a751a60b06499e204d9abfaf588df1954c2d0b33226bc426473907256147a389

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
Size

189KB
MD5

6d874e41449792478345cbc917bfbb5d
SHA1

3a8888f4cb9cf6490afc04e80177dd37b445ada2
SHA256

a751a60b06499e204d9abfaf588df1954c2d0b33226bc426473907256147a389
SHA512

ba3242860f70f46a39351ca4c51534cfafc6d3126817ada92a7200d1b8a5938d8a5c2760ada050d455ed08f03aa8c309e4696e3d3f1a1ea15856fd78ec7e4c0d
SSDEEP

3072:2ieAr74wFkOLyIwxUwwwW2NMwowwS46mMFRwqgLYbXzooHj1WcL6+20+7XHpksii:3KaM46mMFRwqgLYbXzooHj1Wy6xDXJkq

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (61) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zGMUckMY.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	zGMUckMY.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2652 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

bQQYAsYQ.exezGMUckMY.exe

pid process

2976 bQQYAsYQ.exe
2624 zGMUckMY.exe

pid	process
2652	cmd.exe

pid	process
2976	bQQYAsYQ.exe
2624	zGMUckMY.exe

Loads dropped DLL 20 IoCs

Processes:

2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exezGMUckMY.exe

pid	process
2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exezGMUckMY.exebQQYAsYQ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\bQQYAsYQ.exe = "C:\\Users\\Admin\\DuIQgwQc\\bQQYAsYQ.exe"	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zGMUckMY.exe = "C:\\ProgramData\\zaAIkMEQ\\zGMUckMY.exe"	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zGMUckMY.exe = "C:\\ProgramData\\zaAIkMEQ\\zGMUckMY.exe"	zGMUckMY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\bQQYAsYQ.exe = "C:\\Users\\Admin\\DuIQgwQc\\bQQYAsYQ.exe"	bQQYAsYQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1108	reg.exe
2396	reg.exe
2280	reg.exe
928	reg.exe
1424	reg.exe
2500	reg.exe
1624	reg.exe
2212	reg.exe
1720	reg.exe
2860	reg.exe
1428	reg.exe
1848	reg.exe
2396	reg.exe
2148	reg.exe
2316	reg.exe
2924	reg.exe
1836	reg.exe
2532	reg.exe
1980	reg.exe
2464	reg.exe
1768	reg.exe
2180	reg.exe
840	reg.exe
1532	reg.exe
1692	reg.exe
2404	reg.exe
2212	reg.exe
1528	reg.exe
340	reg.exe
1836	reg.exe
2784	reg.exe
2640	reg.exe
2600	reg.exe
2000	reg.exe
2180	reg.exe
620	reg.exe
2592	reg.exe
1936	reg.exe
1312	reg.exe
2852	reg.exe
1228	reg.exe
1548	reg.exe
2816	reg.exe
680	reg.exe
1972	reg.exe
2408	reg.exe
896	reg.exe
2836	reg.exe
908	reg.exe
836	reg.exe
1928	reg.exe
1520	reg.exe
2852	reg.exe
2744	reg.exe
2216	reg.exe
2216	reg.exe
1500	reg.exe
2548	reg.exe
1748	reg.exe
2460	reg.exe
2272	reg.exe
1228	reg.exe
300	reg.exe
2448	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe

pid	process
2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2716	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2716	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2820	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2820	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
772	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
772	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
300	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
300	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2856	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2856	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2528	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2528	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2716	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2716	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2384	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2384	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
772	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
772	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
3040	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
3040	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2272	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2272	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
348	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
348	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2108	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2108	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1844	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1844	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1796	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1796	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1536	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1536	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1268	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1268	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
276	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
276	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1448	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1448	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1924	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1924	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1432	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1432	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2576	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2576	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1256	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1256	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2404	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2404	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1696	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1696	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2784	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2784	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2956	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2956	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1216	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
1216	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2708	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
2708	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

zGMUckMY.exe

pid process

2624 zGMUckMY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

zGMUckMY.exe

pid	process
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe
2624	zGMUckMY.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.execmd.execmd.exe2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.execmd.execmd.exe

description	pid	process	target process
PID 2084 wrote to memory of 2976	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	bQQYAsYQ.exe
PID 2084 wrote to memory of 2976	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	bQQYAsYQ.exe
PID 2084 wrote to memory of 2976	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	bQQYAsYQ.exe
PID 2084 wrote to memory of 2976	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	bQQYAsYQ.exe
PID 2084 wrote to memory of 2624	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	zGMUckMY.exe
PID 2084 wrote to memory of 2624	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	zGMUckMY.exe
PID 2084 wrote to memory of 2624	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	zGMUckMY.exe
PID 2084 wrote to memory of 2624	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	zGMUckMY.exe
PID 2084 wrote to memory of 2756	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 2084 wrote to memory of 2756	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 2084 wrote to memory of 2756	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 2084 wrote to memory of 2756	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 2756 wrote to memory of 3056	2756	cmd.exe	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
PID 2756 wrote to memory of 3056	2756	cmd.exe	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
PID 2756 wrote to memory of 3056	2756	cmd.exe	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
PID 2756 wrote to memory of 3056	2756	cmd.exe	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
PID 2084 wrote to memory of 1108	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 2084 wrote to memory of 1108	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 2084 wrote to memory of 1108	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 2084 wrote to memory of 1108	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 2084 wrote to memory of 2600	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 2084 wrote to memory of 2600	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 2084 wrote to memory of 2600	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 2084 wrote to memory of 2600	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 2084 wrote to memory of 2336	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 2084 wrote to memory of 2336	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 2084 wrote to memory of 2336	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 2084 wrote to memory of 2336	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 2084 wrote to memory of 2744	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 2084 wrote to memory of 2744	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 2084 wrote to memory of 2744	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 2084 wrote to memory of 2744	2084	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 2744 wrote to memory of 2604	2744	cmd.exe	cscript.exe
PID 2744 wrote to memory of 2604	2744	cmd.exe	cscript.exe
PID 2744 wrote to memory of 2604	2744	cmd.exe	cscript.exe
PID 2744 wrote to memory of 2604	2744	cmd.exe	cscript.exe
PID 3056 wrote to memory of 2540	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 3056 wrote to memory of 2540	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 3056 wrote to memory of 2540	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 3056 wrote to memory of 2540	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 2540 wrote to memory of 2716	2540	cmd.exe	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
PID 2540 wrote to memory of 2716	2540	cmd.exe	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
PID 2540 wrote to memory of 2716	2540	cmd.exe	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
PID 2540 wrote to memory of 2716	2540	cmd.exe	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
PID 3056 wrote to memory of 1584	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 3056 wrote to memory of 1584	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 3056 wrote to memory of 1584	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 3056 wrote to memory of 1584	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 3056 wrote to memory of 1684	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 3056 wrote to memory of 1684	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 3056 wrote to memory of 1684	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 3056 wrote to memory of 1684	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 3056 wrote to memory of 1936	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 3056 wrote to memory of 1936	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 3056 wrote to memory of 1936	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 3056 wrote to memory of 1936	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	reg.exe
PID 3056 wrote to memory of 820	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 3056 wrote to memory of 820	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 3056 wrote to memory of 820	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 3056 wrote to memory of 820	3056	2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe	cmd.exe
PID 820 wrote to memory of 900	820	cmd.exe	cscript.exe
PID 820 wrote to memory of 900	820	cmd.exe	cscript.exe
PID 820 wrote to memory of 900	820	cmd.exe	cscript.exe
PID 820 wrote to memory of 900	820	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\DuIQgwQc\bQQYAsYQ.exe
  "C:\Users\Admin\DuIQgwQc\bQQYAsYQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2976
- C:\ProgramData\zaAIkMEQ\zGMUckMY.exe
  "C:\ProgramData\zaAIkMEQ\zGMUckMY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2716
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        6⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        8⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        10⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        12⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        14⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        16⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        18⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        20⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        22⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        24⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        26⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        28⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        30⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        32⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        34⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        36⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        38⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        40⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        42⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        44⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        46⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        48⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        50⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        52⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        54⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        56⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        58⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        60⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        62⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        64⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        65⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        66⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        67⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        68⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        69⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        70⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        71⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        72⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        73⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        74⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        75⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        76⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        77⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        78⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        79⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        80⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        81⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        82⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        83⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        84⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        85⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        86⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        87⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        88⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        89⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        90⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        91⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        92⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        93⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        94⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        95⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        96⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        97⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        98⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        99⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        100⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        101⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        102⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        103⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        104⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        105⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        106⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        107⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        108⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        109⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        110⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        111⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        112⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        113⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        114⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        115⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        116⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        117⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        118⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        119⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        120⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        121⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        122⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        123⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        124⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        125⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        126⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        127⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        128⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        129⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        130⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        131⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        132⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        133⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        134⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        135⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        136⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        137⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        138⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        139⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        140⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        141⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        142⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        143⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        144⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        145⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        146⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        147⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        148⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        149⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        150⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        151⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        152⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        153⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        154⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        155⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        156⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        157⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        158⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        159⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        160⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        161⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        162⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        163⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        164⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        165⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        166⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        167⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        168⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        169⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        170⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        171⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        172⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        173⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        174⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        175⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        176⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        177⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        178⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        179⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        180⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        181⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        182⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        183⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        184⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        185⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        186⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        187⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        188⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        189⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        190⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        191⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        192⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        193⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        194⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        195⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        196⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        197⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        198⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        199⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        200⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        201⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        202⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        203⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        204⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        205⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        206⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        207⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        208⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        209⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        210⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        211⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        212⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        213⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        214⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        215⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        216⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        217⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        218⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        219⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        220⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        221⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        222⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        223⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        224⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        225⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        226⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        227⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        228⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        229⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        230⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        231⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        232⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        233⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        234⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        235⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        236⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        237⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        238⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        239⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        240⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        241⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        242⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        243⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        244⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        245⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        246⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        247⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        248⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        249⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        250⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        251⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        252⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        253⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        254⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        255⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock"
        256⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock
        257⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vuIgYMkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        256⤵
        Deletes itself
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        Modifies registry key
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CaUMUcoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        254⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYwcwkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        252⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SqAMMQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        250⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pokEsIUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        248⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMQswQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        246⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        Modifies registry key
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HsossgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        244⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tiEQAYoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        242⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWIUEcMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        240⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IesQwQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        238⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EQwIwcco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        236⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        Modifies registry key
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYoIAYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        234⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rSosIsEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        232⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWoYIoMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        230⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngcskgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        228⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIYYUEsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        226⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cOsYsQUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        224⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        Modifies registry key
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\auAQEYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        222⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\suowgMEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        220⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yOYMAMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        218⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VaAkAAMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        216⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMoUwkwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        214⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqYkcMEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        212⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IOkIkgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        210⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AEYksIUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        208⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iQoIkkUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        206⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WQEMEcMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        204⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkEgsYYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        202⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\boEMsMMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        200⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUUQogwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        198⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYEkgksQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        196⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qWQEkkYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        194⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qkEsockc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        192⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rQgYgwQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        190⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DKIMQoAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        188⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RswEAAcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        186⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rgsYcwEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        184⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ruAgIEMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        182⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cegMMkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        180⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wUwUokwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        178⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmUccYUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        176⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hWAIYgso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        174⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TsoUMIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        172⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmcsEIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        170⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aawEEwwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        168⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YykUkMYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        166⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UygkAYUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        164⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AocUgQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        162⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rYMYEwgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        160⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NOQIYMso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        158⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\logwkQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        156⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\daAocogw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        154⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kMAUcsQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        152⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSYQQYkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        150⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gIcAgkgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        148⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qYgAIokU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        146⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zSAcMwkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        144⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BKMsgAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        142⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOcokkUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        140⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pakoEUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        138⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        Modifies registry key
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wEgskIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        136⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqgAsQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        134⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKgMMAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        132⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYccEAoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        130⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nyMMsUAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        128⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkcckEoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        126⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwYgcswk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        124⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RQIswIYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        122⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\occwsAsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        120⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GsUwYQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        118⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwQscAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        116⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmcIUokE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        114⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XiIwwYUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        112⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\paYcQAIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        110⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rSsowQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        108⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lYsYssEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        106⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqEgQsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        104⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcoYMAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        102⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\euwgAcso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        100⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oukEIcIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        98⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DakcgMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        96⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKgEUkgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        94⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BqkkgcsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        92⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XagskckQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        90⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEAMYcsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        88⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IawIYsME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        86⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CSEoskkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        84⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEsoAwUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        82⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\taIAIsIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        80⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dkYAkksg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        78⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zEggsMwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        76⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DacIIQgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        74⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIMkgEkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        72⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MMAMgIsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        70⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywYgAMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        68⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qywocYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        66⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qwswAYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        64⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISAwIcwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        62⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JeQcYMIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        60⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rycgMwwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        58⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\daQMIoYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        56⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HMckUIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        54⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UkMEMQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        52⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYQcMQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        50⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaUcYksA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        48⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KoIIsIoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        46⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BiYwAkck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        44⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JoUwUgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        42⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZeMAwgEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        40⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DacQsIcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        38⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEMMAQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        36⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ukwsksMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        34⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWQcYwYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        32⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iwUcQccA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        30⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JIgoAwQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        28⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIckwsUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        26⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqMccUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        24⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYEAogAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        22⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aSgswoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        20⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MwcwogAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        18⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oYgQYcMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        16⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iQcIUsoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        14⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BKYYsAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        12⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JKksocQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        10⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZEMIkAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        8⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3024
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1484
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1428
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqEsEQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
        6⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2460
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\UUIEsooA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:900
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1108
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2600
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\GuUgwoUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1056369544-3237773901506104388-561154800-1916947511-419580799-12806517762061730872"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "195913771078286951-1379349259-3448699421513297951-1001766695-701861414-480728694"
1⤵
PID:340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-325299586586582495-173841958-467197110922733067362819031782279131-896839011"
1⤵
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1717085630-7934966791229270539-92179578-2075827926210352321-1716969829-1029719384"
1⤵
PID:780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1769513157-184748502-256667288-1635617432-1440676683515700706823650497918178587"
1⤵
PID:840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-517238149-403964073-27345971589764628711710722871237280930-44620036591305488"
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-39133339712087119571595888686-149446675610087833411334398058-1844555415-1670683935"
1⤵
PID:484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17024523931108636044-1327515296-600238952694692793-2005238962-1041153712-1606029061"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2027946320-453014524-1142607470-988889293-1424276590-1471524019577675274-1609655184"
1⤵
PID:2032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "136914308897563053413357689-937171395183551136-700288079-79552800-1300268564"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "253164656-151769704319887600731675660719174677087319114806471215779364-1423057757"
1⤵
PID:896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1611375423767075651216072657-1108432769792825026-1737033725370026801269936848"
1⤵
PID:1108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2797732-176694672-1533383849-13223101541913409333-14333934271249726159935706764"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1377649208991269045121350165312097345491831324777-386317672-15105194871208774026"
1⤵
PID:632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1602404335-34199654953879159618754260-1780462769-3932210153899913191663784740"
1⤵
PID:2244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1257309332-591097243-1505121414-1359335322-1013571559196637226949906687949706257"
1⤵
PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "123611610344835085921374659488053424791111919964-11854625621768012180-1026253930"
1⤵
PID:1844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1050500432-156252807517596302471633568267-32957601920375901021868575563-228900008"
1⤵
PID:1436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2088583909-1233863811-1806110098-1846320551-181769423-1683819348712028015-1860705012"
1⤵
PID:2808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "143252572431304365720340722971617284832-338558571-422936669-613710405-1797463205"
1⤵
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "614627203939061241-1855570380-2503887631516168147-1815189692804671122-472665148"
1⤵
PID:2428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-703295369-1218352651934946678-776209880-847227131-201656069412300318591527373876"
1⤵
PID:1464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-465932923-737911692-3736495211649411147-1711729993-1680919973-3595933992062736333"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-851728912-2111749921018345313-184774635-1335027743-988422994148211735867327869"
1⤵
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-863137986-9993086931401972605453231861147816005-1080295971657477643746686203"
1⤵
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-685026091-10771115331206198295-319946535-635437501555729149116110620-1322587357"
1⤵
PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-150072904379359460-201564394020276020521080551862-1531674241-606305901729935769"
1⤵
PID:268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "53745292-17527344067064034671113031638518663881-16513036792340896441108779913"
1⤵
PID:2108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17899641821958943961797188693-11317553981105754293-1035275213-318742944-107144424"
1⤵
PID:1292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "94119008127583099-306686585376438657-1988718426-1090482389-960611061-206024618"
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "143664089564956304-886220095-1998957116594329101179874459713222976321768762580"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1887319524-136053656730789666311176657431969834907-2019657411-1178840902-564179449"
1⤵
PID:2496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "813631361-216343362-12855324711538602552-168993341-1912968161-10651527261772725945"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1628502438-1151601472583046821-16026536903219724322084314860-353501045500297309"
1⤵
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-655757386-1779942510522369203-18982422701675391071-18067659141028159992-1900607322"
1⤵
PID:1580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1881080311-1312860137-1154429581-722715629-1043679995172852142045770553-1421235490"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16699277581055222841622098973317189572-13212182261541663505-1774158991-1206965608"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1246353271-717010179161090956-19197236251005084959607361250-1000870056790820462"
1⤵
PID:1424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1418716633340930305-295526051-902077292-1350555632-533085787894166105-835701964"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1586301758616828441-4836242-18230700821333888027-2931001681981589302-989826739"
1⤵
PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1150941271185244336610442234578682130841196781766871816144-1247660727-1940743660"
1⤵
PID:2148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-28963443-594363751466773228-1775374471-12463033651547166157-1856087232569677950"
1⤵
PID:2996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1701086825-2040620354-79302545912187425671676444773-1210550971-1967359361-860166276"
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1625511590-1690089432-1403126588-1977762691-4162781071646401189-1130916033-1266335185"
1⤵
PID:1584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1091264396-599083770-340569506-18487459103553950001620883834-4472085301041608186"
1⤵
PID:3024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-571689410787892631-89690162612620336748183567451993833311711126235-741950964"
1⤵
PID:2644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "235445464829755402-1838818778-1218266372-1627365777-516217418-20275009952058879883"
1⤵
PID:340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1954037878-718378564346176661204557991939386797-516085214306908874-2106004013"
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2893734772118354961-21182392741370710320-847465044-368135581466663791-1985538420"
1⤵
PID:1412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "32691518164052428-783784728-1219071810-604627806-1028656986-1431660206128236178"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12819956179332463471926060117-619744427556246843-11441082392110191130-1068792515"
1⤵
PID:1464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1888553318998784580-16903193951799429442-840486693588742539-1510847674-1834754774"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9693236641054792172725235703-1734395837-15094302101373291080-2072995714-403450239"
1⤵
PID:648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "677375026-885756968109289499035555839747717317-1488254514-471389198-491839636"
1⤵
PID:1484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "997434041-21182565761687723913-1177655092-478144582-262373993-1785764479-102424317"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1437863332392070194-9403118511066201492-2137955422-79264776-987447467-1442875674"
1⤵
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1878271631-540192189-1743640287-8675838683612333891761399-1096566688-1357446808"
1⤵
PID:1184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10291665538185749091713509120-273061773-15210600361809462522-1772599785-314552257"
1⤵
PID:2028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-158256241869767817710660270662036750209-7247419031600425923417609171-201603390"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8067016381343282020-982208417-1546895127-1422678136437659368323114959976729165"
1⤵
PID:2808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1841838314548088281-8064356581885890537-207199095721357758179807936901459873411"
1⤵
PID:1456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1436421708-107180300-199087375317578595421469302281546548312-246394305478509774"
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "456540000-292629657497806961879670196894799081-1607507429-4961102611539834562"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11124036237374069071093905338-1365804930139965478114180632261750218857672438566"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4734770736581601261547963061-2135930137-129700587131654975914323278401307962422"
1⤵
PID:316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20052322541967473302-400618687765161931458743534-481872535-1025658175-1363325062"
1⤵
PID:760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1663169896835629957-807957604-16369860021726355726793773876981128421263880493"
1⤵
PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-103894932644899722020901522045131189581981440-2197314414789332941128352359"
1⤵
PID:2328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10150953143512429362110897378839337093-772809203407955701139744824-2418249"
1⤵
PID:1696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15513949091904380971549800477-1084312552464414031908934539-14509618651065851370"
1⤵
PID:612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8508040814632050661502331581-1468614290397352232934226275121653613-1521711965"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-705018665214620220512062882381161911520362737301940908096-1136870498-1537956041"
1⤵
PID:2596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1392112670356440447-16393081796533834271492349555-1239783031869899994669858804"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-615944072-1944294282338200584644605339-20318829631849266078-1639414917-80810880"
1⤵
PID:1564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1191161702-20254489571959413246-1670256072-650596133754836932-10299251531558693899"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "427531530-467552567-83278512372387474-445265165-154537526931770179730070168"
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
322KB

MD5
5e49adf0b3bf8fdb54ef2163df36ebf1

SHA1
d83d811fdb02f9199a7dc3f8772768959eb0b4b0

SHA256
b582976d15a81e42fdfd948ed575218a54944042313e79c7adfff194cfc739fa

SHA512
8c97f6c64dbcd43e1c1a661c663157e4199a3b15570e232fef5ce70939603a74d6e6769e2d9035dc0f7c82b0ba29a09f7bba2f7e75dd3fb64c3d1322c09cbca1

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
233KB

MD5
d3ca5d68d03a5e1f8e1727d2e2ab8425

SHA1
81bb55a7eded1158beebbc07f8ec3a6a4f35b901

SHA256
44be3b6336963951507915b0812323d452dac5856161f1ba23961abe94051bf6

SHA512
25f8b0e7439e6380398c0c665269323b65d8bd862c3321b66ea2d51dcf76754e60777585878764bfe59d43213fa0fd8c10689c4888fd7a8c85ee3d8130a309e0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
237KB

MD5
b232dc63b7e5077e2817c032e5dcb51c

SHA1
35179db22d4e72032876d765f9b28109380e4502

SHA256
909199d6ca5b4a42dd199b903f855e4c2a4f57680f522bae203973fb44d58dfd

SHA512
9be43a737eb54f30f9d0bdddba325cd5b5f72db939b19858a18e78db4a90a82a725f8ff3c747df770b17627c59adab8390dacac3e74e64d0da0fdc87a249bef3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
246KB

MD5
23ba2d9e6ef803cb269c88e76f6badd3

SHA1
1231230fb90c38d71992a8d4d1985cf7e0e681fc

SHA256
1dcca03e090e4008bd3da9472918711468f559062eb2514f305595969bb3eba2

SHA512
5f14bdc4e74eb50bf685b68fdc2fd73129c873ebd54f55b1840693580e0ccd00fe2762f777bab7130a4efa73167c0677e730aa1437ab59f95fb8b2b68472d254

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

Filesize
233KB

MD5
f5a60d660ca9f57c958de71e8ea6e2a0

SHA1
b073fec35e5ad869f007e1fa316e6c0eac2947bf

SHA256
5ee879eebfdb32ac9c1bcbba3e9bea0a38798b1dcce1824f22ff046a6969a67e

SHA512
8fc949e2da0be6c59b6aa1a777772e8774f902c8a0c3e5aecc013c47ee923d3cceb5c1e558ed228c8f1a4faefc6f98847e29d58b8ac7c897b117b550ceb0ee63

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
231KB

MD5
859534bebc22022b954421991246edda

SHA1
accebdc69c3b0af771f4064c8d9159ad707b6905

SHA256
76b9d101eced2375db5ac0928ccafac97da3a0730db6fd867c236496b0b6305e

SHA512
220f00dcfa79ce97f775287f28a8d1a3a0e8d6e1946db574ccb704f0f283263464adaea67c31fd6bef76631a58ef0decf64e8f29ddbee52e541fd8fde78b6a2d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
246KB

MD5
f983602e288c60c4e62b9685df94aaf9

SHA1
0cbf3dac428b6596e300aca3f5110bbebe73656c

SHA256
7a02d012befac80d5f9644269d6688286559d6e69ceb7bfc4af129c5865a3260

SHA512
45ac68218c50f2313cc606617964ccde4765bd0caff75adf409732e7b8574eee6e6df99a0bf721360203fd1e1d668bafd55dc1af83e65efa36f10b45831f58bd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
232KB

MD5
7d919550bbf09b68caa5aa17b3ecc1b5

SHA1
39e95bf80eb6d89acd9589140b980066f467176d

SHA256
fb4ccc5e6870a192285edbd5a9bc50ac9e0415c420339e7ede67784396e6481b

SHA512
50835e36db51e59c331c7307bf92d58ff067f78c756b4ec647a7c6c29f778c059c8a3fbe255e84baedd51e35f04aca35266f10d292946156fa264ccec699a303

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

Filesize
194KB

MD5
6607a44d9b3718c255b49c0a342af715

SHA1
ef24816562a09572b25d46aef588552de0760076

SHA256
9c87495eab6fbd3b6127f11baf0ed305168887022f38b356a3bc9ba018e5dc49

SHA512
df88264b98467b24c609b904fa878a32f34e0aa4c649cca23546a04c7e223dfd8ecf4ca7d56900581043e8153d16023cc67366c1505761ed76c2b8436e681d06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

Filesize
195KB

MD5
227055f19250309f5c14ba4120fb51c3

SHA1
e79ffefd8bad738ee9a72458f8479a0080745068

SHA256
ad4986a8a3cf8019c0612498535a3d82c1bf19ec898bb01fa88919dd53bd25cb

SHA512
c683f1157628032f409344f8acb3e555f36a5f23985130b844d65325c939c1304b1e4d40de0c29892bd91cb073d2e275cd79fc30f1cc2337d99f105e5fdf78ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-25_6d874e41449792478345cbc917bfbb5d_virlock

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEco.exe

Filesize
251KB

MD5
792363409193f70cd6f5a2985a02f64c

SHA1
98adfb7db320c8ff45294c7635444bf9777cb506

SHA256
5ad8a451b1a1b4e8fb7d8bf1b2b0ffa2ea66f4299e01ffac988b32f291cebd67

SHA512
ee841be789bdb51b3d17ae2be8fcbb31b208c74ca1b1b8b39ebdfc71cf604e8bf54490e0576039689c110f1346e80106df625a4a7a94acf0ef8d776b41f4bf3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMES.exe

Filesize
232KB

MD5
18121b69bfed419d04ebc1bce66c93d8

SHA1
13e6bfa39c9b3b9e4be75c6925d55c48d58c3e42

SHA256
418b208f39022c09f42a178820450f401e4cdf2c21dedcd42fff602505dba491

SHA512
0fe74f945c48eb8a99e9adc708f154a3e3e57d95daa8ee0d4c926360befe1b9c8aa2c765429e5104e61fc67bf00735d790eeda46d50961d6a8b1acd82b00dc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQQy.exe

Filesize
249KB

MD5
38336de91f9c575189330365e13f89a2

SHA1
7f4174fc46f1d29cb6d63945f0d3eceb02272b78

SHA256
a6a2d5dabfe704e0d4c6a4c03e985c30a59de18e627c30a004f8c5c8daab47b8

SHA512
1e6643a2dd50a2e7562443951e0c2f41276ae5a6e11258f6c3f925cf7f5c22d9a7b7b7e27ec7db7c7b9cb91ad6464e572e608e71e7b42b6c6d4d0c8215107fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYQa.exe

Filesize
228KB

MD5
9bb5d18ff456f38aa90879efa91effdb

SHA1
43533abd66c6383649cc5a9fe59ca28607c1e2be

SHA256
034d5e3cb9badbf78e3480d7e78ce57d248617ea0b089a1ea0efe6f9079414b7

SHA512
1492bd33b486a8f4660fc16f8cd15f66692242daa328526b69a0514860e2d74357ccd6820674f899d08aad56756559751dc4540bcb78f5033c881b0cb37ad867

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYwm.exe

Filesize
1012KB

MD5
9249a3d0d5115bd6e8ae4885cb3fb289

SHA1
2e48d8170fb99d7851953eb5e010bcb82e0c636c

SHA256
238e4167cf586605a62abe9a37e2a17dac64f11521f40e3c70faa51393642aec

SHA512
65c77142833c920998c2448580add4244ae4c0301bd8b1b6168c4e6209f4e15719354b6d5cc74def0e7fc5c10a2aa4fb4bd64d9163b057244e230c2a6d423870

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgIw.exe

Filesize
238KB

MD5
c55b3829103d1312d2970d516173496e

SHA1
6925b666597f97c34b18ddf8ef016b7ea1c8cae5

SHA256
2cf997a35653e1380b823854da398f2744f94276dd26a08a7d0352b3a5508cd2

SHA512
b035f424ca487672af48a6dba5aab00dfca30f11f51ac3859b811395f89fd7634c6d48cefd2a7ec1407bd359ee53217f50ed1db3eacd3fea7b906573d1dce60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYi.exe

Filesize
250KB

MD5
bc29020f4c8ddd81106a3b5e188ec262

SHA1
25c54c8b4543f9a0b05475e1b7e055449ebf8f67

SHA256
580a481248df4c77837f6799b67033eefa257e3762b5392f48624a6bafda534a

SHA512
95dd387a1956beec8ca78b4ac338ef17d0cbf00ac1b86acc597f405541d6c6f89e36085f9afe36df42c2e62be7b6c72712c05a3a3a2654194c719f85db76be12

Download Submit
C:\Users\Admin\AppData\Local\Temp\AowC.exe

Filesize
201KB

MD5
7b5e7d432aa0b5ad7891e68a70f37454

SHA1
f32c4dd99da8fabd7c1963e543fe8f14f42b1e7f

SHA256
ceef87eacb475eb4f5554c5f22b54d4440dec091c906b1f403082e56b5fdf7c8

SHA512
26a824fa93005c4432ba2642eb7b53eefdc84a04a3d80d27b1134bb3fa88e638ffcb8f7a4338838538964b2a5c41236969957fc40494c157f08f62d2d412a8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AssQMoIU.bat

Filesize
4B

MD5
b2fb51f327b4b3a544262ac25627c72a

SHA1
5259f9ca8451368d7126b1390fe384f08bfac19c

SHA256
5fc124b9a59cf78764544331b525dbee7184301ee275c5bdb65462ec62bf7a2a

SHA512
c16bb01c8cb9c40f63f67a80a8b5c181e3650500888cc46658b597e95ea8327e4ef56f05538e0f5e36bf4945d5b509e21b7cc29d6b80a0bc23f0561cd1dbed4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwcI.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQsIwkEA.bat

Filesize
4B

MD5
057b0b21ade1ce9d8d5172de836aa335

SHA1
da9020610e221538e4e094b01169228aa93cfa69

SHA256
f658503c65e51b326b6355f231753c210aba76ee06c19aa40fa17ba751e3b0d9

SHA512
2a0247496b651f1120fb46e790b28edb2c40c90d0a7f1289f2c1f5df8515bcaf3ce7b0bce1d94ebec14e45cea14b49d681f30c9878e67d0571f377e42aa79b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSMoYQkc.bat

Filesize
4B

MD5
7ccbbc224487ced23df6846ed531b230

SHA1
bd4df6a832092199ab2ba4d37c83d75c38705240

SHA256
e5bd8c4ba4cf6e346dd129dc23ead357c5916de8d3198d87154d1e6b5204eafc

SHA512
b6bbd052e577a05bae5fa4f76ab1b96d7ac9bf45ddfa362da0bc13923660d75c481dce27c59f6b65d3448aecd7951f5b749bb66c70dcb342239cd3da007e51ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEIO.exe

Filesize
203KB

MD5
ddd08b604636b9b007bce127644da8bc

SHA1
6528fea0d0cebd4f2e879f28255dd32a6b22c3bd

SHA256
1194c538e980b39e8fb1f0c497511f1c090937c016e42ed777b9fa978e2275b4

SHA512
90a44df50701579275a89633be672942a9ef2816b207b845dab956ce252c2f99870066113e905641f868da4770cbdd8c925c6874715a0b58a48e02cd4bef15a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMMssoEQ.bat

Filesize
4B

MD5
d022cbc41ebadea8174097a8be4c2bb6

SHA1
961579b203f3162eb5bd910ecd1d7d2ab772777a

SHA256
ffdfcba46bcc7844674922981d7ffb3b9c4e676c1472eaf93519fa2d8e59bef3

SHA512
400d740ed96deb69f5e3a974c5e9ffa0343ad89c298781075efc9a05b680e7dde0a12771e40116cd42e36609927ec96f73cfb61b8289534e559f6e8ae5307016

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSIIEsAM.bat

Filesize
4B

MD5
128b5cf19511e3099d54e2e5ac4ffdd4

SHA1
68c058efdd9bf0a2be637894277238c8b02d1a2c

SHA256
99466d963dd9ff244ad1cee82f6f3169787bcf99ce500552d634798f17bc2976

SHA512
4f6d7f7adeee9034e69478acf2b2a4fa2aa57c8b665e76baed6ada1e7a0f238229a2b21326e8bbca7d13cfdbe3cb113b170c3e8deeb766ef4f9de23238b7243e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSUkocsw.bat

Filesize
4B

MD5
f84a72efc15d8f25ac8b1214b06eab66

SHA1
4258c6893555f502737c598c2e5f72f8bbe38f1a

SHA256
b81be383204a999b4f73aa21065b6c6134afdddf40ad7a0ef1c2c73257c751f2

SHA512
e770e05a7ef18649c898714bfd8e206c46a3ebe23a654611cfb04ba7cf9421ca30430db90890dbd268009226fea047df946d56dc9df605683b6051a51bf70c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSYsskgg.bat

Filesize
4B

MD5
94ef4cf6256105976ae820f4f2e1f8f6

SHA1
7aed42c93fd89ff7d72e775ee1ef259789b1ecf9

SHA256
73febc44526fc28d5e7ef90b91a460fd5449de5cf726d6d50e5d7980ac9ab8d3

SHA512
c169bb07da67836b4a1a16f4bb7b93f5db097921c9bcc6bcb080e0890797285720797b902a0775c52a955a9484269019dbe8da820c91cf3385418a9c400acf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgAG.exe

Filesize
638KB

MD5
ff02e1ab9b6b276d775408d85fce2433

SHA1
2178a49017cb11e175f640fc8db17bbb9bd15afc

SHA256
a698dd65bba86d887e5918ff6cc9652cd770b1ffea6be58fab0a3ce435ce6ad2

SHA512
3663a2139723f3721e34426d5bc4d48247d05bf73e50674e26c3aef5a029127b82b436cf2433cab4880218ae95dbad612c143fbcbb35bdf7067fc2eb18988b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoAu.exe

Filesize
433KB

MD5
684739ce3833ac77c09529d23ed7435e

SHA1
d63701d29b07a77a1e634f6f01d813eb50581230

SHA256
23c483894866c4ee65c99f686911f2b6b1d05e443aeb0a6d95f0d6dd2b20e359

SHA512
3f495e293dafe272dfbb542682ebba4261d4f86627bf9f10ad909ccbea25dcffdb91d527389fb40d14dfa27f27f9e7737b8e8844e537db63a7b175e963b197a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIAQAUkA.bat

Filesize
4B

MD5
11b79afd18334ff7a5619773f18365b5

SHA1
af7bc1ca1d124d4fa8e8243b6086433f02933a07

SHA256
cbcae54d863753589fd342909b1b7f44181008aee2beffcdf4f306f683da6d94

SHA512
788091ff375e6ad0b23819cfa27056edf1460dd6da0eec325833c1f4c9f9be0c3012271d5f11b43e8338274988fe1fb1cfd335edb3414a2c6361b13777085613

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWQsgckk.bat

Filesize
4B

MD5
b9dbc1fbce45369c1c63222e7fb1e079

SHA1
289a7411a017c2db5655211f319a335f4b76dc2f

SHA256
c0f1bd4af357ac238600e61462f9b89de6ca1c6f3455a4265644752d2bb3c2dd

SHA512
ab328babf89e0e641978d758e89e8192e459e0e249e0d8ca33b509edb5ecf68dcc0752fd8d575d83a788c54afe21086d886710a727d25a6bdf518681c832a07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsgsIYgM.bat

Filesize
4B

MD5
c3db86932f069f6829e9e0dfcc3dfa16

SHA1
f090c2288131a4e704a0757cf8cf0f3ef9b694f7

SHA256
5b20a140396ee5a213c99aec58e154d47ade5a40dec6e1263787b4c4f1c74df9

SHA512
9071ccf42694a3d7bf7a131a7fc5444febca9f6e889160871d6dff9bacaee303ac8bcb2dec9980b217f5fa762e38476a0f81402cf8f782448c90f6d033dda55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwcE.exe

Filesize
252KB

MD5
57060883be0283f9e89d082c823e64c8

SHA1
3c2c7b1c0b673c0ad783e4c2899160b86ac9b5ae

SHA256
c7ecb127098a1b2f64ac474989bc3420e4256ccd3b68e03277c0d020a1822850

SHA512
61d6b486ab1017bedd3d009488c8023f943e79305b931bf4f06b5fc1eb1d29b77c13437fae0e257e275e70367074caad36442896f6cdc6bdd0724211a681e033

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAkIwcwE.bat

Filesize
4B

MD5
d7a431a7f687b68b2ae0526d6d65146b

SHA1
6da522e24b9076da3eb9e3e9d0e4d3d0cab15315

SHA256
83fbc86fdc4c97991bc1b88d5035167c19451c5452ef0ba3d16793c9a47288ed

SHA512
2ba43a9d3c8f66fd3d89b9c2c384e4b6671696990b83825380385a3982bbc4f77a04c4a4b5abbdd8763927f75509288cae01aa83c09dbf4fd2592fded30260d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgIsQMcQ.bat

Filesize
4B

MD5
247bf802acdab66d6d87ac1c7df1b7bd

SHA1
33c3284f66df132a697a5c249d34af1bb0b00fcd

SHA256
7e6ba82d9d4d79edef031f885904d28e81199f0fea45b36f4bd727e0576cd140

SHA512
d49e3f2b05d4be32578342d78ed41e9c5bdb263e485ae11e3525277b508f62bbbebd358e2dd815b61b67785b85f35464a549f810879d09bd796cbbdba68c6a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiIMMUsQ.bat

Filesize
4B

MD5
e03ff29622e6a00606c31dc77b74e045

SHA1
a4e37064821f3bf863231a140cdf2bdc4ebc3e83

SHA256
dc7987b2f12ceb6a0679b3ec41bb2090fa32934ad6f2d364ae88f1ba56eb0766

SHA512
4742779c333c4a2d633c962c0250930ed77ff47477b560877f3b567734e07cb9019b806894c1279a742cdc43d0d5675e3591aa09db890cb11152a4d0e8b84d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkcUowwM.bat

Filesize
4B

MD5
bbc2551054547cc53ac05a19fcdfab16

SHA1
9fb06cf34479b4cfc307e0caf2676628b9cc0d80

SHA256
72d14433d996a0e848e3cac335cc863e7aab5f619f8bdfbb25c51681eb0139ac

SHA512
689ce5b6c484f8ffb1f838f4399c61676bb99ff584fc769cb54c986f9d237651525033d0fb499e3405ef8d0c77cb40781653bc256bb6b2a863cdb6b0a1160a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEwq.exe

Filesize
1.0MB

MD5
06579c112bf927b6246577cd048661ee

SHA1
82369709819a28afd5c9b0cc4b26eeccf5296ed9

SHA256
fc164e618e6fc0ba4f1612830d40f9dfa73fd38026ad02285b062a0468914cf2

SHA512
fd8b50c0a504779eec05278f2b6e695153c97730d2680ce0c77f2c4ed101199fb98fc3e3a5e9fc08b94986b242d59702a01362aa513eaa646eb160bafdf567d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIkm.exe

Filesize
208KB

MD5
ca0e49743dfd8b1eb16ecd0303577436

SHA1
ff666b63563193587412dfd01ac5047f357e7c68

SHA256
fd03fda60df7d757e3b763cea191641a742e7c8d1c380bb8ab71cb8833edca8a

SHA512
36346bbcf09d61c588d0be9d3363b45e9391249ba5df85b3fa96b251bc7dc0b418a1ce529c09e991f3b0c22cfd4380a13c12ab48aa8cb23bab09ce0176e0cf7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIoa.exe

Filesize
1.7MB

MD5
d604c1f42848c79491de733f5db823c6

SHA1
5b06cd5f347f7212dd70a9821573b9a4bfcf5eb1

SHA256
3246f8c2efa698886225395de604046b89d5721e2111146593d2868d6679b427

SHA512
f7836018ef32409e70a1ee1d88c7f0fe271c25776432e530677686ec58084298e586eefc00ae50541a6d8b140bd0f76a87a6452f600fdcfe5f7325462887423a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYAgkQgs.bat

Filesize
4B

MD5
bfd64c30e151df7fd1dcb85725a11757

SHA1
d8aeef912052380a05dc531787d92083de9e40ec

SHA256
9219ac3186f8c3733e5574ed6b1000b0b7406e4782c6b45e98aa7c5ce700c5b5

SHA512
89a2f57862c3d51bba03afbeac9cfd84116626261a3cf05a3fce4150f1d6e3553379929ecfbc9a19ef1a35fed92a86df987209ff0fb93ea8fe8800a3f36cc172

Download Submit
C:\Users\Admin\AppData\Local\Temp\GiUkIkIY.bat

Filesize
4B

MD5
8617d21650c92ed6b583d61502f18ca5

SHA1
c9fafbddd8dbfedafdc274f47829a97b4271d7e9

SHA256
f767ca9f5011f5ab2a9714c38c75ef7d70115d6d8d10c8f78019e5241fcf7f99

SHA512
da748053ebea4e5994b1a557c34e13e3761f1b5cc50f6eb2be044d360ea86f746ee0447d308562fd04a32f5688569150151cae35a5a0422d266f38f2cd10c253

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoAY.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\GuUgwoUU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HeIQoQIA.bat

Filesize
4B

MD5
4c43711dd21b6a2ca29c9015da030211

SHA1
a07ed4956b5c2b10a13c3c5726688cc8f2d21dfc

SHA256
576d344d61392eaf06274d804b9b98bc9c76de03920562d163885804bccfa3dc

SHA512
1eaf94d4210feb728886a183791f89a706597057b44e2738e743cb8e078b69222ddaf4d6e96a90ab079c360d12c8a6373470aef2588d0be02a30c78bb1b4f26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HqAowUEs.bat

Filesize
4B

MD5
f18c64f05806f0a537abd4f7f27b1b7b

SHA1
0f78d90d846977359a3ec36ed09e06cb6729da90

SHA256
17a5763e0cb378267f657db761e15604a6620d70200ff2555457b9e348e1302c

SHA512
a00bed694014a9d4d840488e460f21166dd258261e2b9ae258312a0b128cf9d66949c23b0510e1ea6b2f9727e324146241d9f9c99f7dbcb6a827757223813a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIAI.exe

Filesize
238KB

MD5
a9c9d86c3b062cecedd5953a6c8ed1d2

SHA1
e8182f47015ee0804748379c6d52073e0de38e74

SHA256
b5521ca3bc1a53f21d5477e21ddd8e8d232850a1f8b8debc30359e23bd741c0d

SHA512
8a764720a1e1a17b620c8cc7bfa120ca500917e0ac97555cfb0565b5133926c202bddd11974ec72217902e6744be16f582410a00dc14b3aeb9ef152b2b936740

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYEQkEMM.bat

Filesize
4B

MD5
7bf95ffabbd014ebf47d1c618921a283

SHA1
65a50e1460722953b72ae0d9d9310ebc10ba76d6

SHA256
e807e07aabd73e80ee17f46152d482036212cc894cc5eb30e8fce60ec9b665a9

SHA512
85b003b0d2c3fc6d0bc721d33e2cca5909bc3ff157a0895265aecb927e828b2449bdeee250253e2a263b7e670750fcf9080c475dd2acb83fdfce42dad59b4c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYEk.exe

Filesize
834KB

MD5
c2a9060134e60aa27a2d1cd41441102a

SHA1
4fa82e6ea37ea107ad4961612b5db3f96e808ff3

SHA256
a13f53260cf05d0f26e82d8f1a134800adf877c32947dea64bb71373ca567662

SHA512
6002508fdcc543d498f63116139270c87112d2176d39f36dd312cea7610862b1b2268442ac86897d6851709a55024baf6321448cd485925f45c5fcedc022ce33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcMA.exe

Filesize
207KB

MD5
bc6493f3c78936fb22ec658deff5abb8

SHA1
5f4db3231cd1d24caa1840cc41c430d17596a486

SHA256
b2bf465ee5c5d955cbd1c02cdcf8f9ac661c464451a3a0887703a62fe1b1c377

SHA512
780be40b106044c42351576240a6334b159f2630024706a2961347385b84a4abdae46f504d7f94162381aa8d6bf553a8a94695aa0430b31bfd8b61956c49c359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsAc.exe

Filesize
236KB

MD5
01e62fa7fb718171bba55b27603c88ec

SHA1
a7b01e0f482fffc6a72d792ee4d7bef31965e052

SHA256
aa9149cf25992aaae96b9d287bef331c4e95472d5697009b77cab0429a3d4166

SHA512
815a44e4923df048d4e3ccf4133b72c40e60e946890aaf3e49beed47cddfa7c5fa51349cebd1d89bcb03b5c2ba277ea343132175ab574d20bab68b803b7fa6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwgC.exe

Filesize
954KB

MD5
78ebe1fcfe4fcb97d61c6072ac99b051

SHA1
2d88720dc09cf9e07092cc910cd2c9dd6632a3d6

SHA256
c7f7ec3bd007e7ba4ef11169ac52c766c2d342d57d599cbcca6648311abe11aa

SHA512
3020d5e597c5e3df2e570872fab33c5a4951e5809f77c3140c4d94d5111f87695796307b1c9736d69cf27c0010364d3b83e4c2a1cf33cee04ce88628aabf7935

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGAAEcAs.bat

Filesize
4B

MD5
497bd9478634bc72424663d608db453e

SHA1
9da6d27e373954e75269ae30251d671fa809a11b

SHA256
83653567fbc0624b72b3abacf9c99d43a5637ff127b57403b2d43df33b718965

SHA512
d4ebf74ebe63d2fc1020adca1034c3601ceaf424d18846dbd45a944ec6e0709bf920c717b95c2c5077395adb4bd45fc663f144b21d8e9c20fd485508b9bf8afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkUMMkIc.bat

Filesize
4B

MD5
289828693bdd192422673f9bb174e80d

SHA1
93ca41695ce5eb91550cdefb863d3d3090d5ae76

SHA256
3f563e12626177965bf303718a16bfd98ae157740291422732c255aab327d656

SHA512
1a8ce89c3be80a7d3758acfa8cd5ee54cecd271b5c41dfd2328911a4cca7cb3bb9312c13e06057b90272b350df88b160d1bebdf7e1f5db0098918491f9a3c376

Download Submit
C:\Users\Admin\AppData\Local\Temp\JokkcAII.bat

Filesize
4B

MD5
76965d5aa4987df9d0183d03c297af38

SHA1
45a31fe10d45989b337f6f74222468444b79f4de

SHA256
f324b2679a3f309b3ddbcdef06358b090f422340dc292769cd9478bd2344fe6d

SHA512
73251e2bdce43fbec274d972d665cc63ef6a40ecabda898012aef48935722c5abcebfd11659fb69fe8d4be26bd9b3d1b5e7f74dc571a8cdc31775103a97fe9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEkS.exe

Filesize
4.8MB

MD5
cbaf5e3011f5981bb399fc17d4b5d58c

SHA1
07961225a1ab478f2700cde9ee16990683e92a83

SHA256
619de96327b4a380ad1f197c33a4820113a82c7811f09d099bb9b503e91875a2

SHA512
35c7953c237e6ca337c36a1062740bd2bf632b5b40a5822e9ebfe5c17a462ab00f28697d2d53f2dbb8a4497f9441efa843d151f28a417c53f5d5e04a5e8f7c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEsQ.exe

Filesize
232KB

MD5
85eaf847ed32e3a5b7600e4aacc6f283

SHA1
ae2ad580502af684af5bec6237c35575ba8ebfe2

SHA256
4534c79d18a62266717ca136c7bbf510bcf54843f19c434d310cc2b786436fa5

SHA512
d64bd6b8bad54fb2ba90cca19266faf195b6426317da7dabff6c1408256b9d439c13ebc99febcdc98d0fb216db8f85a785b9bac946ab5b9454a2288b29dd63be

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIwe.exe

Filesize
208KB

MD5
84ee432c7d024ca03eaabb36f32c474b

SHA1
f475cb73d3d7cc18f518c1a9bd3d8ddcac592382

SHA256
bc9569921584cdcc65b302b02e183a6548169fa4e4f8c51097eb31837fdf3224

SHA512
87e8dfd175d8239e89fe37017ee07d894b8010a87d52e32a299db352996d71a0ed080a5ed84d58deb13ccfb68176184c117963a3b1dfdd9b40209603cd5de58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMAk.exe

Filesize
8.2MB

MD5
f96d3fb74df5428505bbcffe1c50a008

SHA1
31d1d95a5918e471da51d5babbd0fee43067e335

SHA256
1741f174bb7868521dbd7766040b7da56c5a04235594a73be1ae07825f2a9e02

SHA512
b87a590e49f79bb2b16cbf2a76d2e4b3d65fe1504afc41d57b8f03a8c6690968ddf4410423bc986fafa3f7cdf867bddc0f398ae89c00fad012f1fff03381b223

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMIy.exe

Filesize
232KB

MD5
f7a5d4712ea30bae746cbb93a5cd0b30

SHA1
8536110cb1883b639d2943897f1eaa91b583ab54

SHA256
99aeafd0aff5ee13c70410f203294a5b6d0c8bb28fb71be0e4902420693cb930

SHA512
c3bc92133982fa7151fba634cd8a027989255e0dbaf2990c7b612f669f17487b78afad4c95eeecb3ece36df5254784073c1f15f848bac46853b1a11342ddf8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQgMoMEI.bat

Filesize
4B

MD5
23b7621cd5f4f2d684bb6aa68056f29a

SHA1
06488ae2dad082e4ab1fd4e1653c2a3f0f8bdd15

SHA256
8d754c8ba945df1a1c34e9985d00b4de8a62098170b84e7f33adcfe88f09cf58

SHA512
1e1b9c6ca4c3a5d378b0f926ddc5318ab6a78802dce61ed486f9d4e8ef36ff901bfaa462b38f517407de4d461c43d89293da99560844957988b8a9897e3aa0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUgg.exe

Filesize
238KB

MD5
d498b968234504d3a3e49bb398042840

SHA1
719ec3a0b7af0a99c36a5fee67bf73fec21ccea2

SHA256
f3cefe0bed9bd0b0675b83e8e867691c649151d3d50b0e710896351999b72484

SHA512
4ad8655b42534546327d0c79188d7c8744d866d75d77e87c48379d8cfe3e00157766c356e41e22dada51bd41be4826b57bc0189e9bb6dc819f3f8e2d0acce104

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUgq.exe

Filesize
230KB

MD5
629e4d79379fa2499ffd2bb9731149ef

SHA1
316b51c7be08714e34ce2b17f6c70c7b9c9731f2

SHA256
456db83337095922df3054cf71a7417d5e060c098b7c1b5f7675c65dd6526d8f

SHA512
f65e62595e0717cac2427a549f30b02e009cacadc04a49f8ca0eee8f11ff803a6e830e501d146c19f4c27e76d4c0e85ee28dc18e0470a93bd7f38949b02c0756

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgUS.exe

Filesize
209KB

MD5
96486f45094baa153bc63b6579274ed3

SHA1
aeff55b32db91b64e45ef563861ff66af5e870ec

SHA256
92d6f6d7743dbee8b3f486b8e2dff89bf9b6a85af74d16ee1c7df588b4924770

SHA512
7f094b555262118ae62e8b8d75884183d5f6e55ad6275305d76a3690aa7515030ececbb1a825b41e0f99f213f7b8ac11b3c0971a0588467fa255614886084937

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwEM.exe

Filesize
242KB

MD5
a62ab5ba9835a94f71741d6eb812dc26

SHA1
4be16ba0cbf8ec4fad8cd06ecbe9cca7121c7795

SHA256
7d6a5c683c4ce46d21789d8375554da05f51e2aea5f50568e6a79f155ef47cd8

SHA512
81f3e4cc504070445df56b8b7707726113f4e055e75cf692f7b133655ed94cf78d7e32b20a938d974ee653ed62694d483956fcb8e24989ecb0f035ce01fcf465

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwwI.exe

Filesize
224KB

MD5
d336341f7ab5f3c26d42b45df615c2dc

SHA1
49f4b5e3f487d2c94981eae69ff77475eb3e873f

SHA256
10f0be9aeddfa695d43d835f89dc0a44a0004a83d7cb5078133493398fc8d393

SHA512
18b4efbd7b01e5629dc720116da52b10f84616e9a08cd22c7f4ead685d4e426729edfaff3d59961098ddbb74970f7f85a5d6f2b3ada5a2f491809393cc8a3bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIgYYcQg.bat

Filesize
4B

MD5
dfb22212d956ecb8db46ac96f95ef8be

SHA1
b9a49ffe88c5cbd2a87ea3a05ce4ddaf389a5c8c

SHA256
5d6aeb65fdf506d66b1403ec70d53ffa15ba86f88be2674876b27e91bb795903

SHA512
97b765feda5e7064b34836a5338f35e41929e4f71a84431501d27bc9bc956e25592ffffa1c8ca230ca1c342b405c2881cff5bc055563d46626c375a2ca5ca173

Download Submit
C:\Users\Admin\AppData\Local\Temp\LKQsYoog.bat

Filesize
4B

MD5
09d305e9507e0f80eed933254761a269

SHA1
e0a60242430b5df7bc03d99d4dc23ba974fcfebf

SHA256
2e9d20ec29c4a7f06fb171aa357baef73b7734cb4c74f62340a32410cef6ec95

SHA512
2a0f1cb06df411be4eb5735a5fca40d85f3c8fcddb32c26ab96edf7a0f0314093a2536a93dea340d2de8b507226ab502d4f97c1448d89fd709ed25d332bf3bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LUgAYYow.bat

Filesize
4B

MD5
8afc8af7575b8519441a63cc1a9b8254

SHA1
8fb0a869740c8ee43fe2c48bc0c3afc2fb122fd0

SHA256
25153a7f8821ae33f3bc61aff0e7ad5c982e7bc4a68561cde67248485b1a64e9

SHA512
fef191200d2c9aa307d69d9852cb456c7eeeead70c45cf038c81ecff66b2437b71a196194d9f27e13354023f534db48712efe3aef735304d6685e779e781e8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\LesgUYMw.bat

Filesize
4B

MD5
0d3b8c48644e5d2e066c77ffff989bab

SHA1
156250e8e332646d49ba00463a708fb2461959c4

SHA256
0ec2707457ab6dbe0320cf88e5f268d6859ee3db299d9a54708f4f6feb689186

SHA512
889c4baa34f63eee7d35aef7bda7ee9fee58bcc1ac2ff04c8d8b78c2214274117f97900a20b4da14d196290d65c55deb79971441810d00543b9acbb895b526aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\LykYAwII.bat

Filesize
4B

MD5
53d19b45a2b755408a9e0eef00e12cce

SHA1
53f278cc2e3b01ab772080d52b13a87acc0e0817

SHA256
c14e1938c4564e2a2782d638564e09bf0c899564fdc7474760895ef01c2e51e3

SHA512
cf50c62712fb713c20352f3d758121653c5604f7d04ef037e25101e5d26ac02acf84d4c4021d06effdf890248ca0a6f457de2b89e7ef5214bef2e7959e3fbb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAEA.exe

Filesize
240KB

MD5
4dd4e9ed541a9c0f0edc007ee5e6e339

SHA1
f9e4ad9488cce8d7356b7c1f14fe98841de3c2eb

SHA256
87d9a0edb636a542810b4b5368d023282668366f8ff4e9c45a2db028975a934f

SHA512
81a6700be653b5b09c1cb197e770b64fff62e75d33380f41c71c12aedf922b0a140a20fc41bd68670984f131d060b715f19131bafe3b769dec1a4783b49606af

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAIk.exe

Filesize
226KB

MD5
2964085b1789f1ca317cd35b3a12f8f5

SHA1
ed30e0ddde647e0c1268fc3730959ea44813ad26

SHA256
66f9a36ae6f7dab49f05d91b4afc1d13783c6b50a2d89aa6bd0636104f0e9bd8

SHA512
5ccf1853f2cae8834753ea558df04a17900a2815140f78c06db685a029bf4331d4eb3102b0aaf7cf423e0b6d83fa52f2d8c32d53c800da543460d493f34649db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCEsUgww.bat

Filesize
4B

MD5
ae4f9b7f88c40446435e0690171b1524

SHA1
0c3235279f4c4e61e36f2a8942851f271531384f

SHA256
3f0a2abea92a7c100221b97fc19d919a537b559010b99099757bab1761cf612f

SHA512
6c60ca51eb0f6d1e8524681af388939727723ad0be8f3eb78745ce568c3b9f9966ea7e3c4f5bbe6beeb86cde80f3c497f1603d4ac781c1bbde8fe66a972eac17

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMIwMIoU.bat

Filesize
4B

MD5
afc132036be0f06e40ac2d8e4451f527

SHA1
2930fdfb6f4a77f998479b901d5a82fb7bcc541a

SHA256
9cdb4c1512ac5cc7a61385dc3bda8403f457eb3414ad72542d28ea8ba7219be0

SHA512
3eb3e2ad7ea14c3d4fce64c52a90d0d8d77ad28e7f40c81c8d9a9305002dd35c4a54092088708c25a94ff9187ee7c7dda140a93ab9f39f3305cbe7c75ba54f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMUc.exe

Filesize
618KB

MD5
34ecb416182ac848fe3ca5223a0cba8a

SHA1
c8b64d907398646dae5f7268eba54f0bdbaad27c

SHA256
6c2dd2bc547ccf948583500995aa63b8b6b419c24bf1f9b862db085663dc95ef

SHA512
433e8f3b94a24eafca573036fa8049b1ee36dcf6b3a7ebe829d6710f4f5ed570afc6db7fdc3edfdc996e251c31d535392e78a24e81f07b97bd1dab244b84ddb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgEY.exe

Filesize
321KB

MD5
ae92714805d3120c294cbc2b7f869a0d

SHA1
b79556bcfb78fe5de6a3ea273781c3e0533774e4

SHA256
8dda0ce755b0db2292d56d021105a010eab38a2439c6d2624504f13e1bded438

SHA512
ef5f1c0a3c5b1404917ba655fa4b934687e879c8690450601f64168068e3a7683e25457be8894278e5cada4a1f145288ddfbcbc198072358397640032a5fa0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwAYgYMQ.bat

Filesize
4B

MD5
db662cdf4ce4ae06244832ede26c8de4

SHA1
7afbd60eb83cac046655ef0d65b69c5598720298

SHA256
a5a9909a483ec5af6204d90e8949d0f62e3e06a14d9a3316cc2b3e3fc00dcbbe

SHA512
161bd1280245ed1e5ec4e68d45247b3a3091109be6b7f0bd7e98349f45759a1b140c9be9ed130f086c1d04664c2918a4b18fddeea28589aa9a82930d2052f1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUocAAko.bat

Filesize
4B

MD5
177a13bdc45eb2e9a8541d006eb899b0

SHA1
32aa6769b5164dca5e0ee825bd0499b5f1186b2d

SHA256
f2d2aa70972540eb68dfd50d59e781c1af4681be223960ecb4bbb57486c01f20

SHA512
c873e477c8d671a6193019e93c9ba2b555019188190e3bf47a01a1d1341010c0f0c04d89978a2f7ba075dbfa1f10f0e85860ba782fa27082f30a5e421b08032c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiYsooIY.bat

Filesize
4B

MD5
90a5a200b5f7fa3a4c728f535d395c50

SHA1
7dab69d74858ad4feb0fa2c8f00a2a86449c178f

SHA256
3bb916f4b973c299476f2414a4c0ff203e1535e779c97da1d0ccb2cb8d720805

SHA512
b5b771ccccf9685acc3e2a83bb3253e5c397fdcfc4ab6cfca64d1969197d320d3331baf16cd30974407ba56cd5368d6691e79d8ba3e9e421b93eb565005dda9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NqQMIscA.bat

Filesize
4B

MD5
bcf42bc1f4e3c9201894e2474b873c19

SHA1
ea13504ed9e9bb48b9fdadeea9f5b4e4bbe8332d

SHA256
652411e6363701df17e2fce06ee418face5cb060185e585f273d6cf2fe46cb3d

SHA512
bb6a62aaf11d06367a5626928ee70ebbe9784a2c7b59989b687ed38f42e44221e2303f761ace2dbd826a444f91ddf9d8efe4e4640e6599bc83d7f60e75e8d2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAoQ.exe

Filesize
234KB

MD5
f2543a91cd886b36999f1a60790d6ac3

SHA1
95e85df8dc95d69f84913c86f5ac03841e773098

SHA256
4989e440ddb03d9b0c764094387203d7713188bae5ce6f11f4bc70c1b54cb1e5

SHA512
74550b97cc2de8ec2d89fb41666d5a51dcf615e023993c7e4cc370cf88cb9880f40954a7e77e38814452163e19cdd4cc12d446bd5098989967cdbf11f9c91b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCoEEQEc.bat

Filesize
4B

MD5
32270bb40b025adc4ec177f238fe18c3

SHA1
61d2d86c5408d1bd2159df8e1b8e2b0cb6377bef

SHA256
ffaf4e2a8fef876fdaf61145e318ea1b92ff12a1495333130f70a12664e49aa4

SHA512
554954d0051ff94448da3534f4a24244287ad0330357c9865fd8358334870817fb9f1b19856bf15d6eaefb43e81254a4824612e43e2a3cbab0e53f8b48d8063a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEYE.exe

Filesize
554KB

MD5
94291750560d4be1c19749593b4a8c82

SHA1
81218229229bee60397d70092e7b661225f6aae1

SHA256
e8ac81a1b7ae4666b2b2b912cdaf3ac6775d69c237bb97f4143c066e3b7868aa

SHA512
17977b455d17cdf819b1dc73b9e1bcc9b73ff507ff50d5b465d3c00f5c78ea7278b7f41bc5d822429e07ae0174c2c179e47c321fc025cbd8e465fc54c9339b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMgS.exe

Filesize
218KB

MD5
72a6c2dcb3651aad1f3599f36bc59fa1

SHA1
e339fddae4960cb40112297176baf23795dd8502

SHA256
f6b445804d4c7dbdc11d307df1b87c429d47739925824c16d399cce22c2ec772

SHA512
f1280fc2889d55686f98107d1aedfaec619d598189d69f657ab5ef96f068796108b80286dc568ff7690321d11db19c2718d6a686467397b662b7635bf22fca7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQYE.exe

Filesize
254KB

MD5
a564dff7bd4591cb3bfc9d6538658c7f

SHA1
0588a122277f0e108c1bdf51292ae1d18febd1d1

SHA256
4904c0ca54f3ba9f417edc6037899ea2b4a4bb312290581db9ca79efdf60f2d3

SHA512
857910ee4f4ab13682faf2b0ced518acfa430fc6f507edb7da42c92d813832c415e8c4b8c5897bfecb12373539134d0ae7e53ee6ebd91654eebae2f5c02be060

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUMa.exe

Filesize
198KB

MD5
72743a77aeda86ffaf8cf38aa776bdea

SHA1
0fc89a469fcf97bbd47582104bcff6f1c8617719

SHA256
1a73ff5b10320ca035d86ae432342562f4d5775aae277f75b7c0e4a402041e8b

SHA512
45bc36e00b105c7024cfadc0bbac18ffda364a916ba6fd2def7e04f180a4c14e454693f289be4bbf4ca549415edbcec3bdd04e89e03b513c71c743f7ab9eae0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUQu.exe

Filesize
4.1MB

MD5
50cccfca735f0191bbd3a050d7ed3038

SHA1
c7cfd368657330382f06b4b344fe8de7f94363a4

SHA256
931fdf0230a069fb2cd6789697ff94b3fbb19d25b56a4159704278f98f235b83

SHA512
107aeaa002cdb21fa40f0efa35755db22c9b591b2e8dfe36fb94b79233f50b33994f16da13fc6e655f9416adeb9fceaa71e420fd7a07872db503d9d9fda6e6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcEm.exe

Filesize
557KB

MD5
2668f5591157afdeb8b10ca463af97ee

SHA1
ca8cb91f93653c1543c9a5b04e980c8df1cd5679

SHA256
29d8be9b8cc9a21d5889c00f73c990b721adaa3d6a317aa77e33b9f3a147a71b

SHA512
0dd079aada3b23a155962d7c9c5f541ad639abe8869404113b55e3c517242c6c1d3b7707635198f2a16d94bb147e935dfdd8057932b1333f5ed54ec1a335207d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OisgAgAM.bat

Filesize
4B

MD5
4595d8dd00034d450cc7f5efd579ed69

SHA1
7bb2af3526a6e1d8dcfa0538be5b07029354e08c

SHA256
887586eb2cc224b142d1990927ba6acd11a3fcc2eeadc5e662a6055cec285faa

SHA512
358aa4eea0602080560dc255fbe570fe1dc38230910a0096460cf75a1768ffce899082e702e8c7fe515a428da3a9a21725e00370cb6de217dbe9db024afdd900

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqMswQgE.bat

Filesize
4B

MD5
b322c67cee4860ef2da5cde5c78231b6

SHA1
1d7e2c44d83f610979a33191e5e1d6d50aa204c2

SHA256
047cdde51ea2e57cec771b0eac8bcd9fc70de9e90f660c65226ca3133512ca80

SHA512
7f3f4c0976e9d3e474c9777e6ccc22cf274b7cff13369f0b028d2c4f6d46322cddf52490e13a831ce20e7fbe77e194fc21a07375715f226426bd2422e8c7044e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PysYwYQU.bat

Filesize
4B

MD5
c75ffbac7a64f59f743cdcfbbd594d47

SHA1
409565cefbf83cde05e748c1d87e3b5f309eaf8d

SHA256
a2285229164b6b3bcca765c3dae659b51f4dddf6bb6caaabc4047759106ca871

SHA512
0197353d0e74634581fa74ef1cf72321867f07fe110c82f83eac6bc2d2c72aa5d139b5fb95d84c2b58ee79bbd66d740330d9cb3de2092a647c01531bfcc032e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEIYEYok.bat

Filesize
4B

MD5
cecf4a163e846c69097fefdf80813023

SHA1
1049692740e0baac20c3c473f08d844603c021f3

SHA256
2a09e3d72c3a93f06a70de5f1f42de6a0fa37ebca257ad195b11b553ae8e329a

SHA512
99c29b163209e0a9be3a239c37e5e91eb1d987587fee70e8c92e4312012855ac9ed5a37ac72187559698ee8fe51bf7c05f32a16a386d26a0aa16794f186ba56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQcm.exe

Filesize
233KB

MD5
1ed9c0d8952a8f2003d5aa9475997f0e

SHA1
aa89d3e80584502c77ce77d375289325a45515c7

SHA256
b3d4f6c94e24483c5f8921ba18cd71f4a11b2248601a65645859dc85b6dff46c

SHA512
b282102da4bde301b4a9e7a4bb7f400e00204463a08560070ae3aac58cd84f7cc9e4d4784b6177fe147fa5d300d40597d5eb0baefb74a0b52b36df406cc7813d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QewMcYUU.bat

Filesize
4B

MD5
a00a786fc673cda4ead32e3669eb9953

SHA1
e63ca298dd406ace5f183c5de896b1efc3c8331b

SHA256
26c8e4d389b077ad872fa547b6d286800e9c755c5e4b978321f1f52630bff0fc

SHA512
dc200b3a6afa151996795105f9799d4a38c9ffb01fc5d36ec2db8b46261cf0eba55ee586525d82fe8e9b60d3b6994ecc410b975eee2de3586ab485b0e175ca6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKkAcYsQ.bat

Filesize
4B

MD5
22142bb255bc943d9237cf63a41294fc

SHA1
e7423938003bdda48b78373c9a6ee03a0e1c448a

SHA256
a795935da7993e10a9281083fdfa92924212f83fc8a39981ca76e3c9fb1ad59f

SHA512
a89b0155da6fc82b19a45df37e148df02e6b65fbd56c953ef9aa635cde6460af8dbee82a26430c6aff548b644309c664ff8342d287f4c1ab648790052b093f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RqkEwgck.bat

Filesize
4B

MD5
866a1ad03101e166f8ca6e51d370f7cf

SHA1
cef31712e4a354325177ee3c7425788f6a7fa45a

SHA256
e704a1925750eb43ca7f94fff9e3569c97835dc4ae2f87f6111494b27bf4548c

SHA512
b4618e216e9a50f77b5a61557e5e1686477eef0287bab616ba12c4b3c7d5d44755889ab16730843bee612a336a5a19f5e659673b70ecb70a88698abe551e434e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEcG.exe

Filesize
237KB

MD5
fd49360d8f00fb13e97402873e85d98e

SHA1
8b089de8aec395c219363f91fa4c1614b0eb8053

SHA256
255edd882ac57dfe10ddb2de1d14b08417e1f7f27ee56e98412bb5f65e3d31f9

SHA512
d311a2837270d072cae5ff4a16c8a84ee61f11b97f4f063edbc10a633e00f0bfe998a72aa49a8e785abc560ebd022fb0f98e877f94f3a78f0e8d414e4bb1938c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIYw.exe

Filesize
230KB

MD5
97eda9d3bab4ca343f7038b6827b9dfa

SHA1
f9f9c32f750310120c65f92c23e596dc552e1925

SHA256
e8b48ce6a9279d8828beb56ef84205bc8df131551ee370fe57fb85a334dd8936

SHA512
eaacfd78f6e9ddf9f4010eaee33bae39f1e7211cde671ca5a78c67f5b381192f4195a831b4eb75dfeddeafbbb43e8fdfce9763d1a25534af68c9161152a66c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMMW.exe

Filesize
789KB

MD5
7204c1e47b8b50eee0acf08908908492

SHA1
c18420494ed23f8ffc55be3c26aea219eb1896ba

SHA256
e90b3d95993b96777c9afe346caa6701d69d72cf6e575baed12befe501c00f2b

SHA512
fd8d35471c88703b359164d1d3e29551bc1f67f48dd7b0cf4fc56b9d059d47c5fa2c089ae46d095851044a62b8897dbc365d68b7a8d6b6e94455f13a2e0e3803

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMUMwkUY.bat

Filesize
4B

MD5
35ab84b6c48aa4531397be715f75c317

SHA1
d7993be94b32a4d5c357b8ab277afc1e4e844865

SHA256
31c63b5305f0f603b1567ed60cb149f85fec62940c55412ff19c8fc715e726e8

SHA512
58d8772d0572d523331fb43e565c987a1afe047e7635680b8bb0b05ae62a038585e9f9ffafa426d7e71f914f1d911f9151209e7cc36a6b60db25d5ef021edd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQMk.exe

Filesize
308KB

MD5
969fb60ad47c284b3b9619666e8baa27

SHA1
2d53fe1c1b9c747e62e352079f3e75df60eff2d7

SHA256
4e22adc495b009bed2f9e15cd82c76e7958761a50da2813f1d6d3c71553304d6

SHA512
851e78596cd627f4afd759074cd2ac341dfc7aa13c85d4e41b89704844b3673e5fe39a9ed922470a18d035024f474322eb85930cdf2e243f7c6bf6e1f50373ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYMY.exe

Filesize
239KB

MD5
72d81a4fb732bc80996d75510f20e61c

SHA1
44fd8d28a533937de92e93441f5c4aaf19c2431a

SHA256
ec9974eaf76d1fec3b8a823869afb8b5bb31e44f1daa289475d6f5399c6ede1d

SHA512
08d586d0f449e6b6ebcacb90aecfc9388f3efcb45664bdb0a559b276779951c4e9e80012e127a6441ee361d772b625046116ad5b6f674a71dbd586943e8dc611

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoIgMMkw.bat

Filesize
4B

MD5
2f2401607f0af8d54f4bdc63ae0305d9

SHA1
33598d9224a7c8a3e6389bacc50e6c2591d967d6

SHA256
ffbef08a740af322de62743d54f2e8b049b032a476cf18afceb56141a304a529

SHA512
11f15d94ef9e53427344373aefe2d24d14322cc4f1324ea610e1b819169933d7c0c9cb8356ca101232397d50faf8fc61fc6a3602d481b2241fabae1efdda8c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoQU.exe

Filesize
245KB

MD5
edfbc902be5daef09703cd34d563ab26

SHA1
7087a19013956bbeb8ccd39cf4c8ee332cf8c29c

SHA256
4c0f2fc797efc611257959e1091a4a2d8a9f7d7aed2f2202e46976470c57e6bb

SHA512
4357f31ac260d04f7e87603d712eda4aba4cf667a74443f6b3db356ec33e1617462b47f8ba6cf16339634e50d0cb40722818d0127d730f1a54a738bcc20bd7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqcIksQE.bat

Filesize
4B

MD5
3584e3dcb5aab996b29912e602b84d98

SHA1
825e46ac95611301890ff8c5c8b07454381de503

SHA256
b86e0a286d125ce7d1f076e36f54369334a257817b6dca395a00a13c71119092

SHA512
5c335f56008692f4645b714066d97e24c4e26bdb21882d5954606de326c9220158901b2694931c71cdbd556e825dd6bd0b508ae94bd585116eaae13f0cd54c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEYAYoYM.bat

Filesize
4B

MD5
fc1ac933a59c549f9b017ceb7cec954a

SHA1
eaf2633e90d0651913d2600b1ae37ad1880ce5fd

SHA256
dfe6f9e398aadd52bf01155140ae8568861ec4ea90dd4b9684d6041b1c36bb5a

SHA512
679a66062aa6e04ae26949110de77d2162d3d59583921a737071c6379b27f04695517864554a737fde7e5bb0bbf7e06b3b366eeaa3a36db8e2da304cc4ba70cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAkI.exe

Filesize
234KB

MD5
d0d7ce1e9dced474c040379a67f327ed

SHA1
9d384c196e0c3cdfd7a2e1bdf40965a41c6b1c37

SHA256
76d304baffb158d8faa32ef56203b7f4c4e0a0d38a048188825e5c2f729e1027

SHA512
0645688f0175f8ce280ae10f5e646a7fa595fd65456e6ffc5a7083b35658cfe7bf1c44a5c33159b74d6f70d3fd5c3580549dadc9b190be80f536822a5c9d63ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\UCwYoIYw.bat

Filesize
4B

MD5
177607d5b65de79e604c53e79f0fd0ac

SHA1
76fe99f045bc6d6335204623923c15b663e23b68

SHA256
c018416150d8ec0619b21f5be243d6f4af56460896dbb7968cba9a97376976e6

SHA512
24c164f8f28241593e46e2480ed72f99fec630dcd12001e8d14f9291a6d13f87d431c178684a5400c9ce102f8b90f7ecb07c0f33f3924674f0ae37e66f3ade30

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEcYgEog.bat

Filesize
4B

MD5
e0d443316a78f9488ad1bb37b5e7cb1a

SHA1
7615fe50d15816b040670bd8616a9d84105d9366

SHA256
c862a0a2275a9f1983ed9c51f76cceeee9c70571cc55039ee05743bf1696d2b3

SHA512
274e8dbc07ff813a5e58a1c7c14018a73fb81217ff4158758e010c113bd938d9f1d45e047e129efe2af0878fb1f27940561f89e26d541b4174d79a73e0ce66b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIAIAMQQ.bat

Filesize
4B

MD5
3349c2de4cecd4a0625df0a26cb34c97

SHA1
696a66a1c27d8810b3bef5e11e32180cddfdd6c6

SHA256
64b2ac72c5f6cd034b4702663587da9d6da6bb15eec2494555dac574332b864d

SHA512
d94be21f4c4da1f8363b7d17b0eba26279f889a21581249537eee7d0fb78438e61e5d599ff796a90822703b4b1c94bd62a209d8991fd805763bb65aa3146dd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMkW.exe

Filesize
228KB

MD5
55db7b800c2f409a8d733e8f77fec9ec

SHA1
e9f0c3e526058529f30c1454d911d55bfb52257d

SHA256
7139801340b0f3c96dcd7453bf87a7f02d64e6c7ee8cf5a4a4d0c3cb7add3991

SHA512
de53afb0d87d8c985aed42917416139f4972a8bbc35ac4864a96fd72d1f5a7fc5a30e6d388ea1261e62936384cce727be8caa75eb649c8e35e013c0daf511688

Download Submit
C:\Users\Admin\AppData\Local\Temp\USsYcskU.bat

Filesize
4B

MD5
26330aaf47842ea2e3717bcb0fea6439

SHA1
41606917e582d72bbe10deded8a8b9ef18b9ddea

SHA256
5df47a9172fb8732ecd92566922d41be43bdd49a30e799e069c13a04aa648e53

SHA512
0cf742ce1dabbe2d943e3ad35c4fde87078ae5cfe06905b7c7e6aeaf68706c2937499013c3ac293d458082d4a54f7fa89298e42fbfc9b5acdf7ec453369cc798

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYwW.exe

Filesize
233KB

MD5
07df2e302866f9b1547d8edea95936de

SHA1
c47aba8eb2f9ee15fb7045eda4c373556e934a8d

SHA256
a153b7d809e2e15485f7ecce1785a2e8052b418104762404bae860c25de42e28

SHA512
4da9919689354f1d8b6d1ce5d0609e770c5f684333ed95414d532428fc25ebcaecd5e1a37dd7324dc57d393f11bdf6414338801ffedc3dbe15986e10172e99bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UeIUUwks.bat

Filesize
4B

MD5
21e5bbcee31378e842e4d8dfc7541128

SHA1
86addd55298dc07cccd56f0408cbe147e0b44025

SHA256
a561e1b77b5978e6a8f56a09c1528e85cc68d42b8d73ca9c4c9f784b09c5a2be

SHA512
f2ddb398c06c9b163b47731b7cfab48051837a25a4355fd24cfc710e82d7c0536415a59780c715827428c82ed3eeecf1d0709b9a7c27802e2fc8a6f9f2f3161e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uggc.exe

Filesize
249KB

MD5
077511b02b0b8200990f974e853a4d6e

SHA1
03d35907c2ded554282bed1b9990cfcaca986b72

SHA256
10b78e60cd8e5df57b0f8b37da150287aac65e95cd9f10875dfd329174147df3

SHA512
0701313a497425da19e55441aa4c89af2c230156c769bf45a634a777c9d7b43d7da7b678f52dd7c27382d8bd8f18fb05a4e4937762d5d2329db52a0ff13bb6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsYk.exe

Filesize
241KB

MD5
df5178051433a94391f2c1205c98843d

SHA1
e3c271f6185e3e0c3ae994eec0c46825bfd2b96c

SHA256
704c9d1bf559056f9197fc8142377cd8aa85ae5f87902264ff089f5e60c5abd5

SHA512
c43b9bedbe4154bf7213dd7c74f59c55aa1d4bc3d61d651e42243deead61fe7ca5f010fda762692829067e3a15e89819e0b0ca2a076dd520490611cfc5f527a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMYAooQQ.bat

Filesize
4B

MD5
23caf004963e0641353fa5db3f392abf

SHA1
95fe784d415e6bedac6a54253e3e0b1130ac8305

SHA256
daeb6f983a144338ebec8cd32834913f3ac5181d2d85c6d7c29c2f56507a1c60

SHA512
1f3f9fa4fcf05c09b17f74f21c672f2157cbb4072ad9738e452f0ff168976973a89cca87977fbe53da836ddf8025e60c80795ed3ef397192a637e97b567b06aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUwEIYkI.bat

Filesize
4B

MD5
90442f161c7883f66818855292cf0053

SHA1
7b8fd78328fd87bdcb7c32a64a12ceafdd3899b3

SHA256
72f85856c8bcfdeaad881e0c1cd75565d45ff29dce84bdfadcdebc2a689b1d28

SHA512
05375c81e3c2960fb70fe11fb0370d858e3fa4c21ed4e0eca45bc09b461537cb0f77f31647300f43fd24ecbf2677e64ce69329c1d80c929a5e9863119bd03e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VaowMQYU.bat

Filesize
4B

MD5
a64a8deaa0b1784eb99c730736b5e018

SHA1
e1f324b3412a12112375b666c298c6e1eb200923

SHA256
b2d6fbb3abc78e44c3c241054165775093a62efbe589809d6a92d40d47f255ed

SHA512
0ef0c72c7f68988e702fcf0350ce50e529ea43ca5cb8abbeb77e09916c39474c7ad53c892e9a6899f50128ea10254ce3279a962a42e708791645ed38009c405f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeQIwUUg.bat

Filesize
4B

MD5
9f39c2ce959efd22f28a39b2c3a68718

SHA1
cf40967d9deb2d347be10c2c4fb460dc6fa93248

SHA256
f85a474d9d74a88731ef4b7bd059370c45ef7aa8dde57dbd97f96fd307124a95

SHA512
d0137dd47aa1af38d32f781f4834df3f12a1744ecfd9f449b82a0d5a9058c5e07c9753311cd19c83289f15451514c1ebf7f1038662b1b3f5a1b2457e0aa74118

Download Submit
C:\Users\Admin\AppData\Local\Temp\VmIEwwQY.bat

Filesize
4B

MD5
1a99b054e6d9685b5dbe02751c959cc1

SHA1
689081e023a6caed2a77e8620ac8abfd0c97e55d

SHA256
0d7535ab0ef241ecf8671c7f196da748b52128cde7a59ad2eb539ffead57ad3e

SHA512
2cb417fc72b284de6ec4c5755ce9d621820be2a8e639ee2002b3f0fcc1741aad75d1b5e74e3c5cec19de37373a2fb35dad2889dd09fd56f59fb1e64249e3783c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsAcMwII.bat

Filesize
4B

MD5
3b7e5c32c941453dcb026f1288405523

SHA1
6f2613a67a7a4891e14987a204d4a062baaa217b

SHA256
58317f0860a6964646cb9b376bad435ddeeb476c6694574b618249930f3d4120

SHA512
3cf8ba52f18dbb8388bc966e132b6c13ed63b03ea9882ed0ee95bb0fa2c91d0e78fd31be039b344dc86c0524406dba86c5121e4dad02f7edf3e8ed8c5e473ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VyUssooo.bat

Filesize
4B

MD5
c2b6a78f406b949f2dda0b4a4db48784

SHA1
fd5832e4ff1fc37fb52f25343e969e7694a7557d

SHA256
023e829315958631d839689e112680ddaa2bdda9a8e4d9fde7cd1a6963f80e7d

SHA512
3dc21231d9aee1c6efe88fdf19852201dc15281972602b153f201c0f53a711a28f0e2c2d5537a7db34d87ef07dc458fcdb124c3c219616642d8f823b34e62d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgAE.exe

Filesize
236KB

MD5
50814294a6fa140774ff1ae4d6e26bb0

SHA1
7cd8a4bc51835c560ef45a33b7b9134c530b3f5e

SHA256
65e3f555854e899810bf8ae03a7789c6763e55dfd583adfd0e20af5a685f497a

SHA512
e7bba51b3f52821d3928aa4864d15a424f82447e9cd62e863f555105ebd727124a2cd44430f362c61815ad2dd0a48b909f3ad2d47d465f9f9b1015dcc128fefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkAi.exe

Filesize
228KB

MD5
46f74fb0d6222648fa6b08236bef1cf0

SHA1
6ebaaa22659f0b3763908e3dbab242cda981c8cb

SHA256
ea50ae78a09239532caa54cf32a59ea7bdf0d6566fd78a7b41176a4e5e8b94cd

SHA512
0989067cbdee5d09bcd3db5a5dae8794829a2472c9d12cbc73bb58fcdd3f9bc2be1c9d62be4e0d84dfdfb052c1ddd6b0397b700ae4bb72c18e7c99301933fe49

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkUo.exe

Filesize
195KB

MD5
3fadd97984f4e23c496888c76377a4ee

SHA1
7fe91f339d86957b799f26ae9e7a26a0277ba51c

SHA256
3c16d9c1874723e6f7a97181776c17d2487fd46535bd60ffe42bd93bf8f9b399

SHA512
a081ba92fcc2385bb29b0cf181009cf506fef66367c708f7b16b9eb8a3b057af817ef9e38cceb618f2cd2c3dda5779e3f6d579f18c509a37d6a938d1fbc67496

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wosq.exe

Filesize
252KB

MD5
2bbbd39d0674deb14e2a8cb634c55462

SHA1
2c24e9fd0d0a6881a5e3e805e955276c7ff1e4df

SHA256
9eb56de3863d5eb17e67e31867b9e1069f844c167fbb35b0c4b118ac7891f903

SHA512
0206514139a6f6a4e1c17495bdca98cb472732a86b1a7161157d9446d172d3747bdfcfa199d1e5589127bbe617758bf566acc95a098dfed6e581e02462c84462

Download Submit
C:\Users\Admin\AppData\Local\Temp\XSsMsEQk.bat

Filesize
4B

MD5
367aa83293ced55feb1a7d5a3f8bc5a6

SHA1
e8a16501fcf9a90ae23928b4c8cabf2a6cf211c3

SHA256
8e567604dfe8389b8708222f5268e661f995e4741b76e931759a629c90cec68f

SHA512
c08a50a1e24966c0f7d7ad0159ef16d0c9c981c710cb96f36950ab1ab06bd52da351651c1f9e80fc8e4372d79aa7004cdfa85f1da1ac20eb4d467f068a9a263f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XqMskcYI.bat

Filesize
4B

MD5
a4a438d5fa7e6d3d2d1e03d6e7f6194b

SHA1
34a304364c9dd5c0ab937fea80517623a4d2258f

SHA256
5a736de8831f4ca487d54b3738f4b7de51fe52df7028b621da44ba6ccedf654d

SHA512
e13ca7f53411cf6ca55c40f22c852844a28501981278a72ace37e66909876adbc1cfb4ed7c42b276617d371c68c554b1f506b716635f8b8007f3707339dff346

Download Submit
C:\Users\Admin\AppData\Local\Temp\XykEIgUg.bat

Filesize
4B

MD5
227b90938be7e9e7d23bb9dbf34f639e

SHA1
cc4203efa4e4bd270309d6058f77e3191be0ebb6

SHA256
421d9d74678fdeb6bd314ff17d7d2090c25c0ca9c48c0ebb17027d36d2d15aea

SHA512
2988193ef8358d26de95acddd9f274060fc35c74e550b5408fcec396b6fd99856f4be82d20dc65198227ebb55dddfdfed48d02e0d905a99ba6e957994d3c2cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAUg.exe

Filesize
522KB

MD5
edcdfde8eafc6bbea9dcdeb03d8469a5

SHA1
63f6e151d1063f61a0039fb9ba130eaa6731ed75

SHA256
982d971281910091022b5602698b1e355b53c795acbf50759db91a1c96eae9e6

SHA512
750ef3841bf69b4ea05660d798c5bebfe7e586a2b0c3e9b1c1bd0a5f75a7d529af49cfb070d3b289062e771ae71ff423e07601de2f31b103e68c2fb745928f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAYs.exe

Filesize
236KB

MD5
fcceb8a87a66dd9d42567764537244d3

SHA1
b3625136686005a9a9d8027c7912e732f979766e

SHA256
13858d0b6320bad8c8d3b8362b60939abcdd71a1ce59dbde967cbeb843708dcc

SHA512
09228a1cc4dd70c0e52c45d5370e5ce3d8ea39d41f41e99a2f91e2e89e35f6fc18929119b8790b5c255a81cf6a07f315b03cc525bb361d37c1068e3dbaf548fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMgc.exe

Filesize
623KB

MD5
e879147b2b09da8f802add157ccf8c14

SHA1
5df68fef9cac889f8d61c8a520c58020189afd6d

SHA256
13bf802ab272d50d547fc7d148ddd46074290d9070bb1d587bfd0847eb7114b1

SHA512
5b3afdcbcfff36446dcada23e335c7d3f8f5e5d74f5a499a841582524349eb9a4260f6ae9ebd7368b4f910dbc03b5f7ee0d61a25c3d101b47804ad96723e904c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUAK.exe

Filesize
197KB

MD5
b5945eebc67aece16146686f9b6462e0

SHA1
b361a7da7bdf8b6e5bedb42839c351bdc58b0ec3

SHA256
175daba46170fa6098f05d44d98c3c0d6bb594783505e82b304e508fdb0ea9ad

SHA512
d925ab9748c039d53e23df1c80d5079f37892f35bce3f0717ffd4378199a63d161c61ecee20f896ff2b7b6ccc3eee7e694e473d0573eb3cf4743eea311a1a8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycwu.exe

Filesize
368KB

MD5
531dae6fe9c0318ac7769f095f676169

SHA1
072a7927658f9d8f1a10921692b607626544d90e

SHA256
80581de5ff5a0ec9851f2a5a314e2f04296c3ff62ed83a8354d799d7133cd5ef

SHA512
d52f8f846b82bcbbf5f21ae8d6da2d328016912427d184eeb1fea387906693f1bae9f25d8062956a8a4ed0a1e82fe6d3f4bc719ca685eaaedcc4f737131d6e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgYQ.exe

Filesize
229KB

MD5
2cfb91873058e35502a381348205f90e

SHA1
ddcf0fc8647a2beccf87085fdb4ded6097dba802

SHA256
d5bffff380113806413622506f60ff92429ace76d70dd1d89b77221298c76623

SHA512
f83ae8eb065147bf36262cba6f8904f05d94589d42eb7a8b4353859ced664c79278349f1e4dcfdfda813d9f1f098f2f5361dc0a498314ba303061d8174ea605e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoAAoUgs.bat

Filesize
4B

MD5
6ca008e648254a16a2d23b2a18a574b4

SHA1
90ff81d0ca0d7e53548a7cc2fc98710116da8ed1

SHA256
c80593466f29117128ba2ebd857152d08be4cbde464d0eb1c3e3174f484374e9

SHA512
f6b54a1ed5a708d150281d99a792714773680762cd61cf3e0fb8adc5f975d69f3175ed2cece16526b4b7ea26e4e0942cb95ded0c502ce1c3000b5667714d7bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YqwgAwUk.bat

Filesize
4B

MD5
27b029c82a8b9c3642a3a80cdba5c34b

SHA1
d0eb20bd276f3263b6cee199505c12884d2ce6a9

SHA256
7623e16ded0f79441a0d808cbeaa1bb2e21629f20e2b96a3c00003b89acd8a18

SHA512
2e0af78a2ecf879f32ba2abf3b258ed68b0ba61ba2873963e1d94306abcd5eb52a40b3081cf0aff49cceae80b288904920bb75af4a66567695729cdf87d8a3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YqwsAAEI.bat

Filesize
4B

MD5
cf52746a56a62ad685e30f0973ea27d8

SHA1
1831ca4194911604cf8083b9bdeb365411fcdbce

SHA256
ec4b4658d46914cec5e8df6c8e225f4bf9571453cc7f31487615e685c1eca09e

SHA512
c3aa94b001ff53974f64ef526bbeb070fa0377c4dd7a4064baa682b3879969ffa5ecc7c9292ad26eeb9e33b2b7833c6eb4098e60db2cc0d44d17297181e7ee2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuMQQMAE.bat

Filesize
4B

MD5
dbb3a2ab0e1bb554792fb1261782c4c0

SHA1
429e5429c5851f34d44f6e689f16b6be752b45ad

SHA256
ba8255bc97d60f0e39f207a528dc0a52f86dbbdb614c7e503d9774e9166cf5e4

SHA512
f2ab53597da07969e6f389a3c5202130484f2b7c82e6ee08a8cb14986fff8fc825a772e1b8cd9b04f3bcf4999184806fc416bc539d9f1e68ef1e45a00b02fe75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywcy.exe

Filesize
232KB

MD5
dea0b1fc12127ff888907995caa08d90

SHA1
ea63f2e9c3cc1adaf19cfe14abf39db5104feb96

SHA256
30d1123673da84f313096ffb8c91819dbae8e5414ca474e45758e0611c85f033

SHA512
1a2bce58a3fa6947bd4bfcdbcd5652c840649ca91274f21fb972f02a45d34f9e36ee29d53d48032379805fb6116c2b5071bba744d53c2946853975d42d6a846b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyIcQIIA.bat

Filesize
4B

MD5
2f167e62d0cd6d74479da497fae147ff

SHA1
e270b4508a7fdc6a3d6b14810b48afd70bf5bda9

SHA256
bdbf54af4b8da41698c2a8e335ff5133a8e6de6457dffde7fdacc07c5fa545e6

SHA512
909c528f502f18c44bc9c766da920a108bfedc53f8522c457cd1e89239000fc75c68b7e48f34264b99acbd9ba1b542496514238310e87543cd73df1405db67a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aSwkoMAU.bat

Filesize
4B

MD5
3bfbbdc98cb35543c41681dff52100cd

SHA1
cd4765489981e318531f58891a9c4dfcd168e399

SHA256
4ee9156174751c7b232d9fe94bbb8f3d52f16911d6df207a31c518a18389bc58

SHA512
bc00f11aa894c12da207467acde03d644a6ee6bcbb5f883834a9703791ba12e5d3ec0f3ad087d6d1fe8b7189188f2503a0efce0ac318d4c9abcf54b3fbda7de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYMC.exe

Filesize
250KB

MD5
13d518b96de0bb442173b8140346a638

SHA1
ac0afde7bf25381cfb396e2cfc914c0de8009274

SHA256
03f613ff2162cf8fb95dcebdaa230607f630bee023269d28f27e4756495ce5b8

SHA512
df0b12915cf08f52465a1783cfc99b2aea306dcbc162dd60f5a4c4e075f6454cf95c201c242821204b5c29014638e699edf80bf7d657cdf8b42a58c791f9e542

Download Submit
C:\Users\Admin\AppData\Local\Temp\acMI.exe

Filesize
239KB

MD5
83b4c3d05d14db27d1e88034c415400a

SHA1
43cb03f9858aa1e1af7785ae322feb0fc5e5ccfe

SHA256
c96d6bae68702a5efa81e79553ebd6427d503e2e8fb0de3a140bcaab4c4be92e

SHA512
341fe1ac7aed5d4d7d1bb71ede2e767c934accdd57751c392d513550cd45b8014859835243733eef50022935bff5002c51967fcc792e3a559545c36300b68bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\agIsoEUw.bat

Filesize
4B

MD5
92df1520f1d5be9448ae65a617227823

SHA1
fc1164b39dfc67fc32eb8c3fe897b406d989f8a7

SHA256
0de80d1adb0b529723e57b8130700f2b3aa21d8989cfcb3a34ffa09967a3c7f2

SHA512
98dc814ef9ff4e4314336793f15920f67256cbb58bb62c4097084e289f4e4f1f861e20175d1866d812d55e22da642095e4eab7290e585a261b16d3d5162c0b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\agYI.exe

Filesize
210KB

MD5
a019dbd3744c89e8d1aba8c90e095dd8

SHA1
22b9a1c7370e3959fc01e178e5319e0f0833795f

SHA256
485c49359dfe322be55bbef0f03024348ca09dbaa646f823e4d713ac764e5de4

SHA512
dfdcfc2cd9b3ff9b4fee408c3662f9bb46377cc5fd04d7ead8e013684b7ff86f31d33cda1820d126581707304fc2b7504328da4ef87fceed68401ca9dba37301

Download Submit
C:\Users\Admin\AppData\Local\Temp\aowE.exe

Filesize
228KB

MD5
dcef0d311c3097a25cbd43c56a3e27ca

SHA1
4663a699d0b90e8dfa6f5c333272c22c84391461

SHA256
954c09f6d0033459b79718b472fb01a3652f1031838b517b3eec0e21b723fe28

SHA512
3df70115c71d64b5e412c34c24e122de0066a9828d1cf213c22d76a293fdf5824cbc7037a398f3de23b11c9fdf98e39d6a3c32435e80fc896fc8b155a3c1ad8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayMIUcUY.bat

Filesize
4B

MD5
5c9a97db8f62c1c84cf050241d8c3f1d

SHA1
fe07c38c0b4d48ce1c2a1d4763357e1c2ee7ba99

SHA256
b32955941a2ebee65486637d576e0d96873fd898bd761280be25007f15640e98

SHA512
b2de87de55aba28fe8095e24595185b15f19af2076dafbe4a2f323a3fd5f9377f4d30a75bdf0c001df58544b4589a390462b3291e1f6787b9be730e5ed434e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIEU.exe

Filesize
246KB

MD5
59fd24384e44f9c225daa4ce587c0ce4

SHA1
778e6849b50c86280108fd4d20db3cc8fa92df1f

SHA256
4779d501ac06b497ed3452bfabc99cf597461e5be1cb4657355bd8f95f68c0ce

SHA512
9ae37b2245a00468936f7b7a56c5215ddf168a5d64f76975d89e93c91186e30c6d28e459af17cf8d712e5350be83a102256b59b685bfb30e5cc99a77bca55af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMYy.exe

Filesize
190KB

MD5
1d6e84567475efef8d2db26710c09b89

SHA1
3a9b0c0f1a4176886e93e0e31ac1f94c541e3e69

SHA256
8eb782780576fad3b4f63ef441e55f1c5c16a3c70b6a0348f93363be48a57248

SHA512
2b5991c4ae387d98829a463921d7237087c14ff21417b213cf3b1b791b2d49066412550a64918a5e1c725c79e5f416cc5b76cff110d7238390717ee172b21b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUku.exe

Filesize
1.2MB

MD5
c848352a092338d122df532cbfdfcd4f

SHA1
a5362e307f634150fdfaf6b491f065bff4bac5ba

SHA256
15e7bec72fe6b857999b7f1fd0bc5af79e91f80313807c0878e5492b6eb2940c

SHA512
348f272d5ba1bc695de1aa27e9581f39bab8bb269893d0c959aa5ee6ddfa2abec6eedb239b3f7139bb6ff4b84a2b7984d3af59baadd40a3f83bc207597d81a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYss.exe

Filesize
184KB

MD5
1075d4d3898f14b4dae2b80507001918

SHA1
246ac92e3e15cc75c24aada2b9c5c344465e3b83

SHA256
982475d914ee245a911c2250d820c40a84c797b12ebe2b01486cbcf8b87d10d1

SHA512
71182e29decacd1ae195a46a2a3d1e9dea26f0815b457c254caa826e8684b04af3d55c4b554212d7b5022aceabb8e8d7821d31ea49ef59c974922f831d133c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\csgo.exe

Filesize
245KB

MD5
46d0e6c1d3cb9ae920ee0b58f219b4ad

SHA1
54c5ef447c69c2084c7c5096442862aaccf3ff78

SHA256
b52f10012aacbb5d204afa0de0a73ce9f755e44da2410fa0075e1a34e395415a

SHA512
39a29ac469d2d8861da7a7effa4c470065f050d63591dd19f5573e666e2c368304432e22a04022e0508d6b5c7efa09f834431c223989db8b2db35572ec989c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwkC.exe

Filesize
241KB

MD5
40c3b41786150c6ee904c3958be36fdc

SHA1
5cc70bef4530f12c1088ef2623ebc9fb70baaf18

SHA256
33da5bbc7f67477c047fd05c4527da881bf0f356c17bbe4d198ff221941882a3

SHA512
fc2cc5a782384fc26208bb79b4ea6edf40b2435627a3ed34dae63cb45e1b091d0636d08426ebe301d6f65d1b4c652492b13bf6795296958e7d834dc43636b9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCcYYQQI.bat

Filesize
4B

MD5
1d1b8708f3e6e7b46f70a0c73b5c8ff2

SHA1
736f19404bc67943bbb0f4718a2743227903ba0b

SHA256
7a74500e97068e4c2eed314523e2e5e5fcf7577a209cf9aa2b1881726d6c4d11

SHA512
254c181ea933b7995ba934f3ad71266995d6c0d09793c42bcda8a5373cba524aa77e75349975a9c4507c18a50d9933d8650ab10fe1076338a23a518f2699a229

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmAUcgEA.bat

Filesize
4B

MD5
7d1fa70c7a1fb4f8355891b9eb4ea5e4

SHA1
d96cb805413b1eaf7a56742e0aa883d5c933aaa2

SHA256
be96db0f954090e97c740ff7643bc98c080d3c79359c2cb0b49ca84c3853a771

SHA512
26d5285ebb80ab188f38287bcfb5000942c5989ffdbd6c3cc4f6da96492fa199caf51e01a689a46fe5942ed3107d9ae11662f5d0f3b6c00aa3ed31fdb1bb739c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMss.exe

Filesize
247KB

MD5
d702db7a94620b39c34dc998bf4f79e4

SHA1
56f272171a1e25963c94d51b4538488095e680ca

SHA256
34e0ca69a08b7b27654f4352dc774269f6668241ecd58d6e2ff29b49cc53d4a1

SHA512
c13e74f217a359d48fb8c2e88fc92450e07389564ad2d3ea11f593728cce0fc23a47bbd5f758dfa256522e8d02b5699586a9d1159bd7590f1ab21bdea5f10c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQIy.exe

Filesize
203KB

MD5
3698dd7cef080d53db8365164841661b

SHA1
e40436b00ca59c0ff63b4d0f3d43337b5d93f13f

SHA256
ae52420a8dc6aa50166f7a092e03810fd984b62e40b07662d970f79944021751

SHA512
b98228fca6689b6464659c7007a56d0bfb34fcf9a3b64aaf6023f172f095fbe8688e72f709cd035330f68f12d1da077fb819e98474e03cf4ab544024972b4ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQca.exe

Filesize
248KB

MD5
3a3afb89a1202177668e39b5e76475ff

SHA1
04013330921d1690eec41f328a48e16033f5f320

SHA256
46368eaf7ff522fc4509650b706facd97fa129f39c65bf4fa1c97d3a0373fd83

SHA512
61f4139658ed411df582dd1db981af3069cbfbe4ae9c3ef1468c06a7a213b2b05637e5103d641299d6abca5e5d5b93411b7fd05249bee5b05a0d4f8e4d39ef34

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQgUkAYs.bat

Filesize
4B

MD5
ecb82f9dddcb1f0b73465568a0e4b36e

SHA1
3d625ac8cea3ffd1f4c93581b91335987fd40a09

SHA256
463b8404c367d7c2ef86131b80d2fec88521e93a601837a357472ce6205abc03

SHA512
7d82b58ac84cb734e0cccc27e260b66f2d9214041ef4e6e47cabdf9be6a71fc49ec96b32006d41850516944aad14799ef292630d0f10265c15cb3233e7dbb6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eScUUckE.bat

Filesize
4B

MD5
cc2a9398819bac88103645591f0e44c3

SHA1
0e950e13fdc06ed89956bfa9d22b7629a85d0a6d

SHA256
991adeb3aef2c5dd96ee91cc47248e82e6318a9c15e5ad96e2e1eff4fb3827f5

SHA512
b2532e3047d0bea2f75beba466cdc04b6c3867a2179c235c2847c455b44eaa21ed56155bc33373a9556c623c6609533464f49ac0a8160637dc0f8a0d94e4ee10

Download Submit
C:\Users\Admin\AppData\Local\Temp\egcEkEkg.bat

Filesize
4B

MD5
2bffb32f74989dab1d41197b3d225dbf

SHA1
3d3da458464500b1177afd162cfec9ba02aca71e

SHA256
53175d2acc7dd996f7931bfb72028f247797d5070d6d61c7d327c4a1714d9be3

SHA512
6b50e45516b2661877fec733cbef48fab6cbd24dfd2ede5be72210d27d6944effa0e48e9e76f06788534d7f2c1863b673dbb0e5165b73d5fbc411b8206e45f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekEs.exe

Filesize
739KB

MD5
401c496c3d8dd4afae19f8a0df0e2783

SHA1
105530bbf6051510a16c4af1a101347591118afa

SHA256
b0979ead5bc282fc39a4e3872f7d749cfcfb9751fea2f6ff8fc78aee31f007f1

SHA512
fbb55a72515a6280ba63792920d59b5eece0d79d00e73cb2b34c2030684c99cee0130396af341fb448d8b136756d6af1ba319ca46b9e100b8b21dbb2472c4346

Download Submit
C:\Users\Admin\AppData\Local\Temp\emccwUQA.bat

Filesize
4B

MD5
7d2ad1bd249c50ae58c7226135c3ff33

SHA1
5c3d82bacd1b4164708fe27eeb647074816225f2

SHA256
382d167d6ffa58e56c280a7677a5c224700bda73e23ba68beeb4d848524568af

SHA512
98c9748cbb265a7bb6df683246bd047e476968e8b2907e5348562524e3543153506218f46fefa7937c8ba5473f6a50fbb0f90216cd58046efbbf821c0884c442

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewgU.exe

Filesize
640KB

MD5
6e1aa1ca0973d56a5526e127f7f64848

SHA1
1ff7685ed00f6d622ee56f1783aed63bead431b4

SHA256
aae33b92f688064cd98e5264743670c8cc5ff27e09b064f2b7732ac396b5f0f4

SHA512
23b2b43d849e2f61e62fccde42fe2236506d1b72cc5e4e681be099b812f6143fb2fc0ef27a006217f81e3872665b8b56a10d061ffe4545a499280fefeb4547a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOQEckkc.bat

Filesize
4B

MD5
9dd3ec5b4b0031ce2bb87d7f8727f282

SHA1
70c1b8391969bee4a36abf2090378c5eb0912458

SHA256
fde06b1ffb9ff135be952d2c32800b197cce8106b73ff044776e988ab21c8f7d

SHA512
2c7ac71258eb39401f86860c3467cb9f03550729db529c47f16bb55b9b70a9a3d594f96ac8a9a992279945f431b0107beccffd16914e53e24a6cc704c687dbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fSgkAkkk.bat

Filesize
4B

MD5
1ad1727bfff25f98de113a338debfb9a

SHA1
5829d56bb8ccd5f63789b8f11fa7838f1e17d6b7

SHA256
5fb3209b58a07a3d74a5cdb0ef697c7883aab7901d9987100f939a85ea7b812e

SHA512
32e4ecf3df82a9369932eb62bd2ff5ab4c66b325973acc4c281ccdcff29ba2e13e55144555c0248350ba413524d2bec89c434e7fef3f158fbc18453b7cfe1c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEEg.exe

Filesize
233KB

MD5
e7bbdac74e68550c178a40338450dc04

SHA1
6cc4291feae1ba613166779177eb674ded759429

SHA256
15ff530c14bfe53235e3648e37d621ff3373857705cdb74604be438697e38d95

SHA512
d84df32cd77ee964969d8f9b9a590003ec82a3b18ed6dacb6d4d11a7b3e82cd97cb01ba744d296bf19d58564836a626f214248e4c2e9d345de59a4dd60675900

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEkM.exe

Filesize
230KB

MD5
b33c714e289aa1e1f15919ef0635dcdf

SHA1
b78f8e226032c933b3119d61fd1c1285e21209a5

SHA256
012cb20e9bc864ffc70cf6cc74805dee4dee699fe8031a9cef3b27475f047268

SHA512
224aa2c14ed41c53c2685f119029b4e00a3499636c5e2be5eb55a35055c72fee6cf1ab24cbe933519a642816ec484d163b73b870f0b86941aa29d69028fba16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIsc.exe

Filesize
249KB

MD5
533b019c0c5911a3e633a936e25b8400

SHA1
49135f8c52a21f8a3bd1599c842e70b6e6e76907

SHA256
de6458e8e7aea2e14f1f9113ecf0945c7097b2e412fa28f826839980806d251b

SHA512
aff78705b301941fcbd41f5f9687f949b13e220e1764dd2a7921256e374b6bc91e74e1f6f7319451fe5573df17737f61a15ebdfa5b4313451880e7ca25903582

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIso.exe

Filesize
849KB

MD5
4f7ace381b7274f0c4fe6517806fb391

SHA1
c50bc14494d06e4ed1201fa76bba2ac871d76bee

SHA256
c501793e6dadcebbaa4bf9de1166bcae3f633f72c695232692a9a509b0cbbb39

SHA512
abab04478dfee9dcb60edeb17d3b066f992788b0cce8cade4e2656cdf78879f71c3281768620cf7fd46053f1014eceec33a6f4cdae0a564f4d222de63cb58c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMoE.exe

Filesize
616KB

MD5
bceecaacf50df88fe32c76774925d825

SHA1
cabe063e50e28037e8e617cbc5531962c5075faf

SHA256
5ef3e5f0dfecd32a1f91fe66674106dc386933d9538621a4f16f319f8ba0594c

SHA512
45bf38a8bb93d8b22292aabf28a77a3b4f79c7ed2c40d5476e8f8e45c774b6f9db6cb9093cfe0c4fe6dd114ae5c1f522f7149c3e17bc95adcec23cdc44ffba79

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQsAAEAQ.bat

Filesize
4B

MD5
319c14172a7830402d714e2155c525f2

SHA1
40d3fd472fabd35a94be99653f25f22233e2627a

SHA256
d162e12c71a393871823cbf2e0ab40788bc3867de16371b915470aae024c2665

SHA512
039f05f7d75c0e8b95666853bef039d60197a02dfab8221ba38255aea46784004ae2d5bdbf772d49f0049bf5f47ed473961adc3f22a6d9b1af0d0f3516e3e1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUkS.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYAW.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gagkYYoQ.bat

Filesize
4B

MD5
be11da299c08c72db57fd57993255660

SHA1
6bb6c0b724dc5150f9ab629a1ae5f54932b39d49

SHA256
af78b94afc32cfa951526583da904de9c53e7426e138ebe80720287356eb3d41

SHA512
64ee84265e540f59e51e061bb3d812e23f7f5e4c47a17db8344da3aa3cc357a39ccb9ca15ec2c8a5ef3e57afed03ae33f4c93b35a02a9f87fe7f75ed82e569aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcUwUIcU.bat

Filesize
4B

MD5
dad4f41319d1c5df05e3d1082032f5f0

SHA1
c1e3c7ce6489c8229113fb2fdbd2a3bf061efb0c

SHA256
3308bc04d25a30fc31fee243e8b661a5158272b45678b34bb597612acfef1ac4

SHA512
16e520ccecd9699015355014a9c9d442bfd6b4fc966a553a9172da8b1abeabba1180ae8302aea36fa828a0cb2326b2035dc662e08c602ca27651954405c90bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\goky.exe

Filesize
208KB

MD5
13fbaaaa2a751d92486043d1a21e3262

SHA1
78e3d72af205569ad340a14d566fefa9394735ab

SHA256
0090889f3bc37603d1139f38ea390e2cec87028168fb3958533c5a931e98a571

SHA512
1a5de2a7461b575c7c8faa285cececa2a691b73c1ff72dbc51819e6fbdcfa1aee0075ef6e7460d3cd1d582d36ad85d5d8377d2a17067f02a7c90134ca5859418

Download Submit
C:\Users\Admin\AppData\Local\Temp\gscA.exe

Filesize
207KB

MD5
9106600e6b87ca7a384ae7ee83feedc5

SHA1
c19f06f0e235838936b845b9d3f7497e00dc7912

SHA256
2df944b6bfcedda3db31026a6a25a824463159b11c09474395e3b007af15dc94

SHA512
e754fb37bae63eebd38e9dc93ca44e2dd296e6247075d91bdab4a312dd4783613f1543227940d78d6d8c4b466b4504b0b6af4e1d6d5a045e30d930fcaf45efe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gske.exe

Filesize
642KB

MD5
91c668706b2eb55343039e0a5d5d89d6

SHA1
3e6bd246d63805abc7c853b556e6caf6a0235656

SHA256
4f616a19753e0cbf15b6fd867538f89ba03b6bc19dde2a654546a387cafb841e

SHA512
96b7b404fc6d7d30bfefd4bfc532b59d74f1f03fbade5a2b8e5ce8c5fb7c318e4575e2a5cc2551aea5c5e13dd84a87c9dfa985380e2a9697055a7d34e83790bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwAMQkEw.bat

Filesize
4B

MD5
539dd22aaed6b4f05e0d2133243cdef9

SHA1
6c1faf604b373099b7bd275f8f4bd47af656aacf

SHA256
3a2565ddddc87c430c595dfd26b7693c5847f20e2a4e6cac9c2b80f8e5a7ea1c

SHA512
2eabb5ee01abe62636ea06cb4eb02db6a0fe51e2e051fd5e692c7a0f8c6abf38f6e0afd9d857e773ac8705f4e5855c397256b9945adefbdd79ed52fa136518e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwsw.exe

Filesize
810KB

MD5
bd6192b35ebfc14a72b2dcc22f1d5356

SHA1
d24fb46649b9f06edabf46d906db564462172a15

SHA256
75c9f92c26153a2c1be560fe221cb329b6f30214d654f3b4e9ebee51821e33d4

SHA512
b218092f2fcd3b7266b5d1bd14ee703204bbe41cad80a003b0ecbecb838852a26ed2177dd8239983e64470353803aa680e0dbb0eca5e73b8d2df902af82d99a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgsUgIEk.bat

Filesize
4B

MD5
ee08326459fb9fce1876d8eced6faf47

SHA1
a9ce192442ac423f1d5d950482df43f966d08951

SHA256
26caf7a3baeed88be48048b14a4e2f8a62c2e426f133e7732507213e62fefd3a

SHA512
043c429997d884b664cdf137cd104cdd0cb5bfa6031ab03bba9f9916b20a06798be9d17231a284bf71b8e2f515426f14777ebdb59cd88ae0e2449c9779a32b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEUw.exe

Filesize
245KB

MD5
4b00eb91025209c5837fa2dd96d2e2ba

SHA1
7e7174e6f505180e5a2285479ec3a385c65bc19b

SHA256
bb53ccc02a2f666309ab68dc6a9ff13f584a22a5a1175201ecec26b6315037e4

SHA512
2f79ffed748b758152bb76a36ba544cb6631b5477850b82481ce85537a914b0945d7119f6ffc4d1eda2796cc0ff497d83af81f57f1cf03ef188d70701ba3bfe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUoI.exe

Filesize
243KB

MD5
48878deef8961cc4329f0f65f3f6f731

SHA1
f61706e0ba027b04255437f4f89bae7524f2f585

SHA256
07008dece748c9a3db441c51ee914d31d74358dc5e3a5ba9948eb098100c37c2

SHA512
5ff7efc912d745d000affff1341d35d16880729271d512dbf577d6b55f317bcbcbe1c479ba0dc7b4436d9fc13b9bef1992c0ec5cb53ffc4fdf067b6f717c2a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYUUsEYo.bat

Filesize
4B

MD5
e8e99d126931e4222c155c65799809d8

SHA1
c5f2f07ae2fda51b38d9e82392b818035ee34758

SHA256
9dae746b31e407e6b84b8f3e9e705ca257a78075d3fcc3149f128844c66f4c87

SHA512
26e3366df9f776f982bba6d4291c1012379c9ae87bea6bd044969c924b0af23a3d57b05b63d1f5db6ff14cd073b8d15ac697c9e28fcff3e02b37b6035d7782f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYcG.exe

Filesize
189KB

MD5
25d3fdd2bee449e92b589e0a9cbed667

SHA1
7b88c733dea3f69ce054f9b27f800324775c9e12

SHA256
2a986c8c1227cb01fd3ac2a65b8240804f77119e0bfbd1bc5b5e155725ad16ff

SHA512
3e10557796ab73f85a06d50423fac4918c39722b802cdb0bc3c398ffd762505ed9efa1e50a5b4e19ff722fb4bb4588c76f836b211dddc05696a564e1789986f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\icEQ.exe

Filesize
238KB

MD5
3bd24c2261f52013c68dcebb92fccf6c

SHA1
076a3fbe4fa24800895a807907680c78432d9b75

SHA256
b6e207ea6179840d608a1e13ea0288c4ec7a587fbe9695906b2458bea21e719e

SHA512
68bf56f44ae0bf3f2c688e89e62fb0d92ce1710b265a3a17d855c3dc55c9dfb7953bbc7db91c84f760f372791f3fe57d9d02e2733c2ddbe7f17f916750955529

Download Submit
C:\Users\Admin\AppData\Local\Temp\icIC.exe

Filesize
594KB

MD5
fd21d7b96865a53972574872ad558306

SHA1
fc42bf98cedaf3eddefc990886815d1d483a4ada

SHA256
2f665ca5b394011cecd609cc3874a7cde346bc0edbc645d04cc7edb960d4a5cf

SHA512
ebba086ad80eda22ca728ab9776abbb7963cf480ae9a8d0524483a70bd1e033e905c22b0881a982b822195af255623f67fe774b14e14261b8b751df372133995

Download Submit
C:\Users\Admin\AppData\Local\Temp\icsi.exe

Filesize
226KB

MD5
794929717ab4a41619c2ea7633559efe

SHA1
2c6071856f0c8218ea97cb4aee614f7a0f19596a

SHA256
ba6e37bdc63778e9048de9decc93da92b2f08142313e98a8925e6b135f51c15c

SHA512
98a7fcf3a77543b7721960fcbdf3bf2910c67b544223541d709789c87ea7a7ebb1347d592eb8ac3f8728c41561e1bf67d40a01bcf29f60785702fcae1c6fc90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikMw.exe

Filesize
243KB

MD5
95c56f8b54f628dc411829d5d10ceb28

SHA1
167f08d42cdbc13e93db91211d5582dc04a8cfde

SHA256
8799fdf8e56d8431ac189a41a1169b5bd39570d67039e45b3f48c6cb46930a61

SHA512
85cda4001b254f4499a662b9e31afbb3dad135848628e03c304f95d01cc8c9aae34f6a3ba174e5d1bd13d23c56ce254ecdc3eb6cda9320b63d82984751ac4499

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikok.exe

Filesize
203KB

MD5
ebc7a56bfce4e27700507e415ae0061f

SHA1
ad813aaf2068ad3aacb13163925fff6116ff421a

SHA256
00901ae556ba87478ea0b1c1f2a31f3a644e69493f2d21fa9be6f02b97e9d0cc

SHA512
9ca8af17b5e0c9d1915ed36e7c4ffbc1cd2123e96dfc793d7dd2069754b8bee619d8b1dfc23efc9fb4cfeb5c9ddd87b03f9b26b2acdf5fc65f9871119e489cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwok.exe

Filesize
243KB

MD5
300c73257f2c55445fa9766684837a75

SHA1
5246eabd724bcc1c79f121271fdc21c50fd01153

SHA256
c471d27b7eff17a49aaf3f55cb8f847cd2c6fca3f4bfc2ccc1235abb598cf57f

SHA512
3211b4e69eda308793d079880b06b56d20c4fae6979ac685d073af115591fcaa6388991d4c9d63a9170987369e2df2bd0d77605222c604526ae95eedbdb01434

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEAQMUkI.bat

Filesize
4B

MD5
91bde9b36b9f9083f0681e6db73aa760

SHA1
ff30ecb43c135299df93b32bd6347c4b2b1a2859

SHA256
52729c5bb371b34d7e6a347d744b8013522cbb0370fbe19e9b3a20845065d6be

SHA512
7564a67500d6b94eddb9fe03bd926b4795217f089a566f851d7865869af973a94f12d7800aae17b1c0f79eb793c8904e02c8d04dae9e1d856eaffa67b71d357c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jOkkIgko.bat

Filesize
4B

MD5
82b968339062a243ceb4a9699ea0cfbe

SHA1
69e9623f111c128be146206a7aed20da3bd26c44

SHA256
b25ba2bc0bb5835e399c506e3d92012e8c461eb8fc9fde93178882ee5bdcedaf

SHA512
fce9ff05becf579f437e635c7f5db94af39be05a3468ce68cb01fdb50e57c44aea1945b3764bcf82189e4c15115d33f5a0ff69d09f9c8545df06e7308c1e448c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jSAgowEc.bat

Filesize
4B

MD5
cb28f26698cd2fe41fcc89ecd7171270

SHA1
6b7989eca9731b7499b60c018efc864b9580c6c4

SHA256
5e638c5ba9c1cef76c065e00ad6d5506ae21d7b811a43a9b8ec68ec8ee0e8b73

SHA512
7c1b1451848b33c1051fe9522d76ed385864ea789fe4fba673ef120637cbc3c5e05da5d41db58f80173deb9cc9e5cf49eb18bdc4e246ca7243f0467184e01085

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWsQQAgg.bat

Filesize
4B

MD5
8ffea38a1cebdc1210a2ecc8de811151

SHA1
95512f5bc078cbc4e058fcf80748642a3854ca33

SHA256
c3e48d373147985475a2254ff8d1c33028f118b24026d9d4bd5d9ad2750e0dab

SHA512
c5d714c9c2c9d50b2a4cc024f97d26a9e8a39c3a8f48fd0f2e22b164417c68773113732e7b2f62679b840f64714188868dd14b04e396a679cf9049801cf9a0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkUUcssM.bat

Filesize
4B

MD5
cf109351dbb8aa5d4657522d15148ca6

SHA1
5338a446c6e70272c147a7e4a2d9a287a1d2f391

SHA256
3444b55b6da9c6771d0ef78b85b1dce94e0356a8654155a0a0a8616aadeecc33

SHA512
6d839e1803e18474f39ff4d896823e34558a01bec981ce7f4eebe27d8355967e7b04ba51d829ef652796dd79a4def3791a661fac319e2fde5f07cb26fd416467

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqAsgYsE.bat

Filesize
4B

MD5
c5ce1c6c57aff3bf8e9b91a7bf44a8b1

SHA1
4fe14fe5171d35b28ae8e669ff9b703fb01ce587

SHA256
9280ad0a5bb7fe52244c4bc2e42f91d4d7bbca9035c31c1a79cf4d2faaf58ced

SHA512
0aa034a7854dd9fbfa7cc402acbf9fadd857f83ea116466a0aed6354445c830c6906b9864a9f928cbd399581707c3160568873cc392ea26ea1528dd4b9f729a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\juMEIEkM.bat

Filesize
4B

MD5
85691233daae87504de3bf584c6ecfb7

SHA1
04789f56778cf114f526c5ef126230aeefddb3d1

SHA256
d7223ba85535c7ac29a6958f9166a54f144422dc609ac213980032fa76466946

SHA512
d5e5b36a2e927854ae169fabd2a9774d3929a6811925b82537ec6b59d26fde9711781e8aa3de69dc9c063203a112e98d881b466062b2ce879aa6f56a7d1a6d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIgK.exe

Filesize
231KB

MD5
1c863568a7b4e6627bb7df4f77340282

SHA1
c1211221a323a630b2753fef58ee372f92f4b136

SHA256
a83c8f0d2ca6e3b5f8467949e02a7fa6f84969fe6bf6a1c042300893875b3d99

SHA512
dcb4fa5fe195ae8faebc6de14fc7921227d3517d7e1f29ed3c799b847213c7f3ca8ffa36b830f28c99f610d6bb259dd85a65d7c84d87360f529305c3b403668d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcoE.exe

Filesize
237KB

MD5
2a69cb031d403086fb156bee521a82aa

SHA1
957243916de123f234ab0b11f1588b64c9b5eecb

SHA256
09d2d149f70379a1c6290390b7a2eb73665a7b7fc60a1849f7bd2d17ef2db158

SHA512
0361634b75fc00451381cc7ae7a5eabfb9169275ae2b25b4213dc9c4b44e9a27cd8e9efaf643da27e1e239326a862eb10f6419874101f3d008e813b78d46267a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgEm.exe

Filesize
238KB

MD5
217ef0b9a0fb48dedb9f61e5cee81cb5

SHA1
a007f838abc1ea0878887da2c08d55afb39d3758

SHA256
3b35200c95a0f8652c9da08b7e42f6eff62a66b39df1abf14ff1a6c44a12c837

SHA512
55c9faad22793ad290b43b9a30c6c207747ae07d5f8605e79d690b0d73c032eeb88aa37157c3010f655d530d66700bf4abecc49b36434702b856701cb0c1519d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwMa.exe

Filesize
185KB

MD5
a39fa2110c06cb9d51b3af619cd8df57

SHA1
ed2d7d90d2daf86059bf73eff7ab2362778853fb

SHA256
623749fb11eb6b769b7c3d305f26cd19a8a2f89d4f2a36bcdb02ed599c1be4cd

SHA512
565c5c958173a676c98a8064ed54464677bc7305e1757f774a369d8d5487f3cb2bbd2464c539c32ca930e08018a0be9e2c475be8a7059c9138ebc75fc1934d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwwC.exe

Filesize
203KB

MD5
0c74967fe9a372fb4a824e6c274124f9

SHA1
b9fbc856ab88748ed848a7c5c9067d40560a458f

SHA256
a819d5466e54422af2da2dbfa4e66d9936b139d9de825c6186bf417bb71284fd

SHA512
60d73974670ca67835ba2118c25728a5843bb41daa53ac4b667f5ff829d4c76b9f70bc3d358a2ba649334c21e3776e16bba466316edf24bc7e166d38e7a1d5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwwe.exe

Filesize
243KB

MD5
ff32b61f8d84985eb351efb80d361607

SHA1
c4d9c63ad05e7bdf79391d3f15a69afc1c8d4e3c

SHA256
5d99e85b2dc355b3d17ad3c002700b8510375cc22a88028c44d5fd942be2c05e

SHA512
527abca833ad5e9f2ac111820a04614ab6e8b351eb731364a9609a799ae3451a09130bd63e54e17aa7ca6fefd9f223831c90306aee964519dfdf14d96aa37003

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyIooAIE.bat

Filesize
4B

MD5
cc351f80304bf4c1c3130cb14989435d

SHA1
c4c908e96d56c2fc8db4acb7b786dfbd40756b7e

SHA256
176db50e305fd20a43d06dcca33cde680bc49d34b61aad1a55ebc8a0c680b5c4

SHA512
dc5ad80cc2f7ff788ce64f1a1571c78561848eb4764b6afa99212ca13ba98bb88f9859d04a1d794207adb4d486d907cb90db89d43c53c1f476f014ed9aa99f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\lGMckMYs.bat

Filesize
4B

MD5
1c8b0437012e9c21ec80d8695a044c8f

SHA1
33c45b0c6686c8670aa604614849400bd56e0a49

SHA256
4bfd6cbfdbe89df46f7bc1f9ea9106b898865e1ee44401378d74a7f9b9d13479

SHA512
1e827707d20cb5fe1c46abcc5b86d9e55ce228bcb471a2fd3ac495b70c02c59d9369debd117cee7de7a45d0d9e75906393e4b7ef85e0f73e32ef2d55dff99f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\lOgcYcoQ.bat

Filesize
4B

MD5
5cf6fa53b1d2831de939fef3b2ec3f60

SHA1
a8e8343bfd0d128914afce6be1e4ab79e8a39c7f

SHA256
4ed20364261e55b6eef05f49b73bf2e63a4bd75a3328e1a1b9c23284afcb79ce

SHA512
61f561ac9ed1fdc25376cd7fb35eaee6fec037943610875874183bd5c1b22fee348162cb12d7de9ed56d2ddbb45f92dd060a69b9dbe0e445e44a1e318309ff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\lagIoUAw.bat

Filesize
4B

MD5
36c0d0e12d1fc76dddfa301d500285a3

SHA1
5692e1309e07e825ce44829d60be7dd5c30d954c

SHA256
4e95a1793a0a7f31f8167a674e86ace245ff6188634e8a00743230af06f9f9bd

SHA512
9c87b4c8da4bd2bb9c44717cc21d3fcfe838011508418d1aaf2d1b07acc08b3eb0364a2b2edbf82c29b41995d2e18ef127e379370a27127ed9705d89fc67cb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQEq.exe

Filesize
249KB

MD5
6daf5226dc58441a6fd5a9dfc496007b

SHA1
c015b6c912f0e7485c276568f66a763473a8d271

SHA256
244a1a4df00622dd50fd9b46b61239da6f4de297907e1e52f4f705ee293a1701

SHA512
90380a3c6759efe1b2f11686c07d13932a642310f543dada18ccfafefc1f06a0006e8c0a19f651be267aec4de9c547b3b763af68ba8d6a91a6273c9e3119f7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQsi.exe

Filesize
947KB

MD5
834e786023b6dd95228bf930462a6565

SHA1
768d3891f34de69dd25e6eafde4508f0ccb9c7a9

SHA256
b855a0f20733e53340b4bad2456be342759a641a96baa53155896269d6c51390

SHA512
aa2411f214f79349855473869df80654f6a9332640f24e42978557de52e592cbf303e30f701b6203b9efe88c251ef93710d465bdff57e082de2fd4c0c3aeaeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUou.exe

Filesize
230KB

MD5
438b423a7b3921d7cdcb1100218b80f8

SHA1
eb065bebdf52ca9ca9921bbcce4b5114ff5b21d7

SHA256
7342cf4deb4df36d4baed1efa2a8abd7e6ae38983f9294d0fe9831c03f3a456f

SHA512
9e09c0b0cdd260d68855f4f57f4960fe998420e1ecc3305661fbcdf07f27ed42307dc5435cc8538b975099685a84580775231207a8d7d40e26912c52f8506f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYgq.ico

Filesize
4KB

MD5
97ff638c39767356fc81ae9ba75057e8

SHA1
92e201c9a4dc807643402f646cbb7e4433b7d713

SHA256
9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093

SHA512
167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\meQAgUgk.bat

Filesize
4B

MD5
3ee949a0da3b8ca52b810d01a6523a87

SHA1
58c17460e572333c2e57d08e175ff2ceb9221caa

SHA256
c8af5305851203302257708b7e313d44306677bc05f36ec9ab170e8d797f96ce

SHA512
2af0989ddefc3a0002ca517b7f68d9b88d2682bd44c27ec5dc2a399e08fb464eafcc948a713713854ad9814ac3e5a487b2c15ad5e03d6c4d39c2679af9f78d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgsUAwIY.bat

Filesize
4B

MD5
00e23691a5bdf91583142b434ea02070

SHA1
6b81dd202545fb8df245960246f304e5875eb48c

SHA256
d73db82f001eb0a5dc918945681e182301f14c8a27c007c03726263d09f4050e

SHA512
2310f5d83c0c50d09ee8d830432603f7cba9077b9d731ff71a594016b88703c3389762cd41253b01706af101f7043267c285aacb1c3f5265e6371090ebde2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\moYM.exe

Filesize
238KB

MD5
e692400fbd7e126e6379e381e0141dcb

SHA1
662874b76f941bc5ccfc9086cbe7769f65a9578d

SHA256
79d07d9bd0a174e3316365e604ed6ae60eac9cad78ae3b01e6c407ef5d46e52f

SHA512
48c4a813a13ad29648f0d9c04c999eee09dffc7b94ec0421e377db8667f014885912b87f58eed33e3445be3fe2a9c8c1461fae48adaed6af1595e640de3a7138

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwsEMoII.bat

Filesize
4B

MD5
3f8aa436174fab0f919371a80a25d2d7

SHA1
e398c465432030d05efd087297b4e7a247875526

SHA256
dea7d45dfe737465d2cd110bf16f5668b079f5dbf0ccd95b8dfa555a12366d6b

SHA512
d305ed305866e2523c798fcaef0c31db75aaaecdb0da06115912251007a6cf65dc37fd62c43650b2f258592b8ffc0bc939bf7b0d497760813cfc1bf44be90bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\myMkokEI.bat

Filesize
4B

MD5
b2ec20011b6dbbd6d4c031340f72e24a

SHA1
df9da6f7dcc8ebc5d9a0fe4a02cbe1fd34f0a034

SHA256
01d0461d495a780b6c243b32cbec596ad4a4c19466b7c507ac103a7ae770f8c4

SHA512
f4f2d12edd3626f9b3982b2ec7180529920d75fecb6a196f23a3b89cc0167f24d477f650e3967866c51f71c18b9717d86ddfdd0963f63eecfcfa6148e83687c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGMcEMYQ.bat

Filesize
4B

MD5
5e9d188895a31de99dbc05fe6a63c78d

SHA1
37448e328f81bcee5acfa0fe5069fb977c3efc96

SHA256
cf6a5810419d654a7fcb2df26b2575bde481faac33f363741ec3c79cf98e10e0

SHA512
8e7492f75f6f6f3d63625a37b2d8c0b6709b507520022e90d58d350bdca9a2ebe7f76fa47ae44dbdfb8414c96a1ade335dac3047d1905d00a7359467755431c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGkowEMc.bat

Filesize
4B

MD5
845717dad77bacdfde9c81efa47bb906

SHA1
f81a51f862319cbf2dc79575641fab432a1456c6

SHA256
68a6a13e4a227bc06b8d0a889918db06ca9cee90ffca69418133aa54ff1b0ec8

SHA512
71711e1ce956735dec97c9d1b757625bdc7d906291385f298d8b428c52f3d3b4c765e554e13a5d6251a4d3d2d466990d17f0665305060d833b1febf726ef90b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGsQUIIw.bat

Filesize
4B

MD5
ad424e5583dc49548ae9c981f7bc8951

SHA1
1223d48f2633893dfc6bba09b03e72f4a4ab3c19

SHA256
ce170ac0e1cd31c1ad912b3fa2271b1e8ecfa5bf824ec52bd2f9e1aa10a40550

SHA512
0d60a5494eb79130c892dc1528ef1a06f08311ca3363c54a6f54762c93a7ec51bbfa28d84cd0dfcf081b4d217a055869c62960a484a6979d1ceed4c541c49b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUMEkYEQ.bat

Filesize
4B

MD5
f820eb400b4aa7f5165c35928fcd51c2

SHA1
844b399df23a24fdb1543508802162478997a8f5

SHA256
d898b4085a67f9f19116bfbbc0894e33a98b81a068d6738e0ff8bbbe04767189

SHA512
28653b91a3958c8d2d8d34b3a9392b204900210f142075f73732f7fc4365b922bea9163fbbeeb03ac046c329b56d04167f4273adf44b2425b4ac82d5bc72a64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYYkAkgY.bat

Filesize
4B

MD5
f148da6278a0af2b08cc39e3fce5f276

SHA1
6a66fc22c7240a96e923ea7f11fc040dd1461a89

SHA256
9eddbbc9eced7f90b02867e198c7a9954d41f47237ed48ad511736f8a5d564c5

SHA512
8363436c89593b3993710a41d03c7f092b90c67c1fb12161dfb807369626deba0979bad9961b76bc2893bf33af0efb7f41cfc31ad3a4e8e086722ab5ae3c52a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskEkswU.bat

Filesize
4B

MD5
f1753631e6b2603185db243a3a50448c

SHA1
27456a53c863e27cd102d045ee549002df5c3e59

SHA256
5a5dc13a298cf565f1f1e5064e4c9650a2a9a848206e5144d3aa2b1ccc0d7cd6

SHA512
505ddc1ff69344ecb4f599ada54c46d1f9aa8ff8d4e20bbc685392cb06458dc92bd071b38a4d37f35cdece0c8710d6e3f3f66139f90b9b650eda546cddc034ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsscEUcg.bat

Filesize
4B

MD5
5294c4fe113c0344c97ada0896ba0e1b

SHA1
9751e849ba9e6c7ad2a17c517b19cc2f513191f0

SHA256
9fdfe3851afbc64ae884f2f2b802654cf55d529fe27626d5402d9c1a096e5bce

SHA512
1a038f71aa22e999fc98fbb23f009f5f7100e467482d30f238a577b246f2d9a1ce592baf5d602397587c0fcbdeca77309180e005a5fe3b5064820a56720c0120

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIC.exe

Filesize
229KB

MD5
eae99380d249387764ea0b57290d71c3

SHA1
961812ece0228aafdd8a4e382639d1e659f42aa8

SHA256
8b961e1fac614ad6969507884701d73de094e85491216ca1968ac83bed089b18

SHA512
fa76c7375d36a50607bee2580b2b9bc9aa4fc7030e5e35e5b46e00576eccb9be6f97184b945d710c1bc508c219026c208d3f1a67a0237751ccfe858ac41f4573

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIkgUQk.bat

Filesize
4B

MD5
f2918d8438b5ead081d16c27e3a8a800

SHA1
136998a3464ed26dd065e2e254e1b0357ed06cd3

SHA256
791084f721e62b2a93947a98395cc80cfacb8984937f0fa8ebb24e83022f08d2

SHA512
43bfdea162ebc1ae7cfd4de90f98c5b575b35d9e912907c08d849419aeb108c225703f740b85877149bafae93c7e2b737f8aa9ac861d5614381643c42d9b5f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEsC.exe

Filesize
919KB

MD5
9cbda8e0fb710c754fe1711c5db82278

SHA1
1f0eb3c5cc2b92e5992442c7b2c1009a1c10a66f

SHA256
e951d251b9976e5b39d40cbf2f9d90eb3827840f69f9bd259b6039cab599e2a2

SHA512
4b460721e6d881bbe33e9bbefcbc7e363a6d4444837ae2661e023f752b5a3d467dfe4d52de02b8e0fb1070f7c26bcd86fe31e8970c1318fbb897aa51668e2c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIAM.exe

Filesize
774KB

MD5
978735a73a3546bf3b7de68e48c846b8

SHA1
c6b244106b890403858c4c9367597185658cd136

SHA256
ff89dc9e58b67cb743a9d2bfcd320e5e1acc5dc3c541cd20aafe78ed6ab264fa

SHA512
dd6770c2f438f8bcdded1954225f618d5ab531ada2375a37d7c4685db5a0bdbeb7891bc730c06130d2ffc07c19053a9147ea27fa515f71a601151048a87f3629

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIYM.exe

Filesize
542KB

MD5
3fb9d4e1a528f47f48935de211eb0723

SHA1
e15d96fad1e7c01e5c32abbbf2f631d0cf5572cb

SHA256
7cbbe5929194ea1af7d75566ff2c0f722a237bf9c3034f6a7ceca2c45c82e0dd

SHA512
c9eb783b076ab156b0a18d52a816587828e5817e579d81c21dfe6251b02e81e03080f8b29f52ca8a43e300993d7dae4be47fe9e06cc0d232afcdfd14a8771db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMAM.exe

Filesize
185KB

MD5
e3db5f3d3be0fff1a331f3080d72a5fe

SHA1
67d28d5b66bd0fa76eca20b314a76e49376aea02

SHA256
8b18cb02aa026f0e584660e73fd42f87c6378b8b7d172978eb40bdb36339e615

SHA512
430015bfb5d13b6b76f6f4150adad4b345eadc0d798a9c19a1eb0a82bd0570ae1373284bf587c16d17f7d76fbbe161da589aac6e22300368237776c8a15d9c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\oOgMAkwg.bat

Filesize
4B

MD5
84b72868f8b43fb360390ab8a84adaf4

SHA1
b1bcd266074b3510057f8ed60258a512202390e0

SHA256
8ae7c8b10859a2c4b1ad623a6a3db3b77c9a75e97cbdc5c5a5c3f36c1ac33d28

SHA512
2e7fd2f58327b577188387c3d7fed217167834e511a403fa8a3a8694aa52b38db7d25678cbb864bc6895105d66fc3436c328eaf44342f3179c6878d8c23faa68

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUMo.exe

Filesize
238KB

MD5
476f534e571b86d0ed82dd8f0afdfee6

SHA1
31c8a36cafd746f012d0fd0fb88adaea528b8404

SHA256
d5ce5d283447f35d6e9960e324f90b81cc8c75db6904b7fb6af203e72fa4eb5b

SHA512
258c776e148a7f5b0a5437f77714f58de6d7b1e7b5b130e6fde1d48c7c9a95a4fe614efa8e555bc81fbe0bfa896b52ba0c4176a4cea88953e3aa8a08177b39ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUso.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYQQ.exe

Filesize
237KB

MD5
3381673f14c4dab823a2dc6eb7a64c61

SHA1
1ce357fc141ab364f65cb6cb0e29b4922dbebeca

SHA256
3c04313c58734394ac458d552f4bcc773b7e3abac86e83f1b429dce999359036

SHA512
4de5e23383c6ca68562a51a4041f5059301dd81ae56037ce0cddfba28d091c78fcd1b3283079131aaecbb78ee45b30190ddbc543b91394d578f8ff1d58b1b674

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEEssYoo.bat

Filesize
4B

MD5
9190189953291a74c5e5c00468a34922

SHA1
3d789e24583528ead49bc255535b5d150b0a1995

SHA256
557d416297b8a19eeff1aa18f5f091c4ab1ca9efee88646940093a7fb0357420

SHA512
bc47cb00bb976f8c56c07e6597a1cbcd97239e7730665be3d5a67abe52550898988d2477565d969b122e247c88dd42c1e044ddf6763ced59204d22c8c11b60bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMIK.exe

Filesize
240KB

MD5
497463bd4d58bf6ce7a82d2c4edf8a55

SHA1
e854d506e0200b6257e5e4ed2f94d28a322d96be

SHA256
970f9b697f2362f4eba743e4516bc47f2c2c7eea1ba23bcab5fc6ac13fa8c267

SHA512
1472afd8c2791071f921ddea1b7fecf675be8ff5646df63f8ce31d9c3ce0ef7f60f333016684ca545130b24aa195ff9dc5f11af603f8a2a57b1987322b52a0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMoO.exe

Filesize
319KB

MD5
aa9679f803a37ffe494ca04701aa4443

SHA1
2c5046ba9de5fe3585c5c1d205f70cf596dfce77

SHA256
37be5c7d2315389035f2f5d71f892ccb0cca44b284673cc0c40153d4633774ae

SHA512
cff69d486e49e6f3744b6e5e29a7e5c26fc7baeb737cba9c93cb3df0c8c53845bb3097e895b013e3db07cf50ac23759703d2f6cf23b976101eb8f9ebc185daf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qWEoIswg.bat

Filesize
4B

MD5
7cc3209d81bd972e7fcbc0341298700b

SHA1
e03dbc78e3e64bf60540b61bebb0431a0342d923

SHA256
4c64330c3e67ec1ef28fea8b1aa0edfe7776d6c271b6ee05630a8be5c1968ed1

SHA512
f62539cf3c380b5147a29bd9a35053d25ada7bd12625bcafadc0ce602e5f9254d602e94eda58b586b12e0ff612a0573c7743bc09f7fb6bc10d66e1ea1a736478

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcoE.exe

Filesize
210KB

MD5
48515c9c334874ac542d51da3e7f6125

SHA1
1dfc0e7c9d536115812398dfe7edf756e6b674a5

SHA256
8933371b1e4063fe04a623a6e10c90c179cbf80a76fe933a327f8feb4d0549ac

SHA512
d845c8af3752ec7db715c74ac5f7a6ed4bc87405db2f4ae901b662bcb83fba49e350a9365f06f9cc3233afe8730cc672548d46ea4715f46629a8308bbcb32412

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkoc.exe

Filesize
203KB

MD5
c9557e10efc326eaa8a503d40d6d66df

SHA1
eb39a2442549d3a77aa1b522ce5885cde8115213

SHA256
273ba223870316f9de0bf3773a338b2e1ab13d6a881045c29c8fedab4a98b5d0

SHA512
40fdc2a00a1f6b52f0a7a4c84287ecb16e155ea167cfcbdc9872f04b70451dc96dfec00398ded0d7944df931fb5eb41739dcf3744117abeea788afe88968f101

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkoe.exe

Filesize
184KB

MD5
9de679111e37fbaa1ce63ea10e5e2224

SHA1
2fddb8d70edc1dccfc542841e018793ad87d6209

SHA256
2cb45ffb0faa5436db04904faa25d5e3444103351d1369b58e5983feefad04ce

SHA512
67442d7e21401c77cd999a2011013006db7959c510a9b018d1ab064cba28512836bfb925d182f76434289c88556f3f42389bde6c856d00d2a99f1e73f8beecf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoUc.exe

Filesize
1.2MB

MD5
47bb231987c780c8c9231f709139d173

SHA1
054a12814fe719e05bf8f3cc43b9c1ece71efdc4

SHA256
59349c4e2abb08b96d0b5ec5b11c29a2c89274e6ebd576e288db38707df3b9c8

SHA512
fa272fc30cec4a3ef96d2455bd0b3752bb963c4dfbdf9c89228f339120891170c1a430ae5b528f02f10d40c554f9cb81352f66851eca1bf43ae733453abad18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\quMQssoM.bat

Filesize
4B

MD5
2bd13778b0aa081323e705f33e5c6583

SHA1
73f117f162a98a7ca66d3974ec52e715f601d6dc

SHA256
5f3f88e0f31af84c8d6cad0eca1518b54d498a06e21bb17f6c98b11b3d9d625c

SHA512
bed570eb4e32aaf9b348ab02dc28f7ca7be639783ebbfe16b9605088dff3a4d22e89bed5c65f96ee69b84e9684ae2b3780dbf8a1d78129a17d48a5834960729d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwYQAAkk.bat

Filesize
4B

MD5
840474a51c1f1a8ed90006eb6ea8a41c

SHA1
45f4f83fc54bd79125f2d9b8aaed54d575d92fbe

SHA256
f226f102e9a933d907dc7ce8d5066ebca3bc206ba6eadff8b67a70d6af296639

SHA512
5a5c6dc39bed81b6dc523455431a238ce5c424e8f3fe0b24568c7b9f242d5ecae65b4e01d6e53bb60151f985f305141e7371ed6a2dc4de90fbb1e754f6a909b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\roIMoccM.bat

Filesize
4B

MD5
139023fa9a8772c29beb53319dd4c063

SHA1
006cdfe6ad2b31bee510d4cc8ef302a74886d5cb

SHA256
f2cd08be7c8b3a975e62cacd64b0bc90309910d90a96eec852bfc3dce766357c

SHA512
54ac07d4619a546193c6b121fed0d7659fc08b514e811ce82907d1f6ce048f4777cb5c99ac65d309048ff098a58bf512d56446d9fdc27b70c3e20062013f8f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAMS.exe

Filesize
246KB

MD5
71d20a75b538b2e8ead2f7e4a5e487cc

SHA1
a3b53de5f7b60a8d45fc349f3fcef2a5b6b4aaf0

SHA256
c7d15acc69695a4c5f4cf5756dfbb32955651004a39e8cbc2539a78f2adb786a

SHA512
e4d27ee009f370ce131c6f6765c0ec8bc79c70e6fbbc6c33b969352793cf1372225f8e70ce7cdeff8c9ed7d4dfa4fb1c1acc17ff283505904e2d1dacc632c3f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAog.exe

Filesize
231KB

MD5
a81446b4e6cf804d382a31c7986d6c8f

SHA1
a824edbf16aa8a841482fa3ebe7aa9b1cc5ffe35

SHA256
8f9eda7f6791d1a244b1ce7100c18fe0f2959fa69628cb8fc7e4e604d0ea70c9

SHA512
ca2fa9352e9bded7523d40aacb4fc9a1fa14c263f9fcc6443bbb16c2bb6274ff9c463cd7f42a6e8f190cb8032a83b92a7495ec96986f893655d49f49896bd990

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMYS.exe

Filesize
244KB

MD5
f199de9e2eab95cefa19898667255541

SHA1
6cbc34982019727d9c203e283e2eb0c990a85611

SHA256
07f6035367d95b8a516cf538e2785b83df8059a6ac3b6ffccba9f45a1ace127e

SHA512
50c60e913d8eded70f14f265a8cd84a2829eaec8668dff3c4287a0fca82102978dfbb7ed996d96a6d629a39cb554dd0a754fef382bae4e45ca7b54e521bbca4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQse.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYsU.exe

Filesize
1.3MB

MD5
d75350a03b6db6706419663bccedb20c

SHA1
71e73ba662b9736e70158ac1c1835048d51f7cef

SHA256
feeea12b27026c3f59107004d9bff7851cc46f1cbc7017da12eb1c3dac3fdfd8

SHA512
180e1656a3315cf4fd9769a3aa570afa11edc87207ada8cd477b9995243f14db70c89f04ce33b3445fa5dba7250b9b62fbf30433c88d5b61092c363f0626b07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sggW.exe

Filesize
686KB

MD5
8aac92d10a0d66e6178347b984713d2e

SHA1
8763e0c853b72713df9c404857c58d2ed703cd31

SHA256
151e8c562b6d538050a1368e41e0b26dd949fdda999a35a6c4335f5995ac1c00

SHA512
719a7fa3821bef0a87339708dbd3cc9c9eacfbf336b3931065ce74996df95f5a3b696b3f64192c73638edac6b4fbabd0ba8b2484678d7c8e3b8dd340097ad5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\skki.exe

Filesize
817KB

MD5
a31fe29040f92a560427d35313477e32

SHA1
ba63c9b6ccff116d8284ceedea01f1cbabaf3acb

SHA256
6894c7c2a0ef69dac8a89203ace88b3cd17787fffc390ee4bf12404d35b92262

SHA512
82f32feb420c7584f829e483f428436078bf1c82ac46f2be7db58f2cf50435cb9bd86dadac6f13289303534b33471f8c8ac5ffc9159f37fec39a1a8f8c77ef6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\swsw.exe

Filesize
206KB

MD5
6899a1a4013f7cc12d801915088eae73

SHA1
69118f7232d9b1bd6be8ccbf0a5f02eda2327670

SHA256
b8ed4474069eddf2ba202b0cd75abecb66bba2933d2a45dcbd116ceccbe9a3e9

SHA512
1a87fc04036bbfac6facdcace32b7345ebf53a627df4b60f3bd24eb08de1bded3341de5b33c02673a952a6d1166175b0d8c23555b9ce8db1c237b2f11dfa2cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tCIMAcMk.bat

Filesize
4B

MD5
f0b2c9bb6ad8d92adb277bf1bf8be08d

SHA1
4af84f3867e4f1f0c177c3e37ac56aa7f5a88946

SHA256
87b928cd658e59204dddbf9fca32a3b4066069978684a4ea9cdb24866aba86b9

SHA512
c519f90b02ce502013daffe381ae5954f8375ea3c7515831ee7fa2356dfafc7d00ee4d73dcbd25afbd952fbff387a66cbe31a34f8aeaf1ad3aaa8c24367f8646

Download Submit
C:\Users\Admin\AppData\Local\Temp\tCYcEwQo.bat

Filesize
4B

MD5
f1caebdec60a025747b0cf066f3e22ca

SHA1
443f5ba92f14d5774559a12959d9b0ec4ee91fdf

SHA256
2dcc4edd728964c1dd1f7e646e55bcb7b70ea4701e27d41f9d83d3b2b2263cbb

SHA512
e93b585f98e48a96519c7ef7c336de7108ada09280edf2875cf2e452b24a94ef310741240ff1c84d8d44f548022d93bef6f5ae97533ae10327d6160f51955ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\taMoEkcM.bat

Filesize
4B

MD5
9f72e466f498d6f015b40c0d6e2bbee8

SHA1
38855a5c67fbabf601b29703980342f44807c6a4

SHA256
33bd0a7ae1c5567d7365dac08f5ff57f7f437fd920870f4324368b1e6d2badf6

SHA512
16467114eeb2e4591da855548371e37632b1edf13a5b038494d242c7753fd0c8fab080fd30f5be68c6682827b32165fcbe44745c48a65f0a7f30a61844b9f632

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEEUIAks.bat

Filesize
4B

MD5
a7e5a0d0a88c100bafea36164d1ff49c

SHA1
3f0a10879bf50b95f6b266766dbb9a7d110106f2

SHA256
cefd4d2cb03e21ca6e9ae7fa6ec64935e12e842757d840c8cef0af0514fa09cd

SHA512
a9cca1dac4c22d25730043957d37932c6e2db4ad7d34ac9ebc78e643861f583e331f76a5696d60b99003754fedeaf43388054aa396eec5cf75fb356c4ea5f802

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUki.exe

Filesize
232KB

MD5
3e07c2de2ab5c0b7648bff97c98e52a3

SHA1
dc6e021d0a30156b8a99bbf76e9361d9d5cc42ca

SHA256
f427d25e35e3d92e2827e3e80422742aaf026ad364d11a80855691cf9cea9200

SHA512
d280dfc3d159369f1eba8e3afc3b2a001a54367b8ee767c10cf744d794558c492c6e67836ae9d653c6ae343959174891b2b79699d43763022cedddb2e9f26db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uccu.exe

Filesize
229KB

MD5
e5603413efac772eba8d2c0583cfa8aa

SHA1
65391cab13d758d41115030bf1dbd5d4ed08e0d0

SHA256
1792f1c22403e2bef4150e41fc862a62a64f9f4634a554e1279779fe39464496

SHA512
48eefa048c765808890fa32aaf56e2644025c009134a802fd01b730c39e633062ffd96666746e6da4341f9184cd7d48a3f288320fadd1b99a5d085930c069584

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiYQIgIg.bat

Filesize
4B

MD5
f533f9b7ee2a9f207d441fe96b928ce6

SHA1
3a165d449a3ff6d8484e96ecc60bec4ad954b75d

SHA256
3ff37fba441ea14f4cba090adad4c680281a6221121ec30ea11817195a86fa56

SHA512
295dcd3ffbedda0d8d6a1a583336dc403b447701ea3d2c0b691446af20161cc40184a76a99181c24d8d786c0a1e8fe288f1dff62ba4cfcad030803e9d3cc8a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqgwgswE.bat

Filesize
4B

MD5
8192fb71a5abc31ac37ec98b8a3b27be

SHA1
c3f8ccd1198f36437aff7136a47865e30d45e935

SHA256
ab5187f01312d24271b96e9b686940e69d6abb6acf897c99c02750da23f34d71

SHA512
4b02d5ac1d7d9d0649b32e555e66cd706ce667902ea7e78592c7888bd32d60dc25c55e6cbbd5b0da308ab93c4f859bcb058749cb4fa311e798cd7e065c4a4833

Download Submit
C:\Users\Admin\AppData\Local\Temp\usIa.exe

Filesize
240KB

MD5
6fca5b2c886c23229df6cbaf145e9097

SHA1
b4f80696e335f42371e39ee476dfa469dae3d9cf

SHA256
67d3650949d954ad44beb8a4d11b0f7f52c00eb3e257d3845880136f7a621863

SHA512
cba7d19c22c152b1bb376832d6576ede367736740f0edf3d96bc96f5f057b225e5d64a40163bf0c261997e3cba402dff907f24fc15a1af6f6ff6706b020f4d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwEu.exe

Filesize
229KB

MD5
eb868f5c7a928fc7b8d3ad4f2d833f84

SHA1
2bff6f33e2c2e6bf8d879557b7730faf98b73da3

SHA256
29763ef2899345e3b90d561c97826d98fc047da4ed52467181a2897fc9157dfb

SHA512
34d3c0250042668e57a59a0965789a4fdd4fa6ee2f9919dbfbc14749b5ecfb0b5db61e01cbfefabbd95b1ad87e8f614131d5e34576d6fe7430603dcd238bed54

Download Submit
C:\Users\Admin\AppData\Local\Temp\vWQswMgM.bat

Filesize
4B

MD5
53176742cd356c01f36adad2e5f4979c

SHA1
9c2f10faa3afbfa63cebbb81397d08342793ebd8

SHA256
e74fbb99901e539d7c24a28380ae50ad6f3bca5abff210f0d9b6deda90d20e41

SHA512
39cdad7010bdbad10a2c05ec0121777b9c57217ad119d5f6adf29769d282e204975306e357433f5029d3b8e9bf505b0066b1b61de7ddfa4a2c78107a2b65f76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\voAAUscU.bat

Filesize
4B

MD5
dabcfd6f2b105c448c31293ad5fc1a95

SHA1
dad9332b7c40d82b197073123e246f248124bfa2

SHA256
26a9007f5724274c9f0db08d8ab821ee09580305489f4f99cae127f42b7cda8d

SHA512
436c0dd149501954c3143b9799cf150b235c1f508114ac3f2c94c115ec489b97bf722a8c9ada5cdfdee9e81702c54ece2e93259a539673b7d6402cbebf9549fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyMoYkoo.bat

Filesize
4B

MD5
7e8167f8ac1e5386a594be00ad17455c

SHA1
6bc5fce0fcda8574682c8ef683ba608f197dcf2e

SHA256
56e6723dddfad482df1cc1150dd4f4a83d6abdfadc08c745afb5fe1dee482947

SHA512
5f9b9f4d61d971abe3e33ded50e157a55bf4386a3d86e5c168cfc5b18734287bfa15fe8b6448efc1c03987d1c18865798726375a0ad9647a2599291e2fd5857a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wSsAUIcA.bat

Filesize
4B

MD5
00bbd6806f9dfddbb84ed4002c5426d3

SHA1
b16f280fea0511a27a8bd1858da0afd6f49cc27d

SHA256
df619a49564cc7ad28c43c0da323c45822080bb3599316790b659220d1c8b0a2

SHA512
0acf4171d64a4e271e7925fbb51841a2c7538c1d9dc17d28bfe028de667cc5af0ec0c5cd2c8695426c6f170ad2e2261f1e75e5055e8c3b5f972099c5ab856cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYYc.exe

Filesize
204KB

MD5
82da1ee233d95e8ee421a3268f904c52

SHA1
bac4a5724d7447285887b04a25fdb4482be52791

SHA256
c45e66c28d9b2a3ba981569ca87585d9812979747e411cd4738bdcfad3730e9d

SHA512
872d50c8dc83d906022d034e43b180db4a400295adcad1c84221c29bb64333f94f3d7267834c709aa7c8b7b677daeb2f5299f86d6f2d7573f818e5e3f622ade2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYgg.exe

Filesize
498KB

MD5
afc75c7bd65059cd77cf049ef7d8ac94

SHA1
9d78df63fb36c3cbf74ed80e25c819c5e3fccd54

SHA256
5ce0f9212f5cf486cfd90aff53670fec1504efba630d089c0adb76369a74f245

SHA512
281ba08304722bfe93a30ff603e1f2e5692d1df27cb44d39c3a5a773adb5c39fcf05254a2d2b380a39ea06fc817926226406f1358b72c1bbd9bf55bba23f6898

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcAi.exe

Filesize
468KB

MD5
85a487a02cf083ea11f9b088ebc832be

SHA1
807a2375e4f91ab2883dbf4bc402375359098e47

SHA256
875e5aca48d562c831a2370f94e20c04ac00dc05956a57f0ef30dc4aa67e61fc

SHA512
138cae55327669b61d6c9177bd6428b94e17ced283ac96a9400b64eaf898a60ff53efae19f8642814c9cc813629a2b24abccb0ba5e2378847d08ca99d9d3dde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\woIoAQgE.bat

Filesize
4B

MD5
49d816ee6c34d968af4f1e0e3620adbc

SHA1
6cddb7a6e477f07e513cc05587d46aed4744db2c

SHA256
150fcbd49fd68a029c92a3efb3470f06ebf64cea646d926be8d26f790e0fd2a9

SHA512
b09d1f32814f605a9b5a88d67293a2f9fc1e8af00759af6726347872ee27d5e57ebddbc237e8c94726a3b0858b019c48fa2995c9a68d3aa6128165489fc17973

Download Submit
C:\Users\Admin\AppData\Local\Temp\woMcEAcU.bat

Filesize
4B

MD5
93d02164d4210fad91f496bb1b551f20

SHA1
ef9c736a1d16c1a3528b5146fd78fddfe834bbb7

SHA256
a0a40ce41b96efddeab26c8e0e75d46200ddc7c607906504d88a7c4ee0696c92

SHA512
659c9beb021cc8f92f0150aa8a916bbaa2699be8e9b54268fc7b503a708989d1107e7529fb7ed7ca9760bd07a3f29352b12b947fbd9d6148c0f9b045d5052be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xocMwsMc.bat

Filesize
4B

MD5
940a07a4d111003718b56517c81d03b1

SHA1
dac1eef87326b235f7324bd7edb6ced7ad71ab5a

SHA256
b7970ac92fd6823bcf6d15ca10ddddb80b7b0dc4ba74141e2fb9221027d80575

SHA512
965841f9edd678e54769f93585f64455839158317d07b8bf277eca27e8e9e1e6dfb99bebd456da2d78435b8e5aba44e6f626839bac4906921d4fa807ad8a637e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEkg.exe

Filesize
236KB

MD5
1f4b0c116caab71ef6be188645c30314

SHA1
1124301a44265b505df34a6f1e8f493953697ba3

SHA256
b64a369bd6e53e2bb227dd50bc9f922aa42f1f75c1dd23a9564e671ca09c708f

SHA512
bb49607382c58774ddd5f143b368439a07cd93cb6dda566a099e1a83bc3828e188be685cece880e03819b09a8b486c00ccb727d1606c64fff39bd38d171d7b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yKEoosIc.bat

Filesize
4B

MD5
58183161b3f3ba909b9e6416c45d9774

SHA1
12ca6c42c46886251d07dc074fd663b6e5f00397

SHA256
91646c9172abf6b2ab93a490925647909e3a06577ef36a755a4407c0807ac8a6

SHA512
80178a40615a33884e159cef56034edcb7f1899a99116ec35a6545624a109897f695a0e76ceabb09aca23c38379d2103729918ea60ac62e0aa4af95b4f04aa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygMg.exe

Filesize
191KB

MD5
02dc19254df18dc3d3cec17013a68618

SHA1
77d01e06e20b174d5455bd2f6ac2bd10255b0922

SHA256
50e7af1f09cddc7c6cd35aae91f1e424902242a3c1fd1a3c1311b3c56f5ee14f

SHA512
e7d140805c3647780f2ce3ef24cb2e61bbeada65f35e664d864e9f896daf6151528326ee8bacad3962beb7192eb6bfe27f60fa435b06a62743d4f177607229a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yikkEUUU.bat

Filesize
4B

MD5
bdf212fbd0eadd3f952d5963415c55f0

SHA1
8050707903914777e9409e456944a3184f385600

SHA256
6923e33697974d102c2e73cb35daefe64001b4bc342e1d8a7f90d053f2bb9a58

SHA512
9ae8cdd76af781af62abbbb00c009005f911e49cceafc55ee774f1103be35460b094d8f3119c9bc0590dc6846439e3ff6d72ddc2b1f25087497b74b0a0f92551

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCAgkEYg.bat

Filesize
4B

MD5
51ab4971e8d31e6eb30e7fb552fd23a7

SHA1
d4ea2c84b6e561275719e31bf43cc37a454e0918

SHA256
b846889daa6485f2e0dbe9fa85726be29a2796fae50e87a89e6f90dfbde14ae4

SHA512
e971e097063b203a4a7653c7c9ddbc8bbfcc6cd59f939fea6720db931ee3cd7beb86cb0b23c110eb2798533a9f84ce52290e83066393d1d5184374a7eced481f

Download Submit
C:\Users\Admin\Downloads\InitializeReset.ppt.exe

Filesize
355KB

MD5
e6d3f6725b93508fa9de7e64231819df

SHA1
b6bab98bc0f4a78fb350b51f2604cf99f37899e0

SHA256
4547e734d32a2977c12b4d025b3f39274d3e28f8382d32f932cbdd6a9773d2c7

SHA512
8d1e9181d8793a79b1c75db22ca7d014f2bf823ee8ca828f457eb2ed5505064023d06b0016b56f2218711b1324663feb651561935c81bc57e25cca915d4ab021

Download Submit
\ProgramData\zaAIkMEQ\zGMUckMY.exe

Filesize
191KB

MD5
7f44c2ed41151d230cee3307c23211cd

SHA1
7f29fc4a34ee0d0eaf4c7cb530371b8d339c2e29

SHA256
29ba47726a83f4d014489e052cc0192ff504f60b1f8696b930240018151ded80

SHA512
5eb22684adbecf3ab1d5deb7c5c5bd3f521d5719867b77c56f42bd4aa71364093ee5574a8c7db5d51bf90ff25ca6a3f154b81f7297617582631536415a79f459

Download Submit
\Users\Admin\DuIQgwQc\bQQYAsYQ.exe

Filesize
185KB

MD5
c6b2483c0c5d9c4a124ea7edda9d6222

SHA1
b8059f793669b3c2a7a5643833f53f6e90afbc72

SHA256
4dec57ceb82c79716697aef747fc054bc2b81d21d920e51d52eb127cff225d8b

SHA512
ade0bcc5fba0b8277e76bc9bf8438649f81e28d2550d744c68d2b794ada93f0b663848d96ef8af48a8dedee73f6a305773d6d37de8c48a56d34cc8b1b97af2c2

Download Submit
memory/276-490-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/276-520-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/300-594-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/300-130-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/300-296-0x00000000001F0000-0x0000000000221000-memory.dmp

Filesize
196KB

Download
memory/300-295-0x00000000001F0000-0x0000000000221000-memory.dmp

Filesize
196KB

Download
memory/300-595-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/300-164-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/348-346-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/348-378-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/372-553-0x00000000001E0000-0x0000000000211000-memory.dmp

Filesize
196KB

Download
memory/668-573-0x0000000000200000-0x0000000000231000-memory.dmp

Filesize
196KB

Download
memory/680-105-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/704-273-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/772-306-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/772-106-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/772-140-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/772-274-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/880-154-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/928-129-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/928-128-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/1036-413-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1256-625-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1256-596-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1268-466-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1268-499-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1432-554-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1432-583-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1448-543-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1448-511-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1452-510-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/1536-440-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1536-475-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1556-368-0x0000000000280000-0x00000000002B1000-memory.dmp

Filesize
196KB

Download
memory/1696-664-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1696-635-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1776-202-0x00000000000F0000-0x0000000000121000-memory.dmp

Filesize
196KB

Download
memory/1796-414-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1796-449-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1844-424-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1924-563-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1924-534-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2084-9-0x0000000003DA0000-0x0000000003DD0000-memory.dmp

Filesize
192KB

Download
memory/2084-17-0x0000000003DA0000-0x0000000003DD1000-memory.dmp

Filesize
196KB

Download
memory/2084-42-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2084-31-0x0000000003DA0000-0x0000000003DD1000-memory.dmp

Filesize
196KB

Download
memory/2084-12-0x0000000003DA0000-0x0000000003DD0000-memory.dmp

Filesize
192KB

Download
memory/2084-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2108-400-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2108-533-0x0000000000180000-0x00000000001B1000-memory.dmp

Filesize
196KB

Download
memory/2108-532-0x0000000000180000-0x00000000001B1000-memory.dmp

Filesize
196KB

Download
memory/2108-369-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2272-321-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2272-355-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2380-81-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2380-82-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2384-282-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2384-250-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2392-391-0x0000000000800000-0x0000000000831000-memory.dmp

Filesize
196KB

Download
memory/2404-644-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2528-212-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2528-180-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2540-57-0x00000000001C0000-0x00000000001F1000-memory.dmp

Filesize
196KB

Download
memory/2540-58-0x00000000001C0000-0x00000000001F1000-memory.dmp

Filesize
196KB

Download
memory/2576-574-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2576-605-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2624-32-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2656-488-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2656-489-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2684-439-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2684-438-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2712-464-0x0000000002270000-0x00000000022A1000-memory.dmp

Filesize
196KB

Download
memory/2712-465-0x0000000002270000-0x00000000022A1000-memory.dmp

Filesize
196KB

Download
memory/2716-259-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2716-225-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2716-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2716-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2784-655-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2792-616-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2820-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2820-115-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2856-189-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2856-155-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2880-249-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2892-319-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2892-320-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2908-654-0x0000000000180000-0x00000000001B1000-memory.dmp

Filesize
196KB

Download
memory/2968-179-0x0000000000350000-0x0000000000381000-memory.dmp

Filesize
196KB

Download
memory/2968-345-0x0000000000420000-0x0000000000451000-memory.dmp

Filesize
196KB

Download
memory/2976-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3040-297-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3040-330-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3056-34-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3056-203-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3056-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3056-234-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download