fd8bb7fffe54e3d13a8d7889cc214db22b5b1366bb60bd650bc320b24f0f763d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcIm.exe

Filesize
192KB

MD5
8282f131eb3cfdc5234c66c5b61062ac

SHA1
db06e9ba8c5d33016b29568fbb2455b1aad4a70d

SHA256
f442f74e07f8cbfc20fcaa441be407bb0d11576d9bde67a7b1c1dc5d1121d8bd

SHA512
332788b5b2be00f65e152049de51364f826df7b4ad26d4e7349f773af9e8614404d0389cbfb57e994b8064f72fdd5d4a11c8d345c649bd16b0c10ff71865ab84

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoIe.exe

Filesize
208KB

MD5
3fdc4d52cc418b846392a427f2fe0eab

SHA1
ad7ee2e05f466e2f3d543af405aa29762fe5074b

SHA256
75002e51303b307d0c75b5085d1f2af891af0fee4adf255c55f706f52b6d61ce

SHA512
98a2a7fd10781d926ba58a605a1405a3c5623c53ff8478e10b822133c27a62f3a64d971102580a8385051ae6cb45b0ea90641b73b6a73d167f3ea1eab8810f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DyIMgkkY.bat

Filesize
4B

MD5
8a1ec154e3ab9bf09f30f6f8eedd5c2c

SHA1
42c96afe46c0d35c94166b2d583dcdb64d82936b

SHA256
6da01bccefecb1adb44cae4a950a87793884bc7afd07784c11594b9f3b85754c

SHA512
6023944a598466a0b889931f284e8ca3d36a2a10c9b8d7144a6a30d1b1e40ae146ec9f508706d4aebdc027ab16909770b18c1fb1a65cefbc84b80fa66b123f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIIsoAQk.bat

Filesize
4B

MD5
178d7771229675c0c989713a72f024a7

SHA1
f1b863a5973246846b81b860bfc1da81de00f375

SHA256
b8f1dd9db0b0b5a3d06c2ebd3973b25d19e77be070d2ae54e7bbd171c27c772b

SHA512
f3824726538ce3d7061a36dc4cea8ae87f9f0156ed678d41823c77d4560fa9c4526423c0fdb8685a1620b11a8682376489ac4010c2b1371ecc495ab4764f018a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMYc.exe

Filesize
251KB

MD5
d9c754206c6cf12b13cacfbfac95beaa

SHA1
9ed76638317f230afbde2586c524ae60af059c94

SHA256
acc0f814853957ed661910d532d447b71c3310ca1c43804e1b5d3548b5a5d9bf

SHA512
946f27500921cf87106fca4f3945c53e4f94f0b1525f528b872ed29908979b29d1f1f65992966cbfab90b366b74b096472311e3abe0599165bf986a89cda9f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMki.exe

Filesize
1.0MB

MD5
cee24f896818805aba360bb127599c8b

SHA1
82851e356c2b367d9d9fb17261109a1fa63668c7

SHA256
970f6ff9a34566ca7d132aa520f1f37a185622ddd8d4facbdab0a3a844da3cdb

SHA512
5a43a6545e0ea60da9263bfeb4deb5daf66e68a1b5a64af8bfafa5334210958c9223220023cf9bf76f11df9649af67cdb8276d1ea87e2c3b051884330a3272c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQYkUYos.bat

Filesize
4B

MD5
7898df19e2ab686d7e71b6c7dbaeaa33

SHA1
a1d48b1360e658b216a393cc51fdf3fa7d1a5a15

SHA256
573124e6473cf8086fa699c883bda100166654c7ebf325ccbdd195bb9e6b3ffe

SHA512
c4bf26f7fe6100b1980e85144019a31b9e9afb3004972c928d20c337d6c8183891a055579018765a8b147c3e9e5859c08a3a81eaac3bfe68a284db40ac172632

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUoQgwEw.bat

Filesize
4B

MD5
76054a2938c5a5ad01ea6c5b56f83d8d

SHA1
cf62a7a92e499dd25c339c9c73f1b1c6c9c510f1

SHA256
1d0df224d0f97e6e4735efb45166b3d20c090c6cd645985e39dc0a4a2f0884cc

SHA512
eccc61336e1ac7e9bcda1926b40937dd7411dfb07c902f2364aa8316b4b4f5c788ac8ce457464ae724770de1866cc53ee6fb5298e0083e2679cb45088ca6e714

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasoAYIA.bat

Filesize
4B

MD5
74bdecbe3a46d093b7844fd6d0350b15

SHA1
c338fab512914f2c825f9d3cd3cecb6bdc6768e2

SHA256
8f44418623e5c1213fe92a29551545957e323c532a5cfa01ac3c117e2f18895b

SHA512
203e7d36430f75a49993905c98aaa16a25f5b8419fb2babfe074d71708f409de0ada162f4871634b6b202f205f341b7cc9d230e12ec07bc23afb17433e2f6fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EooS.exe

Filesize
237KB

MD5
4fc9cafdc92a97bb0f97d38cf072904c

SHA1
9570f5cb00d3f93ec5e5e269034dd810fba1a0d8

SHA256
fd7b6bcfb5dc9d9343c973e8ed9afdb485d4f11315b76c9f267a6c0c4b3421cd

SHA512
df831c349d5df7982c4c92c066d3cf92a141e8bf7fc720afcd13eebfd0030118289b9aeb56e0f417c8e36637f70e45b3efe5c84c4c018d2f37c9d1ebec27b0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwkK.exe

Filesize
242KB

MD5
57d5bf261047caa3a2a386c1b2b7077c

SHA1
4270e40e93bbb735d40856a433faadd9f53ebd46

SHA256
bf1bfe52624def1ccec4b2cd7b06c038adb6296f1b52434d598f19ad53d9e27d

SHA512
b8af988a7152a15d6fc9a5f3309a55fe60d614c0882fc926f4d00b817dc544fb3db9a9c642570532ebdf0c32f1aada226632dd4536f38f5706000fd514e3de6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCYssIUQ.bat

Filesize
4B

MD5
35f175991685b19fd2aa9e7283fa56f8

SHA1
38fceb7bf0ab1adbe1bedd98a969a874a3246270

SHA256
13fcb204db41adb32b109793196d0d30579bdda01c121baacdc411afb74dadf9

SHA512
dfee4dc41b45e09cfa1cf7b20c95b392b2ae1ab7991d3733f0c51bd2f7be3cf47df75d767632ef0bd8b4a69b545fe073e6cdaebe78fcd5ffaed399a82b39550f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIoYYocg.bat

Filesize
4B

MD5
59a8d681614d503cf766c18638c21d62

SHA1
bbff3fcf8ebf93a03b54e36df7079b276d984b55

SHA256
a4995157899f86a17203972127cf251d243b11a247493b3c167f7fbb51bf4dd9

SHA512
6f11b9a60fba031a470f1bdc5c07645c0455bfc9b1e67f53934fcd1b5e5f03d4bbd3cac2e0e9c36150d241d60927e829e86480404d139d5324b67cc60f1eaff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgIcAEEE.bat

Filesize
4B

MD5
ea693c551d6c08c5eacc5c29a883e4ad

SHA1
b8d020846c967ab1a12130d550014cef99930f45

SHA256
1684d41157b48fd6b8a6fd8c3230fa1906f494dce7a3e1f3792fe852782da392

SHA512
0ffcaa6b709757c0ea3d7846bfb6181bcc4191e5adc8946c7bbe321b5d67b6674ce7f13bdc2e0c63124759918cdf59f317438a59cdd0bed1d8d4fffa25459420

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUkg.exe

Filesize
204KB

MD5
cd7a2e46abad189c0d5da408e5ffa8a7

SHA1
ed9817cd8f1c8840b2ed7fa2d7992935842de41e

SHA256
6de9695da166a0ede886e0c4a0437103af90a3cddcf70307c582f842b5adc72c

SHA512
5a149a9f3bcebd3bd31b8a3ecaefef758a6f241f8f69d4a09796af1d41da79a74a2c985ffebb833865842cdc8520b3a267e1bd1bfba919a664091200ee188fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUsy.exe

Filesize
248KB

MD5
fa8bb5ed41553e9fb0ecef9858c34278

SHA1
898b23e03872097623a6f533e1ffa5d19cdc8b9a

SHA256
e9a27af008b146c5f06040b50b5eacacdef4ce5a633f45e129c286fe311fd5ce

SHA512
a7e1e8fc5e10ff53200c774272d0b7a5d65d9496d7d60998fd447b78246b4b532bd9ce396f2bdf3e4db194b110acc71fa0101fc6d006d4b57bde1796af050482

Download Submit
C:\Users\Admin\AppData\Local\Temp\GeEoUEIE.bat

Filesize
4B

MD5
9e0b49d8394179ad892f4cc85e485e81

SHA1
d22e050baf43a2ceca12b81fc4a3fb673ec9d8d0

SHA256
2811c1bdc2e671ded6001ff78810ced27b4f50c9e77df7de2f90c169674bfbd8

SHA512
317947fd4843d26315882c4d15bd0ca48e24ac2b97ccefd93b3e387734ff19671294e10ac619a87781eba2a131290d108f7e3d873925d5fbd934589a06723cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GigMYkMQ.bat

Filesize
4B

MD5
58dd3c30b011ef4e21952ed8ff547cf1

SHA1
742509a36b206fc05413b0cb97077825ffa7e9ea

SHA256
ae7dbda6e51f8f2d44f4afabaf0a9e494e5246a237d3215bc8acb15af65182bc

SHA512
3068ace22a4c3b5545ad02fbfa9a3247301fe33f361ebfa91858df83565ba6e795574eed1eb46e9da426ff2457b667808428a935546f6425fc0bc7606a556be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GmAEUMoQ.bat

Filesize
4B

MD5
b8f8e58cee4e8a87227b0d232918eb2b

SHA1
f72acf5fbcdc7d27db8727a21aad572e6c17babf

SHA256
b9d728593c43da2c5f3435e73e017a223b1430379634dae5b4eb74b008c0179d

SHA512
aa35e83b82381da6d1d2ecc4883ac21a0e0d03706bd075a2647763e890fbb8c42aee92e93d3132d86a58b32883245e047f0e7399d52a7b15a5c3f68a2bd9a713

Download Submit
C:\Users\Admin\AppData\Local\Temp\GmwAsoAM.bat

Filesize
4B

MD5
681f81b48b532ead1989c0886905eb1b

SHA1
c5c7f6b70f25940277154f6a8ade77ecb905b953

SHA256
7560f0a63e7258029f6ab2ca5f32a5b527dea326772f27f5df0c6df4f56dde17

SHA512
2399c7313ed7feae8eee3e5289959c83646a98745aa1afcf4672f306c19bebb3983d97a30fd2ab0abc44e78058e891f811f9690259003d9c267653126425798f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GogU.exe

Filesize
241KB

MD5
0b332c4ded466bdc0e61008d1c89bf34

SHA1
932b2b825e4d5c5974b6ac26f2eae90e0c690cb8

SHA256
b2fc4c25b874f42befbcb59dacfa2ffd630bbeaf25a288f0b2f1c94afec65b65

SHA512
a90ddaf90601306176fc6df8681367792def3f9546209c796605a78ebf3ea61b611260d547d40577bae27b0ad0f723e1e76a00cd012c40dab01ef657fc3213a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEQwgkwU.bat

Filesize
4B

MD5
d5c4a65de0c9dee07d7bac2dde80b671

SHA1
113c971afd41ffdfdd7d02ad48c6f559fd978e2d

SHA256
572e5996f0cd7571b0c49c1dc0661b5006744796edb6c42e9b1efa779043422f

SHA512
caf46eaa349eb27dd45fb765dbccd4b3b9380ef41827aae6cf932722fd3e960a44323f895e642aaefc3bd8f06844a159a58a3673d2c1a457a7db5417c7c0174d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMgIwsUU.bat

Filesize
4B

MD5
f19194c11fafc5d7ad816e68dfbc3877

SHA1
c49670d70f7556b5479e1ae52a7a63255a34d1f3

SHA256
18b6436a2f9f8eb89aef962ad8fa76e791caeda26717bb0b831c6a1635df6da3

SHA512
49c0ac47012ca4a307687787572ad09cc8a1eb38521267b7547ff863f56113ad52407b534a72b421fc15add9aeced9409219916c4ded670a147f5053eec80389

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWMAwwgI.bat

Filesize
4B

MD5
03e3fcd612d091bb5ca5853415ec1c2f

SHA1
476f02818ca674c35f275987e10c11ca2ee047ec

SHA256
e92d998618a9ad7c82b6253632d8daf6b6af713bba68d2323edda34ac930eda4

SHA512
1f09cbcfd77c1a718e065a3c5acbaa087704d910114fe44e8cea0e9d08689869515261116bda4699afda9addbf1318345a7b06215cbd6933b5a39b577e75ee4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIEY.exe

Filesize
231KB

MD5
2cb8e717bba2fa8b68ce4a48f9b43038

SHA1
068fda6745d5fba2c56b6f932fcc6aa9e3af6014

SHA256
8cbab493cf97debcaba69bbd7d347fad3b1bede2931c4c77fb69596f79fe0693

SHA512
5ba0456216c62707416a39294cbdf33a4bdf18afada7692da9d68afb00b7016b239fe90d226dc0a1255c2c010558fcfc0b258f5cb0ca9a1c504529b6d4ab2c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIcO.exe

Filesize
227KB

MD5
f7893428c7be411cba57f1922d0b33f3

SHA1
523c01ae1006254c5f0137b987288cfdff184b49

SHA256
21451c49e909e77a89dd21d471f49af7f0b1932abf23e9c096b549f4da6c1b0c

SHA512
d4e00aa124e526b9e3d385c3814f14279eded1fdc15b3bd5f4d765afd397c91e62315fa7bb6328e106c5f6d1e10b6d22f9fc13d9973deeb5c0a8dc9107cfa20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIgM.exe

Filesize
1.3MB

MD5
27f0751ed4dbd773ace37ca3cd9ae527

SHA1
3da44264d7ed0c64a6709abfe40e82440fcf71ba

SHA256
b5287e2ea33c8b7db0ed7714224b2a5df87e73229b5cd1d35817a5a5766ddb94

SHA512
0f0da7e7d52a14743b9314fd8b75fa68b01e6dc167dffa7edb901fb1c28d4f63ddacf832d397dfb54874281739be463d23b7fdeaec07d44938f4d6148464c324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUEQ.exe

Filesize
248KB

MD5
161097693e930b6566717d20b9d207ad

SHA1
4ec523ecb788c149a452d09ebbf9359ddecc9c0d

SHA256
1cbe27982a3967061d4352d7ba3cc617f7cdf502c51a4ebe668e93661a8444be

SHA512
ddc9e2412b031b760ffd667b53ab4448d05271c88477918d40d6575a1a038da4c21d25e7d856367a95664bb219d1ce5280677b76d7d2a24237d2ec6f6d0e3278

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYQM.exe

Filesize
782KB

MD5
dd75e83da0312de125f75dbff925a4de

SHA1
2eb7d2157f8f0113d56d09318bfe1110c5635da4

SHA256
f58e6e81f98704acd1b2eb354b2ffd6f473f3b58c6b5c64ffbd0a30c56f07316

SHA512
21b4ba80175534cae15e1a59e68f6b8aa7100e64bddec68b40a36a84c654e1b1c9194fdf2e10565cfa01e91e82530feb6b9fc12de277ba9100907590a174f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYcI.exe

Filesize
186KB

MD5
5143a418dcae339c2b4a90c05e0faafb

SHA1
3d974b18ce9b9f9794d0769b95f561836e082d97

SHA256
ea7277f9c645d1a4160d9fe8b9430ad75d54eacbe97f06fdf82eb9f34705fa0c

SHA512
7f775edc31ad24dd588f802a50fbfc6dd2b96b8e7dc98ddf68768d8dbeee4cca79f7ebd5292422ee576cb870684a9968109951bfbe16aa79b12f0e75fcb78e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYoIkIIY.bat

Filesize
4B

MD5
de9fd7466211f3dc42674246205ffa0a

SHA1
6bfd46312c102274e08d95cd5a71f9b30b72ed1a

SHA256
f5b3d221ccf7f6dc34925c4036869547e34ba7a273babbedf18fe715b2b3190f

SHA512
97d683808b2d740aa60ffb8536cfe401dbb8431f7908345cb9ddc7d479c34869f0549d46135eb62c998be7d4c662476d6107227432abd97343d19071677389be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Igwe.exe

Filesize
239KB

MD5
68c527eb38dfb176b752f0ae695f8bc8

SHA1
84f242aa63a96197ce91cdcc943b79f20cb0dd97

SHA256
81d587046a6b85eb9e4ac225e67967a71ec20c4d9fd10de061018158a432de51

SHA512
7ac92cffc73f8453abdf59963a049b0a6d5b82c07776d46e5a43e65e8a0ae2d99f33d8fa762cf709f5f1157525eb31ad32368324d65e759a52418a8c032dc12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ioce.exe

Filesize
646KB

MD5
8b13ab13342715491fadeb6f2a95c8b2

SHA1
64054a19de0aded85d614f7523737f8425cafeef

SHA256
10c68d4ce08d1ad4eb87b6f32e5f4e8772d8b839fd3deca1185bb2247ea59370

SHA512
98d960353be6d252a29dae8d19f74740b0da971325e2217dc537eb21e4ba25dd22dc501418a07bd5338b914fe157c33e96a86d158fbfc35a26761f33eccb1e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IogK.exe

Filesize
234KB

MD5
3c47623b2bf1a0e159a9ad536aaf7cc8

SHA1
2ab695b64a54a150c573892f82e9dea239bba1f3

SHA256
63b096e5cfcc69685b34f8d4abd5d86e9a530c77367b638f98487e2bd7009bae

SHA512
cd75345e6b5dabc67be9c0f8170ce6f0b4cde22112f6e436fc022c46ab1a49845d4d42763c470e384ca0b91ec8525ae3a0a642cc8610c48f6944ae237dec415a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iogc.exe

Filesize
628KB

MD5
203b5d62be0bdf1f294ae4d3eeefb45d

SHA1
284a7bbb6b9ee7fb4f82ab42b8541d0e8fa526f3

SHA256
bdc41acbc97540439f85003be04b01fa69d83c29316fc56e94b5f77ef2e7a336

SHA512
87305a22fbdc2e62a2afd8542c369c9519ec06364791612abf16c52959481799ba1738edebd9a97bf50f68819319c032af223e52a3a014961ca1f4b277daf9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IqoIAUkA.bat

Filesize
4B

MD5
18fef853ea5e5cf4482cf795c92f21ab

SHA1
63d2ccce2a0451e4bf288e31b7684948441d1cc7

SHA256
d08fb2b73d04142e448489c8ec6ab0ca4f5e5253f91be43b1a57f924a41e2560

SHA512
a908cd77f70957aa6f074ac96ff3f5dc044467be4e1f335be53df9a26323718e3d3d56ff1ee28f47d85dde05f131d219e63960f9cabc1b1fff3c7f6146bbadd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEAkIEQk.bat

Filesize
4B

MD5
e2e5add3f0f9f33a3a1663a9c67a9412

SHA1
8f7969d3f7d49ceccd3d58c552ed7b0b8c210780

SHA256
2cac2e2ad4ec546391bbef9c25aeadd6acd5f62910c48074d09d33acebd0414f

SHA512
d41c27629cab01f9c31d23ea1a83c0a672fa51cac5fc7931c2233d197b1c35dabc1c5d265174cda050d00b06cf5cbfb2449250f5a2495986e1d9587e502f586b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOQoUAkU.bat

Filesize
4B

MD5
515c94fe3b74c2fdd999a457612a7067

SHA1
cf812e7aff8a3a540f94c86660f7b503ebbeb592

SHA256
31c33c8469c01b65d80336540e0a8aba12ee9f27da003b7b3b39a4b99e1481b4

SHA512
3e26ac2996975bb6e19886a85c9059892b650f24e7ed57cfcf3de25e3eeeaa8a612353022c5831933e08d25a0458df045931b212e8e27f63558fd85913705822

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqUcsMUw.bat

Filesize
4B

MD5
dfbce7bf400937ca670854b7a4717911

SHA1
8a6b6d1b75cafd709cdb1b84674d6c99e80fa5d1

SHA256
a49b4e68d334f548ee4e2f277834737f00d00232699256423d0dbe3a21e139de

SHA512
0e227671ecaf3d454b80cb8320b85d412df9487157e662be360ebb94dc99f685443843fc9a4bc0540b8554fbc02aa300588885676ac51719c68e8fdc49c20c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\JwUcwssE.bat

Filesize
4B

MD5
6135746160a33f136c68087187174ca0

SHA1
6ba6ded925e26e2fe417e8930621aac7acbca1e6

SHA256
a4214cd77d38e8bdeac3e6106f241e249e95d4215fac8a994cd03a9c59dca310

SHA512
a4bbe748e5f87e81f024bf45134c3986f8ca9eb362e5f8439242cc498fc63ffc04bacbead6eac1ff7c863f44208400443aa3eb422f7eea966781c57fb134e01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMAq.exe

Filesize
804KB

MD5
c701e40520f35dd67592d8dfe8f69626

SHA1
87d3f11252e134a1c29d8fe14a0620664324cced

SHA256
9b484f06e993dab3c82edec34c7635f89a2cabe38fac8b072eb56160d8573da6

SHA512
98c3b991cf6cdc38536e035d4a7200b4d0f213df96a5814cafd8038ba9fe67bea9f194779f60437e04d61e2912df3ae5b001a6074cca4f3b484990574f119748

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMkI.exe

Filesize
232KB

MD5
754c720f86178d4da6a8f98f7166a4c1

SHA1
821bc8f0391d3cab06db0642e0cd7a416bd2786b

SHA256
0c77f552bcb14ceb6273566cd31d13dc80d872ee89feece197f0b12a912345a1

SHA512
308c1626b9e66b30482b82dd244dbe42e9ae95f7c9d241ab30ea1409eb5744d673a72dbb3b46839234fd5903150e12432efacab137d436d5a3bd0cb111af4987

Download Submit
C:\Users\Admin\AppData\Local\Temp\KegYYoAY.bat

Filesize
4B

MD5
f90df0eb40d1e15e2d3a8d35013924b8

SHA1
b93415c3bcb3b8ec54e21f81d4a506ece5c57b52

SHA256
910ac14a777b81e7e27b8d0e2288a73105fb568e5b3ad6a5559e86a48424315e

SHA512
59e42befc90c3d4dfd6f2df1bba90a747340af0a586c4392509b81d0d2865cd7fc799795798dfa0fa3c43d2d12783ab87b872364cada92d8b01ffa4dd45e4c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoQo.exe

Filesize
608KB

MD5
3bc53f51d7f43187db8ee3ee51beb437

SHA1
c81f8502e7b5f93b9a03d8627560612aa8f3eb33

SHA256
b826828d177cf73535225cd259b2073bf36ce88b154edb344e628570f309f609

SHA512
ce28c29a1de98f9acd429a4a961507bf37e130509b4edd9e4c30a66bc2bb67d8916cfc44e6abf5913f036832d20fa9b45181653b02c0f4db9a1f13e3d91b9d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqYMEoYo.bat

Filesize
4B

MD5
8a4774e4bc87c1ac7fdcea5bf2647ceb

SHA1
1ea2886390b0b078b9b032276541606bb492b97a

SHA256
488a40d91a75bf07299d7391309f7cf68fe2e2ff9f447ba9a46654b29825a4d5

SHA512
c3a1c66b98d4583c965d359e827e5edc4a6309d783150e5f8392f5f763342208945a89d92bc5ca67c3139b26c9e55cc93c83c76696517a0f5ef4c779255b2567

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksou.exe

Filesize
249KB

MD5
194d7f3a8ede5121a757fed7fc5014a4

SHA1
b141518f2df1da382a2b609cf254722cd5041f63

SHA256
3b1a9322fe1f12c629000d1c6f36f25c1309b5e31f5ddfbe00cec07ab5d0c09b

SHA512
b1d4e07bacb617fb3acf5b3af006adc705a9e8dec13e59bde622c0dd4f301e26a37054bb9aac6297c7afe187806a4c5ee63b97c58e4ffe41478c7a537d639b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\LcIYkEgk.bat

Filesize
4B

MD5
5c6cd4bb0050b0e22c29357fb0780100

SHA1
28fb058c2ddfa879e175db70ba625807016e2ac5

SHA256
8b79dad2c1fc3e13e5206c0f4224b48151d3429d66c64173eb54a7def1c6c56c

SHA512
4c3b6b75bc1f07d48302231af61033f36fa1f970441ec3f95ea9e5de752ccdc621e2d0d36b08bdeb283cabb239d820a3f2f045cc604ad654f1ee02ba1b24951d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LecIgQYw.bat

Filesize
4B

MD5
59dceb60043654d0332b9dda557be641

SHA1
f2e0b2bb92c6302aa1d2243c1c3e0f63788ff2d0

SHA256
56bae55aea7c3297007874c79c6ff21d6e9e8cfc9ced3e8e675b4678fc17c764

SHA512
a7e4f1e160f0bfd83b46ab159f7237680c03289a9df3170177db0199cf4384fe1ba5828295e2ccc5c897e34970a7ed01dcccfde1d1045cacaaa5acae375c3298

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEccUEkQ.bat

Filesize
4B

MD5
0210deeedbcbe42365474dbff9e66aa6

SHA1
cf5a1e9021c40bfcdfd45341d679f6ea47f708a8

SHA256
a68b042dbea0930a28e8823158a239c26f39de0215846c961842063cfd0b0706

SHA512
179cd604b09e854ace5251e4be314459ee7387de666eb433c4837949dcc1e65231b38266ddf494c765db7cce30a3612050302a83720507c3c783ef19e13043b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGsgUEQI.bat

Filesize
4B

MD5
10305138082dd68a8b6d5e0f29df8613

SHA1
318ef80ef7961d8dcad8dab080d31ca84fddfa39

SHA256
bad052794e1f8ae174c67c97dd72e2c1fbe3e8be709e1d85fe5e5afe71bb8eec

SHA512
5546cbd3bf9e4ffb5d4ac53389ef3350c09ca4e3fb4df15611750d4173ddd83306b542ea9bcf9ab2b6be96fa24ce408d748fa6fe00011a6b8dbfd7d1c5805b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQAA.exe

Filesize
985KB

MD5
6887736e047558d0e757fe364ca6910e

SHA1
3cbaff2402f612e4527003db51c4d5c68125ebe9

SHA256
070f1f7e088e10e3141e97216bddafded086bdc5717da8e1c94d9f9e283b42aa

SHA512
e578133e9abd81607d891e6a7c2d38bb614c7094bcd0961778923cdd98e0817b9c011ca72f87f242a4c0683ed9c111df822b1988d946b6feaf32fa4a599241dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQwS.exe

Filesize
211KB

MD5
04ce571c6e5b40fdaeec4745323882b8

SHA1
34e881b655f0f2a00067a400099b99d1aa155bc2

SHA256
7c28609d6b75f52f324577bf6a3b9e167d6794509589c9c14b91997c6bc75b9f

SHA512
060a741399c47eb8babd893cc1fd08a578995b15b85c01bfb4b53600958acfe7f0440500103abe2e16536cfbab27a3c4208ab04cc76d3bc4867207de11af1390

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcoa.exe

Filesize
313KB

MD5
ccba1b7eee8656930f469bd3176457d4

SHA1
5e669ad43f99559ceeea7d953cf6a97ca11032df

SHA256
60c7845ec57aa5f9793a1caf9b0ac689995c306867ac2ea2331d543851467845

SHA512
1be53f62cc283bd98a7bd60e02ab3ea772c56b8c8065373399a51bff7809c149d7912db344e3565c63033232edd6bb7ae7c38ac03a93d427e0ef1c33a1a4b86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsEu.exe

Filesize
642KB

MD5
b0032484eeafb526893d1a86f5132644

SHA1
faf07173a1a639ac4373b3f52b644292d789610f

SHA256
add5415f4188d7a8856ba3f8ae9dcac080352bd55228b3b6992883399f3ef2c3

SHA512
628867a7098305dce3124c2310ef31fc6981b53b6e20e6498c95a52daa693710f84fabebc2e06615d6ef3e398d724690a5e784721856ad4c50bedc1626c5dab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mwou.exe

Filesize
248KB

MD5
f5857b0f00f1123aab83ae897d8e3465

SHA1
95dc9fcfb3f737f6560af61721127f378499dc67

SHA256
08470c3aec453e30f2369caad071bbc9101f98373b2ff7bdd8ec276d224f93e3

SHA512
b00474573b4f3b449836e97d020b05c3cf4c36507ec274e0658bd30ad92846611a4e93a1357a47670fa46b0230ed514de55133e563c9e4151584b4a2f1544a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\NGcAUwow.bat

Filesize
4B

MD5
daebc97fd14b7463f9e3fbc61b0fd3b7

SHA1
28d45facece5343cea99110a23603ad999177bbb

SHA256
e5cc14f6b0df5401f23d0d1c0d7c4851613290400f8dfdc3fe5174d0ef6e056a

SHA512
f1d2a3d68fc1f5096fc3ca67b17b6b001a071fc7df9853399cdc5ac083a9322cf99f0728ae33d2ca22ee811d018f965e1e9f57c6dd056222d8d82047f11ba0ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\OKYMIoYo.bat

Filesize
4B

MD5
e0bb1bfc29dfb0c4376585c02751695a

SHA1
a962916183f2666ec3e09b7d656dcce881061db5

SHA256
e1fbf4cd3e26550fe6f3594a1f6b0f55f0ed49453a0f9f99c51aa837ebe0aa07

SHA512
96857cd6a384565a057a45756e1b57649d8e5e951954d5a738b83464719de34c339842489e0f042645ddc258583d46965855b0da9acefa0c47276e2ab5fc7265

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWEAIgsY.bat

Filesize
4B

MD5
d7d750102e80d78afcf93ef7d03a175d

SHA1
6358c00d02824e1e56b4f162b9ee2eea0d1014b8

SHA256
a0254dd64f1c53adf2c70eb0b8345f4a52c9623aa2e050bb236593817e147b0f

SHA512
d965741bb339526437bc00221ad4b9b61eda30493497d55156248e46c13bf17bfe54739a2992c60f4970b7c53cde1b1284647da7aa833da41bbf8d4bf3d129fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcMQ.exe

Filesize
801KB

MD5
1c9babf803d255877761c2a22ad62e00

SHA1
5167c98dfe223e423c4fe89ad2451f1cdc00724d

SHA256
a57898256467a57fb3e3eebe035b059ab19c37a27e89cf48f48bc3d93ff319bc

SHA512
651f696ef2ae4a12c5a10a830cfbc3928ce7d34a7f1d5b0a924da7eae179fe52565c8a15817d4ecde1636aa729fda897e370359d484d097b5b284e759bf3ef1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcQG.exe

Filesize
229KB

MD5
3564062f91ab42b75474bd43143bcd64

SHA1
85359ec22f931fbc168b47a0a70dcb6ce46e06f6

SHA256
a778a2873dae63892dde34efd54970a223e67a3f8e8371750089ad6937cac0a9

SHA512
c69586244c08f7a74aa6367effd35e9512d42f18bf12d7bd32601afb3ff91f6bc7885e590b52c6c0baca710b8ead20cc614f6529e26f10d7d7e67dd781edb8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkAg.exe

Filesize
229KB

MD5
7523aaea068705cc5eb4664714320736

SHA1
5580a74c216e86be7e555f78475cb53d7e1b14d4

SHA256
4b89fcebb0ce6458b752ec1caa30c483da2d9f6ba5c45b2de28ad3d103bafb6c

SHA512
b81c5947c2f6741e822c0fe6a9441abe9f429c557bdf85cb947132d327d4c5a448c074a662f3a533221912ddd5447d65a9048d66b3898962a261f78714be4319

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsEU.exe

Filesize
234KB

MD5
1d5ac07dea1b9eafb464cdc460ff16f8

SHA1
aab93a7ae03adaa5b92e86f503e8e9645da8aa61

SHA256
f64db0a29955c4e731aa6a197b1e9e1d7aae8a241382b905976e2ddbe92bed1b

SHA512
c15faddbcfebd2687dd00c927d582eddacb4614be509655c12b9a2555cc7a1cb9d0f5b94bac12bf31100cfdd2f0524e4d7f13d1bde320c69ed8dcbf6583da09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oswa.exe

Filesize
534KB

MD5
46e0cb9ca5e5872f2e23339bac540169

SHA1
9b6a5f97aeb02c07e7749cd4a264d8bdbb3b7405

SHA256
35e453cf121fcdf6507abcfda5f4a67bba35ec920a39c90bf3c4b9f8081b100d

SHA512
0cef2785453509ae04a464929aa5ab67dbbc38df7f887946db766a31e54961172f557a325d62c135a3cc68cf4b1ff67d22d23b5b8b8f5208590ad27e585f5737

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAEsYUMI.bat

Filesize
4B

MD5
157f204948d9705acffe486a373be426

SHA1
493ef52e42e150417210b5bc103bba4c02d759af

SHA256
015854d8a002106a725b60f152997ec64bc7928fbaeaaf81cead9b5a650d43d0

SHA512
77d1ca77a3d4fdda238bb41f9e1d426771869abde2e29b613f5ddfee325e349de9eb826ce31308be241e392a276e0b7413f79371231db8ee61b9add5830b0230

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQgssoow.bat

Filesize
4B

MD5
2d331ae1d1b48eddd8425c3f5e43ac80

SHA1
5551128d810a5706266e021f89597b111167b072

SHA256
5dcbd928d77696fa770f684cd44c16aa7b612e239853f9d93e586f7ea6cabf6d

SHA512
638f5d21a41e7c4ba4715616d5e4fee361fb5a4aaf2bfd4546fea223f28adb5466ff3b6de8be128bc35c07068f08bc56b2c4efda49577c61d8dfd308d7b19ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PigoccoI.bat

Filesize
4B

MD5
79263b04814c66896c0cd91495116e10

SHA1
26b63e6063b245a432b3ef9ef8f6a4045255053e

SHA256
14541fba21dbd1e5c1b08234d205347257f32273e62b72626f88188582edff78

SHA512
045ee711bd0ac564e52334d417f101796f42667de026e25eee99db7b93dfb100a704227beae9ad14c30372d32fd4f1433917aba6ee24d8026bf94457d3258c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqAokUYU.bat

Filesize
4B

MD5
e98185e90d35a972e2007af4bc6e992a

SHA1
608fa2ab79a8bfbc3981bc419965ea642623769b

SHA256
aaaea6a8563e8d1165688dc80c3e7141310506c8999e69ed7ac7745e45dc9e25

SHA512
316514453875df7bf7446380e928ed2e4ae8b407fb6621ef49fe6621f113f0cb6e1f0ca3eff2f64e350998ca7330b64f16a548fb746bb485b9cf9ebd4ae536ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQYG.exe

Filesize
186KB

MD5
726513e8b403617cfc968a6209ff6dd6

SHA1
01913541bf0282f978ec851688a0715a8c8737af

SHA256
8779d3fbdf76f1da09043b3bdfe4c18117519777d187c98c95151d4faf8ba19a

SHA512
4b0f8106ace0f4edf4a1f794199e5373ea61d4a183812885824e638fbd396489294b07eda481b73c64909eff484430b7c523b5b4fbe827f22aa0cd29f9200a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUUk.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QaMgEsQQ.bat

Filesize
4B

MD5
510ca0db2a95ec4d21dc448142eba36e

SHA1
50becd9b142dab98ff546c5ba393d4e2b731244b

SHA256
b74abf762db3f7402f91bd60e0f514273ee75de687088f7bbbfaa9a45cdf07ee

SHA512
a8f196c99723df89f172639db07294b4db2946fb632253ce4be2bcb480618a471a67d44a534c181311563a91c8fa69cda7fc562350f4b33481e18f9444cb7fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsQg.exe

Filesize
230KB

MD5
6982bc858d03f5dfed6f600fb2f993d0

SHA1
fa21a8bfe41b0d541b658cde27b418f31ab292ab

SHA256
1a40e71cd3af1a463cbe451516aa434aa7c163eaf54b11e6e86161564a32c8a9

SHA512
79402f6dcb5d8ab5a16f88e38f02c94bd6e4b235e3d38492d8f3763fb2b2aa6abc2eedb0fa068cc8d8e3904472e16febbdfd37055f34af01c01c0ce5dd762957

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsYM.exe

Filesize
231KB

MD5
08f74eed2dc046b94774061f01e69a77

SHA1
9479e0e422b14c3668980cb4cfb8628e6701729b

SHA256
9d19da03b441702b7d41ca41f0f9ea77050d8da602473e9d6431f432f12a6f5e

SHA512
1a7ee39e85eb2256c040423384ed0e5a9d5cd9e3ea402c2968e0173fa91bc48bf3764a5a2d13e665d8501a2c5cf189d2568a4335f27d811e0edd2dc5fe6dc701

Download Submit
C:\Users\Admin\AppData\Local\Temp\RasUsIIM.bat

Filesize
4B

MD5
b49a5073fb119d04de8e0aea34a48c21

SHA1
9f271a9f8dd87918c95047c3a5390d888ef8364b

SHA256
aa2b75116d517a0f2b51594ca4059a73c5283df7e53cdb3d6258ea65c5fc5afe

SHA512
854e5241e25f15cec28304868ad320086107e98fb130a9268b2568f695b15d9d285086f0c4e1c1a01aeba01cd7a5f3e25ca5479c895635c1d03f394707d1386b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUcm.exe

Filesize
567KB

MD5
cffd9c1466e8fd8be3a8ff167dad02d5

SHA1
8252d46280619026aea79eb95e83f7db92723145

SHA256
902bf19990bc7605c8ee1f879646e82bc0bcc084424d54569ff829d8a166a721

SHA512
cd112dd404078a7c8fc01f9d0fc3feeecc3d414928c8520aa3a2fb8c9de7fe767298766a0a7ba85b94e5c76e65c411430c966cda0837a607aa6d832d37f875b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SckS.exe

Filesize
502KB

MD5
8dd1734afbf7ea8714023822b5008139

SHA1
f0927792a2325f875a2aa7fe1eb9e7e3ca43b20d

SHA256
0573a602fb3b55fc7a3eab3a4826a9edde73f24100ee8df01fd2a21813963d37

SHA512
9ab7d8173f4fe8a3c7ba1470203b2c8457f6c6053cf5b32c653a312e2caf8aedf45e4b85c0a9e9da02479c89e45f9bae4cca62b1117e18743e1d882233d25268

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScwQ.exe

Filesize
592KB

MD5
e3659c53a2894b7501eb2c1c18ebfab4

SHA1
c950e78b63f657af7c82d16cf5603f4ada4b4d1a

SHA256
ef38cb39a1ea1c7bb5a9d3d6ed7c8a6e5bf599b722bc0a8d76405a4bba69024e

SHA512
49a1813fada75509b7f21241aaa347ecdb1ac6e4809cbb9857e95bb2480e5aa23f9977e5c447c2d0a522f1f781e519cccd162faa2800bb168f548b4685d2b04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgsIwQEE.bat

Filesize
4B

MD5
cd33db40080eb1c805861d8f64d65cd9

SHA1
2703faee6a1d95bede9ace2997ab08ef81437aec

SHA256
c85753a7e2a64baf2a4016b37125b30cc1dfdd0628a304484c9f66dd1c264843

SHA512
f70f9f31145beae65e2569a564393b69f92be2099449769a7187bcf8d9751e0343bc4f828fb314e9f0f0261a30482bb297729709cdbb661d24ff3b27bc688379

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoIm.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoQU.exe

Filesize
323KB

MD5
ce8e2b8fbfcc0cdb99aa43fffa22d3da

SHA1
054d8a164b28b08abb46c27aedbdbe831774bef6

SHA256
ef46cfdc9155e302503cba783731504e2f0fe6d7a001caee2ade206699b078f1

SHA512
921c32571a02ee074f340054e41e75681c0b39b8fc182fbb5999e6987cdebabdb6131636cd20bf5da3305438b84017ba21cf0e74b10809fa8eed99f9d4666152

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqIYQIUk.bat

Filesize
4B

MD5
da6f5347033a30bb4758e3e8201d8f22

SHA1
243a43493b44c085b376c027aa5d11713fd25088

SHA256
0be1daab44214defc4cd13c06f39b5798cf6a4f41d26c9864304a5801e39f794

SHA512
484532dea5bbf40fd06bddcf94dc220b2f60d5c46fbd482d77179ef209f47836a2b028ed33dfce2d2206ee20dc214dfdb05aa0a0c3a6e6bda6e8e0649bd7b7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwIM.exe

Filesize
195KB

MD5
6591ae47e09edd04a8db7373b8acef23

SHA1
e3fcd278f323bee1d85311d791675b91da30231a

SHA256
15abd94056052471eba7e506dcd7e0be06c5a28320c1a30f5eef272887ec6732

SHA512
91296da7c6af3c815e8c82f6634fd1cfed8d5d57241bc3a39aaa232ac71c572951854a4513ef7d26b8a2ead003c9221eec2d320e72f98e7975ce60fb5b7eb40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAEwQUcg.bat

Filesize
4B

MD5
15bd717d7a62bc56fd410ac82b6c1ae4

SHA1
50e2768f39f769bb5cb9a079f6d70323ea02e130

SHA256
7feb907819ee2a5d6481335e1cca10016a274b4518e2e31fd2d3563955685c36

SHA512
886df2348a07bbc1ca5778718e81150e9e207bca982453866a961316982518acaecdb90c0279455106b71efb17e5611dccd57f49f7d539a33d4b3dd5ecfacf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcwgkAgo.bat

Filesize
4B

MD5
4b0b2b02802358c1ca4f7678ce9f5e7f

SHA1
aab9a7cee61df01e0f2417d9b7016c2abcd0e7d9

SHA256
0ca318da8fa4c2f656c9982f3c36b5831942eb26a56ed42c5192be4fa4a0c3a6

SHA512
570ad9c0e89f009d35f699092228be4537e282b4c6ba3398efcbf4507c03c2c4c1de56f8d42ce05895a1a2ece1279763116600fb865139e583741b3a1047e8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIYkkUIY.bat

Filesize
4B

MD5
8139fc1369789b7a4593321422a39ba5

SHA1
fe4925f1afb6c4ac02eea4ed5ebdbec636dff604

SHA256
8c3a23848f76ae554b47ddd51c35d3f42917b9d68761bb041aea11ed5e58df5c

SHA512
6fa15a9cc15a35e47acfc7efa0190d1896751169b24e558cae377077dc068a51f36f5bfd33a48e1e59ef2ff831b100a45c631f702035fe728ad4ac36b2413471

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYsw.exe

Filesize
200KB

MD5
4022651ec78dc18e5a762ef19185879f

SHA1
446eaa7ddedae407269eb458c470d3bb9efce716

SHA256
3a4bd601f5c12b669b8a11862799abb005c7da439d207353f6eb69bcb6e971b1

SHA512
3218b63eb3ea53179a73a99897713147d0cfac2b862ce3b7c3c79b1c649790f6c31061dd827834c2d9c56cff24b27aebe74b2bf63ee34662c512af23bf21bf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugsk.exe

Filesize
191KB

MD5
4260168edfeecdf84a0f1b54a003165a

SHA1
227cc8e6393e646d4b79a0d3158c10eda27d98cf

SHA256
d1a8b4e5303996e17f9c80f0c30b2f9510846d7f5bd6f65bf764f7d114a7c80f

SHA512
946571c3616a59b7bbc883559c8d4a6223f7fe631f9b96f36b1f098b9e2465deb7067fc80fae7568e7588d7787c3cd19f9407e2ed9f8e77529612c636493af5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkUM.exe

Filesize
958KB

MD5
db0ed5792aae9253817202925928801d

SHA1
8b81d0e2009af95fd4379bde5f5d65e764bc3618

SHA256
cfd0b628e290afb8001c765e85131615dc701aff9295579c1c7f39e98dcfaa12

SHA512
2fd3079cbcf096e04e96b07201d87fd0b862f18eb1bb5a938f27efad5532dffbeede56caa4ab8437c94df5c048ab28ea33566e89f7fa87685106b9f191622588

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkcY.exe

Filesize
233KB

MD5
e486127ebf707c2eaea25d3bb79efdf9

SHA1
1f11639f0b0a4ccb8789d9e28a86cc8974a9d3f5

SHA256
2851feaeef0446d138caa0991e2c7de39f0fc3286ddc158df60e0e21fb496939

SHA512
cd8d348774331fac404b7e4869bb2180dd410fbc2934ac15fefbb92385f7ddb6ec008f09c32e6476a38bf319b955cc76bd500e9c9c3c7278710bfd0b50919f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoYO.exe

Filesize
237KB

MD5
9a5eddb4884f50b3f5a693e7ea71858f

SHA1
bda8b46094dfa253c94b2831767c2331167aa140

SHA256
e83443c71d5c0c883da8b6aada7ccf4b1b734d06b32bc07221678ce429357634

SHA512
b0732ce4f8b42b0a42f1d1eab70769d5a6a3c53669e65b320edcb0e4880760e76204775ac18150aaefc888713299d8db2d4f0dab855f846a03e30488e1da453c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsEU.exe

Filesize
236KB

MD5
7d1d57e3a6c21767f9fc20a8ba39774d

SHA1
f7a2e384443e2b4e457c987c309134d80c41d19e

SHA256
8498e674a9695e872111e63fe49cc90f5df9f215bb8d0bfd21216801a1258870

SHA512
ed599c93574dd1f39c79dcfe50adf28bfedb1f00e982ed672dad4a298300c870ab386cd80ab71da0a492a7efa13871b5b9d4b6e8799a1702b20f08f97c87e4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwMI.exe

Filesize
185KB

MD5
5d7b9b4f816d8ff7b727361c4f361c9d

SHA1
8b0944953b923d25c959b345af5e57750c60d31f

SHA256
d8ad6a1618a45746f1b78772c347d0375d2cb3d2d16460116639dc0f30403ae1

SHA512
eb4ecb3f2b9d861bc93ef0973ba4ef0ffd899ed4946fa84d07d2c00df697aaac7916d4dd62a02e13e2cd353be791168a6cecefc5e3f0ca2b350307e336c54fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VKEIUksY.bat

Filesize
4B

MD5
4074d1c132eb8f29cef6d24cec8e4d93

SHA1
5601febad65fbef324358724a5c15d8ee62e302e

SHA256
b19c60dbde74aa12afd90018c4fe0ae3aeb8d7f4a4427b89455fe80ba3f8ea71

SHA512
7a239d7ff5b8c9a2657c4711e2fe972ba305b63ae47cce694e1f2a7c10aac0125630d7fe40dd627764bfebcb37b62103ecff3ccebd491c8b120af97a0d6721c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYIcoQsk.bat

Filesize
4B

MD5
c823ac9e343ad67b7ee4413e009a9e14

SHA1
dcd329b77ab61e22f8cdd8788ba64e432722b048

SHA256
836100996015e608856c1682d7903cfb98d5ab15ab1c5c6912aaa75b02f22950

SHA512
066a89dd4120ef869166491d7c101fa27f2224fb246343f21932c0d94da4dec67be2c0fa2f20a60a39f2d9535bb15173eb1a54208a9c78d0e7294bbe54bd0b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMAO.exe

Filesize
212KB

MD5
8cfa0210bf86becb300c13968bf12a77

SHA1
8499761b9e8c6cd2ba2ae74738d077402c56efeb

SHA256
c3ec9ef72bc3427d3778d404bd7a00e59960fe4baf286b63a24816ff4fe33da1

SHA512
d1f5479e7836d060802099244d8708351dfdf2bfb5b6eb803f3af881c14384a3dc9f0fb9473372584e470778ce0fec92a127f0c27d4caab8b93e449d3a2f11a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQwS.exe

Filesize
194KB

MD5
c675c76e00c1248e828abe8c2a736440

SHA1
5a0169989bfd0b6dd210c2c4b055c4bdeab97d06

SHA256
a80158d1ea81b9b7c056b70bc17cd9f24a19c14457c1b85d9d00e77340eae866

SHA512
1ed64ff79053db72594f719908dcc15950187a745387b9cfa7d31c2b1df14deea8c80895150f002e0155ddd6f1f7bdbaafb2f13bb8c14d614bf5f58df723df4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWEoIkEY.bat

Filesize
4B

MD5
cc194386ddf09082cc8832b7fe0665e5

SHA1
9d0fd1388b823c6ce82a92ecb3173da374baae4c

SHA256
bb9c69a8b67d2b090281a67b89d3a8745eafdc0ab7165e3966f031be9584bd89

SHA512
c8f068dbb3e7a61bbe19ca894cdd0fee62746a531a90856a7dd6b89a8246579c8b7c4ba1f47f291ddbab6d3cfc38e69a394a6558eef9f00dc69f040a860c8664

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYcU.exe

Filesize
246KB

MD5
0fe78ffdee8cd7fa8d4172beb6a7a83f

SHA1
f2a4efd850792ea3f34628b74d6cde8a7f387b56

SHA256
5f3f30354ec586e8a9bef94e9edb699474fd8298ef35f761c2bb4f1acf9eebca

SHA512
3e9d45289d435b254930333d5ee9db64e0c408c4628e038e4fb7189028fd6150f6db9753c4d6a0060361c27e7cabe4138b95b50b2af680d1ca2667a5ba154762

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoUW.exe

Filesize
201KB

MD5
0180f2c748c781558fe44ff376d7b1f5

SHA1
d7e81333a10bcfd4daf3c007a560b62ba50c30a2

SHA256
3e74e63d0c895742b24f5b07591c8d44c69c8dabd58824de8f6a14e17c15b906

SHA512
ea04b6148cec7b2afae251dba3fb014e017b119438d8ddd9d65f2044480e6fa71376dd08a8ac30d94cf03d9746c59eaa45088e8b85c64532f111190779f38960

Download Submit
C:\Users\Admin\AppData\Local\Temp\WocC.exe

Filesize
250KB

MD5
c8823461e4e4003a7da22d97a6247b43

SHA1
0697613be75b58b6c04e8a09ae23d6330f729a60

SHA256
44f6ac62eb93c5931bbe929e7d8c94652b0ae3ce9a454a84657060c41b88e48e

SHA512
d6b455d09a7d23653d836ef3a49f0b34a20170f57f27e7a7572ec9f8ad0a6fc3ad5271b2c551ee2576611da519adfdbf4ccec45f6531002b965f7cc078a09513

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQIIosYw.bat

Filesize
4B

MD5
c4adbe2c470c53c5bbfba8a689090fa2

SHA1
ae371da53c4f1097fc8689777ea3e8235e401e9a

SHA256
b5525e77102fd91a146513acef7d99c8ec551871079537167744c25e5f5b2805

SHA512
957b231bb4d241b2e30cfed79ebdb0b8442003f6e92217b0d3e181414932383a844cceaba5d4e024b77d00d64627fa4241f39ecbbdce9989d44bc59d19d63bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUMwgcQU.bat

Filesize
4B

MD5
6a8bade3a7b99780254d52a7361df9d2

SHA1
5e2e2b130832b924c460a4236c676dba9d05ff40

SHA256
0d4023bb6c195c1b5865381ab4b853f027abef0e9bac217392257f78cf650c15

SHA512
58565f654b0bb27b7550a3ed4c49445ebb9290f3782106c47415ddc5a167646e480a73aaed6056143369ec6586e0618a1275cc525cc2b6e023d30a62ffc29f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcIIMwYQ.bat

Filesize
4B

MD5
da3e4e0ae456f276e249183e94b3a81c

SHA1
375a8ae3ccf8e2e9ae9d5cc8baa91b2097a940e8

SHA256
b21f074f6b5c9e05ea31b30ea71069711ce930ac8241b80a068abf6e4820d86d

SHA512
243106400d4dc967477ed97cd585a8ef0aa8bf9b11360cf2bfbfdeea49b356a5b8f946ec8202f70887752ac4f8fb99cb2783ed0682f271106bd68d1d88d30109

Download Submit
C:\Users\Admin\AppData\Local\Temp\XiMggMUA.bat

Filesize
4B

MD5
8709ceaa08175062fba87f9da7a0dd36

SHA1
6ddb235ab15f2b33da88962a6fae330dd226072d

SHA256
a78d8981e92cda793f0f5c7d745da279000c143ea20eda4e403a8b4be93dd298

SHA512
0424b3ffce48d202bc41455e35ebbd11e269c66f73db8d8a44cc9e31103cac9d466c77458393b0daf99f4907c25117cfc35bac559698c6cad98527c2f091657e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XskgsIIY.bat

Filesize
4B

MD5
136965c345c51743b22028aba6254c0c

SHA1
c4220fe2cc45cae43745839a60daf9df686c7681

SHA256
1fd91d07aa3ef37390c9f39af9fab2b11d62ac098d12b186892624c1102c65a4

SHA512
806be79e9e4c4fa83c8d7caa4f704c9bcfb1e426d323328ba8dace274117a155f577ee3242f863b75e993d7ea1f5ebc77d8d8df13c930d73c86f1ca587a37200

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEYU.exe

Filesize
249KB

MD5
79fca5941d63b2396ba89013e78eeca2

SHA1
7fe188c70b4de05274a284483f65cc80643bf0c0

SHA256
88bd6afbb1b387aecb9ce1ba8ab332c4c94dc215c599dc22d1a6d3f0a3bb56ce

SHA512
06755eaadd992dc0f87289fa429bccbec692223aeea03c870093b47f45336ae09a7ac6476ac0b4078c6432cd689c439c2dadad422ff4b25ce18f5eef6dc9c6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMsC.exe

Filesize
773KB

MD5
46e46833d876a618f47847edd3d6f656

SHA1
76515be98a3555fdaef611b4edc06cf6131d72ae

SHA256
fe2c77a09f4e4beedfe194978153915746516a2e658a844b68f3dbeba32e7f8b

SHA512
e6c637de8c648a95d0c90b897f9c2a50d9722f358a06f0cb64c2781f9211083338b13ae4d3b13653c09be17d9dac309388fe814fa6db52636ce8918b040ca2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQMA.exe

Filesize
243KB

MD5
860ae0b86a061a19b34902200329a062

SHA1
e10408aa8587d52518d0b18987d19f45136a39f2

SHA256
d26c75a75cae1c6a6df33a0bed99d03ad9bcdbba8d6cd7af6f73903c9a7d84ab

SHA512
12ee8a9c7843036203a6d614615ae83d4208d031242f88b3b6f636e8df57d14db01d86cd2e9ad28bdb0108586254b272a5284727e482a3a60fedaf919fabfb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YSMUwAgY.bat

Filesize
4B

MD5
28fb0a6084b77df1e729bf1c7dfba512

SHA1
be56aed9f7bcf4593c1f0eb5ad1a43adfe0de4a2

SHA256
9128502df2e6ac99a7556436440467229a81216cfd785600d4c3550249255fef

SHA512
e1660e84bb557594f8fd6bc96ea4e80c25a6104a8010a78fb16647b9c025abd3d7d73e7762b8c951668cf53bddedf3c9ae9c9d5bca86f336f6d477f382d57153

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcEO.exe

Filesize
945KB

MD5
b355d3d55446f5cd62f13305a4f361f6

SHA1
363ea4bab53daf36fc0e4a75b8e8e67ef14b75c2

SHA256
9b2a2222dcd9d314c31c6ab751c247248bdb8438f822f159da0e79480de10a41

SHA512
c18d0054c8f46e906201910ffa44a07fe71e06db9ec894b15936d52fa88f7e5980ab52667daf9c4f236e0452e1c08f57a6f9d14545e041cdd0f45bc1ffb52249

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcYu.exe

Filesize
1005KB

MD5
06ef658c88e2304e195a823563dbb86f

SHA1
6d64e63ea5cef9720bc9371c803436fc2ca7a0fd

SHA256
a9cc579c71a20a37e9c68a7378dee8edd880460b0697e85fc2917aa8fe298d61

SHA512
8ff89bfcda7b2fce6cdc266075fdcf4857d09ca2b7e457df08db2d471d4f61bd4c7061bcd91f64f0544408eba2addf53bba110680b077a38018ed00c34081257

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcsE.exe

Filesize
232KB

MD5
221be74d50369acd27861a82ee64a821

SHA1
2ef7c9991a42fb8cbd74f33ddc98240531e55e8d

SHA256
24f41564769e523248e56ea3f3f1d05ad1e7da3d7556bae8123c579a120830f9

SHA512
66ae0baf1e84d733efe336922d7cdda288323c1fd0b413309a942f49b211e745ad5e5b8fd71c311c5d12c792eec5dc358e7ca910aa1c327ca381b12aabd1afe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgMk.exe

Filesize
230KB

MD5
e12f198b096ac8bc6a910b2908b7b0ca

SHA1
5b151df308f434c530452a73d64ef769dac8dd7a

SHA256
fbfa889a21f7f9202b1388190613470a8b248eaea60197196b7018046b816619

SHA512
dab50c1a3526f71f6d7d0ad6ab34d85f4a9e818be174945692e5477be2492609e727c5b5668d778f5d368a7e919d4544fd61855361dcf977f493af823cf7f762

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZKQUYQsA.bat

Filesize
4B

MD5
8535243269a241927187859ab6b16de8

SHA1
9ecadc24d031228561c32d5e5bc2ae63a178d3de

SHA256
44c8da258c593770a68d80d22523ce7ef7c3cc61381cd46b34663ee9eb626951

SHA512
9144f1d84a3d88e084e4ff967f36c19654d3ea64a5fe1b64bbd11b2a8168cdb12fca33798d17ebb1ce85acba22c6d19fa5635a4aa182b1b1b4b709ccf1110f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMEskYwk.bat

Filesize
4B

MD5
9dc1afb68389b575de1910ece50d4bc2

SHA1
3be9daadc75927e837cc5c3d2e7296279213e948

SHA256
6fe82eac541a7ef12dfb21fcd3c12e31d80f76562b21b69968a889c93e67b354

SHA512
191761b544bc08cc69f3c6b7152b78770a8f1be413378bf3ebb91dcce539058a4f864d45aa022630668c645f173d1f4288cab5839a84d8f2fd3994ef1892e72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUwYogkA.bat

Filesize
4B

MD5
ed0093f9ec17f5197cbd970b081ddff1

SHA1
f18e652dbf382ae77d2991849ebe3111cf1f2722

SHA256
eb27b82043ca606841690d193150d7c0cd086ef4e03cd8025523d1ee56c4933d

SHA512
f5ac70e88d5b6002e141d4e6db48ff920fac3fa1b0faabae18ad18598b1b3ea14c43fb2e936580b06459feceb4848cf873fff95cb4050a81bd7f7bc2baad9486

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZisAwAgs.bat

Filesize
4B

MD5
a06ec0798a3d87173690605e3af5a2bc

SHA1
48fbf21974a685f67cacbec3150de3f80cdc8439

SHA256
9ac65d842eb01bed22ae316428ebbd94506025686eaf89e6fbb1c3f64011f79f

SHA512
10b5024792a74fc54eb0ae42ca1c1a16ab540f477913a835a267207e98f7b0a259e65753e8eb589061108e1f16fb6f9e022a29f1efa0914198e5e52309418deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMYswcks.bat

Filesize
4B

MD5
8454c81cbe784314f33545fda70edcea

SHA1
6b2bcd4a1acb35834921f1e8cb3c17129e02722e

SHA256
7ff48dd5b1b7f4caccfa59b5532e9eddfba301cb08730f5c1b2b5b43f6ac2ee1

SHA512
ae0a30f4a3b038807c62e689b248defa48a0c77f2b76ec052ab51cbc6e9943c31fd070880c2aa325c647a91df5d4a87027f7274713ef6f732507a59f414a4c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUIQ.exe

Filesize
211KB

MD5
63a91673ae9a8b7b0b1df6965fbfbd5d

SHA1
3b5993f2797bd487594a1022750f865eb68a36f0

SHA256
8eef291da216b01b97b3d53b2ac6955c6ed037ea6758cfa493667de0f4013d46

SHA512
3007b0fd2204370e306489aad69a2ab9cc817ac5934c6aa312e57e9b09e71a533b94a74f6b0bf573be8465cf18c3a5885aec9ab0a1751a9c87073eaf768fb80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ackG.exe

Filesize
746KB

MD5
7108f088c223f25f063312f0f9a63dee

SHA1
376ebd708bc0a774c04823bc10c3b993e8b05412

SHA256
5e82f77a80eebbaa4587b4b125b684e7a3065394fd2a444d8005ad6ed8052eb2

SHA512
7796ab6a70bedfbeb8e1b65d5edabcaa872404cb0510ac6137142ea062d40b8e17ee8b6da5c3bc8a9b1e2b413654af37668e73ffcaa7a7f10d5c50b07651b63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\agEk.exe

Filesize
248KB

MD5
54d336f9850f2184f147c6fe3dfd76b3

SHA1
618355fcab5ffcd544995552f8596009b2a1c541

SHA256
6fcd9a67dc5b21cf3b068d79edbd559edbd2cfe015c2822d1ff13a7a626b6651

SHA512
46f12af5a3997081a4b8a72aa1a776998c236d0064aaeb5bd4914745929195009acb0d3875fe50dd2e1c4aa6f220fab32c3402f34e8e18d54f4757439531d264

Download Submit
C:\Users\Admin\AppData\Local\Temp\asEkAooQ.bat

Filesize
4B

MD5
7361894934b6be1e88577fc4e71e165b

SHA1
a3686abfb3e81ff2d28c291968f3b120d4cd43f5

SHA256
1a8ed53fc53a2a8c48e8d7d516c658289d313f6dc4758644a030c23057a8264c

SHA512
78fa7ec33f97312925c5df0443b10afc3c72d3a6734a0a2fb065381da1e45be37841c9c00af207fd3aa95150b4e2d8c2e9ccffae7cf01da467943c40d0e4bac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\awMU.exe

Filesize
235KB

MD5
68cf265c49c8e4d711a8b2967cd31543

SHA1
ac1ab7bdc0e00c5f576bf432c4c4c78a9f8d40c4

SHA256
02b301cc811553ce86295d25e8f4c97e2f880137ecfaee3ab8e123053dfd522b

SHA512
f83665767f860ddede43251a4c48336664bf0293c181290db8350386c3056799254dc76b3be539181c38e5daa80afefb7e4351c34630919321f21796c2971c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIEsYswM.bat

Filesize
4B

MD5
eac095da3e85a3081c413f555306ab62

SHA1
6036f8b3c5a59018c21bc51b024a7e6e7637d470

SHA256
2b96e5e679b601b0d3b3620485b32f6790153f69b8ba6ef2de2ac0108730c311

SHA512
b646c2e0a37dc80fd7cd37b9931d85fc743602fe0fcfaa18ab48216968b95da756ddc5c3564a8aa516593d7fd64113b390857ebde434448f1a70baf7efd225fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bOcsQQoo.bat

Filesize
4B

MD5
e66949ca290a20740203e1e2c84d2750

SHA1
2a383765a983cebb836e9d1008bd7aa1152ec0a2

SHA256
cd2c9d4d1a25b994f33ab1bcb9e90cd0402f3fc5de1c57efe736a383771b0b7a

SHA512
875d965b9f166f55d01ffa82dfcc9bbb8cea5369832daf0d85b8b7493885f4f2785f4dcd24032ae6df19d6570ed4b1ce0eb0c0e10455ac6383bcf50cc8dce30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\byscgIoc.bat

Filesize
4B

MD5
054124ee4674623ca0de697c2e0fc204

SHA1
cb85d4f36f2bc33f0007279c399ec9ebfd076989

SHA256
e899a6d973e10672d9e296d36051b0f3090a3d62f19bfb569256cab1f1176ae0

SHA512
a60226d8882003caabe4bda9bf9d5eb898bd19677f26cb0b16743fc49a8e029137d90eb2c5b0ee73d8f112b9b056ef12f803b5891070ee29ed210cc8550871ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAQkskAA.bat

Filesize
4B

MD5
84ff791409edda8110fd31aa4263469f

SHA1
0de39f0fdef963c5ba8de56d17e5cc391f3cb592

SHA256
22c091c75057eb9cf5d00219aaff6fe8fee84057a7d68d8c3fcb6451f7aaabd5

SHA512
433a638aa14cfab7d766e342ba176bc9ce5299672a796af4fd9196e92272df22d1571670444cdcb0754e7d10fc8265c107a84f48df6a3a987012d05a33dbe33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQIO.exe

Filesize
208KB

MD5
ffa0b0862343b939a2c2ac96297ad411

SHA1
56f8210b7486c9de6200c683f438a69a9b9c6f8e

SHA256
9078e9bfef2fbeca69fa84aa1eb543a13f4418361c7de18c4f1e6deba102dd9a

SHA512
c3fa533b1ba83df876177b44eafb8e1ecbe53adf0d2c48f524e8d4e39eef718cacfad235cb6d1e6dfd5cb7c13d1b2d1900dff6bf3a3d837c648f6fe924a7e7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUwK.exe

Filesize
215KB

MD5
70c47d1bf6606fe5636e80020a10496c

SHA1
ff630cf56e50debc2a86438eb69170fa32bcc2ad

SHA256
b16d6427bae80282daa42f5294e592abcc4c46e1ec9ed5ab3213c36a3662586e

SHA512
1deb608b783621b69c638c0ba1c88ab4ca8b64686e3255e0fc89946eb0f758528860e49a2c6d7abf70b3c2992c607a82d41419000019284ef1ae49feaab29af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgow.exe

Filesize
227KB

MD5
06c932cfadd7d1aaeeba244bb0878edd

SHA1
5cb206dc10abedc6222de3b17f2d028f0364684b

SHA256
25fd47d1ef2e84e468214acc43f5e78295dfb3640b93010eb40a5631b0cc3dbe

SHA512
f7cc80a60831fde6c7d6cf29865aaee42fb02d43432d1f5d2aee9ad5712211de79374686f9081ff84eac81cd704813cb0dfd2c3113c6275122415e6b8626cec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgsi.exe

Filesize
180KB

MD5
72a95088b0e0f8e82a4dacef00d823ef

SHA1
44fb2d885e505bb84ff655674fae88c6a022d1f1

SHA256
5401409948f034eeeb9ec821490c871fcf3c9e343f12d00ac02fb88f3ac1d291

SHA512
2badebb6065816dc2df611b8bd0599e8c708d0fa2be55023ef10c16c5f25014e45f56e3d9fca589218376b40013605a8590fcb88c4e1925aa09e2a16de58ecea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckQs.exe

Filesize
315KB

MD5
ec872877193ac1910bb3d3b54256ae65

SHA1
0e4145b7e55303e4beff63f7d59d7dcadca1a8b2

SHA256
a627ce387dd231f9ee9e843052757560d85b0507fc1cf362d606b6bc9eef74c3

SHA512
3a997a6ee97ba2eb8180371ce50e525d3be08814e33915f28ee59c1c9837caa00113c05c9ba9d06af69008f531b7359304d73d8ff1fa07ec01bbd9150b490697

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqYgQowA.bat

Filesize
4B

MD5
d801462330cca6dfc4b251b31eb32111

SHA1
6ad074f28fad3a6f8cb25e5410037451476f1439

SHA256
b18c9c8aea9cdc5c31296dca6126a2590d240f8d056f563d6a14852a31cb0361

SHA512
334bee4c8c3ede23475ce53bf5c33ca80e1e41ec5a153981089aefd76be7320911e9856cdf77c74dceeea1af015a749c7a5b899b2568e78d0496bbd1e2ea89be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cykgUQUs.bat

Filesize
4B

MD5
f06950a9f771bbbbf3114a42222fcd04

SHA1
e84ea31286961d7bda209279c3992e5ceb5c84d5

SHA256
0305a444f2d32eb666d8458d1b30084a1edd0a63efe34e70a7e13b3b142b5b57

SHA512
e79d6be98a3743e4fba6a7ff09d72f66ff44f2f5f84d406b5549bae1991a6e95c6f36490675c9b8d1bf161a3b0b33176f0fdc477ab48d81eee528217936df1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyoIMEwM.bat

Filesize
4B

MD5
4d78ae9e70f50ac15682d5c2ac8dafe4

SHA1
5f1b2e2191c37d6e88c0e471e2c4aff7ea2ce1d0

SHA256
4b49412bf82712f1da820da96eafaf77969da892674974560d324631624ac138

SHA512
7ff1bca735ba23c21af39d2f58ed7f54fc145179477435ef575bbb051e32269b5ba0ea7a52d97c921e895c726c70ddf6d4a9bb60efa8d5f4b734f516f45ea625

Download Submit
C:\Users\Admin\AppData\Local\Temp\daQAYgwk.bat

Filesize
4B

MD5
75438c40c3f4ec038248f268352d3273

SHA1
afd3b42aeb17f6be8cb54f0c9d1cae43a5a68dd2

SHA256
a9914f69e2645101e261249ae5c167ad9355aaa4ee7a375925ee80cdda5329b6

SHA512
24b441e73844cf8750bdc9727bcb39c73f68857ecde8261c8f0d3953316283cbc9e53104291d066de2d97bbd8fed9b743244e2758f0190425edadf90d9419fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dawUskEk.bat

Filesize
4B

MD5
29ad90d3cf4b6c147aed7aa14e358e16

SHA1
c6c6354a60b6f0f282bc30cf3afd4ebd14640191

SHA256
b0f5568bb5bf0afaaadd53fa566c72cdb4654a50a5310807b9a0da7fa5a1dbe8

SHA512
03be4f38954361ae16fb1fe02f12bec2b85fed2e565e2f350ff21e2a65f153b256c3c47ab44d7de6d68a31f900797b897c4de2cc55fb99bd23827d25e2c3fa84

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkssMsEc.bat

Filesize
4B

MD5
630b921353652475e9416ee3094cf96a

SHA1
81b32c83518f5351d50ccfd0ed57a308759bfc6a

SHA256
d2dbe8bf4c8b666472cb7680c277a57b3cb27050c4f87a067ec34b92210d566d

SHA512
575d9b865c9c61e47a087034bcf4590459c1e3d16529bb3fbabfcc3a77dd9144f9a34d86c87d12ef687d3d5df2954d42c91c58127f27a0729ed35aacd02e9bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwQgcogs.bat

Filesize
4B

MD5
546598f21618f0f40cd9db996e67b125

SHA1
645bc386d4dbde15d26c351583cccf4d7eb146e5

SHA256
654738b41a0c3506e2fc6d179a463d1ad3dd5d83ac59479a304a3c9b2e8578ae

SHA512
4fe7fc656a021c43609d7281ca6b443d79d8949bbcea9ebc14b0d7ed97b2a8edc5b629f38c0938a01e8e4493b5e6661217ec9db9e799f9c0a732eb4204c1e43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwgMAowg.bat

Filesize
4B

MD5
afc1781daab12a17ab4c9851b5ab4951

SHA1
2fcf7e890e6fd9a632be41699af57bd439fd91e6

SHA256
9e62e7a399a71043ee2d6a6b39e017a1b987e1e5cc2a2d7a476e62465e02c140

SHA512
c426099632e686cbed1baa7533b1c21ccb401df3e325d17d005cd4cd147c4c820a0aa2ac1c36d4911b57ca848133eaabd363f2a33d37015d9b91e6e039956493

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaEgcEAo.bat

Filesize
4B

MD5
5594f5e43dbc2edee50ee91bb3eab6fa

SHA1
ff0d091826fad2e5534452b5653253c62d82ee9f

SHA256
7cf955f0638cab974973cf6fdb3f43842bb87907f8ad85b77d5963c9d5973d17

SHA512
3acc5193b7a755d6e7df356d1f5f31d466ed61be719ddbccceaaf1e394e49934856e43b7e700f23ddd277a20856359ed0013910702108e7664eb9a971bc3a1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecoC.exe

Filesize
232KB

MD5
95f73d148d2f89d4dbfad5e7d10b875e

SHA1
d966630d0755668c0b476d20b0c339b45a7a62af

SHA256
9c79f044ee6bced6e0cc5016ad430990f1319129cd0717b5fcdff62924bf3b9d

SHA512
9a97fa00b80150c9989f71631b43bc10ea34bc02018fffe87cf96ee08235d76ecfe2fd10f004d4c8fc6dcbef383b6cb5b13125e0dc50ac5ad9e4335fa81f3f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeYAYIYk.bat

Filesize
4B

MD5
901edceaec211c6ca16663de0173a1de

SHA1
2c47b5a94081296b1ec43c1d79a5e9eca049fe02

SHA256
fe15b2abc401cc116f6cecf51a86ca90732e37f964bd2eb80c14480eb96c4f90

SHA512
584e93d3d081732df4a1525c3d49bd7363972dbcec6bbf22206016710160a17b7a6b798f5986219f7543f87f9bb0c35a919678ae42bdbb4bf024fdbaa6511c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eksq.exe

Filesize
251KB

MD5
b2f50e053823e756472ca8b113984611

SHA1
58c0506543be386f1027edf8940cab9f943c402e

SHA256
f10efeb9a61aa87e8d645e505670764f614d3b275225f8bb6bc35eae77cc2690

SHA512
c151c35864d89718718dd95612b8a130e2f1049a6dd5e221f48a96c023104b9e09bcadc0302e43c2877b459339354f91c431206220f10220e82c88e2f0d8eddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\emgQYEoM.bat

Filesize
4B

MD5
2d5c8b227c5c01edb4f747e9f6a1c365

SHA1
47fab67a30ef3db33e14490662a947cfaf15147c

SHA256
5f6899e8aba7244f7fa2ee0cafeb908b977bbfae644c1c6a2afec5363a4e6391

SHA512
77f2a515bf5ebbe5b19135c45ba75928ca6ef2f3e20036ca6a6811e5a963f2c7ab9e1efdb23d90ba647f9daf1057157647c5af9a3074f55fa7d0e800f188fcb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\esgYIoAs.bat

Filesize
4B

MD5
1c14cf71ab16dc92535fcd9d9d8d6923

SHA1
30320a9bfd44b8d824b3fe165992bee11932806d

SHA256
5268d6298498df876c84b3bfb10ae03ea2a3e7c233aefe35749846d6a65dfdc4

SHA512
2258c2c8e90d0c89bf851dc6a8f6e21f246135577dc01f3e4901c00241d41b73aa6ca6deab7f42eec5b030ae5ac9379d39891a7736ef12723dcd34837dcfe85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewAK.exe

Filesize
646KB

MD5
c649150e10cfc590ae1d8a3c5be1f6a2

SHA1
24572d417ea69bd0b49621cb598dcf981d4b51d2

SHA256
006a41cd1e289f451c521b044c8cc2c23953e24b93b420f4cc25ddd95298ef12

SHA512
69009b1ce64d1405269e6c4b25825701c77d2894f287f4d489bdf7ecda0d69080a37ae63d53e494f6f0d9aa3d4a766626d177b5bfbcf8b5fd6b2ab366f83531b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGwkkgcA.bat

Filesize
4B

MD5
372bc5fa14c36aadf7ae928cbd70c6fa

SHA1
dbd4e8e31c76cb41d441fb8e124da3907af45cd0

SHA256
a887d5a41d832dff7152e35f93b4af97d5acca9a6e8e2658561e7d4fb7a14389

SHA512
f33aa0559fdb0c73440281881e4d709187c3f35fd81c0700bd038daed738aaf182d355976b047676c02b67204b781c9a362cbf478e7d25b3cc13d4886a9451cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQAIMUIY.bat

Filesize
4B

MD5
abbba98255a46e89ca44e4b70e61cf1d

SHA1
b990108d8856521795451670bdb8358f9bbbe4e2

SHA256
8c119ce56a96a5566daab793518f7bb8de581e7bf960baa029555cfdf4821056

SHA512
7657ee8eeadcbd69ec9e9d957d023c1ceb54db10e70b62564a3a90c6a67d4f4772e785ce4eabd53485d2f1a45482c35b68e385ab02166729b86663614e5dae51

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWQEEkQU.bat

Filesize
4B

MD5
c331ad0c8fb0b9e53984b9975dc27d81

SHA1
c03cfd9b03f08fe7b84af2430acc69181f572d8f

SHA256
24c1a537b83a0c724bda896622c0ee3d022e9924ec04a4ccc98bfbf9ba421035

SHA512
52002802df3bc7cba89520de53a8a69436d5da4d9a4cce0b064f8456a2b0f6866855a1e71383ded76503a2c4799048a9fd46a3effc9381d7410d1c5fdb2ccc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgMYAgcU.bat

Filesize
4B

MD5
834b5879b1103215b9242e9b48e97551

SHA1
eab7d4f1b72cf176506cb1ca2d4af8f96bfb96c1

SHA256
4010e6b52024b50e20d9aac82d42a815014ce3f7a40f20b53a6eb1662fc285aa

SHA512
28397ae3dbcc92198d4df5e5f96de61a95c6a35b468d43e72f7761f1c42590db362a2b7b90ad4030d133f816b83b20d53f111490bce440a6c3f64627b0085dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\focoEMsU.bat

Filesize
4B

MD5
92b43425272d758f407bbf369cd1cd0e

SHA1
f5b12374a0a2c4303491f35856140f29a13150f8

SHA256
4ab9b2bdd4369b7f6a21a2e6625b2ea26893d4d1e91e700a8ea05f0eec51e47f

SHA512
18ca54f1315a5072da96b9453adc128967052b3dc6aa41d2eaa6b9cd62bc171b67e990f01818c312af94170f97d37a23ef216d7624c5816aa8d6a3071ff3b261

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAAU.exe

Filesize
951KB

MD5
dfb9646cee391642273c1b4dc1f49979

SHA1
09584f977bcdd3d3216e6dfd2f1ab98e4f003a8a

SHA256
63b6911ba13eb0d56982a607ff1f39a13e55a28fb667e4ef27056a2ae6c2a35c

SHA512
9201246739be2eae19363773c4d89812c04e68005307d9b5006322ba708cd2bb1eb28aa2bd99e3047e03e06d19a2fee9e4f59e37511ed10c229d0b52540da570

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEgo.exe

Filesize
235KB

MD5
a6037d10db15f3c3a9c6b88ccc0fcf86

SHA1
4560e58f16de75d4b5e7eda019fa987183def173

SHA256
c6b1112da9f03c29b4d249dd7177d7af9cec60e4bdf23bfe617f25418c531aac

SHA512
9233e8849b9c42740be23e9a77a0e767c058eb495e808405217132ab4df12555805dfc534fcd5de6bc5cd7e6ec170cc3e174e54274140d74ef495ec5a1f4d456

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQMM.exe

Filesize
229KB

MD5
3c52128f36d05a99dd4c68d3ddde5fc1

SHA1
6340dba2838e6f415fd27a74ba9ebd84d5a57ebb

SHA256
57b1d8a1372b24b5bf6c44f7fe1323b896c8371e4352bccb0fb594d4113c5a77

SHA512
7659c5d4330df282f52c78a5c3f16cad71f3d0ba59d2c473b2bc9d7d132075602c39c9f8a89f3dd6cb38e4ef54d626df8775e23ddc6ab50e4c8886e9678abd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUoY.exe

Filesize
245KB

MD5
65206802787bb226190332970fcf5f9b

SHA1
bb9319ca8a36408495b24b7f45dcd7d27677dcf4

SHA256
15038493b290e5a0a01f091d4fa8a7e1face82b79a2fd065b4f609213b505ea3

SHA512
8f91ccaedec43ba54c58712a2230482dd6e9cac0eac15bc57450d0a2cd95f3aaca50349c5b9e8207a80070ec0c84c86e19896b423bd2e6c03b9f947237d3a730

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYMkooQY.bat

Filesize
4B

MD5
7540f311052fac85e72001afd10a33f6

SHA1
0d247440ec3da518c4dd4c4baf96116032910e50

SHA256
02bf4ec361c1a588169bc43852ae9282d01890cb7cb46e3a60efb69ef26eab00

SHA512
1b63a8372dd98d9d839239f31c1ea9558b1bcfac3da2d9c6ba328f2559e4d1e1c1d256cf512f50781eede3d1be2befae23aa1aadae5fd9849e2730ed0abd7251

Download Submit
C:\Users\Admin\AppData\Local\Temp\gooa.exe

Filesize
559KB

MD5
a5a0be2af14dccbf0c4e8d3422fea6d2

SHA1
29b29971969863616b2ecefeb89814ef3eb4f6ba

SHA256
6b418f928edb679775faa1e54f675ee6cfa7a08d3247c4b2e4ccd0df9c1346e1

SHA512
8546a44e26da66de87aa1d31256020fe8d690c03041c34f3cee4857c455c7b2c7bbc31424b3a20601d6b8f63d71dbb6bf83907238566ccfb390146544d3c0a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\guwAUYUM.bat

Filesize
4B

MD5
324b6b7a3179271176b316e98746200c

SHA1
5c212c393a5e83141d4b722a843107b6c4052e61

SHA256
2b438487501172792c2b4f445f94b86591b47b8d46b65156088e01bed1a25b0e

SHA512
6da7998c59ce4f1f6bb433851b23634e8897ffcc25416e57ff6d4c6a9c2e48c59294bb231879e9f58a87daf48e44237cb1b94bb11173cff4fcb1b5f4481f65cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwQw.exe

Filesize
194KB

MD5
08a5cea17ed4fde07e88c67a06290a5a

SHA1
df11b7505892e17b011d4e7b2b98189f0e92f58c

SHA256
f99103f57ea4f1e580e4d64c9b1a1f5bc15439d3a3b3a77583232d21d4f2bd64

SHA512
64dabe860fd9f9cedf19962aa835391105eac1dfc8d9d16bd9891f3bab70ff96658ce75bab70b7cc4332962c96129e2f55843129ab14e6e5f1576f88abfb7394

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQQwgAkk.bat

Filesize
4B

MD5
fb0c773511ffd21c5bdfb2dbbe3c4dd5

SHA1
6b79f50b6e041b8adcc12047cc42f6b9ef061605

SHA256
b64ca5e3304efd0a08cc098b0093fe1cd04fa6c4333c3366027b6114f8d6c254

SHA512
5078fa6c61b4bfeabee1bb5867c8fbdcd70b9ced466e3b0799123cb667052002a31bd683cae2598640ddd102402a13dc84be0bc265b8a44786ec611985747a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\huwIwEok.bat

Filesize
4B

MD5
f7bc32ebf4a8483cb5fe7a39aa0f53d0

SHA1
a69a1297a6135c4a26a337aede2a5a441e384be4

SHA256
79435c5ddb4faca0e7ad0f30be342d69e284f4eed523351ec18285ab6d4bc5b8

SHA512
9429523aef434d7f0f6575396a9725bda2b7af60f98c31a4dc63b8ebc9b7a6007f549fc5d4e6cee171a7a55d8a00af424cadc3f7f69de6c4ebd169bd6579053c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAMU.exe

Filesize
249KB

MD5
7ccfc9e93905dc2dca1a722667f19415

SHA1
067b0c2525ac35ee3400216929b37550e87bee21

SHA256
e353f0b854792442996b883d4c5a404e1a08510d3e8ffa0679ff4e20219527a9

SHA512
f019510602a93b650b4b7ed1c66ec33009bc6f242a92c668bfe17250486d0979c78a8d2f1e8941ceec47cddb93527b2b439ead5cc724ac7f5467405529949db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAQE.exe

Filesize
248KB

MD5
3e16e47409e62a9a0e687b197f981b1f

SHA1
f8e2f229019d28b7c5ab51a836d8c9875de5eefd

SHA256
66132f409a143fa71a342834fbd6665fd5115edd0fea069b1c81c132fb9ca10f

SHA512
538ab0cf00fa95d3016fab0038df3c8c5cdbfcb7ab2f597240adf6d63d2a8b1aebdd204f7ea2ea8ca742e7545d3eb5a3582cc9bfd3a2cc68e052b3b4e4c48e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAYgYEYE.bat

Filesize
4B

MD5
e7c7d9dbf96ad9a98bc326da54834057

SHA1
0d7cccfa934b718df59f19cc07a9d9e53c50f9e7

SHA256
1b7735beeb07acb72fd92b5330109d38ade1d0c6c1bec1047bd702c98a469f1b

SHA512
6d62062fdf989d04a0258111b536a195dd3bf283fb6316681832bb410e80956e4a6e8574fcf9a3bb8fd9415bb8d224cfe978983900497221af9d1f10d90e4741

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMAwsQok.bat

Filesize
4B

MD5
80a2178a3ec99433937399128281af5e

SHA1
4765981aeebde4b6782f35d1b34b2d23f1d8624c

SHA256
ebc815098e824f4662e3715cd403a5d02057384e1aedd3b67d983eec80f78a1d

SHA512
0b160f52513034bb837e4db52e1142fadd12b341be5033567ce2da9a4f929f039d1b598fb585da17a0a1c1be43e20a7190dab67cf8e9b20e6bc7a0973ca4a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMYu.exe

Filesize
229KB

MD5
bdee309b7055183b0afaec76d51b11c1

SHA1
97984bfe1859d1deae0b53c5c2886ab74cd5777d

SHA256
c9f655431088d440444119d22ed0d9281b04254ef0ae0ddc9ad6e0d33374d7eb

SHA512
953462b737d13c6b42b88a35873e786059d8c09f7bd6216f7aebdf7df151491b18d7b47d5698aa5f40b220239bbed431e8fe3ab7620c748325b4d7a464e2f158

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYIQ.exe

Filesize
238KB

MD5
e3547f5e08c00803027f0e2480af2005

SHA1
b41497fbbe276c4fee3d9f1dbd838209650f4fe2

SHA256
89e29fe9e797156b72026256adcab77b4b8d273d356fab8c6cf5ac9eca4868f3

SHA512
888d08151cb46ccc31947828105a50ff98f0ce81dc0284ff0680261b87021732e9983858685a726ef8dda3f60f94d010093031eabb35739eb2061f4d97d44133

Download Submit
C:\Users\Admin\AppData\Local\Temp\icIe.exe

Filesize
199KB

MD5
d18e089c2cf58cd0f1fac54944a1ba61

SHA1
1ac20ba55ad345c61e08055503ff1a2824d741b2

SHA256
bf9305085b6af53518aafbf2c33cd1825424d75ad1504dd6db44334d8c6abe04

SHA512
69866bcd74f9c23cadeaa376d5add1c4f6808bb1b0dd8f9018cc98fd432b979a57e0e73110954c9e66c9e5f491f43c8223d8dfe9045e3131356eee8829905879

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwYy.exe

Filesize
214KB

MD5
8d8170b67599a42b5194645f5b562efe

SHA1
e25a758a7791a1432bfd4f6fd961fe38c3ec5cb1

SHA256
a4035b47426483f43b00604f0c787db8fa571e98e9c5f55297e24950b607e412

SHA512
fff624104cce7d03bebca55b4934e19ff22f513bfd58d7815bde4815db7a10908f7d01b4aa9d9a7d69b9fdd1b51729d4ce9e15de4f5d3833c182c472105b7722

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAggkAEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcAa.exe

Filesize
201KB

MD5
1d4892ffaf7560e71a6360f8e39ca05e

SHA1
7778f732c97308c1e347d05a8ea2168daeb8d2f3

SHA256
11bf8261bcbb20a53d8bff9f8666cce8777ea25fd47cea33cc52a4ed3e382c4e

SHA512
98dbe4d7d500255b1700c0326ed015e86be4c6e263e3ae4583ecfc9b2205ce647d70ae1652258e58a9b5f1d391fbcbfd4e979c42640e238a9e4321394d16ac40

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgQYcQsc.bat

Filesize
4B

MD5
2b5336e3e1884c85a0486b8dc4448f8c

SHA1
2edb8de41c7cd55d363e1cd40a66f5e23ba93d62

SHA256
d2443c7abfe24340671e2557e5122718bf766ebd86489035e10a6d9afbf10a4c

SHA512
b553f844c297518e4c93c52e84362a5cf076ac5ec30569cc6d565f84dfb06e872b825e5abf15d1fee6e4f9947c3d655fbc65b676125ac2bcd6df57eaa32ff2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksQM.exe

Filesize
217KB

MD5
9c5625252d9816952b604c09f152fa98

SHA1
b812f385a43753b3789168063efe316916e533d1

SHA256
797778832aa2ddcf142714ef4a808e43abb5f6f6a985a7a0335563e2ead633bb

SHA512
8cb588bcbaba7bd94824e71013ba4828694d1020b116a19308f614abed3e5bd6eafe4966ce15d0b8f8f49ba13f8448b9b8405e851aed7635fd85d25d8c6d1dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwMS.exe

Filesize
324KB

MD5
d11dded1131e4d641ae51925e3e7e5a3

SHA1
6c10bbb322e18a55fabc449b551516bbfad6d22b

SHA256
0dbce4eb32a2a2272a43dc33670230f25f3115c3a482c2598f167ed1564c7fb8

SHA512
5189b5ce09c91bd599ad87480ab5d9d72c555a5dace8fc836144e867470cfbbc423805a8161b9ca36e9b34c2a779a93db90b17fb4e3fecdc2355eb72f339c6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwUgEQQI.bat

Filesize
4B

MD5
d75034c32495f268f2aa0e1d390ff190

SHA1
e43a9ca7a29f582e9393aee4c1327f6ca78204c9

SHA256
fef79ca85f6d27d0087cb3bb5e16b9be38f11e88d14cde89d8f36908e1137d2f

SHA512
ad06fb4ede35a83ebce8c815e07773b38d47454d64f7041c8ac6bf8e859223d5d1fdf54ad134b392dea8858b60f567f8b0d3a51f06b48476ef20a74a759161bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\leUYMIQE.bat

Filesize
4B

MD5
cbdd0ff80cef5097ca97c5dc88d3b0ec

SHA1
53a7aad6191cf007f336a356b9b723698e66facd

SHA256
352b6777abecda2d9fd99536d77aefafcd534864ead6904428857b70e8959535

SHA512
c09ad9f7580dfa884c07575c5c549b16d19eb8f93e8c66918c1f520aaf96167dbf98bc796f27a7086aa503ec866e5575637160a4d62ce2399265de74e18abebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mCwoQYAk.bat

Filesize
4B

MD5
fa3fd9c81ca63084a29071e3f96b93fd

SHA1
d8f5bf43d662daa0e6c358657b50355e4b3609ef

SHA256
e51e9b6ba1e56870cc1b2cc6c19653ea0d4dee8c22aaf18e0b77d620e8c5b6e8

SHA512
263077f3bf550557312c01f2f09cc1e20ba0d1a678eac4cf9553f18ba1363b3eae591bffaa0b162e6575e9e623ca296dbf8ac40863f1f00d237003bd91a9a6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mGcggwgM.bat

Filesize
4B

MD5
4021a175d339fe8647eecb5f4b7985f5

SHA1
e3475bbaf7bfddf3683aafa168be32d7fdce35c4

SHA256
ffc86d9e6f0d67cd73635e3b14c72cc68da1cebf7fa1baf1d6a17123bdf7fce6

SHA512
b9ded489b39cc4b13672bdd82df75f64d95a3fe0bcf99dd3d333ecc0b47e88fda512a46fab5c3f0bbeb663d6d3230ebe56f4f2bb63411bdfb3b757c65ff02bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIQK.exe

Filesize
793KB

MD5
30b99b972d365f1c044e0a8a62481a74

SHA1
eca8dca52e6bef0467fcaf6054aa7a9746346fbd

SHA256
06820da91e7a1e478d3b7fae302ccd4f9883e58375d63cde723fb06f747c7b10

SHA512
7480b6db3e43056dbab2bcf6f7e4b56220614428f9ae01d7d016a50d1d75c8d3fb5efa393f2a950ded822b2f5a5ef026446d6b5bbd095502ca66dabda27472b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQoM.exe

Filesize
1.1MB

MD5
dd71287f50d8a295180fd83c396ad21d

SHA1
7d7b1976191829d371b034a0037154ef2dd36593

SHA256
635965808b72d663a713ce1f63dd888b41383d4fbbd7fef234488712a04f7ddc

SHA512
df736af4f411748ba8e1a88b8f7cd6ebd649ae22bdc228bcc95a6696ef239fb51b11f97edae9b039404ed8737dc4f6d218050f8726bff5e8aa70aceace7dbd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSAcYQYA.bat

Filesize
4B

MD5
1402018cab84c94fcda8047f60f86463

SHA1
3015ac090763e1b7aa51bab835834d0048cc94d7

SHA256
da969f3a56f31e7d371aafebf2ec900b5244473cfee99bd4cf517781375d6cc8

SHA512
0293b5be5694249dbe2226113786c213b232900547c451749b39ba0462d30bad5d0306984316ba9ab83a7cffb1c071ad37cc1b12e071a2c98d8a63c5841ac4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUQY.exe

Filesize
243KB

MD5
8009a564bad350e41d84309199af0664

SHA1
2ce6f0a47b22ccc3125c4ffa8918705199d175df

SHA256
327e8e41824a3205125fceed72ef4e4a8a341421217c2a4aee2c0db012847aa5

SHA512
5b6c2a935a0adfb132df652cec2cff75e50de0e4d61ad721e10316a0a1512ff5489f4bc78875eca123dd1b861e91eec3bdf5b75181d2655aef0b9d4f2fbc7049

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYwg.exe

Filesize
252KB

MD5
ad4f2575ff3e3e7d91a08d6ddee748ea

SHA1
643d697edfdbea01a5c72fa466b35e80b991f8bf

SHA256
e45372c6a06c7a773f0601ce83728e3c2dccebafb519e5d587381a3235ef6739

SHA512
9a233beb00f1f0b2389582f43ca7c239999b7dd1417b4d6c8b1df3aa0a5e41a1aec7c806df7b231a95c263e1114b8187cccae21d87d10677b219d95c63dae427

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcoC.exe

Filesize
229KB

MD5
cf0730ac238edb40fcd2e2f269bcba45

SHA1
65cc85a814b020e40189c823b921b7704dae1038

SHA256
9d51d093ebfb7b32beccc06aceb0638e764a7f560861deafbf606c911988ab35

SHA512
a2354133f78b25f2060827abd887712d3649c418f2621958afeb0e37c0f7792abf3faedbb79754e9a6f3c196fe5c1d30c676fdd16c5b7dd5668d71e575100ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkEYkMYI.bat

Filesize
4B

MD5
ca468451d3b1f725c635747f09f99368

SHA1
1449f1d7a2c247710e6dfcd46978532e21139cdd

SHA256
e65069710beb704c09f17fae29db246cd4d0c8ec143f5178d829099626d745ed

SHA512
650b632306d4e775ce51b3b755a22d9f45b8111a28ba6bbac77199de699580e25d0a10284d5465a151a90fe3f5d71945d3faaca7258c05078398a7a8c19724ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwEk.exe

Filesize
231KB

MD5
16331f0060c8d3e74be74bb22df89a30

SHA1
705480576b22523005cb0801edce24a6ee6f5de1

SHA256
3bf1058677740670b53e5d3508855b7bdbf4e9e62c5d99e173e68221cbdb5fb0

SHA512
24b429b37b8686559ca10b1c2da6ed2e1659b329c7dbf9e72dff4cc5563d962855ae81eaf9fb590b9fa4a786f175487dddab728c2c519934a16db8dc2983face

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwom.exe

Filesize
207KB

MD5
49c81ce5b2f15cd3188adf35ad94d9b4

SHA1
31afa2cfaf7231f6b1be8a33fa76a32db1fe52f4

SHA256
7a0e01f9355ee5cad242496c1e11665ea3a63d97cb098566415c9a02d28829e0

SHA512
bae8735c03e9f2e86076360959f656b011f152e45649997a2a9011e575bf75b23e978cd676c41b48631fa9a3010c2f23b79d12aca73cf500c49e7b4bbb2c073b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGQIckkc.bat

Filesize
4B

MD5
61ad01a8220390f169b450059ba7e3cc

SHA1
d66871eb7f06f552ee24b51eccfee7c493ae857f

SHA256
4c2fa2b7bcb8052294cff1c9140173f8ff1089c76a3c0620a3c5fd703dbab2ed

SHA512
129585df535dd70659e3420ebc27ec977207de82257d42f4f54c14e2a481645175ee6a673bf2a5ef0330f1aae5f7232823a18130284b4a04d3afd2ec77efc5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsMAYQcY.bat

Filesize
4B

MD5
27c8102b512f59a145f0395f7766c6f3

SHA1
3afda19aa44ddd04ffed64cc0658d8561f55ed3d

SHA256
ba00d936c4e41ff9c2ab9e37558dbfe58f369d1e4423e52b61e97703ac5135d5

SHA512
dddf1899430a05582592ed1b14e2c53b09e2c13559c4d45fd60bccc4dd713b683e740f9741a627ab5901514f27b441a8a29b71797ca236ecbd1c3b8e439d58ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIcwkck.bat

Filesize
4B

MD5
f86364933840f6cbc7d6685aa77c9138

SHA1
2083e1b82e56557b2166306002cda9e211d2ec50

SHA256
45a73af0e4c07a9b5d429bc22965f7561b3f8dd87265a0e646693fb49e76277e

SHA512
000fef5c05de7cc910f7bb7fae3769adfdaa87a75417abff4cbc6ecdecaf493e26626bd0a117a459d3a8aff4234e0465e5fda1f78f58b51c10166058eb162f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIQy.exe

Filesize
552KB

MD5
728031b412c4a53a6760f7ce1aaaec49

SHA1
cda6561b4e5ea9d3c515fc5fb46dccb0b82bfabc

SHA256
54f8a6696d25a7d376a8d2186cb9d3634d91e44b38ad1c659d66c9672e27d498

SHA512
33316852900021356bfe9887fae20f7743ae27bf806a518a8bc37689d7b9b65eaa4f70bf373372da5549394af467b4c679353fbfabad9b6c194939cd28f9def6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMMa.exe

Filesize
242KB

MD5
c383f95fa9cbd45b279ab1dffd0ebde5

SHA1
2be924b175307013da4450bee328bd544a4aa53c

SHA256
9b26617b17d2371db5c6b8a4f34efafc384269ca45f4c0e426b2f99e226e5c84

SHA512
42b2394f499ca07716bc56a6f4a56b3906c6e72cf40fb8e61852a893c2e658a1b40b558ba149f3e01af267da8ec0f3fe0d038ef732395bc79501434517f9c334

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQoY.exe

Filesize
229KB

MD5
caebfdafde4feb818e19cbbf29cd3642

SHA1
92338864a24edea96b719e02f51f11bb56a46698

SHA256
c16c689bc7690bea616f56ea3ab68bb86446bd1e749d6c4207f53e2eb26c6ede

SHA512
3dc25a2b3affa8203be594919e83bf1e191fa5602b97221119523a571a561ad6ded7313679d27a21a9a578c0aff49a0519909cf7dd71fdbab56fdd4e3d63c094

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUEU.exe

Filesize
186KB

MD5
52736b1328083f44dea26566f484fd80

SHA1
0aeeed3848b7559da8cd7c76d4a1cb84c5e097dd

SHA256
d399dcb32588bf9997ef60acee5d83a0674f11654946e693675bb883aa7f26ab

SHA512
b6e5a53c69851f208ffabcfc69e6b2ebca46e16a77e8b60205191f31be8ac98f18fbf592fe5d131796c146d3eb5b1a8daaab806af432319e7d47bfef749c67e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogMc.exe

Filesize
224KB

MD5
929408362e8911f0a1c5562902926854

SHA1
ea73db3d77797138ad3e7a3bf41dab9a462dfcf2

SHA256
9c8f9c4fb7a3d33769411ed3d0040f9435c9a451a88b3bcab457e2d9a376c50d

SHA512
d59ceaf4a4c478ed8ad70e27950328826d6a4eaa343e2d3a6b1ec714f3f335bf627ec966045c3b9ca3b450c11d16b0ceb4969377b9b2e6d3c7a41d8dbc2db568

Download Submit
C:\Users\Admin\AppData\Local\Temp\okQE.exe

Filesize
242KB

MD5
3a05f5dbaca2589b212f120e85dffcfe

SHA1
61ad026c26dedb4f0bfeb512e21feeaf88c27e0c

SHA256
d0f1e8e833c688fa81685ae75d5b68396a22b84ad55a16f093f2ad8bec8e8622

SHA512
c6613f0d8598e802485493d1f808c6724caaf713dcb005bcd9c669c7d78c000eb47669eea9509878b25cd4adb76962e1c1b7830f7f90b712c6c087f2a72eb6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\osYu.exe

Filesize
243KB

MD5
54b77f957e6cbd679443ee7104bba1b7

SHA1
a6a307e4dac0e283e307d2d13721e92b7ffe0a58

SHA256
d89627f0970b687828288f93172701162ef6c8898a9bcd03ec3f3aba2bcadb5d

SHA512
69dfb804bcb2893f8768d34d77cf0dcd583f32cbf0abde41b6aa3b2881d423eb41545fb6e3139a7e06f7da3327089d36f58ca791513f3bdb82a053a8dcfdad63

Download Submit
C:\Users\Admin\AppData\Local\Temp\osoI.exe

Filesize
653KB

MD5
7548e0ee7921098f5262a00497c81db0

SHA1
229be57e8301a7bdf7c54abf80bbe7771da7af9e

SHA256
13be66168749ca4c6a8e1e8c89b34a61febc3bf2d9b5b1dfaf4aa18f7902d2de

SHA512
70e5879af2ec7672b88ca11467ec203613f5543a763af9934eeb06c597d9f7497027ea4bbb0ac1bf11f7bea80a54ec88bf1ac9bdf3ca958a25a30e2251e6abfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAwgcAYc.bat

Filesize
4B

MD5
5b999a7a36ffc42de1e71149e6210054

SHA1
7f305a99f38ba57c3ef78d458037ce0fa4c13bc8

SHA256
0081db60d4b70ffc16d5dd079f9d17da01d4489547bdf04d2d585463b9b4efa3

SHA512
0f02ec7c698acf2175ade7b9c6cade30a4448fd951bd188d4bbd96205449d127467ce0dfa60281978434a20ca3544e28d1f74816209e03ab08fb68042f96334f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pOYAkIQc.bat

Filesize
4B

MD5
c83731918922694af4497a963a257305

SHA1
143a5067d2abbc743f568fcfbb7f390713b748dc

SHA256
e002253e73be01b8cf84c00d830945ef38ab425a4e053fe96eef102659314603

SHA512
430e62c088dea111f462d1355415397bde6ea1bbcb30b6ab4dbc691cb41e943ae7a670010dd90690a45000e023b41b605d7cd8bc270c65ecc514d142c530dd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\pasMgkoQ.bat

Filesize
4B

MD5
38dfd153adfe7385674c1f5ef2e1eb8a

SHA1
a7f43b3566f174848bc30f49a0b429360601004d

SHA256
8a3ac249d5d2b12312ecb20df9c42dd7740bff0d0b1f03f860b2c21a4c6dc0f8

SHA512
2bf81128680df404cea1acf0a5737ca8de140e3e7d823d38d03fb39d23c26b176734e3e1fb41b6be5760d39fa303f594f78b24362205894247c8a21a4965c3f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAEoEEoY.bat

Filesize
4B

MD5
67376bd87f3ab21d22151f0acaa0a84b

SHA1
bb689a59b344750b10f4d06b10428fe60d1d373e

SHA256
56eba3d422a4a04c0a85f95621d9411be397b331cc80649297bf8b6ed730be98

SHA512
723679a886df8e497113768c0cb85bea2887a961e6f19619e19ca171a0158d0e91aea996f314162f4bfb8ba686af701e0bcce2c74d37bb9b91f72c85266aaf19

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCAIEkcQ.bat

Filesize
4B

MD5
acd6efb489e454025c2d701e8abc80f0

SHA1
23626b1787ee0ebb6b85ce2b9dc960a7c84c3fd2

SHA256
5b6989fe252130da9f1dd754cfdfd7f3578fde6f5da108b7ee4945187bb9ae9c

SHA512
ce6b0cd132f35e8a306bc52401fc776ecf8258baa9b787cb32601507baa29fb8a21a1e175dd238351b528c5b0d1fb666c757917f5d5faae3bc12126afb87790b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEoS.exe

Filesize
579KB

MD5
43b85c51f0250783e9c50302b6210043

SHA1
ea560a4a4794587abe90c66c999c4727ae22e327

SHA256
5cb5871218c00a23dee0a4e57c04fd8b3437931472db413b5fa30cf7ceedb4a5

SHA512
f4a8216d582c67b4df51bebde8af6802b652beb698cce22b9be6b1d58897371b425893198adf0c7973a4ec1706b2de6f9dd09c88f70036e77771d83bb8941e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\qWwAMUoM.bat

Filesize
4B

MD5
33fc8460e91aeeff0c0f42f1ecf3cd2b

SHA1
5161fee8acb6da79818f7476bbd7987a4bc14e1f

SHA256
09c56298dddc91ca792239d215be76babee8f2cdabd1e51ef90b85466c1357cf

SHA512
1746819b375df3f487fbac798bb7d5733611e85d30e527a2af3de89d192e93ee6640b8bffb0071227dd4153938a0846441411eca88691093bed07e0a302320fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkIS.exe

Filesize
836KB

MD5
0ddea4d558db4b245325b54549d52210

SHA1
d2a01422bf01dcf614aad3f51cdbecaba49a1fda

SHA256
dda1c05e9f3cb6047ca48b29972fe900ae45851c1c0254182086ba2c695890d2

SHA512
b628a192e6943cad54b2189d590c2920dac5e55049be65c8e731f071f5311154b4754f74545b3a24b38fbf7493ace4a6c0b6926007be5fd5904e443950277f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwUu.exe

Filesize
245KB

MD5
15df7688784930e18de6038ab6ef2df3

SHA1
fa681646ca99d7088a658ace9900009dc81249da

SHA256
f64ae55872cf870f47963bffa59d02a4579ab4e119840a61f5ded398a30f47af

SHA512
e0b8bceddd2d42db31480dcf05353c0af52c0f8e545245998fc828dd69f5177c1d8d4ecc5ab73ea3034f9df817d1ac7e1bc7cde803197868938d6a4064ada7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyIAQook.bat

Filesize
4B

MD5
7a57362a12a8365114b489cfa019fbe2

SHA1
a2d0f673baa1094e770f2b5229ecc7e02541091b

SHA256
b879e2b2e4c43bbdbe1d59aaa93974909940417096b2969ef7f4f194ac061652

SHA512
072c868ecfaeaa4bee2ed0120f07997ae03972d42a4aa1dfd4cdb8da6372dc143fc49b4d1ee8c69d10998f3049fb96423c900606b3cbcbee0fad42feab02c476

Download Submit
C:\Users\Admin\AppData\Local\Temp\rOcUgwsk.bat

Filesize
4B

MD5
e59ab3e0b961852f81cc86bdd99406b8

SHA1
73d2cd306a9a5836d660515f192ccd111a4fc9d1

SHA256
663dd4ca01306b971c3b84f7318864938ed2f3cfbcf274ca4e0425c21e44f5ad

SHA512
07c93618e63a86aa2d272cf4e9aca8117b5f4bf76aded034fe230b5996a4607c3c1fa280f8cae9940d390431b9e93eea4cd22d1b238874d2876f1de67421dbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQksEUkc.bat

Filesize
4B

MD5
1560a4e8bb7a2baea4ac4232843ebe8a

SHA1
a0d402ec74aae6a1244689ff7ae2ccff7de8a3a1

SHA256
52cd0750c70d2ec3ec821ab497ad9da158a809947b8943165f965a423431c353

SHA512
e9d99783aca85b73a76fd539999f518fffcbd0513bc48fd36bc77e14c37d867cec1e41ae12de980fb74cb795dee2a56e7a877b0b8092e38b14381a5a461b1159

Download Submit
C:\Users\Admin\AppData\Local\Temp\rckcUMEs.bat

Filesize
4B

MD5
a118ed700c4550f721b583698ffa94e6

SHA1
94a1e8dae863df67577eafde9170b89b27e6c0e0

SHA256
1d506e05c48266dcf59a61c248ee11e1de7ca002e7f0b0a5f68f4ca88f9511b4

SHA512
7fb8f57d7aeb2a85e19a9be0afab60cfab45cde4137b6069b702782bbbe509a32c9e755458d76705ec07fd89e5c6355913878e2d7193a0cd8fad68bc33b2c445

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryIwUosE.bat

Filesize
4B

MD5
e34d3cb94611ed41a435471a28b29d65

SHA1
642462a1efe880bba7d358aa72d01f4e021b1432

SHA256
e4af2b9742dfebaa91bc5c4b7bf8beb70077fc265fd706149c9414e0d2359ad1

SHA512
0ce713021f343ac1007202aa63d3d34cb8209208e7eeb277873bbaa4352cbeadedd9af526af292ae1c3685f47d19647f972fce9ac821db19c3ff9b54b42c7e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIMC.exe

Filesize
245KB

MD5
d5d44aec77e5c7c08b5d3776dfb0dcf4

SHA1
842007bc5b270896c3505903a02aa387fa946858

SHA256
869c17ed5669e363d69dcef73a126d228e9a6f9f31f4d8ae8b13c03185518c8f

SHA512
c1d87181efa1cd81f62d17e61368143c1f846ecb09549089ad18184eb0742cb712e4d948dda3a2fac3d85a03bb4979bb1c0d9e35c8e3c87bfa62b05f32f4f8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIQI.exe

Filesize
862KB

MD5
52dc138ab122a1cc7213e4ed5dbf5e79

SHA1
075e4687511effdfc5648bfa1b0490c9ab33253b

SHA256
6aa4e25fb415d6c7f50627b0e397af7ee22bf73645cefb2ef498ee2a3c872892

SHA512
78b37cc367a2e5934b37cfdee0bbdf5b1cfe4a28cee8b7a462066f242951e313c0ff199ddf1c07c95c98b7778049e05e90eaff766575d3dcf27c307f076f5deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUYg.exe

Filesize
234KB

MD5
0ab166f3838a7bc3da687e3096772081

SHA1
7757ea2a2a52217031ba5112352e4ae9e538da24

SHA256
8494bd128417c6cd18137507e808cca0d401f136f032c154de75849bf12f125f

SHA512
1d05bca5e5a9911282127c7f77618ca8ab0f21548c4b7365e5213c097fbca3573aaea306e6a744183dc5aae6e955accb330230367c680ef5c7e3685f3c6b48ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUYs.exe

Filesize
237KB

MD5
52d97d635012ef4aef1b221d8f7fe90e

SHA1
e718a9087155e7c1b125816222f6136c08942870

SHA256
e18291dbb6e1440c8e45e649b562ca165e2eee7bc275d67dc0b75bbae8efe2ff

SHA512
58f88047d3c83ecaa6afd126197d3409707bcce909852d0687a8d734322ed050187d55aeee7889b314658a74e056b76811be08953198c96d7b667ebedc1fa25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYgoIEws.bat

Filesize
4B

MD5
aaad8bf66bb042b82db23ff01c4e3380

SHA1
e9be2c75f36abb49d10bf5b84f6dbb361309ae30

SHA256
11cc861d1faf10c17ff322cbbd861a25509a863f55dc76f62c0077910a1048b8

SHA512
b439404f149fd84a40108ef5faaddeb42e5c6295f79e6d38150f5eaee06105b6ce83fb342c20143f99ef8b801d6051a48ecbf85201bad5f12093e8297c839530

Download Submit
C:\Users\Admin\AppData\Local\Temp\sagEYcsg.bat

Filesize
4B

MD5
21bb00baf425f5293b199e631df22833

SHA1
abbba66badfb1a2caeaaedc78c8aac6b5e114654

SHA256
66d703b46e81ee332d46ef0103695efaa04420ec2b83a0db79479f56b7ad9624

SHA512
84ba07b19d5c4138c4d9c2deed71048ae4e6a1cc00c9d2205d25ac00d86434828c25052aec27a03cacb0cd26b5505f447263199a685141f19437f146dee2af7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sccc.exe

Filesize
201KB

MD5
fdab4da725479b084c19c63d8e9ffa82

SHA1
12f1c39d14a564c1a7603a52b128d183888a2f2a

SHA256
064ff1586c471d13e7473fff064a48ed28a16814cdeb4868dcf7bfc6ae05fc97

SHA512
eb61ce68a75bcc6d827766bc44ae2561b7356e52da17b9e5686e01199c4afe50ebf1a083addda331cc3cdd27a26c51dfde3d54f5ea267fc5b0a529737c8fdda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\skoIUkwM.bat

Filesize
4B

MD5
576e79d2ad19b7dbe84983697e80cbd6

SHA1
18c852c979a36def0f9c0300b5bf07b63ebdb835

SHA256
2a962a8b591cc72dff37229fac33741a3b45ffd69135331c75c71131ddd6bf83

SHA512
2c751d1bf8948cb99ef929dbcf10133332c0d586d631d64da7542840dd105ecff73d08acbf219fd6fa4dc8ce525f5b32909f4717bf0a5641c02ace7abe99ff34

Download Submit
C:\Users\Admin\AppData\Local\Temp\soou.exe

Filesize
235KB

MD5
0d7b3731e30bb981b854435f06181fc7

SHA1
193d52d5ce7ab5c7d023c09066fd3cad4296626f

SHA256
053ce972c001bf4018a6b6bd3623c120d7738c748e33e2d9a0e075871a8af90f

SHA512
4e3b7c5b50c55a4115d732cc7b36e3cd5926c6c2100e228439adcf495c9583d4eaa9d59f11cdf88fbe7c0f879e8107d32b038b718534f2bd894c195eaad19c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEEscMwQ.bat

Filesize
4B

MD5
68942f6435064d077819711f7dcefe5a

SHA1
10730879ea945eac11cb6955ab83aa00de0e4061

SHA256
64e8425c064cb496f083d84f02a20ac5a1d9b27d75142b4bfd2d5828bc069411

SHA512
4d9316bca1c578945900951431919ebafa31824145b8d901074574b95e47d1194ffba8f860870d9e2d2aa4f566a6da40d70d2b4947a7db7d3a52a7d4a2763437

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAQc.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMIA.exe

Filesize
840KB

MD5
66c869fd1654953770ca64b36a60ad57

SHA1
9c55f33e0692cef16647aea7702b107d3561ec77

SHA256
45694888d34b78ea66e1cd1b98d3b1d5339e3a05c585dfeed8804de677c773cf

SHA512
531e928a6291d36584a2928646f2d2f9af6cac0b40d34dbc82d534c29d6346a204f0b943f9dc69f8f9dcae7f5f195c114cd5560a0b61a7c52463a17b3f9afaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQks.exe

Filesize
232KB

MD5
b178313abfc567500a6a9bd5d14619ca

SHA1
5cc62ecbd5424e46200782283aa7862541d0ac3d

SHA256
3e6fe0fb196043c67850e3f0322dfbd69940dd27d82684314942e1f2ad0931fe

SHA512
8d791f1a40863a4396cef6c0d036af41e23b19d0fe070cc2524e4d56ab6451f8d5637954a0fa163b2fb090b5f75609a269b5588e002fd912b35aba9ab5c07359

Download Submit
C:\Users\Admin\AppData\Local\Temp\uWwUocUs.bat

Filesize
4B

MD5
a3e10ec46acafbcf780d6b3a3f25fd1b

SHA1
745bc3ca04b58983ba57beb7d70a5d5208b1bc3c

SHA256
54d4eac0adcce109bc326d661c144341426a37f9ad385965ef413a9d1879d490

SHA512
d71b5f217ceecc3eda964cd22bae59f0b8ca646bab73803c9c69be61adea3bcbca5347317a1a6dfbdf43fc425618b5dd4a83b13a6943dc032a7f50a9e7321686

Download Submit
C:\Users\Admin\AppData\Local\Temp\uccM.exe

Filesize
232KB

MD5
1fe435337256d7fa054ab084825d695b

SHA1
1a316ea75232b4526d6c751b58dc0b3953dc0450

SHA256
41e2d3af3d0b8b254099419c6bae8672e3408d9d06d58a480f036e4590c02ccd

SHA512
9162a8f9da1ca0e424c58d7f76f7c836275042149019bdd911f8e04512e6f9338e54268e3f2a3fac51a820c4579f530ae3f3c487bf0877122feb381429ab625f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukku.exe

Filesize
4.8MB

MD5
7babf97dc673ad2aa91a3883039805cb

SHA1
e89286a3127e7540938476a352b00e2dae2aee87

SHA256
e380f8fadc3ae5e7c9b19b9d3e476fa9c8bb6af30c9e17f7670fee5917170d16

SHA512
bb87066097a15f14969797efc5fc6601776388da4a1abcf42417069960bf8b1459fae9aedc6d0ef072a1cb72829959ec9ea8b74e236b18e3e4c54c5f3f9d0b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoMswMMU.bat

Filesize
4B

MD5
14f52967f77df61de62d4fc333a01d23

SHA1
22499338a1c090360ffe571b8690f0ff0f315ff4

SHA256
667aca24c9fc31d016a678ab53a2afb6b4e0808c18e4f9fd02785f3a36559bbb

SHA512
811f27445ffb607df6c6da928b31fc8f3d2879ad36db84a8fae5bb07a015fd260efea6e1a10d4724d948254f436af1a59fecd53db5c50d343a8b880c29c54d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwEkQYQc.bat

Filesize
4B

MD5
97c20f0ee7b8d59c37f3d88c78bba9be

SHA1
3f3b0cb0535e496132dd80020507975ee1a888c7

SHA256
c12db1dadcdf7ae9a5e09d0681aecba6f67a73b27d016964c905e2a078a26373

SHA512
b6244dcf5e1c58d352a2ac10bccd87fa7e9a5111588715dadfb6e79265ea18979e9d6389c1f79341ffeb6213cadcf7daa362c538253adf186142a85dfe720178

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqgEgMwc.bat

Filesize
4B

MD5
85fe50b5eca311340136379786cd2ff6

SHA1
c681054e045b4fc476c4c56c7d9ffb975e2ea921

SHA256
d0a403ccfd8920ea2220a414a9fe6440a5dbb68491ef0355f3c89542a60c0975

SHA512
ad68d0302fa3e3c87ed0e91ecf72c340f9b60fdc1a6db228a1d33a37c6f82e1bed239e975ec84c17179734b1fc884d97bef52081b77d8342e7bac8f55ed28527

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYa.exe

Filesize
754KB

MD5
bec6a2d1f11262c0ea8689ed16c22c4a

SHA1
7ec056d9bec96db6d3c655a2c949eb37abe31904

SHA256
6951acebc20af35e9e05f8265552e1835e1af4c82512531357a60dff2e2d7e3b

SHA512
bff684328b919782d913ca969b3e798d49843ec1d2c66f29f363a2c74bf99eba10824d6b2ec7b342b3259e0135ea828ce26c0e5e976c0d2151bf0ca24c4a2d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUsW.ico

Filesize
4KB

MD5
9752cb43ff0b699ee9946f7ec38a39fb

SHA1
af48ac2f23f319d86ad391f991bd6936f344f14f

SHA256
402d8268d2aa10c77d31bccb3f2e01a4927dbec9ea62b657dbd01b7b94822636

SHA512
dc5cef3ae375361842c402766aaa2580e178f3faec936469d9fbe67d3533fc7fc03f85ace80c1a90ba15fda2b1b790d61b8e7bbf1319e840594589bf2ed75d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYMAAwkc.bat

Filesize
4B

MD5
89a2ef52de0ef1649fe12520753997eb

SHA1
78d84a8f9a5308ca44e46cc38866483fe7b42fea

SHA256
108f0f1b152417fdb08b89cc90b6dd2679025e06358cdacef08d55543abbb542

SHA512
c5db3c7373b91134f46f594c8b4eb299f1d35788a7df1790971afb52ba662e13769dc13c935ac08943e03e17b8cc3c2384f86eaf06d3073525df66b14a543457

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgwi.exe

Filesize
228KB

MD5
2674b3f6cfb38b66f63ca7359893bab4

SHA1
268644491aaaca71708be83b9e40657ee45ffd19

SHA256
17ae4e83029be5930d764bf2363f58588b052d3f64c3a1a55520e9c4fb78cfd4

SHA512
2a8efc0b8034c233e45bae8b17fd4a8c3a92ee59cc372d13d4f86e551d99afcd6775d01c5ab67b741a089134df645c7d5707ce233fd8b25f918ea141534a2aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkIO.exe

Filesize
227KB

MD5
cc6b821fe76d70feb04f4c4f1c5ca2f7

SHA1
e044fc55f87baf1450a6ed281deacd08cea9cec2

SHA256
880f40bd3c6e3b6aae92d9d9a4734da32a70e54cfe5fbb68af0340469379fb7d

SHA512
f6a4b0e5a047889f740cd5453b60a8a574f73542e8a7da68e86d269b5287bce066d4e18eb303ec6684ee1a5de4c1767d864ea7d9f99c3238a85a6a17fbb932fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsou.exe

Filesize
4.1MB

MD5
156e641e925967650bb4496314adc6ac

SHA1
c7483fc882d78ba2a65ec9dbcba530d5613d6d42

SHA256
8976eedadee4d649b73b6f8052bebefa73f3511ca652dbf15b962c8bd159839b

SHA512
193514de90f3fe1dc03d82cd491415a8e8cb35abf92e435301407a3a3e20320fc94d3e72252fcc7376dece7903974133aa04a4d74b1a044e4003806211e59bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwEq.exe

Filesize
230KB

MD5
fd93d8d14d6ffee79dbe6e2f97a00591

SHA1
27e1a13d9a9ba10334928f712ae0eb23f20fed29

SHA256
6a55e6e92b6613e4f15d3a67dc5887d75c1374b3d89f5d35ea1bf96e2774d80a

SHA512
f44849bfdb0381632f715695272dcb085a00be51d3b7116748613d4b33b56c3b216b9f3e5e30ac4126097e60339887fa4f439ad5b9deb1030bd91b7263da1030

Download Submit
C:\Users\Admin\AppData\Local\Temp\xCAIgMAY.bat

Filesize
4B

MD5
672b399db64209978f54610e10d5f82d

SHA1
2d9c4cb29470e699f0ae6aac991a160f4ad5fa19

SHA256
221c28a983c7e39c81689d4fff46a511469bb75a1e1d6babc955981bf0927477

SHA512
737ef67d01c9e62fd330f97569b657c27dee0a105dde1b45ded25ce1eb55e50301f487ef6a0a925689bda5d6ca20d38afc8ca5f3406ea9e43871b8180afaad7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xCkEgYgc.bat

Filesize
4B

MD5
e66f6a948d385c4e293155ea521bb11b

SHA1
2b49a34a5cde23b4acbe4a81417df54f4af5c0b5

SHA256
95c009b093947a2a0ab5194e14347788b6c2fb5d3e76410c7c71845692d0414e

SHA512
57dcae4edf9516473a33aa369ab76ecd6e24807093ee0933e7821922c73bf3f39876daf8ba73454c6409d21fff3dc1c8e6dbe427b47e04de2f7e9de9ab49f220

Download Submit
C:\Users\Admin\AppData\Local\Temp\xGggMIoE.bat

Filesize
4B

MD5
494d007b9a61efe2f1726e25ac89be8f

SHA1
48425bb4301667401198b8faf5043e9d027da9a0

SHA256
53565f80d55d1225c827788ff305dee5544d4114316c9175cabf68740f75b08f

SHA512
d27f107978aaa80f7f5a1a23bfdd1f24bafbcc55c239dbc5d004d41c5102d614680ea937fd1c32768369df830de851cfe58877963164a0650f992373ad60bb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIQwsEMg.bat

Filesize
4B

MD5
baec1aff0364c2bbe4ef7912c03499c8

SHA1
1b2a8a894229d1347d8ab4786c4133f06bdbe2fd

SHA256
503cc96ade0339705643bd09062348df3823eb9c71e4213b353e904b34469dc3

SHA512
82c86b40b03faaca78b91d2c4c84371d13612b3d4c33d9a524da510bac3687d9c7d967e087c8f6356de80f43ef725d61dbb21d5bcca6b8237dd9e08973fc61ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\xacQokwU.bat

Filesize
4B

MD5
ce33be0d98fbbb22d0f4d6aa646d30c7

SHA1
5e86409af9e2e2e3e592f84881976089a545c642

SHA256
a0496ac201cfaa4eb6b6b737c88fc767ae33d14a5f4798ca7dbabb05e394c81f

SHA512
d5d21387fbf3a0ee367b627c86d77e51e87d3aba6782548cf5eb07c2820255861ffd65a5b31b03de37c0b767fec29c7fbd9bb26208e900eaa7162974cda6030e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xskEkoEE.bat

Filesize
4B

MD5
6935c807feb24aceff215a71afdc4020

SHA1
43dd65b651f2bf86112621d768b7bbfa4f802a5e

SHA256
c39fc23417d025e5a5129daec1258b9251b6ce23bca05b488ab38ad173f8e4d8

SHA512
7401fd2163587d6adf8d1314dd349459f9635d8ee57f5c0cd6ab8507b49db8c21025b94b3b8f68dd615fbf3daa991f6d53d723e74e366ff7661d3edc8f9b7c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\yGcYcIAU.bat

Filesize
4B

MD5
3a7940a6e1a9af78381afb4d0fec06e4

SHA1
77024bd7114d2bb35b909eeff502ebc7a7312055

SHA256
133541de4b03b8e1893336b74f95cb98a3d260b3387cca6a75a6c775a25ba6fb

SHA512
a6ae18c4e8b5c21a28792c9e718bc98aef5b8b70e973b994f07e8ea47124024b579b10426374a80b3429f6acd4fbafd5b5347679241dfc7a30a8642f3a9f8260

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIYQ.exe

Filesize
239KB

MD5
cce119cab57d960e80f1f12e85f2254c

SHA1
e2a87ba5d47f82620dee6aef6657d7ddd2650397

SHA256
0b49ee7030e05e980d502dac21b75f9b76a23d1b4b518431eefa3db558dfc2be

SHA512
d7f83eb9621066ebdeac6bf1398d85fc170de7968d4e88bedfb98af87304c297329dcebbbd5bb39849f2b5973a08fa59177d4d76f35b711386e89f2bf6c88577

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQsY.exe

Filesize
252KB

MD5
82213285e1c7d3b000d555ccfd6b931b

SHA1
126f0a18c83fc3678710c858633712a304b44453

SHA256
4070f23578ad1d2f2fd1754ad923559cda17becdb5eecb531b150ed3d9b69c28

SHA512
d966971ef7bf42ad72ac9fc69efc0346fe7529c90c2283b773f24534d233bac0520190f6133ff851ecc8b63f085d6827ca31438b2429ccdc416c07a877524af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYwi.exe

Filesize
245KB

MD5
41ec9b6fd6e99850353ca0ecc858c025

SHA1
7df06b1aa013e9d14f6d0b59d5d55f242351932b

SHA256
0517f7d34dba7f05d228a1e94047e8164890d4685c0b0d355f0065cc6ec66e71

SHA512
cff54db92a0f65d8397e8b46d88514edb8a4ede3d946d5c1f9647fecccda54db984b20bc8ad561bfb2ef647cb423a8983f2b3d7d27871e7bdbd9444373582aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yccYIEsc.bat

Filesize
4B

MD5
d2c193c7044084ae33b5f47980854abd

SHA1
502cbcf7204cc93758b4b63a63d3a3b582f3e999

SHA256
d1cb3e0be2ec031645679366716a65322751054bdc7d0b2c835a677f37916807

SHA512
9ccdcf864e470d70cff24b762209c5841929f37f3078d2bfe3b2ff1ce934e4f476cde353ddb3d13b57112a07792fac4a238adb637d48a146bd5fdf0621b04de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yccq.exe

Filesize
238KB

MD5
cce725dbf34e232a64c6c4d07c536d21

SHA1
45e7ee05da0740d6bf0566f3d9745d1bfcbc77b6

SHA256
e08bbddac306adafa5341cc6b01ca33e8a62b7ce2fad812c12eeac4d96d641aa

SHA512
7cdae2656ef710d05442a568ce1b8bf0f35cf5e15e70024fcc7aa1c190ab4068b3a836a30f90f5a0f8c69461c1570e9ab0ebc2aa064cf4a4a90adbd5e43df1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykMU.exe

Filesize
198KB

MD5
b1dea554beb1db462fc3111b2ef15c31

SHA1
2cab9c260ae5e5b926d4bd218dd3fcf007475a35

SHA256
1c2715b6dad0632ead2ed3c6a9493b73f1f35eb5968d6e1676206e6152cdfc64

SHA512
5390d7459f834337432319085effa344f980c29f9a3aa5a1365fdf9d6c7ea36a03b784a61d2f420d4da1c0b8a4f485a8cb789d54ecb224b090717e5c658ec135

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywgwEwwk.bat

Filesize
4B

MD5
28f8e85f56db80909d485f940948e20c

SHA1
95a1831613bee88b3001b769ae2340de06925a67

SHA256
2a689e2ceedd7898953860ffb539c4e845bc79822dd7327dfcfed0d9d65e073d

SHA512
41d46bc80fade5bacae83f3ea98668c496d2cdbbd7abb9e99e1af6a9c61b30b25b72f7642c5f43653b2b4196c13ccba8e7ff77531119eb7a47b2c02285006395

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkwEgokQ.bat

Filesize
4B

MD5
da3e9b2e9e5a02017ed58ff6b6b32d2b

SHA1
757bc469d056e53508e04c172dffcc30c1eea1f1

SHA256
2750e3fd8dc623b93dc029d9e5effded598bc1a490b2505c8d14251ad47af880

SHA512
a71cab3c61689891024428e48d5b38c90b414d9a4bdbcc904ab0b096dace905a8ebc8d5f3aca43622a44a2ec52ee349b4b3841d635ec3bd5d6ed646db824adb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zokwUkQg.bat

Filesize
4B

MD5
83324672bd9836011509966644947204

SHA1
782e827e74fbd493d0855ab5f1df882068b55869

SHA256
9d262132803581d541ef240b263ac2a707b19c705bdcaa0318d59321b50fe790

SHA512
19cfdebd097b98cb41b22488e5f0a58165941f3a6b70623099e092611d956b0cbfa22dab1ffa0f050694f989345974bea6dc53e6bb3bf4859dfacc96ae3bcb75

Download Submit
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

Filesize
8.2MB

MD5
ef4172021b8b0488fd91499e66b01211

SHA1
80de4aefa97b8117c38ada3381df4c5687173787

SHA256
566c29691467451ff9fabd706e6d5be7b28594472700e1dbee25da71657b6a7d

SHA512
1885ecd4e3f4189f75957cf7e5bc3a7d5ce596d37840fbe77c9e68baf00904153f544acf68342038dfde0492d4366cf1629b63e4536027559b018a1de1f7471b

Download Submit
\ProgramData\mmkQsgYI\tsQIwAME.exe

Filesize
197KB

MD5
9c3708793a5739430532d2dfe9bab6eb

SHA1
46c19afe47adf9123fef376c955b209d9b449ffa

SHA256
2727ef2af02c1408d0d746e21765e8260ae5a914e5b24768016d696caf5897ef

SHA512
c1eff5cf984e1330ad30fe41031328ba57fcbcc4564f748f17f11a148690bb734ab9a4fa03515ea3c141a58c72331153687b5b48eb7a87b1686e77f6621137c7

Download Submit
\Users\Admin\WqsQIUws\tgoUEksY.exe

Filesize
201KB

MD5
311c646e36624334e0e15ad307aec89b

SHA1
52b060e8ce8bd614fb72f70cfdda4dbd3f148c77

SHA256
b46884154affad4be238adae5008189f1c8146b0f66a912fbe93475bc6f34f16

SHA512
1bdb2ece04d8c0cadef71a12a4e9d1fb148aa5cf7e2bf2817da62a871a1d9ee85199951127ab77714f9aa4c607c19ac996d8b5ef657fe349fc123343e7760fd2

Download Submit
memory/268-244-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/548-457-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/548-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/628-523-0x0000000000200000-0x0000000000235000-memory.dmp

Filesize
212KB

Download
memory/628-524-0x0000000000200000-0x0000000000235000-memory.dmp

Filesize
212KB

Download
memory/672-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/672-139-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/760-630-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/836-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/836-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/884-482-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/884-481-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/884-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/884-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/976-433-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/976-432-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/1016-409-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/1032-386-0x0000000000210000-0x0000000000245000-memory.dmp

Filesize
212KB

Download
memory/1032-385-0x0000000000210000-0x0000000000245000-memory.dmp

Filesize
212KB

Download
memory/1040-525-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1040-555-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1112-337-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/1260-629-0x00000000003A0000-0x00000000003D5000-memory.dmp

Filesize
212KB

Download
memory/1348-609-0x0000000000190000-0x00000000001C5000-memory.dmp

Filesize
212KB

Download
memory/1412-650-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/1412-649-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/1428-187-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1436-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1436-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1464-545-0x0000000000530000-0x0000000000565000-memory.dmp

Filesize
212KB

Download
memory/1464-544-0x0000000000530000-0x0000000000565000-memory.dmp

Filesize
212KB

Download
memory/1504-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1504-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-568-0x00000000000F0000-0x0000000000125000-memory.dmp

Filesize
212KB

Download
memory/1516-567-0x00000000000F0000-0x0000000000125000-memory.dmp

Filesize
212KB

Download
memory/1532-129-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/1532-128-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/1540-361-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/1548-534-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1548-504-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1548-59-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1548-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1676-222-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-177-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/1712-176-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/1856-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1856-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-10-0x0000000003DB0000-0x0000000003DE4000-memory.dmp

Filesize
208KB

Download
memory/1888-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-29-0x0000000003DB0000-0x0000000003DE3000-memory.dmp

Filesize
204KB

Download
memory/1888-30-0x0000000003DB0000-0x0000000003DE3000-memory.dmp

Filesize
204KB

Download
memory/1888-43-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-7-0x0000000003DB0000-0x0000000003DE4000-memory.dmp

Filesize
208KB

Download
memory/1920-4497-0x0000000077390000-0x000000007748A000-memory.dmp

Filesize
1000KB

Download
memory/1920-4496-0x0000000077490000-0x00000000775AF000-memory.dmp

Filesize
1.1MB

Download
memory/1920-1150-0x0000000077490000-0x00000000775AF000-memory.dmp

Filesize
1.1MB

Download
memory/1920-1151-0x0000000077390000-0x000000007748A000-memory.dmp

Filesize
1000KB

Download
memory/2096-599-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-456-0x0000000002270000-0x00000000022A5000-memory.dmp

Filesize
212KB

Download
memory/2264-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-578-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2280-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2280-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-513-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2348-503-0x0000000000210000-0x0000000000245000-memory.dmp

Filesize
212KB

Download
memory/2404-610-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2404-639-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2404-314-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2432-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-619-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-590-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2556-589-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2556-588-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2612-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-33-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2680-34-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2684-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2684-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2800-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2800-35-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2852-291-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2924-105-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2924-104-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/3024-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3024-301-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3064-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3064-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download