974c10091ad320289f4bed8895fa0d2646e5fd0f2dbce3c1adc4f1f14f1b0102

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Size

206KB
MD5

05d20461f13f59e0d898e1d34e023f5c
SHA1

6ebb248de86aca8ede20ff0e7811ca0e4d50a2fb
SHA256

974c10091ad320289f4bed8895fa0d2646e5fd0f2dbce3c1adc4f1f14f1b0102
SHA512

d82627e6092d949737adddf1538c1608cde6e80f97ae09797490124676555edc81db50eb23126573cef2620783a2c0cd6418834520adc53ead871bc27759cc8f
SSDEEP

3072:lSLjO5gXGxvV8znamLjtBfrDMtCpwDpiB3gNiQIhk/IuPoOa/MXYrUGOs5K617:lSLS2G+tTfr4U3gRIGgn/MXdNs7

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	XCQoYYgo.exe

Deletes itself 1 IoCs

pid	Process
2872	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1244	XCQoYYgo.exe
2044	heAAEwQs.exe

Loads dropped DLL 20 IoCs

pid	Process
1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\XCQoYYgo.exe = "C:\\Users\\Admin\\uEgcMcYY\\XCQoYYgo.exe"	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\heAAEwQs.exe = "C:\\ProgramData\\OKEAIssI\\heAAEwQs.exe"	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\XCQoYYgo.exe = "C:\\Users\\Admin\\uEgcMcYY\\XCQoYYgo.exe"	XCQoYYgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\heAAEwQs.exe = "C:\\ProgramData\\OKEAIssI\\heAAEwQs.exe"	heAAEwQs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\hCskcYkQ.exe = "C:\\Users\\Admin\\nWwUAUAY\\hCskcYkQ.exe"	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\auswAoAw.exe = "C:\\ProgramData\\AqoAgcMQ\\auswAoAw.exe"	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	XCQoYYgo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2508	2656	WerFault.exe	1378
1736	1020	WerFault.exe	1380

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hCskcYkQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
888	reg.exe
2732	reg.exe
1500	reg.exe
2028	reg.exe
1716	reg.exe
688	reg.exe
1704	reg.exe
560	reg.exe
2892	reg.exe
1324	reg.exe
2080	reg.exe
2572	reg.exe
2140	reg.exe
524	reg.exe
3012	reg.exe
1620	reg.exe
2532	reg.exe
572	reg.exe
1020	reg.exe
276	reg.exe
1736	reg.exe
2968	reg.exe
2092	reg.exe
1148	reg.exe
2408	reg.exe
1488	reg.exe
3004	reg.exe
1204	reg.exe
2220	reg.exe
2876	reg.exe
2732	reg.exe
2652	reg.exe
704	reg.exe
236	reg.exe
2752	reg.exe
2868	reg.exe
1044	reg.exe
1508	reg.exe
2912	reg.exe
2532	reg.exe
2856	reg.exe
288	reg.exe
3052	reg.exe
848	reg.exe
1916	reg.exe
3012	reg.exe
108	reg.exe
1948	reg.exe
2680	reg.exe
2140	reg.exe
2500	reg.exe
324	reg.exe
2376	reg.exe
2352	reg.exe
2020	reg.exe
1840	reg.exe
1916	reg.exe
288	reg.exe
1948	reg.exe
1832	reg.exe
2104	reg.exe
872	reg.exe
1920	reg.exe
1776	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1572	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1572	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2416	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2416	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
288	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
288	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
3036	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
3036	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1284	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1284	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2552	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2552	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1548	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1548	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
516	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
516	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1948	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1948	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1972	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1972	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2828	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2828	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1540	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1540	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2648	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2648	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2020	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2020	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2220	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2220	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2900	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2900	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1616	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1616	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2368	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2368	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
964	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
964	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2104	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2104	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1956	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1956	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2960	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2960	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
320	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
320	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2420	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2420	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1380	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
1380	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2892	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2892	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2508	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2508	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2500	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
2500	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
880	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
880	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1244	XCQoYYgo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe
1244	XCQoYYgo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1244	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	31
PID 1412 wrote to memory of 1244	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	31
PID 1412 wrote to memory of 1244	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	31
PID 1412 wrote to memory of 1244	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	31
PID 1412 wrote to memory of 2044	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	32
PID 1412 wrote to memory of 2044	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	32
PID 1412 wrote to memory of 2044	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	32
PID 1412 wrote to memory of 2044	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	32
PID 1412 wrote to memory of 2764	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	33
PID 1412 wrote to memory of 2764	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	33
PID 1412 wrote to memory of 2764	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	33
PID 1412 wrote to memory of 2764	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	33
PID 1412 wrote to memory of 2896	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	35
PID 1412 wrote to memory of 2896	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	35
PID 1412 wrote to memory of 2896	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	35
PID 1412 wrote to memory of 2896	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	35
PID 1412 wrote to memory of 2532	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	36
PID 1412 wrote to memory of 2532	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	36
PID 1412 wrote to memory of 2532	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	36
PID 1412 wrote to memory of 2532	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	36
PID 2764 wrote to memory of 2644	2764	cmd.exe	39
PID 2764 wrote to memory of 2644	2764	cmd.exe	39
PID 2764 wrote to memory of 2644	2764	cmd.exe	39
PID 2764 wrote to memory of 2644	2764	cmd.exe	39
PID 1412 wrote to memory of 2804	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	38
PID 1412 wrote to memory of 2804	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	38
PID 1412 wrote to memory of 2804	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	38
PID 1412 wrote to memory of 2804	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	38
PID 1412 wrote to memory of 2868	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	40
PID 1412 wrote to memory of 2868	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	40
PID 1412 wrote to memory of 2868	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	40
PID 1412 wrote to memory of 2868	1412	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	40
PID 2868 wrote to memory of 3000	2868	cmd.exe	44
PID 2868 wrote to memory of 3000	2868	cmd.exe	44
PID 2868 wrote to memory of 3000	2868	cmd.exe	44
PID 2868 wrote to memory of 3000	2868	cmd.exe	44
PID 2644 wrote to memory of 692	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	45
PID 2644 wrote to memory of 692	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	45
PID 2644 wrote to memory of 692	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	45
PID 2644 wrote to memory of 692	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	45
PID 692 wrote to memory of 1572	692	cmd.exe	47
PID 692 wrote to memory of 1572	692	cmd.exe	47
PID 692 wrote to memory of 1572	692	cmd.exe	47
PID 692 wrote to memory of 1572	692	cmd.exe	47
PID 2644 wrote to memory of 852	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	112
PID 2644 wrote to memory of 852	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	112
PID 2644 wrote to memory of 852	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	112
PID 2644 wrote to memory of 852	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	112
PID 2644 wrote to memory of 1548	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	120
PID 2644 wrote to memory of 1548	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	120
PID 2644 wrote to memory of 1548	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	120
PID 2644 wrote to memory of 1548	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	120
PID 2644 wrote to memory of 1684	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	123
PID 2644 wrote to memory of 1684	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	123
PID 2644 wrote to memory of 1684	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	123
PID 2644 wrote to memory of 1684	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	123
PID 2644 wrote to memory of 940	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	52
PID 2644 wrote to memory of 940	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	52
PID 2644 wrote to memory of 940	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	52
PID 2644 wrote to memory of 940	2644	2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe	52
PID 940 wrote to memory of 524	940	cmd.exe	56
PID 940 wrote to memory of 524	940	cmd.exe	56
PID 940 wrote to memory of 524	940	cmd.exe	56
PID 940 wrote to memory of 524	940	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\uEgcMcYY\XCQoYYgo.exe
  "C:\Users\Admin\uEgcMcYY\XCQoYYgo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1244
- C:\ProgramData\OKEAIssI\heAAEwQs.exe
  "C:\ProgramData\OKEAIssI\heAAEwQs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1572
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        6⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        8⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        10⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        12⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        14⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        16⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        18⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        20⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        22⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        24⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        26⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        28⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        30⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        34⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        36⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        38⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        40⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        42⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        44⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        48⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        50⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        52⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        54⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        56⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        58⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        60⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        62⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        64⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        65⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        66⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        67⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        68⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        69⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        70⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        71⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        73⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        74⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        75⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        76⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        77⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        78⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        79⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        80⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        81⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        83⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        84⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        85⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        87⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        88⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        89⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        90⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        91⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        92⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        93⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        94⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        95⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        96⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        97⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        98⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        99⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        100⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        101⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        102⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        103⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        104⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        105⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        106⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        107⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        108⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        109⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        110⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        111⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        114⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        115⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        116⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        118⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        119⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        120⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        121⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        122⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        123⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        125⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        126⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        127⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        128⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        129⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        130⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        131⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        132⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        133⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        134⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        135⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        136⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        137⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        138⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        139⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        140⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        141⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        142⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        143⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        144⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        145⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        146⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        147⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        148⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        149⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        150⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        151⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        152⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        153⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        154⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        155⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        156⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        157⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        158⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        159⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        160⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        161⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        162⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        163⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        164⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        165⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        166⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        167⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        168⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        169⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        170⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        171⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        172⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        173⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        174⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        175⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        176⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        179⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        180⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        182⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        183⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        184⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        185⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        186⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        187⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        188⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        189⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        191⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        192⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        193⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        194⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        195⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        196⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        197⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        198⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        199⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        200⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        201⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        202⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        203⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        204⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        205⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        206⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        207⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        208⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        209⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        210⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        211⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        212⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        213⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        214⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        215⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        216⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        217⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        218⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        219⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        220⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        221⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        222⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        223⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        224⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        225⤵
        Adds Run key to start application
        
        PID:3004
        
        C:\Users\Admin\nWwUAUAY\hCskcYkQ.exe
        
        "C:\Users\Admin\nWwUAUAY\hCskcYkQ.exe"
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 36
        227⤵
        Program crash
        
        PID:2508
        
        C:\ProgramData\AqoAgcMQ\auswAoAw.exe
        
        "C:\ProgramData\AqoAgcMQ\auswAoAw.exe"
        226⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 36
        227⤵
        Program crash
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        226⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        227⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        228⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        229⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
        231⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        Modifies registry key
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EigoQEoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        230⤵
        Deletes itself
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mGwUwAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIYQMEoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        226⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCsYcIwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        224⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQMIscIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        222⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\leUQgwcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        220⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dcQkcAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        218⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMUkYIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        216⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NascgYos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        214⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\skskMcks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        212⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KWooYkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        210⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sSAEcEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        208⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GOIYooYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        206⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMIQoAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        204⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DaAoQwIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        202⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgYEoEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        200⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAcQMkoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwsQUsMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        196⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JCMoAwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        194⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JCgAAokc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uaYUooQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        Modifies registry key
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgMYokEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        188⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        Modifies registry key
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mqgwggkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        186⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ugQcUsgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        184⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ouoYQwkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        182⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TsAIAQcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        180⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pYosYQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        178⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VoAoUAkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        176⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        Modifies registry key
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\feEIYUMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        174⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAQAYcAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        172⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUYgIYkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        170⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIIEAMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        168⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SacUIYcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        166⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wwgksgUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        164⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gyQYYsYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        162⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEwsAcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        160⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmYogkEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        158⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAEEMQcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        156⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hwcYscYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        154⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgAIwkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        152⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mGsAoMEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        150⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGYsUUAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KMsAEYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        146⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies registry key
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yqcAQoos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        144⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GmoMYQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        142⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hgssQEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        140⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\piQkMIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAMgAkAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        136⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tWMUwggA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        134⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUsMIMEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        132⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TYUMYAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        130⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mSsYYEMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        128⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SocMAwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        126⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUwoUwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        124⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECIUQgkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        122⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eMkgMUQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        120⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCUMYcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        118⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LsMoIEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        116⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jAwQcQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        114⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCcswMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        112⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RCkossgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        110⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEoAcIQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        108⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogIoIIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        106⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ekgIIokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        104⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oeMwcQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        102⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yawQAQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        100⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKoEYwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        98⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LycUMwQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        96⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqwIcQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        94⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hckMYQcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        92⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jkIYMgYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        90⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rekUcgwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lEggocso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        86⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KwsokwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        84⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqwIEkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        82⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CmoQcUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        80⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WEMAcwcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        78⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWAYkkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MuYoowko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        74⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUskYoEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        72⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSAMYIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        70⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmMssscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        68⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYYkUEsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        66⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rcQgIEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        64⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWcQckYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BosMIcEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        60⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUUEsQAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        58⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQwMAMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        56⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OaQAYMwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        54⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wWYscMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        52⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sYMskIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        50⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIwQUUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        48⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\raEcEogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        46⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUQgsYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        44⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hqQUYAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        42⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rIMMkokw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcscMMQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        38⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcUwosoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCgcgQUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        34⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tuQYUUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SYwMsoso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        30⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aoYIEgEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        28⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\csYMQcgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        26⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qqwwYMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        24⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\amgMkcgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        22⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sacAokQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        20⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fogMEkEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        18⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmMAYswk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        16⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nGkoEIkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        14⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nagoMAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        12⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\risMoEAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        10⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FskwAAcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        8⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1972
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2848
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2080
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1088
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GGsIAEQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
        6⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1224
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:852
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\AWIUIIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:524
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2896
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2532
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\eIsUsIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-615117038-165226680-131239729011552662651095360284-15460689211356377976-1493558956"
1⤵
PID:852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-718961364769291776-1092369692-1967384900-49100044212745318611344613676499088203"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "176825038832849793872986668-1784756272-1577075785486016050-990124332-1927893094"
1⤵
PID:3036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1747936276-572466607-310307701-312593011-1536430495733977422-1052177293-1306704328"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1995712368-1222339258-19235814701696021077-1590843188-190672626206749511666775627"
1⤵
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1116224653799358044166443983074080838455262343641130871620971390-348376528"
1⤵
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-66272749717555202761962182175348516352-771835800-1981542029-6937933831292578148"
1⤵
PID:2556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1798344785163006180-858683424261054155703262884621845154-1497107980-1291584930"
1⤵
PID:2292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2843095101081787783329540219-7517793641422482793-652830658-5281606702126292727"
1⤵
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-82888611210066601321503582241-2040444920468343194227898949168249482-445820777"
1⤵
PID:2968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19064362761023465821-444039902-15892689961862021037593760961137442891-1312124837"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17977459281230590739-1464698667-555988755780987359-284763860-12849734601395566367"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "981574212-4389705031289928145113340610017479589003113415751706418703-46781267"
1⤵
PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13710808482060151610-881953688-219115657260781695-1794031626-1935965604-946863479"
1⤵
PID:2524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-472519846-184358202620702615142159493331984352912-2147334573-1340128024-2057059544"
1⤵
PID:516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-86257390-15944688851302675461029379409-179622746670307424118595950911897140253"
1⤵
PID:1060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "461649576-60487602010920994820908095251421544640-808668171-1511795829-1334462110"
1⤵
PID:432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-101753510220697531959917027081618288902-165434118811174742481656261324-1354724784"
1⤵
PID:1008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1650467371135798571-75514288217667540241701965190625525325-1546571946-1888866526"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "333437626719535602-686953440-147164000612937452001727632004-259394979-105690990"
1⤵
PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1797575891158791230075748292313786580241476812535-2116788372-1266441683-134804559"
1⤵
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17143596525420683301771057646113495690010310560761335038837-1482112257-1836527908"
1⤵
PID:2064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-221429179627396001326999391-301517254-136405836019912953861715091006-780908576"
1⤵
PID:2572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1377208248-86257918253879921-450257823-1153329060-91039409618082331151189851149"
1⤵
PID:692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "491807270-2044063132-14423651526515662257605277651985673014-12260140-1382807638"
1⤵
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "146983180823496062-181324402211989748711406639768-304247882-1667502438954654639"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-76184696-282150573-4413004582921797301303796083179829689-182473715590610597"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1509303520-75520153117871880111822221658-93657647615610508361683397203-31922072"
1⤵
PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-209359501719743141642065704085576920722-1875436457-1163422256-234167105-1827567630"
1⤵
PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "770252476-804359744106394802916793140188752971811932249038300802600152578013"
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1540863995-1511591295-277848088206463118-1609038109-871573467-2081254919-874060677"
1⤵
PID:636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1007062150-364874577-2855426852107828293-215393823-20290326952060786012-1776417917"
1⤵
PID:3000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "331389784-17861041-1821842711-282434067-1213168870-1004460137-817444263-1076376294"
1⤵
PID:912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2058673062-2031793825909072507-666744820-1193894853828930266145814493487809403"
1⤵
PID:1076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2048864376821907074232848997171462296819981399711640785391-1234021691397438461"
1⤵
PID:2648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1287900804-511315588-1930209195-15285145191803137-8807141871921256562-1199303154"
1⤵
PID:1460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "225201379-42543020767791415713795870031893057987-178137763853769064-1932860875"
1⤵
PID:316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2055671838-826671310279675678881571842-183161695616213275791380780224-796521096"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "149209115928694452-1877253428-10250246031250573331571557782-1426009484688440519"
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15316292407331863231396225825-1515664833992978243-686553486974797057872912180"
1⤵
PID:2584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-475363295-18958448736298485041117392457497260603388059631-29840733-677324087"
1⤵
PID:964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "697100269-305962636650409158-919273897-520957521-1756776122-562301379-567600296"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1338302951-209478042462245359749859812469903815915463928017517868802121185211"
1⤵
PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10999256451305538470-1889381518-10678844561039676683106806030413635709621866549924"
1⤵
PID:324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1723079368-1920342339-299844679-79781792112946554213167930282022832445-205084457"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-827687057-5038853111740218579755756620-8174297792108315329-21113432151745529456"
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1384313394-1369502785-208297868513649841221459224956246164253942748391749674836"
1⤵
PID:2496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "34689804413089139581779241505-1463757666632044483714464224-19374595891384045180"
1⤵
PID:880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-450536934-95069372911940641882018239886-247379023-1453661512786508673-618659374"
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1318676300-1941776079-1110693036-1101201336224347302613648814548803066-1704624837"
1⤵
PID:1956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1640019268-17179805771061745399211485370892603011-8450777221440943951223580261"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "75503529-2021482438-1187720097-1416855015-316732033-963453311370090423-1933230307"
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1521318988-13356731921075612597-459375126-606236058983034667-13394787182049221151"
1⤵
PID:1236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-188286316-401884022151077593-147013737321840009917587441921753885661654664499"
1⤵
PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "43955454267388062-645010925938033337-288514157-2104265175-11423614521492711178"
1⤵
PID:2080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6547160051018500246820802396-15931562601125995645-1966387408276867869-624045170"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-770793850-2001894065-1265934239451242714116814036-1154207747-9432522751369229640"
1⤵
PID:2912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1240869706-75308644815799030522061522490580446214-1680498621852890318-2018230715"
1⤵
PID:1072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "368293901-412415031-1931813905-1317156530-1819406274947826502622854419-1728375669"
1⤵
PID:2536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-256444686212594232816878716751334902281-1171885291651700669-966323241-697023418"
1⤵
PID:276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "33271565915990351-1832758497152790786911161933011832758333675501586-1466598474"
1⤵
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "108236422217751868537331849-622286329299558282328944611339907091787921895"
1⤵
PID:1328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1084598148-16689348631820668813-1595977075-1269219553262156355-20623248511396789583"
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "875094799781213175-1585686215-1557819709-1686020098-125395752146122013-1544633624"
1⤵
PID:900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1154711275-877319217721784426190529362-805122788667726272-14412589351645298881"
1⤵
PID:2944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17618622221747283246-573127931-20477042839297427781381386504-966531264-1974556124"
1⤵
PID:1088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-924316512651542946-1382497202-6370758641123018058352091040560872905-1096845431"
1⤵
PID:2384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2143429410634220819749479243-1851698092877366265-1359286029-11608343331040094550"
1⤵
PID:1940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20902054151134805888-108044489147080122210929729721296021801-6779664141358201582"
1⤵
PID:2376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2055690081135113271547293580-17862794321263711585573032706-381179181-2001373821"
1⤵
PID:1888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "227289420-692782053-354311377203124473153885468-1329201283-724385890-614224306"
1⤵
PID:2960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1206781816061582748697625797620012-53371089-86785338416721027981038104264"
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "625604837-347959144148372468710078701561264168137-46601913014882145321746762897"
1⤵
PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17409845521418671818-292205800-196548630010258566891567762511-1151083242-447434561"
1⤵
PID:1484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "664342475-4033702141014744945-4643416991876114201-1053430829-232454439-2065191796"
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1266839897-14150519771179253987196614195093210941276348993210590896112124037149"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "124405039781139121745289970-1200404524-1249041166345919792-535188350-231722072"
1⤵
PID:1220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-977607721922568572-4848008001904890528-2003027385-1147236165-1431550172050873840"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1639749494-21421606261171311901981425572-1333744114642405917-1580396160719811780"
1⤵
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11004107811997012760-62552955713363628951115313303-2859903231897815330-771772054"
1⤵
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1465309999-407872590-8866038811581764231655892668-15406010491732434927-684551283"
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1522159696-1959256851-1211447605-137009726912693698991771733590-1656119701-1404211557"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-222726941-3883637815914546882006942899-1677366620-1206999831-1048615203-1963110554"
1⤵
PID:2688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1128253718334257887-3002937718777095082050106851363925624-9039107491072662865"
1⤵
PID:472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13709658381361363900-1254470055-842129885981706384-161779536906208912-1529373644"
1⤵
PID:1148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5730463421710689995208902783-171208919-20576444862045941120982668963-457547992"
1⤵
PID:1440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "185167336616851519271230330341112372328616970720811713427097488942773-1323202340"
1⤵
PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-542569738-847029334-1236491796-1386131961607470037745954505-1012525881-1271496584"
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7133905615869520271983489115-394858473-4354268635705842188986757181453067831"
1⤵
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2136251951-240209972-95340375411692812618120903201927737872794856673-1807998420"
1⤵
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1438404728-5911005831152193009-1640034178783011894-1903343187-1890932855-1220832482"
1⤵
PID:1044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1250950699-447949218153848076216967247451915537148677492835-20031544921617420389"
1⤵
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-345478519368751913-11293219071086272689-1046593481-238217188-1693411357236255439"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2900060912004126868646032795191999713416247742107120243161562729200-1473150046"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-799449291114496555-1887153550-1427367159-405914890-69529313-20127927591815632681"
1⤵
PID:1812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "441096540312913416-96090562-1956890529-325969336-1316477207238097172-387213693"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "974933402-19419641111570690813696772154-466678154-278258656-450501658-1398124942"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-336078148-3433823221399534851-1942745477-1763016441-468539691-8808318901084195811"
1⤵
PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1685741355-6713929682030461371164758821-1838590494680333252286301306-1471294627"
1⤵
PID:2648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1813023134-651841099-476896364-7650843901949303233-476256114-1707567019-1649176308"
1⤵
PID:1788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-212940061-177443501-16483568131488326921-17435518731391129974-19434762851130734257"
1⤵
PID:2400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9950101091781800283-357068199-1265515467768316630178112978057300248496477789"
1⤵
PID:1184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1115733483922822782606916733-1944654262-5176429011519023408-470121875115850007"
1⤵
PID:768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13061658831073703853140882369298837502248417165478698351918219096791155425252"
1⤵
PID:672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-994040296-169447451855750677443120101656368274-1254100649266628509584472666"
1⤵
PID:2812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "540124051-13971728504467087761026801301-41586119619278055001163633717-2011614362"
1⤵
PID:2580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11839078769150265371212189461632491968870212108-1213063456-286847511-1455418414"
1⤵
PID:2204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "113630099712018186151713199009-9557549601059179172-213347813311051714971275172290"
1⤵
PID:2612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-806785287-1178494430-1109362205-37462775717548077251287160834-1473843103-1256146248"
1⤵
PID:612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12895474661949939071-1011135897-1432660879868421392-269255150121186049694506730"
1⤵
PID:1956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "818125532-55166234014887315451697623453716418665-2079272087293167086557317668"
1⤵
PID:2504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1891294623-298504842-12636915692470118531021695959519098109348244955-1977300026"
1⤵
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-530683601-1608143912-1157280666-14201040091532166149730420051067304898527022594"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1971857958-1977615957598142159874759287-21062423291510773383-19884390342053882424"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5510689851146662056-595719842-11449616231957663447-227748550-634731406-1000685716"
1⤵
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18225609301549562306266981583-1875815621-1278233332-1600730733684058284-1859804049"
1⤵
PID:2272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2114116917-12090223651971619468917609371-2094393124819684042-15514644351605065419"
1⤵
PID:316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19208760776608113321432248017634817601839704081-9162639951247221296-1078625318"
1⤵
PID:2244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20110304762917664581494583917-1647550906-88661801-251547706-2090274225-770471114"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-322670489-12895000451399585012719159657-1078264872-15088049651005791237-1412044239"
1⤵
PID:2124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7741985071961110264177448210911918617141534605822-1361774106-19485541421204599057"
1⤵
PID:2312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1167409476-3196174031242721027390451917-489429727145870995014258138661388631174"
1⤵
PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1920049400-11105136816875025733255839281203887700327935527-7786781831933942305"
1⤵
PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6181364732060159390-20601156631810409237481778508-1457543141-602542893364438924"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1417106672-98786064298169624211277741961884060029-10278345135964223391172795763"
1⤵
PID:1272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "75549599613177883015737166161913857867921446705-663035707-18260141011221395166"
1⤵
PID:1584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1684116085-2080277123-1733477486-66457140680447849-464716962-1433604574-1719866643"
1⤵
PID:2864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1465636896724844044667672039-780305596-1910713622-1971840-354398288-1457155569"
1⤵
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "598779259-1552541296403711271851586935-1717699240-1553358299751977789-1344532784"
1⤵
PID:2028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "316130185483724735-301020093-2085655215-115060806-97296798881380667609295490"
1⤵
PID:2156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "257011843-609679316-1358234280-3369227781832022841-1314413465-16521397592070203761"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "623105081991481981-15215493904733924911813743420-631357138-74713331-1732144149"
1⤵
PID:580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10353637720436263891631690060-573617482-353082771-1093545574-1005333118-1066999018"
1⤵
PID:2092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9888455822081774481632759532-379289757351102847-4991755631899270252-509158091"
1⤵
PID:524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5570955991991237049-79924467810773092711917911399-100962446890809485910778325"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19781194951872154291461532614656707913-540259414699844911986880148-757893494"
1⤵
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-43386169-836181605984509650-1028238744-14152143111119271133-392755055380869735"
1⤵
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14401991174461219882097750712666844954-94403634-882900828-14183824841574857858"
1⤵
PID:936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "203797935352529088911478200831577760125659478708257747850-269993805303797658"
1⤵
PID:320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18994776771021958614-1314180229-68278468378519043763311170-258079859-1721105928"
1⤵
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "228895638-8459441771385150996613663728-1417904681-4779113876404062-1935839180"
1⤵
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18475212613202426122119338421-1955046104-159518157219437776281443249895-299465808"
1⤵
PID:288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1747796360-144184214-1165961238324316024745126406-1274063739526878995-2104198822"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-200971572490826930219862668751448002208-923447629-15701175431668942686347394638"
1⤵
PID:1456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-485272671-432934591185619452614639166760499722213735089461630710163108600395"
1⤵
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-175670860-2037327656-1860717665-13803476591198023737-1446512399-170167655-671656841"
1⤵
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11689763451537147640-9533376221970990098-2054037135-7070821441498534656543823969"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7648880381750500135-730576534-1133491433741734794515382149868782291-1621264423"
1⤵
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15033769841219128940-662134197-15844737732782232741736047566-9552676641747415487"
1⤵
PID:2440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "362260898-304299801-20668045771025393413-1268225184858788591-43758111-1808432689"
1⤵
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
331KB

MD5
ae88610682827f6a72e7b991830a4579

SHA1
e3061309e399c280175157dee97f89773124a4bf

SHA256
a8fdb0d0992f48b20c93e4bdb9b79b035f9b7ac5377b72115371d10c5614db2b

SHA512
5704594209effcd5c6408abb86ffb475816407f6f3cbec9a42cf4a7bb8c575cd9c7a97eb6826cf488724079ff8b75ca50c9ef69c17107fa520ec7db424cf1116

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
234KB

MD5
d573ba68c4c60f33f311de6b9b10d90a

SHA1
35406ee7e2685e7c23a65405537b3c972c8af18c

SHA256
95addc20d460e98fa47689e55d18f5e06f5c5c135eef0aafc78ea03f0ffa32f5

SHA512
eb6d92afea218d551ffb88b727d1884d0d0e092619ba5dfd9a3fdbd7e58a078585ef2beea1bde211fb5133e6a96e307606718b2cd6c650993795d6695c02d6c7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
239KB

MD5
0883244535d9603795c92ed865669c99

SHA1
37e71f9f9141962534c992e540cd35500d991c70

SHA256
1f9761010aad31b7bd3650e6e2cb140d7d571108b6d169deb650779c046c2c36

SHA512
6a3471a660d924cde4c18a4c2d2544b403fab64a608c71aad2de4771e53629096131798b83da2f81dfe3354071c1ce5b6fefc04a4e741e27d2da4df92b1a1670

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
239KB

MD5
c1545826dabfc2e00c9eb924d159bf6a

SHA1
684565d76ee10c378e3a02051423e31e2eaa3e6f

SHA256
0d4960c0bec4c6f13f47183655e55c978e208865372a4698e3a71caae4d2a1a0

SHA512
818c1a35198049b9817d9d88f8ee9ad47c13d63db8fc8f60788c24f011533d42667ce2ee272ed6e1456bd342afcfdb7890486fc94d6415433332bba1928fa25a

Download Submit
C:\ProgramData\OKEAIssI\heAAEwQs.inf

Filesize
4B

MD5
a109df8f7c21cf76324a3e2169240756

SHA1
b8a503370a3d5df1c85aa20270d2d9837b11f7a9

SHA256
63480b6eef4aab63436bb529cf67797da235e9b4c533a322cafb61e8ba9cbdfe

SHA512
4781c574e1dcb26afa6b71db93afb372973b2574de4aa94349d584fa29a6a4b79a86b4aa2ca6c1ae39e1a50e035515f3251c93d3041163bb868982fd324890f5

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
825KB

MD5
8f5e04706f844ec369e3d48debd73636

SHA1
503ce7121b9a4fe95d9cfbc3014fabb7e2b9b212

SHA256
b2510e2230a4c24c1f53f9dc014f982f451058bb8ac026d89c1fee8ef57ef044

SHA512
3dc6f4fc945d4642e971e9b8b298e344d94d644d5b16a3b0c6822b2467a5f751b6c1d6b72d6866c9ac21122a6e6aad9f012b808c1337f8a354a2b509c63e1680

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock

Filesize
4KB

MD5
bb7255458e1c816ccb888d604135a4f1

SHA1
e9f95173da05c5a7f1f79f9dbfc90dd39230ac07

SHA256
b8b202a482f05eeb568a70a96db66e5d928f3b386e1866821c58d4c8b736817f

SHA512
7cf471a2a27b7aa96a5c01e178af7c3e41520f23c49983f95f062fa07dc3cef7a5ab77b6ae3aab73bf64b902ae25c5bf7bee963b090d64adf4e6c62bdee2ab5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEMk.exe

Filesize
213KB

MD5
de7033517040806614bef6b6193c7b3e

SHA1
d95513fd5e8486b81f3c10464f2804ccb972a22e

SHA256
248372ba530de15fd9f71112984add38197a7b70f1a07db96a5a7a4f44385358

SHA512
dece96550d05355ccc2079ae704988699afee42c11f703467f80a18b632b3c7520972bd7d338e0481dcaf3c5ab4580467755e763348906a8884747314bef0ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQkY.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUAi.exe

Filesize
244KB

MD5
4a21e09f34b251867bf1aa932fdc28d5

SHA1
78c78acd293bce05aa2d593e5609d4597d1fa354

SHA256
18b7bbbc2e669cfd15b3cfadcf3ff99bd5c31bdde11c6b58af17bb6cc3e0ed12

SHA512
ba979d08c65eb5efa96963550f3367e6e0576a0e0bc3d1e617a75d9535c466598a9c614f35fc7c44e83ec67e6cee7d3d6d8b3cb58b7bb6ac93eaad8020467182

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUUs.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsUI.exe

Filesize
324KB

MD5
c9b63100527f70ad8e2d40f494d9b42f

SHA1
922f35c3b2913906d2911ebef80e2d5ae4c75f81

SHA256
67c036397633e5f9612bf6dce8c67c2b0a1f5f968553cb6f50739bf23cff6928

SHA512
6b90a9961caa5dd9f8189435a868dd4618fcb275c86de9cb5c3d7dfd94c114593e0e46afabf8e1af32c04cd015590a3a1a119f029065f5e38984afce0f7f9676

Download Submit
C:\Users\Admin\AppData\Local\Temp\AswQsQcU.bat

Filesize
4B

MD5
9ca4843590ccbd0d638a6fb036143c34

SHA1
25475351fb891bdde1bc4b75901dec5b2bab3734

SHA256
7841ff1fc9296e5f9586a41bc3dd274af319984b796912f41f31b2a1e566922a

SHA512
2162a7a59ea588518b5c9861be48b0c8a722b63a33936ac63768789f740176acb47673b0cca7dcdd86a14a151f3943ae71559a4a9096032c86784d51f7e8fd18

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIssAgMs.bat

Filesize
4B

MD5
8abafd295d317fb341b275e111741aa5

SHA1
ea80a8b46f14dc95c9db95d0cec4e272fb4e806b

SHA256
3d100207471271b713f1646579496017900c9e9703a0ae28c8706fd762599242

SHA512
d25694e5bae5db3fe8741bb5222d39b580389fd293fb0a17b2fe8eddd78151d165132bc2f6c5c77417ae3a81ece22fab949051d3cf1ff6941850f242dd46e3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BiEIEgEU.bat

Filesize
4B

MD5
bdd7aad7fc297cfa67edd97cd8de41b1

SHA1
28f2e242b20ef9afc242a9eeb7a0f72ad9a1b3c7

SHA256
64641c84227835dbdcb94b988a9cd9ec2ef1b7e02b2998bf35e389e9c334408d

SHA512
d388cb5e115ce7c0bfd415801faccc6daa4dab00c3bc4ebca8725fbbe8b699a8d08439ace36f1ae933e0671b03e072ea9b895a033fa72b2beb3286bd386aa0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqAwggMw.bat

Filesize
4B

MD5
28f1b9c2330bd0a64e23e91ce6bbe245

SHA1
4bac976ccedada1523f37a47fcfaf43fe1a1313b

SHA256
eee68aa0389bd40410b533aad2e390ca33104be99213e8fd4c38f5616bdbac8b

SHA512
490d12c69ec8051766cefce0ff55b285abf6826e712c846ce7cf61fe3613670785761f1181edd49897203da35de3441b668a646b69d7fd61879a0e28c607fbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqkUgQkU.bat

Filesize
4B

MD5
79ff99137807d2533bf4fd83cf6d823c

SHA1
1c79d3c71ace6530a9389c3f5ff9fdd1381ce6b6

SHA256
a2a64da2842a6896ee1ecd1b6fbfffbb87cb8f533a887fabb00d6a99fdb027be

SHA512
78d783827dd3ebb26bb30ccf26aef944c815f1a0500a70e34e2b83d16edf5c97bdd05f253b7f4d39be38efba22c436365790123f02dd5cf458158b190cd0c3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByYkUQws.bat

Filesize
4B

MD5
a058a00f9a7b16c62193602e0a4540bc

SHA1
70ae0d44cfee412ed6744458156be5658b42d8fb

SHA256
0742b50a2897162bf139144e2239cab75b9d14f311fe6cbf300ce14cb598c60d

SHA512
73a387821d71593b2f1684b0aa9089ef4c0525406f84459f7631ad24610ac9a81c947fba9e6089505dbf5b4650ebc45e5899a4ff29a002d21d897c66abdfe6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\COQIMkQw.bat

Filesize
4B

MD5
c2e41d4f07b1306cf8adb41bafdfaf77

SHA1
3f0e33b6c65696cd78d81b67ad91071e6ee9a210

SHA256
e43d3762631f60bad9cd0b1fadb08b80807bcd8a7fd5bff956489041bed3a036

SHA512
964b50915441fc2051c2b56e1fe73e919baf62532cd1d3ba1463507667e591c0daf8134cdfb94f06e7ea40862c47e3fe9b706dfc2ed6e32f705af477ee0f3225

Download Submit
C:\Users\Admin\AppData\Local\Temp\CagUAwsA.bat

Filesize
4B

MD5
22a2534fe98c491d653d58f444d3cfc9

SHA1
5e0176e6780e2f7349fc7f079d4376356368fc71

SHA256
494ff2eb39e0977f1c5e74c65b9218a283907f455d1f076e970f80302eb928ab

SHA512
8e029a7edca3bfa85a687bbd3e320b0039c7a171e334a7c7049cb77c27dd751cd84d85a2ef37001d81bb945d1fd4970e950757e9dc3d6e0f410b8beff404a0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CagwUskc.bat

Filesize
4B

MD5
02cddec4f28a19dfb76e6df4e31c0193

SHA1
2ee981c37ca42437c1320b77751e3867931ce0c7

SHA256
3a0d0a8e61408752a808959857e37e18cfb1c9f29b2f22a9c8862664b2df1ad1

SHA512
40dbc8ae732753a6395a5938ae8ee169df8d6159475ecfed9fd60ca918e648388f3f63534b6c338b25dfa1bcd720a77b2995a62b1c7e108201fd96ccb21acd43

Download Submit
C:\Users\Admin\AppData\Local\Temp\CqUAUMQQ.bat

Filesize
4B

MD5
a2217601cd0acb1e45eefad6c32cf78f

SHA1
65c40f24abb2398a942c292018e64a174b832c15

SHA256
cd7eec7de6b9dd19e82d00826eab2e8872ed47d84d65678c9ff69d263d5931e2

SHA512
d5e29e683e4fc6b78a42a5344ed40d3284c92b99f519977544783a8ba4da72b876c6626eb3e9d1b149e9b5837dcf51b0431f90337f539650f292b1b14d9c772d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwAy.exe

Filesize
251KB

MD5
d82f65b71d9ac5fca788979df7c9ae9a

SHA1
e14902ed8fdfbe0686265954bb3a32d31dddde73

SHA256
4efad7b325ec99abd91c78a8d42f3e97b16a50d3b19f715a4ffc86f4116ddab6

SHA512
b2b72a3b00e001cf27e12262e7a3a36866f2b8c45c954ddbb06049323093270bf9f9a2780cb88a569a97840c20b456022d3e860d3479f72a90e4917319d062f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwgm.exe

Filesize
245KB

MD5
c2fd17db65bfb5db3460148cc18138e6

SHA1
492ff30f54885355a0874fc1d46743ae29b85c42

SHA256
115aed60c446d266cd45e12a75a5a8027f814d864dec1803b754cd606de67400

SHA512
89a19efc9619ef2406180d5de3a0a6a56fdf77de6f01ca90afb892043fc06a88208f8e3bc10208d1f61bc33b2408b039b68b49cb64c6bb4e3728f2f133461612

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEAMUQQU.bat

Filesize
4B

MD5
4ab04a8f9ad3d41e974c1914ec7a55d7

SHA1
be13411f6ad5fcd11313b6bf54ad320853e24611

SHA256
11ec666b99b08be7d244a7e66bdc6170e696f0c519e309b2f848865ec2cd82ed

SHA512
902d1bee73134ec35552b9d1c7e9eac9acee20c882d223a91e626cf4021143e630e5071f35ca7167489bece30dc9bf69e4e4ed80873f97724fbc9077426fbf8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiYggIEo.bat

Filesize
4B

MD5
4f5cd8beec9b8c5cfa06bca7ad0c289f

SHA1
31d1d52fc60a54c53abc2e60cc9d696d6f19b99f

SHA256
494ae066e522fbe2188a5a5f481e734654bdde76589b2ef8eaa793c97f6854e4

SHA512
3c8cb8bf3b42b17584fe4a36460128eb0571ffe438fe2a7582955d8b6cc0ed52d73c7851bd6d5e83d66caf305fb6638620930a854e6fc2be70e8935c738184cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMMi.exe

Filesize
242KB

MD5
0e5bf2c4aebbdd4324fad6de841ac033

SHA1
dbccebb38bf80f616212dff1e81b90e4d8f705ea

SHA256
86659e4b1c844ce88898dcb6bc679c688a9a78a6ed5eb165153074633f16fe60

SHA512
642626c6f045670d0964125f1ec982479ba3f5d005d411387e0ed78700bcdabc9d50a11717969ff5cfe2be2e3d78cdb55a4e7e08b1d84e25907e37454256bf20

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYQa.exe

Filesize
230KB

MD5
f98e38eeb49e4f3f9ec8fc204e2bf625

SHA1
2f16c8526cb8d065bc7a6ee6cd9dff2d38cd6805

SHA256
55f4492a05e11e6537effe5893656c73aa61510d522c14ebf199ba57eb04c8e7

SHA512
11a0d611b22a308165244f49388b31fe82b25490761f3d454ba3545d397785480b5c194b229db88093b5a465e9cd442085b135c3911ab48084c20dbaecffaad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwMg.exe

Filesize
238KB

MD5
0e0e7d55c05b00054b85ca1554e20a97

SHA1
0feba396d1660345f025b03e606a0c0edf28953b

SHA256
c4286957f87733138fb953020fc813be6a2cb23a73713f179ee36b50dec430e2

SHA512
01f7fb2a881fa78a8505ac2918b720f2aa762978647e19e91c7c55048b496c73c15911b6af1ddc1d02c226c732c731cd9650d6d2b1cd5e952ec5a79052ef810e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQYskcEw.bat

Filesize
4B

MD5
3fe49815d2744a824e05b9dc8e4987ae

SHA1
e2a4743813d2961ee6fd591dc88b9b87bb98b789

SHA256
47b324ebc3b79b223010d3f172d5f508b5c5e8f319630204da8c856e298270d6

SHA512
085ee8de448bb4d089b75410172d3bacc3ba1161f0fef19c869af0b5d350a5bcf2a5e806b26092b40eb810727eee4664e9d323d9648343edac88b9c8bcad0f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FSEQMowU.bat

Filesize
4B

MD5
e85fdf62bc8e48f864fa4beb64729bff

SHA1
5474bcd8571b4e677bfde433dd186927d4f85af1

SHA256
5cf2cbe60de1c1b9d11159a0aa1f9ae2a5ce2cf9ba5b19d1e217ac5fc7857b30

SHA512
868282f208433a033412b0c1c62eba04e15dc7bedf2e37a8b987d6575a16080c7c877f3657583003bd64276ba97353b6f789aa9c46dbafc143762207af3d48cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAEw.exe

Filesize
780KB

MD5
46d30d738632605afb88c39a390d70c3

SHA1
0d1aa912ae1b11b8a0ca9b87f2bc492d30ec4d24

SHA256
89042153c81adbaa436e44fe34ff978106c389950b3425566e9eea39207f8214

SHA512
a143da56182213556c676910bbaf02f8f6fb5a64010d3183ce521243b50c388ca3c1f57d6ade0e702fe15a9252c3e529dc22e73dcad90b0ad5a7e83ab3c0af16

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEMa.exe

Filesize
241KB

MD5
5a60e0d00ec48974dd3cc870a7a8e17f

SHA1
95877ed2c319c06f1c56740daa2800e3f4251feb

SHA256
aa1f3744993aa6a92b8022b74946caf9a78cc0f79571b207e8e30563b0cb910e

SHA512
ca2a2ee49a04d89efc361bc5b200f326229261666bda8591ed6aa50387d6f04194ba5cb4b3416330d8dec36e343686b295a5459c92228a3471d9692294298277

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQsA.exe

Filesize
246KB

MD5
feed561330ed70fb5580bfe25e9a964e

SHA1
7c724b2d8ba991126a6506e2b9596379b2e3b42a

SHA256
2e3b1d8ced6aaead611b0610ee71091936fb2beb442ae180d7444954fe62c125

SHA512
cbeee54a8e386be56de697985b3b283168c39f2eab4dcb1bffc3241f84be868453651c807ad644fb2587477a8706aadab6c11b3f2079744d717b82aaa2ea225e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcYK.exe

Filesize
1.7MB

MD5
3a1442ef33a3d3322964575f26c44946

SHA1
c054e368a8dbfc3be97bdea2c5b6dfb104d4444d

SHA256
46f81f84a5087b67624a1b9077d53a0cbe2f23f465cac5471e30230ddc3d3dfb

SHA512
74cf3b9c7cbd325c1ce81423917a8d071143fdfde27e643599c6230dbdc3e910dc48a3679b937bcba7490fae911838bcdb3c4125d86a83d6fd187f77085c008f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgoYgMcY.bat

Filesize
4B

MD5
273d13ee69b84ba1064011cfd8b3557f

SHA1
f1c40bf5b149ea2b29a96921ec6efaa2c657dd98

SHA256
fa6906b572b33ef45f956dd5608c94ae2ff03e85c4aa9c43556daaedca1cfef8

SHA512
8b233b75497f239dc2437d6e4ee0c2c6afdc48935f3918db60400ad982b4fa2ca92223d3b98f28a1f129c809ada324aaba80ce808918314216f2e230fe720ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAMQoccw.bat

Filesize
4B

MD5
d301d6c7bbef9bde6e5359d3311bd27b

SHA1
06a480d78097993ccd69c5fa3a843d1c379185a2

SHA256
98ce8f08c99a39e9b1ff03049a380afb5342f26e6a6e40d60fb56eedf5569aeb

SHA512
a552e02a59e214f4ccd83ef4ac13877ce9adc64b6b95e89fb42202a87fb9b1541446262250ee195cf42c2e54c1539a5296c8fdbe764d950fd8eadb8b12ae331a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYkoIAcw.bat

Filesize
4B

MD5
d78263013a01426811d3fffe23c4c670

SHA1
0c723f761114265aea5f123fd52ff2dd0e2e705e

SHA256
a46816692aa784287bba64ba4e6877293df4fb2f3eb6b4209de5d185c98fd79e

SHA512
1a95b013055c2ff6113dad852d4307bbdced1c04df7780601d607c75c0d43e231c2a8abc17c96423ce2719cdc9ed8c4e53e7a1adb63f8bf6a79f6941e51e4b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISMwMwgY.bat

Filesize
4B

MD5
48c44f2e7598f04adfc6b02676f03b6f

SHA1
23dc0cd6e36526b1200008f29532af58a63d7ff0

SHA256
b0971f645afb756812fb1ae04903ad791cd6338ed3a66c4796b56dd9b7380323

SHA512
9c290fde3646cdd098a8b5abd31de259e342226140c97ec241d721f5e9a76b0e9f86cd928d2b94bc76577d47607f0f2093a7334aaf30937d6ffdf9e9bfdccfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYIU.exe

Filesize
227KB

MD5
70f56f53133e370c7292eb8ddf9fcc39

SHA1
a0b72a2f7c863ee22b3a569052e8fa203365035e

SHA256
38edb34438ca5e939a52106db786bdd5d084a40e53912d389f1df9dfc11848b9

SHA512
77d6dcb36ce5c8674c656c362b2d3320cd66f40ddf0309dfb947efcf08e052b1ba64ff4183a3f855d1c87c0bbd08746636699bfce505b49b6e9682a975b8c8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IesUoMAA.bat

Filesize
4B

MD5
c27274ca7eb0b0f4304955fb797df388

SHA1
7ff35b738861af48153c3ccf2780ae1cd6fa72a1

SHA256
43252a3232ab75ea0f8b1ba028e11d73bac4abc46a1c9ba8869cc0f80366568b

SHA512
4b107455906aed7072018a2f3645b7faa3a9de5421970bbce6cc3aff1b8f32b5e898df141300d73cd1cdbd4f329bac284aa6697c0c322bd7d155a95b4c9ea07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgsE.exe

Filesize
242KB

MD5
ce38021981ca6f088c5065c606e149a4

SHA1
3316ce89cc182e660f94bb90db691fbb3600676f

SHA256
d35dbf41c2e33e7a98f17a6628687854b5cc3582dbeda2a0d97cf6ad45b6c0cb

SHA512
4c42e45cc51d07dcff85b50fb37cb6d6043375c6542938b703b9f62b29c1e83d2c8aaa03ccdd7edb1f8f654f017a2964a0776f106faf5d40059680674f471248

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoII.exe

Filesize
233KB

MD5
5171f5294d76a97a2d924088d816afed

SHA1
7e110c1a2f9672f9601f131bb5ec8326822b6fee

SHA256
f549de675c8013a87c9e39a750a3e4e781e630c6e3aad9ebcf88d9e356f25c10

SHA512
50912aec7990a9834f8c60056491b00532497d3b509b22d5bf25a83b807569619370def03201f308ce6985d5594688da6fb8419a06ea91908875ea8728524c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\JoAUUIco.bat

Filesize
4B

MD5
c4d4c031648c56000367e3441d675a90

SHA1
95991180d52ca80f84f694c125ed29345f140b2a

SHA256
0272ea1e52332a27b2e8ed420dd5dcbc2f901df2431e2ffc3db4a025f99583f6

SHA512
ab8b3eb42549a03d9ff6cf582f05b3a20a42ab1940567579055c96884cc7aa6d3a4075a33d390ce14d85fa449e8883443e1ec101f444a2f546becbeab17ed5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JugwAgIo.bat

Filesize
4B

MD5
b2883c2499a9e0f817445d1263446fc5

SHA1
1f1dd94f174e47933f813e9dab4a0c6d83dbc3ad

SHA256
63c9544f9b3a235aeb2c86a1b1b0d704995835530a57a379469e472d660a84bc

SHA512
ae57299711e231625528a4f869159dd604cc94cf29ff9e6c1a1cb2eade9dc3a23da3062f776af7f34c92eb4392ccab6f4ff19f747d0ec815eaade1807c0cedc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEgI.exe

Filesize
249KB

MD5
cf4bb0580393b9f8e2d179eb09650a9d

SHA1
903ac29b15d82e2def4965ac50772778d232f122

SHA256
8475ef660cbc8716c1e024ff7e2c33d212279bc2874c568d4460bee3331e3d84

SHA512
b9cb907ba4dd4f9986a4a5000b19bbc78bde55db439c9133d6c1624079e0446aed4b1a002c49a0cb9cdc64ac20df64e07224f4864148ce88329d4eb21783569d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEkI.exe

Filesize
232KB

MD5
5fbe717dad64701c5868cff278c8c1e8

SHA1
e79da157dc1dfbe715b55474d042352e0e92ca7e

SHA256
fd1783cc2e7f5e3891e1eb694388059db0842505643ceb18c87a8de17c5c11ad

SHA512
f2c13e2355eedbdd57d76f5c02d52d4fd41a7b0db93eefe8abdd95ea1f370de4de99283f8668594333213f8b8180550ccb6a1c487558676ca9593907fe853a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMEE.exe

Filesize
939KB

MD5
03ed52721624ef52c8a16f0ead5cea2e

SHA1
985b48c2ce908369a93c6b8ca1c244a13ec1c74c

SHA256
232ebf7d8ad0d1a3e60e6333711c4a4855e7c088fe22394349305dbeab9aa8b7

SHA512
a4208f72a3bb35f24db21bd787d4332178495560651b3a7aa382078890edb7623b05e89fffc2b82ae4f7d93d76c828e868d98426f81a20870d57817570b8118b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcAe.exe

Filesize
236KB

MD5
2771d929fa0ac3412c3af33300937038

SHA1
0a0a0f3343c7c0bdf95899b627a2d5a4e1cb02fc

SHA256
d44d689ab1d6761618428ec31f1b7c7d5866fa59e0cd4c23dcada63dcf6a25e6

SHA512
ebdbc307981425c8d946f12e4419adb8759abd9afd0b5c52a67fb14ef92abc3c865d71d200420141e38e460243d250e8d3a29ab4a6043a0aadd1b3ae9e8175e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkUu.exe

Filesize
237KB

MD5
d9e298ac844e9a508d66d209b21e5d35

SHA1
d7520c2a6e1b690c95deea2d822f845090fb774d

SHA256
adb4705197a7adafe54d525dbc74b58bedea77f410a745e9c1b510fa8f1c4548

SHA512
7b707ed152089fd6d38b679405b5f27a6c35a28c3f7e01b5b8e0088571a038c50c27f2cb79aafbc732182df16eada9045d6fc4fda56894c6c5be7836f32d37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KskG.exe

Filesize
965KB

MD5
8b04277fcdbe64aa87fbbe61ca84c04e

SHA1
17827c54415a9aaa8f6831e18e81f2df71951856

SHA256
9d86737f41b32bf77c40784241974cf21364ecc6772eb36a3f6e54027cbc4216

SHA512
aac2c09969c86bc2f3fe6b63b0af41c6feb65529891817e2dd31e61bc49b48b45b4eddd11aa5ad9fded072e612d20fa71c823f09d8cfd0cb0697e53642973878

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMgO.exe

Filesize
4.8MB

MD5
c2a3e3f1a178ee5e82d3536fd1c30b1d

SHA1
b5914d2b87c0f98869ecab5d5129d0c8473dcabe

SHA256
17f0511836684ce1fd3aae3fce5c88e720ba8da55064050f8e8cecad3b196fe3

SHA512
874cbce4164643ffd8c08a118f9989c74df6280c3546f767bbb335416407e58edfb11fdfa56f1c59cdd7e61831f6a73d045b68866a3a2175e8489d45adb632b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMsAsYQM.bat

Filesize
4B

MD5
3ccfe196711927d09b70d412261987f2

SHA1
40324f18af3e9649f7bab80c578fa171111589ef

SHA256
d50de8d1244ce6b3ed75971a61499f09f0d8a90af20cd388740f78e7aa94fda9

SHA512
33042a9d5c11911708e74853e24dafcc59c9b5e4ce270705275fd2204d5474b2d707a6e9bd484fe9afc03c7cb06a74139c97b7e0f6d96c7e18f3bb2a3eb67182

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgEW.exe

Filesize
244KB

MD5
c34df0058c5b1ce9e490533dbbed11a1

SHA1
5a41286d54938ff1019bd19eff0feb7738d30c66

SHA256
2e76210ee99d99bd31681920be1be5136503224815ff1ded8305eed76b34cded

SHA512
244c343e52a00a92091ee98f3c0c94680d4f67af7f7d628da455eff86d78d80988b76772db39978ca0224f569dfc9233b2d8f1e52033d491aef1d6fabc747b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkAoIkgY.bat

Filesize
4B

MD5
a25fd4bda12e4caf528923fb4e5a0bf8

SHA1
86625370972aa1ef0b854f9bbbc03ceb09b5f66e

SHA256
e9b9f2015a4f4a2c8bf467eb6cd04ce1e91f373de8fd21623921be7ca0de8dd1

SHA512
5d3e3579bce967c78b33677df4397dc17fbe669abac03e5709fd41f775e5c64c31e956101fd32a9fed14a0e97a048ece0ee39757b6f9aa733b5f6c0c68c4f61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsYI.exe

Filesize
447KB

MD5
05d658482a809bb91b119707078516cc

SHA1
c2b98f2b368a1ba08d081188e35d3177e3961bdd

SHA256
4621231851548a6a05249525e94fce0c1a27452257571cd1523c4a1ae89c3805

SHA512
85b8afd7ee13b29c1467fea4248962253cbefdc735cde0d88a05389ff9a1b026eea6389ee3bceeb6847e42292abc14d23f78c17be6ab69b53c52e53130c18908

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIwkkkos.bat

Filesize
4B

MD5
7cf87ddcbbd83e29a01e0dabfd43c9ba

SHA1
9f298a70738c5d33b70dd701dd8eb0ba2ef629ec

SHA256
305a6175f51f16fa4ff3cade0ea1cb3eb98db3bb3680d087ca683fda3e17b2fe

SHA512
ea0add1fa0278cf6bca305962d3016dccf1f9b247e326ec02394f65572fd1bdd29bbaa80a251fa304b12e0d051970373f76c37c9279941a019d5d1c0fd9c5ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NykYAUcM.bat

Filesize
4B

MD5
c56afc7f8e82818375118a60248a5e51

SHA1
d0c1f57f7ffc023913eb6993a589921be400eddb

SHA256
608bc05894cd2bba8cafc69ebce6fe2281d07534887b8ae9d7338770969fe427

SHA512
74881fe662358796b386d8d5772724732d80e7e77ddb1f1f84ef3a08ee904b0fc5707eae18785294f187119578d1e45701084901529d818ca9efac3585bdf5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYso.exe

Filesize
233KB

MD5
791f25db1e3b13a3a10de038fef14fe5

SHA1
1ac28bf2a2e7b97c8e27b5f6bf8a9225f29de99c

SHA256
efed95cd9f279a4a483f4cd374027e40012a3287f0e39b96592df37da720ed9b

SHA512
6da81cb95fc55fc064e50831dbac43ed27cead6950f53c772526d49703d49e658d97213b227fc09d5f5802ee654412d508888bf105ebb15a65feb6e8d91207ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgogsoEY.bat

Filesize
4B

MD5
ab22e0b51c67897f848aa237579c1ed8

SHA1
213bab3f8071a9c6ece66266278fb2ce5fa3a2e8

SHA256
3151c28afa9472f3460624be0cf6a6befe719c73d06cf5600e84aa62c7149bb7

SHA512
d773f4df44de35742ded9a0981a78e4fca44fbd3e332464cb0555d7d97c8bc7d320f045562d63ddc97b64302a12953eaef8694338c2e6f5b5be3ca9df2ac92bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwMw.exe

Filesize
230KB

MD5
6e3fca8bde706c5a43f7f8d336a2697c

SHA1
8e10387635340c7fe3b754567e1ffcbb045f6806

SHA256
ce8c82d096efcff39921baa2bb93299fc97700c059fa366d962097f3bb261e80

SHA512
15b5d44ed49ec6cdcbe5d541104c761322c5cc14e97c6a636bfcfacf3ae8ac5d41ea65ea8669577c6592930c6eac7feea467fb2bbb2eb082361fcfc01902a5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYYMscgU.bat

Filesize
4B

MD5
c9823741a59d097534f170ec459bd68f

SHA1
93ae977a781fc70d19b8b9cd0472cce8ef0919ed

SHA256
1196c9e18048af4b017e1f23c2a830de240d037dba092aadda85443a1030c56b

SHA512
bd12691f14fba57a6c11e5fbecfc59fb454e89396e6afb2125a858d0e11e9929ba1919d36c691f0813ec1d2cd51e85c7bdc1185a31053ec9d1a2a2a029e561f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEUsosAY.bat

Filesize
4B

MD5
544b7d4be1ec4d456e282932e7732436

SHA1
72d291c27c396bd2b9b9670d04d572d75760cb53

SHA256
23a4e3a2ae0cfa5dc14cc1c4d3e79c632c1c0b774bdbf966bac48c97579ee1a0

SHA512
6374bf3f39b36acfa0e33bcb4636ad55579d2f55d6532608e9a75627cdab5d2ca6f6eaa4d1546f568e9909f93100c041f878e9cce4799d50d122fb4f7f7e2615

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKUUYIco.bat

Filesize
4B

MD5
21927404fdf4bb282a2b505360067433

SHA1
56b85f6fb50d35521f336fc40285fb411ce47de7

SHA256
9029e3944bc45c20d3a177504fa4f0d85500b9cbde7fc06f33545f751967016c

SHA512
1bbedd4a4348b1d53f95fba8eb49d4cd911c7690ab1606cb288982bedbe8ba154ee20994521bc68768b327dbc7999a0884facf6df9fc879f7e40900448a21888

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUAU.exe

Filesize
239KB

MD5
92b8682826507e221aab709ec08acabf

SHA1
51cbfacd4c5cc977ffbf996cf31dd18073fac249

SHA256
2c41ef23e4ca9101b7c33780623fe366a94d426ba7c05cf80426215aeffeca8f

SHA512
63d7a5a25ca3a4cd047d8a0734fa0acbffadd2f6121f06792e0d7409db7ddd6de88f9506ce899d0d574e5393c41e8ce703ea16f697dfad35978adef3dfe006fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYsY.exe

Filesize
425KB

MD5
f08d5951904ddbfe2f12af3df363910e

SHA1
2e6e26cd24072be071ceb9c9845847a2abcac4b3

SHA256
ba308e673b141c36c356eea4e352e772e94f5b8d5593013c2148759d5c492bcd

SHA512
c819f59299d4bd9970992b3c0a83a28f25ab5bda52bf0780b75a5ee58a1edeff532781506e4ee8c2809efdaf6dd3ac81d46f6194ccdd4f354e73741aec3ecb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkIA.exe

Filesize
235KB

MD5
1011cbb61bf7df11128c9500374f688a

SHA1
3d10cf237cd04d40a9c04e7ac97183d0c33747f6

SHA256
3a0ad03c90e0b8b1202dccb3af9f48086e55c008db94d5408e5098d553342f32

SHA512
160da84161dfdf2f8b1aa47a918d5ccf979840d0aa4bd0c84cb5beee2ea67cc784e4db806b2c9bc9964b98bc8988b1d4c55007f222b5bada4cbe96361bb53dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qosm.exe

Filesize
791KB

MD5
ec4e401bb700dd6e01318a67b1b00f94

SHA1
d82635704a09bcfe22f2514a4f80dc815d611fda

SHA256
cfa0c46ce3ddbe11498188f668d4079562f570e31a54f39031b02b85819b94eb

SHA512
1bebb21ef2245e36927c7ce7ff9daadd157ce2a2ca854da16f554a1e76e86381b6e81cd17cace877a3e35d4324227ee53b21011b30c7b7000b7e463c75c630a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsgw.exe

Filesize
245KB

MD5
face549bb8772fb32cb3c28fe8ae756c

SHA1
ce4d551ffff033503a23688b34522f462744ca7b

SHA256
5c77b2b7318c6eb6f19c84bf24c4c3d2dc7b57ac756b54d7bf9bff8315604bca

SHA512
6f7ced4979e98757256aace11faeabd41faa23f7fcc0dbdc9434a2695591b922d8743a703a7c6c58984b96050c71ab38a0fd22c9664c1e84be977fc8ac92a836

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKAQEwUs.bat

Filesize
4B

MD5
5be21cb889d8ede6ecd759d05c281719

SHA1
bee1b0bf63902792d5eb7eaf0a9895d83cf826f4

SHA256
5f40b951e77ea4c068db4855aeafd2612697a4a4f889c83e092c5c76ca7f985a

SHA512
8ba969d37340a06646c93b09a43c52ef61d34f1adcbcdf3a03993bccb8becd722f1688853f990f2f167875ba49c01c23788a0b520524d716096c00a88fe61674

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIkkkswk.bat

Filesize
4B

MD5
834f657604f3fa3b0efeceb89deb0684

SHA1
0daa379e690becc0978732fd4775242284a1bfbf

SHA256
b39a6f93ae32a601601b9c16569f7e02c921683950c6c7823bade96542af1494

SHA512
a326406b32adec82d71e215a57f8e638e388b42bbdf87aa4d6d4216ecc75b0f9daec82865a0bd5bc3905e984e7604f1ad0216cd987df272919c8a6862cfd07bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIsckAQw.bat

Filesize
4B

MD5
618f9dda02e8aef02840eba2451742c7

SHA1
412f5798990c2ebecd90c426bc94e0b91e72749a

SHA256
8c8b722449ce27a2df0e7602f550c5c00073851093ebdf9df975d3afc0001952

SHA512
dc938421834a3feccaeb394d63f091a58109d4d5920a94a1c8bff74a73fed2068ea814723bc79d6765648ebf6795e47ffbf6f81ad5f5dbd07251f91ab4f1813e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUIi.exe

Filesize
245KB

MD5
2cd5474b7516a7ace79e04e2aaa74648

SHA1
e4326009298ebcb1e47646b5747e7239ef016e7b

SHA256
8899a59ee2e83d36d270d4ec2d66fffdd5b10636ba93aee2f85e5119782891d3

SHA512
d610d8c4271029cd6464451475196acc590fc7c5ebc04ca20afe503333a87024af0de7019cd0bea867c36229720c5c119a7c762108d71a64f470de354ed3dc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUQu.exe

Filesize
228KB

MD5
4c5ec8723d9e7de906654d87dbfc4a2b

SHA1
d23b2e44c3b3e9eb891b81db47d5d2ead124e62f

SHA256
07e0492bcb24f9f6140025388d942be4301c2323f62faebf4d364d3fcbd5f7b0

SHA512
94ea4ea1ac5ba69aeae90b2ba7fcdc8f1b7871177aa0442a080af44db6baee5f4d05e3566855410bd10bb0004c5277e52ba2a021322090b6f28e48e03506ceb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYcA.exe

Filesize
239KB

MD5
119776010eb45ea5a4218904a7fcb708

SHA1
bea64b38232637e3f3e8eaa70625aca0aaacb7c4

SHA256
eddb4d72d1992b14085c62119f47b9e1b04cfd048ce66fee70a8e3bd9f33893f

SHA512
06d92b619cfe939eeb4d935941b3f9be1107900fe25026fd93b9629bcaa36895bde5544091a189e10ff1bf4b3146560772f1e332e818f655f677bc5706eb388b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgMgAQcs.bat

Filesize
4B

MD5
512b48a7b886cb33ebdedacd22c880cd

SHA1
581a9c581baad07a702221ffad20d08266ffb37f

SHA256
4608e9103071a7e0d098c314182d1b0f49aa3d33d86f48f863a8b324fcc827f3

SHA512
e4e59ce0cd940d30b90e97e4c671517a460b17591bafac3f22b17723792f336c761ac547620dd2c855f3b1025ae070a55fcab06972764590e455edbf16bbef40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Socu.exe

Filesize
240KB

MD5
224aaf58308f66f73505de8e56a4008c

SHA1
50fb327b2804986d8fe94947894d083d6f7f95bb

SHA256
19b4280259c7c3298793ea8de3899be7ee2045d2251497b86ba1f9faebf098d8

SHA512
b7db2e9ff3f93ce5593cdaac7810bdaa8134b87a92c619bd77e8f5c4c1fb56ba6ff46f897f50f6c91d50d72d71217b7472fa29ea6a3995e431f4b50ccd8aa894

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwYa.exe

Filesize
250KB

MD5
186f16b9d28382a898809b323b4d73fb

SHA1
012024cee19019e5b8e6af4fabed0b33af8d3905

SHA256
4eb844f00ff7dc808ea32d2442216fb9e68fe9ed9575c7049dc380cd681b5782

SHA512
219925631f663cc1e9ef9f09b4a051e23790bfa768b65d2d423eba39076ad0e771342daa61867c62901cbb2e1aff12544c8fb742282c8bbe3cfe5d6c585e7443

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwwI.exe

Filesize
253KB

MD5
6d13c09c07f475d3f8d456c127ec1d47

SHA1
c8ae3fe244996ac98762e4dfe0faf72520f580a1

SHA256
96f51ffea33e9c43bbf60eb28d90adef1337876c9e5c43ab2c5c66fd2cb91a61

SHA512
cbf16dd55992be1a417f073a2e31d46b45f6926bcb156e004ebff8db6d9a06997a9086d5fa4a2fc788f5c66eb0abd8fe8489b6db21d3caadda0cf4f659d46311

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMksQMMI.bat

Filesize
4B

MD5
06da0f32b4d6d75cc772e32f60127d42

SHA1
ed4e86cd4d4955207321e0a251e1c86dcf5a2b20

SHA256
b1c3306a7cf17af79dd016dd58361019ed3229a20b88ee0c78e27670c02ebc83

SHA512
cc775099b3275f6d0724faa388d612ac6e59d5d695b2baa90ba93eec218414f58e025e73d0a892d25b9b08832b9a86b5f412cf3c4d6f4e6e1051434317876d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQAsMEIc.bat

Filesize
4B

MD5
92cd9aaf7dcce4dba1efa4d20c197cce

SHA1
d4cf2e442e91ca03c85146abb444cc106c031270

SHA256
5c29ed09599ad6d0a6eccdae875d82487a1fb1a68bc7e7cfdac606fbfea5435d

SHA512
beb8c7603c59130756770af79a73dd7170354737f161aa1c4d3c98b216efdc38bc058561e5c878bf554e844b8e1d76f74327081678af79996ed059eef9ecfe5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWsEAIwo.bat

Filesize
4B

MD5
5508d6b79e7f66400004f25090091ffa

SHA1
7f44227a2e5ea301016f854180788a663b2b0299

SHA256
d4aefdb32dfc266c592a5ee6797729172f0e3a4db8322bc3548a8b37cda8638a

SHA512
11bd37f07ba33cb596eaac4f26f9ef98808fc63006b0af99bc2712ae4f43e48039141d59de8a7fdd001002ef07bfdb2f035e5c8f05463cf285868ca478f35c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkMsAUsY.bat

Filesize
4B

MD5
a5649d6c9e67cc8acc888e5d808adbaf

SHA1
c71170be6f74f57e8769dc10651efe70d0086be0

SHA256
1af0ee3cb580748daaf97f9817aaba49fcef4c0408d4082bcfcb6e6c140d8b27

SHA512
4691c6b1af50e4bf97c82d83e3b1f789643aba76c4d8cdbe6663875ed5a7d86866d8039f9c2fd7f5d79972848768fceaec1a769908f1e1da939c56bc80c9edca

Download Submit
C:\Users\Admin\AppData\Local\Temp\TuMokUEA.bat

Filesize
4B

MD5
8b06c24a35189b03c190a75f7c3c18df

SHA1
88c34754e535eba11c6dffe84eefbe7164b1fa39

SHA256
f496aaf58d486af40b89bfc069b190f3f845376afa3453a4d901aa102e422869

SHA512
2ef51b70e7f945e1b65cd64ad87c471a77de39f8e6e57120639c5912be583864e144eef75d7362485ee1e5720b3aee8652705119eaec3b9c72a4b6463f4b33bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwQAEIwk.bat

Filesize
4B

MD5
665191e1a171a4f740eb50dcab9c79ae

SHA1
ea5d18fbc2b11099688312eba9fcd5a148746540

SHA256
3293c9b67a8b5b56d0eab120f29f08afc34c73b205b9e64cbfcf2d844109f8d6

SHA512
b00b142cd017a8ea2549dea7369cafe72887428e81a12ca993671717920decf63db0b17049e94ea6c336dbc514671c800993afeee59a3b4a6a800772791f48e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAwA.exe

Filesize
770KB

MD5
98299158b27e63f1b20d5f2beac5da29

SHA1
9cc8f11598e23f5ad7c90bae1542883c156d08af

SHA256
a8bc987508c4e1e08378d56bfc8ce9120aed5011c07af120dcc395d13d4f79e1

SHA512
6d97c02007518cbe0a4c81325f5a55c371a552522de70b716440b671a893e33609d1109db99c416ba7da52fc801963ce98495dd03236ea9f6bdfe69005248b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UCIEwUcw.bat

Filesize
4B

MD5
dfa73102109355db4c31893898efb0ba

SHA1
b9e53dc2efa79cfb06d9018e29f36fa73a2e50d2

SHA256
d041aa305515beefb66dadb15f1c2364dcda07acedc9e59b07503fb0aa31eb71

SHA512
7091e2c0b33d6c67363b0ad1448abee6cb3b591f1cb9d89165d788e797a7c617b7369b423d73c4437f5ccc5e132c72400ff2e40e775b82c1910b09659d10311c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEskgcsk.bat

Filesize
4B

MD5
b91a3548d6c9f7751db0394c512f90aa

SHA1
f4d418909bcd9382459aa21a79f11c3a9da550d0

SHA256
b512e74c5ec3e6f3b5528084d128e8167c10e968f3a10b8a732cb6f94e1459cb

SHA512
8c152f1de199b010e9c2dd8520e1021d361775822f353e298b3a5e527a0ce4b9f02c6dd0854e29e8c379826d9c10734bbdac2495fec08865bdf4fdf786e516f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIMq.exe

Filesize
247KB

MD5
c5b5b9f7d6a743def6da2215068fe99a

SHA1
9797ab204728a22c069b64f54abb2e7b274753c9

SHA256
7ad225b04a91f4e56702afa427b2f171dc0ca48b86f09d5e9aa4fcfada88d16d

SHA512
13931ed813178523cfbbe2a39b834be345ec3f93574e62ee1fba4db974351e513b72bba31582500a1e4f29cd41443a92ec7374a52f30467b0be94a5d1fe12897

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOcsMYgM.bat

Filesize
4B

MD5
ca8a9b0dcfd6187fd697f1047791b2a1

SHA1
50ad3ac14c143a730f78ce3757610d5b45ca6b27

SHA256
e09520e6a54c914e16c3c5dad84d721fdaed895ab71cde947fb126ea95717ebe

SHA512
7110d47e2485fa2de09ccc6d345b387db65c9fa853d5b5e2128a49f463e8f50d15f4c48ff8a6952b8e71ef498af4a3041f684cd7fda1ca76dbdd2606027c9b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQIc.exe

Filesize
240KB

MD5
9edfd0ab5910f155fabb92258c8f75c8

SHA1
751c9304920c79614bc507ae19ea3f1c3e779f7d

SHA256
8091bc045a364e5f7327f25c5478f7c6dd6678f482bfed96d268832f43a5acbc

SHA512
34d29bf93fab5c1269e8ef8273f58b2eb32d9815144d71383625524d237ce9dede0d95636948201506fd34c41583c85470445408f486e403d9c28783506bfbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQUs.exe

Filesize
632KB

MD5
0ca04b467cdf029f99507be393797b70

SHA1
c0adf8a4bc23a57ed18c8b12d2b2c9cfb268c496

SHA256
31e1c2d3b1ebd614f44c98187bfe95df2fa514080bd6be8cacba77a0f680b298

SHA512
7a28e47a21a9d20c707e206f395aeaf2c15dad2f0c60c82f38d15262cb7e2c323ee79143b70e4d2a144b77dae6c175692135d79bb30e52140aaa01e8d7887252

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUQU.exe

Filesize
237KB

MD5
44278f01636cb56ca4635a5269961b80

SHA1
090e6795e358b5d5a7ee431655f314b7eba339f7

SHA256
edab7ecc1607eaec1f400804d8cfb43ce5a3e5f75201658b2df2f3d3fa8df7b9

SHA512
be67f5bbde7919438163d7f917416773614041d2ca482167551ebc8d9cb8cbd4b2b0a0a3129958d07cc62f3c47bc0198d1f55606933e63c2078b40993f385808

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYoksQUk.bat

Filesize
4B

MD5
9231d33ff8365843cc18696c3e96ab1a

SHA1
21de84d786515da61cbdbda846edf6aab0aa7012

SHA256
3b28e12d200026902500207f5c6eab7d700b7cb1af67d28d446232ea987f3d0b

SHA512
2265b429f2f5899c488c4103fbb47a336079129cde4c651b9c10d5f238b24528bd5c34d6366efd7c428287c12dea688699f83cdbb876f47d2808e74bb6db8e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkQU.exe

Filesize
229KB

MD5
0119b69d7f66f5f5b5c2dd8a7b15945b

SHA1
f9ec9d68c8295d75350dc68e37d7af57664df1cc

SHA256
dea84f204d4bdac29b890f3b2577997341b4860bf1bfd5cefe589697a6521bc1

SHA512
5e2fd518aa4c1096056071e3c120817b2fb8258f42b6a50e00b0718892c3c3217c82ae05708fe492162195e235e5a016dadb998d01da96cb4b2cf02794871d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwcQ.exe

Filesize
236KB

MD5
01b979c8525d1ee4688a89bdadb00af4

SHA1
668459db5c41027aa0ff5341f946f2075cc595f1

SHA256
391777bc64a24fd408a2919f3384fc6ba4c5b617aa7ab43055a8ef7691f04de6

SHA512
8a556ecddd3ad7da8c25a78cfebeada425b0b126966df73994d06bb62a24f52299dab0757ddaa1747fd2cedf8e23456df005e8e7cf89ce0d9ee6996cee609ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCwwgQgY.bat

Filesize
4B

MD5
561c3f273a1f099c5e6efc4609988c87

SHA1
f5482e641bdd24349b340b7a21aef98baaaddf78

SHA256
4ca4bc485ec59f2fbbfeda825d54ec64a0acbfc32f0c94859055b5068f701e0c

SHA512
26ddcef6eb22022958376f00ae231fe7945311e5678e20184a9dcdd47cfae7f4f4c1095434c2cdbb65dd9bb930595fadc8d5b27a08de9149a6e4000ab7e1617f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMcM.exe

Filesize
240KB

MD5
088e30e3d142ef2495108ca5511ca4cd

SHA1
67d0d0bbbc27fcf4ef62624ed3e6216a4951cca7

SHA256
d0228576ef9f91cc2fdc61bad3445eb1e31f16cf3c793f5ea63023688eb9458b

SHA512
336f6c72da1d11edb6748bb448a9783d51d42b039ddd8de5abdf0a61424859f0040e96f2cac200852bab5db967e9f2d47b4c829e37d87f470d89f6e9f0138de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUwi.exe

Filesize
228KB

MD5
0f91684b2f07771f1bdc6d51193c8ea7

SHA1
75e95bdaaeeb30908d88b0179f971937aa955387

SHA256
cf7cbd5226ccf0265fe7a6d077edcc7943137aa4a235fc865ec8563630762b39

SHA512
44a5cda7d0b74fb8bc9c44819e9a06ab9bc771a8aef654a5e601061463f9f749ab726804c43c3f16a149e939111a000e1dbc7fb4ceaa5070636af9f7fd89d240

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcYcMgoA.bat

Filesize
4B

MD5
947596f9c5ad93110f09499303669d8f

SHA1
f920212d3c0ba49992b0379987fbb0425e7533c0

SHA256
eb752e71e1fbe0a53ca0ef4511332514c38ec7b1c22e43fc0b649cc6ac41b912

SHA512
a6d6c1dfe56b87f189d8f5f096ab53db6fa94d19cc0ef471d4f8139810002250179717401151233b6273b4776752debe925a7a50bb81c6b7c6671f7714a7dbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WiEokQgs.bat

Filesize
4B

MD5
aa5539d5bd77c913f4437672f636eda5

SHA1
ebe225a3acc68485d8741dfd5e26f6cac76b6391

SHA256
8566d0672f774f8aece75c6b531b00c18fbed6aa46b0b078ce3d574d4da53488

SHA512
18eab19e389776c01313d262b543bd203510feb55a1d1582cafa799e0843d1a4961a3830e6ab5e7f11524f12da5217b96ea78dee9e9c531675973827c688007b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WowI.exe

Filesize
1.0MB

MD5
1dd46be8dc196a73d324f3949599864f

SHA1
f2c3c4546ac01e2cbbbee136365d8ea0ba6ddae0

SHA256
c783ad2cc4eaaaec1ff1a0d92e47a733cfe756d17d668be49a1a000796c677c1

SHA512
9ebad21bf8551669196d4ee29628894416a7421a2bc3554a08c82b56e4441d01925d79d7a00dae6411e2d84f58ca4184411d6efdf8ebe44c1038a4713cca397d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XoQosoUc.bat

Filesize
4B

MD5
3f7411918c2fa77ec2903e03dc80e127

SHA1
4802ad98d7d5d30b6f56844090e5912c4acfbfb5

SHA256
1c381c295a1cff52ba765b94a61c224fe94e0e5527a6b4e0b37a3d70e8a7ced5

SHA512
f0a1fa2c8a997a80099356f560a81e457e5513ac5df0f45f9e10c4108594ad35f5705d0f813516d91c5b24fd769171dbeba37401d6872c68e743a06c50ebba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAUi.exe

Filesize
237KB

MD5
4f9f91f9cf483f130c54e4390e07c49c

SHA1
784d6b190d85160c06e9ec734ff0896bace06274

SHA256
2bd09d17eee2f5f9fd29b834d4dc7a5b2e7cc5463badbd82cbe7a2e5423b30ae

SHA512
707a811b18011307cdc1781ef99cc0ae4cc14cc8b18cfc6432fa46a346f6e33779efda0c2878eb287ac2792bb52c1bbdb18dff20126b4b2654116fdc24a7793e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAcu.exe

Filesize
1020KB

MD5
e9f89ebf158b90439d0aae6dc95c69a3

SHA1
5551c7d87e9d92d08dbc163f7430fe01a575f98b

SHA256
3635f80ae492cd627840dc863daf54cdda55286d84665f1cf5050a358204fdf3

SHA512
cbd4e7910a5aee1a2943a98533344c2e00d2ea718cc5c0e27953404b01ec775c7d08946b526aeaf3c96f7a66f56e747c349b7dfefd502ffe980644be9246d0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAcy.exe

Filesize
235KB

MD5
923648e368a952bf26a4959bb3d29950

SHA1
ecaff0fd19e5a97b355e1d097742a610524f02b7

SHA256
8a51fe0a6af88af744a6cc3deaed4d57e26287155e00fbe3d87dfc0c482f2f74

SHA512
c8e74a1e90e211370ed226fd158ae3f62b3a0336bf2c761c7b07a6e4eef0ed1e3bc46bc273dfa37286d5f245427b793c48b3d4d9a316ecd20a875331f2d16efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCQAMIYM.bat

Filesize
4B

MD5
52c74446064cbfcab39f4a27966ec8da

SHA1
0c4893b1bb4c080cfd4356a9b192d0605360abd9

SHA256
5222ec30f5942dee4adb01dfccfb1f1b142bc33e2695981ad3d9c2a1e9fdd2e8

SHA512
02112bf36b2ddf1faa4430692be7b69121d81ed5d461d47dd6bcd5499268bc6d951774516c6d1be8cc14b4712cfc5b85749ca94b6f65c19dee2a5a7a794af0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCkUMQsw.bat

Filesize
4B

MD5
ba4e5ef4d1ca25b4a3becc409298a0d8

SHA1
99cc624a3aaa553e720f492403838e1684c6585c

SHA256
7bf020b233c55b9db4b017dbc7e81ea0a9af3efa2843a82f7a7d47b83722e888

SHA512
53cd792b06debca0fc6d014241809b60d69dcc907872c93affe4d86b40a48bd01b87053a3aee3c8c1a8329c7633518deacb32075bcb0711958ed25e2757ccc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIUY.exe

Filesize
240KB

MD5
a23bc9db7b076f604e8569f2a5db0222

SHA1
11f42d324c2ae2dcfe7f225caec8130bcdf00a5d

SHA256
f8c2dec3ede18536e2bc57f1be0ea44eb9c388c1ef75e5fbe30b5161de994be8

SHA512
8d9f6cf418d4d32813c85e8d3a310c1c2bd62d775005a7b019c61c9d42b0a049b728ddd87d402f6dbdb0444323b5d17809e4d34f813975eeeb5b3c2b29609416

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQEa.exe

Filesize
657KB

MD5
60b31cb0e193c71b504dd142f56029a2

SHA1
c4bab38b73cc93fe279dfbd5abd46bfdc6fb104a

SHA256
ef10de294d5ca641fd2b2d739c52dc8424bc122359d60fd2f07b1171ac8744b7

SHA512
7af00c32c127252c1acdee5d080ff9e7978e29047e8c178bb3cff0b46d1fd0772dee44450c2a582a28b82def625fd889c8c4aaba02c747636f70b57057471e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQMu.exe

Filesize
228KB

MD5
d63c41e116d4b9064474b03c7df1050b

SHA1
3a32d5e659c31c685bc62bc63ff8878356a32477

SHA256
1277a7e5646ab9fd8c299f9f753e538f246bed6f29a8867c2b380e5605dd58da

SHA512
8d05f43c474956acc558172f2632b8956b5de69a5adc51e620353aca3c93b4df04a46b12561b5fb7a4b87a88c905edb9ce740f579613f53f35f9b0c47c32933a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQQu.exe

Filesize
242KB

MD5
a86ef76178652ee7fd02ce31c871a7f2

SHA1
c9a1b34fc5c89af7521a904599bc2197c4b1a111

SHA256
ee62a5cfeb4457772f1ea8b650749ed0b8600efb0b7bf3dfa55bb1401243e05a

SHA512
632be500aba7cb169aeed718f2ccfa2c61f2707c7d87ba6ebcdd9541fa6af84f83f58f48d2754d017ed4492a007e353ab98ab03f248936071189476d8e00d4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQoc.exe

Filesize
233KB

MD5
1508caccf3df2af699a780405b87fd16

SHA1
6d9333b0153e10979d68e77e95be1cfc86e728bc

SHA256
267fd949401086c66698e53a6d25d4d6e844c218e62aa167a36020de01ee2b52

SHA512
70bbfc61b64b0ff43188c587c4bd2840adcd67c1d49cdc3dd62de819e40af73429c044b614640cec3753cfadb8a5436deacc0ed0fd9b9dc35fa5112fca3c5ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUIm.exe

Filesize
247KB

MD5
cbf16c3e392a9ae533e29ee208f77f85

SHA1
56d6241a0babf892a0aecd3cacb165392de1ef47

SHA256
6cc070737d210df4456729187b2209e1337c9abe3843fb273eda1e5c31c129cd

SHA512
f1fb1954f5f277f7f4074f300324de2371dbbf66770589255f7287506614c2186fccc466efa1b09d56dac695c6baa8f431c3486d617c0055440724315064a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUcEsIEU.bat

Filesize
4B

MD5
42eb63d3e97b6c4369f93a9454a902ae

SHA1
3c975439372fc4254c6f2027cec9c77952b8346e

SHA256
3031b4a93e1c19a28ae3f5132d57d076e402f1750feba135849c8890183565c3

SHA512
9a8a13a9c43683da30c74f264ac32d9f910a7a5b2682a7d79dc949da47cf2c556ed49f258c26e041c69303501b73b6c25fb126b75115ca64bb25c5ea34987cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUkQ.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYYQ.exe

Filesize
230KB

MD5
1418b17c375d8eafa2b012da46faef99

SHA1
59919579df84bfd694cba86a3f586aad9e7dc0f8

SHA256
2d3a7b6a1f222d0d25625d1e5e5d349a793c7c5b5eedaabbc8a92e7ea16422c3

SHA512
5144aab0937adc8bf89631415abd85aaec2b00ff886626397b97dda4af1018de7dfd129145a034286ab068337e24c560613a87b713b293058abe3b3f1f6ea1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YewgIsko.bat

Filesize
4B

MD5
7edf71f2c96836205b06e249e4ffba58

SHA1
f39d93eab3c74ec6b1fd226240f8e0d1cf4163a2

SHA256
f96a897682fdb93ec65be38fc5e13e5ed6b51f1496305beb8dabed92e7501132

SHA512
7eed8ded93762243e1d4d230204ce8f03807681c08b34c35f2298b37569408111b42c190cbf573dd516e93bc4db55fa1a55a1c32ab209592edf1f0f2f5535aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\YmoYAQQA.bat

Filesize
4B

MD5
369bca316ab2004242e88392a869d234

SHA1
15f56118e9ed6f224a2e0c2ef56f5ff417fd4c94

SHA256
9d05343d4a398925c977792346a35cb428dcb12c01f8a70211cb09d4121a9e8f

SHA512
d9b7ce05a9f91cee5d4a733c0a8f1f789112325f254ef01cb2232caae48a84239eeb529cc1c8a1e40c7f69654385a78a9fe307ea9e6ef92c8e621e70aaa7ed4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEUQwoYU.bat

Filesize
4B

MD5
fc82124a55d337bc4e033e1ba9201f4c

SHA1
86e28aa8d4bb57e69c62108b4bcb8aa5e291f120

SHA256
50722f5f30d73c382e22f6de753657f1ad454efc04bb14d86c9eab64b5b39c7a

SHA512
3a8a71f4d26823de362ca425f1ad63e6c5c007314d041064140165602d4537f7d61f01c7c85b9f08d804ee3814f8124f3ade4a7483eb0342c4c7b1acf9e13b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIYQ.exe

Filesize
206KB

MD5
c4c27bc694d11fb5b5c08415f6622409

SHA1
5d045f4a7b32eea8b895b1e04bc5eaf420cd1b80

SHA256
37a4ed4b8f5bad4e01b071fdbbb61aeda9bf6d3cedde6db592d837854f6438d8

SHA512
380d96ca20c91a3a5e9f1b3f40618b91c06beec756bfb2c3952190dc32a0c86fb66bfd00c72e5a36b38f282eee8abab8883e0dd1377dd5dd9ced9995b7a28367

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQsYgUYE.bat

Filesize
4B

MD5
7670f24c812b59f0b6ee2fed105050f0

SHA1
26f2c24ec8e22a956ad076529360e55e52988d5e

SHA256
0bcdac315409bb877e7f897e474c3bf468f336aa7399b7a2617524074fce2ebd

SHA512
3f6f98482eb910e1bef2b2a5f638331002793a6a27b8244fd7d42afbd1996dc9f37afb26aaa62898cc8e82e082551bf557d8402bfb7536e113e37ef06a699747

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUgC.exe

Filesize
229KB

MD5
16aa384519ce2388afd784766cd66a80

SHA1
51553993b2da07380992fed4906ada7b814b9011

SHA256
0a0d8be0816e66e13d8eff3cade0ed7acb0c33d4d856f6ba073fa46cf05abf31

SHA512
e867eb88dbbec654ae0cff2de0d8c5684be825a23ebd622c9b82ae1a79314b51062e3365946e4a74ca28a14804fd61521c67979d64beb050b2904f039f057742

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYIM.exe

Filesize
641KB

MD5
270a99fe230936d86ff924e0c803b9b7

SHA1
4924ff114351237056657c336fce497843e55819

SHA256
c7e50992f386abd7297ea7cfd0be6e625d0ab876026834120fb5b1df2b7b48d6

SHA512
6a87710791d5fd4d055fb464402e63e32710ab6cf8f813ffb53efc5a8e831143bddb7ed61316e22ce3e6f16980136b33960199c179ac79871e3eb5fc7d9feb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciMUsswI.bat

Filesize
4B

MD5
2731f02f904b9e9a2b622133a0c82884

SHA1
e39c8f67c7beb606f573924eefe8c8b5e4145820

SHA256
6b527f48bd1dcaeb14bbc016eea2720c994154a98c774f4485d1b5e53b74e321

SHA512
af2f945bf355856fa1d1a99ab6d66361d626a69d84cfcd6dc46c9b1fa423bbd44d130617f1ca9bbb38281fba04d791acc4ada1e28f1b6a7a5feecbf738ecee33

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciYkswok.bat

Filesize
4B

MD5
5f3a8024a3f22e4fb3aa0752aa5d0588

SHA1
33553c07a332d4ab343ecbf03cd2ee917865c2a7

SHA256
033bbbaf324e0763c80b57cddc8193ce8165c244eabb2f7c96958b1f2b735570

SHA512
e8568ab457334bd29be634e0c2d08df37b0bdad7f6462afd381298663919f59b1b10da774b23947c07643601e2f25905a202ad55cc4e7f0a8b6006722b1b34cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckYW.exe

Filesize
878KB

MD5
4ccba1a320aeb945166acfd0792403c4

SHA1
17ff5b6e5637719b45998b0d19c55af757dd9d93

SHA256
11eb528886ff03ad4a10c98f5eb34372b4e36785cbdf692a0214f016dd93cdf0

SHA512
8ef74840ec4b31b3c0ba1734f1b854bb64d6cfd4dafcc8b5f91827df6886b05b3e9e32f21322d8d6dccb4f5c8b49aa20842c427abf4bb83d9f4b18666ba915b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cssG.exe

Filesize
1.0MB

MD5
0304803f1650e0f34e73447e9e69d566

SHA1
b702bdd67b0f252b17a948fcb1c885327648a024

SHA256
59d83965b1bd744255e2b564ca950547d7f808cf842bf046931cece8d7431104

SHA512
0c64b1c0089a220dcc22b99b53fb5ba5d2b63bfbf3a7cf2f613d93ca754cd0ab376c3cef98cba14e10ca2fbca7792da2fdd4498e3b46fd55c8eeae46e04a61b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAcocEoM.bat

Filesize
4B

MD5
02021951700cdec1a38b6f442ef7a76e

SHA1
6d653eaf9687f1d8b5613568e10134ae6a72de9b

SHA256
927fd1b718b31a8719315e9dd4f9e3a042bdcab8d9d2066df12df346cb037ef3

SHA512
3b14521e3380008fe6ef3b21e16229e796b03d07148ef7ec7a32fe31d863421f0803b2cc76034dc9204d52422b157ec70c6c5b0c6cf672529dfbf3a902ece2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIMkIcUs.bat

Filesize
4B

MD5
c8c80841c4ad43047cc4af2488576aab

SHA1
5d56b67fefd187267089adea818edf21fa7b2308

SHA256
82a6f8893e5ca3684efb1d6ba5e5ddbe786746a95b7663b1f2cde803607cf0c5

SHA512
1a6a9e27a9aac70cf7e967d64784fe2bbfc10d43fd53d6d20aae58214ec1bded1121e085b6ba3e9c8ba7f4d48249cbe8c243716675033f34565f1f7f5b32831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIsUsIQI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMYy.exe

Filesize
250KB

MD5
a6e11ba9922dce1e3fbf79accfc93311

SHA1
5930e13180d072c726b888df5dfbf93f971f4f39

SHA256
4a3df1439faf4192941ac6011a5034fae57432bb82250d1f323c17e8774cf55b

SHA512
17a2e46c6c36bb1ee8fdfb095de9e3df8660711f24b78058160f23dbe367dd83aa1c7c14bdc836b30c175254500e903790197ab469513af4cb9d2a0d2fd4f142

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekMksMAI.bat

Filesize
4B

MD5
366e615da912c24ccd3e9e9ed1e54320

SHA1
3d7f09194d072d9ce5d8fd22166b82071d247c45

SHA256
10ad97a55e2495402b97823db35a32ae25df930259ea819b764421ede8cef63a

SHA512
75c00814efc04ef53f6877ae93af425ce8a305871f201e4ca395dfb7b04666e9522cb84844a8f69e90a3d7e38559ac488de21b54b012c4c07231a7bc7b594e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGoMkIMY.bat

Filesize
4B

MD5
bbd69a7e8a5bec804542c96a973ba705

SHA1
fb7f301094a81b0a1b7cfc67e71a811b44f14dc3

SHA256
ffb72ce2e9827500fa44ed654ddd6f43b2749125fdc2bbffac1c89745d875ea7

SHA512
a90457afcac6899d38b7a8ab198c8d836bc2d492d4a1bf9b483cc9725318c70d43b3155be22053283b92006b02fd1d6277c4f4202c773753c55ba455ad9fc02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fKYUsUoc.bat

Filesize
4B

MD5
a4107a4871dda388457faa931bc806c1

SHA1
66d88c7f46d1f2cd7da429fe61bfe531260adbc6

SHA256
6a85ce6d9a60b7540eece2dc5d6ad91340aa37745ab18e981525f1a999ca37ac

SHA512
769367fe0f7ee4ad48202aed851f433eef1833d0cdbcf11b403cf0867b93e985485885b1eccb35ae4a084db62046fe3ac8cc373ac79d277030e01ac606671838

Download Submit
C:\Users\Admin\AppData\Local\Temp\fggwkMcY.bat

Filesize
4B

MD5
c2f50cd129ec63d8077560ba91288b96

SHA1
15180ae12a33d1ffb2404f47661c6143ce56327f

SHA256
7b86f81650bc1797571fa11b4d5ae4eba9f13976618d44d759337fb979df7a1d

SHA512
ab275fee9c35af932b77ebc53ac7ab12e32d72dbf1ec174aab7ef62f8655615a1576d149840877e9b22448b08c0cedc601cd4fa198f7b8b976625396991818e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwgIUoYc.bat

Filesize
4B

MD5
4df076178ede310a9d64b14979d414b9

SHA1
f614129b5de3e7c270475d1b2123927bc0eb54bc

SHA256
bb72e0557fbaefaadc157d72819352e39e33b643e0924a9c81344301a5c74706

SHA512
85f6d3f7865366d6b7faaf438686f8580080a3d1519a25cec83c091725dec648521a11bb57f7d5a638f1058157419c4012cdc147431d3c0d83d1b1b4193aa84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAwO.exe

Filesize
246KB

MD5
04bfebeec8a8aa4043022354dbe58e6e

SHA1
86b17580f9e58145efff62ec459548cbd1e7f815

SHA256
d0231567c5f7e9c70cce4210ce106d516d45c301e14ca7bb04a3b508814f5897

SHA512
c3bda4955307a530711b9d9711d4a0cf77a9a00aa4c758d365b828adb67e228feb8ed5428eb6ea89c8ce8a20497b08ef632762e916429f9e165293f044a0534f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIgIEEIE.bat

Filesize
4B

MD5
6e45bc9d4ca729a991b3aa360056b7e6

SHA1
e35f18cd4a82ef3bef5f26290f4f36b3b3d10872

SHA256
bbea479182b3fd44c0e8022efe59d612f4e03bf623a76bb3aca02e275eb79907

SHA512
2c47d149f34cb3fb40531026e1e53fad564639cc374f9ef5238c4688d946c8e081266aa9d846dd8a5c37bf1d1a0985500256bf330155784416fa1b7a102c8ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIoG.exe

Filesize
231KB

MD5
ca133c5e9e0205b3d3c28be1c6cf874b

SHA1
0333a8febcb6e231cd27aeb997c4bebe1c5c6e78

SHA256
389efc16504c618f5410bf03d3afff3f624a9d4bd046f64bd173b8ff98440e79

SHA512
931db866137ee7f8982d391ba56e8d39251551d94d5b2c6f5bc064af0af95ba5dc0cc732722a9409db4d6b97bf9f6e3e7b1206d1dc74f9fe622112c421480c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMEQUsEM.bat

Filesize
4B

MD5
69af619e27771563d3229a9941c5d4c2

SHA1
7eb61f59120c24b3807572bc531755272894b761

SHA256
639148f8a41366ad5d3935067eb055ce486e6e2b9156a4bc6fa7c86f051dafef

SHA512
713a1528d887b19f2354008a2fb0e1c5dd44f22e49a4a7643fe6ee15ae75b8bcd33c67888643ed8298c3536fe4d758111632925d827721c0a6d1751c64a32b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMQy.exe

Filesize
231KB

MD5
4cd5020fec09808563651460c127a62c

SHA1
ee11ed785034f02fd3d366f460bb3a6dc5dcecd3

SHA256
f8800c494c4fb644bb26273a5b1c2bd9df1fe62b2236243e7981768f82610084

SHA512
1bf6205f54c9f6ee126ed952a324ab998e062db0b97c638581c6a4b2138324d78f9d8664f9be3c3d25a8a07bbbd60512b035baaf9ed542991eb4f692b5ed7052

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYAM.exe

Filesize
243KB

MD5
6dd2e45bbb7f61c542143a51b1d959b2

SHA1
0b0acc886e846d9cb61ce063dc3d1d8692ee8946

SHA256
9d450bf9ecb40560b0d328d46c9fae361b711980ec847cd422231bc16e2f0d9e

SHA512
5ba70e573c14c43ac82785fdfacbc849467462559db9e046e7386bf45c56e5df4903dfe3fca35c883a3bc6d338e94169a553f3222f51906a569ed8399166f0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYsy.exe

Filesize
1.0MB

MD5
fa85e749e544afd5739475c34f7a9d19

SHA1
d9b751e0dc90328b617d1b5a75ba6e2628433ce0

SHA256
cc1a2e71aeb1d6c770c9c874937f4f7a222501ca0dd447ccd4ae8afb43468c6a

SHA512
7998d8d2d63d2d95ab38d3c52f1059f127dad24edd9ed82448cbe282dfad641ae47fe6ab0dd1e57d5aa2c2bd438824f781a5c32a686b090de73208e2e2bec1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcsMAkAc.bat

Filesize
4B

MD5
0ed1e3d811ba71193371a9e3ccc4d0c9

SHA1
7056c8ee54aed40c960a344d6af20327b8a2e177

SHA256
53dfbad3b6ac35b0513d85c4b539c4325cb371ddf6d87e66ebfdd8035c73a4ef

SHA512
30efbd22b3d80e512c177862ad071b0fde6838bccca2749433de008a30a322bc1479af5f839fde6f682bafcc14a8663e3cfe3bb3b52f012705770b3a78e15ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsIc.exe

Filesize
230KB

MD5
3428fb96e9fb8c193c5a9266a841af0d

SHA1
bd1ea0743fcb924ea288ff2a7c9a6986518f9ec1

SHA256
f191b1b5a33f0eac2f8fb962690a49c565eb9917ad684a347153cefdc0aec0fd

SHA512
c51dce3c8501cea2e05dfaac1f78bbf78c0f6ba94c9919ac3474989c41408d795d27d11c80a38d96e7b7af57bfed39971938a088386658c11b332c4695b8bda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gswO.exe

Filesize
226KB

MD5
01cb90e409eecabbbccfa2f4772a7dea

SHA1
447d5d0a8475586ff5b71d038582d9bf784f069d

SHA256
e5e7fe855dde146b93e6b4f5f0c3bd723dc83a9c19a25a9a7d1fd60ea4785e42

SHA512
9ddf40a769111aa378e32101e0d0b67cd468fba7996f888185ec6ab3f096e48594a40dce7b670b573051d4bfd99c80c450829be091f23347c9da06dd5d9d7c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMQggUgg.bat

Filesize
4B

MD5
a24abb46baad9d376a39b805b478cc78

SHA1
17100071015aa0912740544e8e3586c645664e8b

SHA256
9aa00da5b7b30c49d8f1bc89861d405220f4da630c9aa239f05934136914ada8

SHA512
99287619aa16db586336de7f9d04181774834aef8476c1aa14eb5dcab92651d4b22b034aba25fd45fb8c8ee5bc4e4aeaaa02eb48ddb9b3726d0b347a76859554

Download Submit
C:\Users\Admin\AppData\Local\Temp\hggMMwkA.bat

Filesize
4B

MD5
dc8abb54f042d284820eb6c12d436b59

SHA1
de641c15d625cd53574bf3f2b67f981465bd20e8

SHA256
bee9aaf05d4d386ffab7a95a8f3026fbd491a5f0f8a288b72934f56fba6be80b

SHA512
c82b4933d50ba6cd98ae0654979d1589411285529c082670b15c82446091a77cc817a27b4b0c2e607c8865fb248cf9cb38c8e029a38afcbac92d0335f814a07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iCoccAQw.bat

Filesize
4B

MD5
55177458d5c1340c8a2b461fa91d570c

SHA1
ba60c447570699616c111d9c47860fdb6c55b04c

SHA256
9be590077327137aa72990f98f9b5f2ddcdfd5f5e28542b7f4a49bce8361ee48

SHA512
d50faa2b7c77aa4a415e820d6cfcc14be3c33ef7ba8c0503784fd7cd3ef33952e746ef33fbd6c0dbf091759575f4cf5a98602f31787f47ba618d15e2533da67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIQA.exe

Filesize
237KB

MD5
d4deee96cbc5c202086543d81132b10f

SHA1
867dd06a8f743404afa429b5806a6da744a00c42

SHA256
e267984241d7d566a84b139e5a2adb5baf54be37fd4cc218b3fd8f9b2d784a2d

SHA512
56ebe63e0c6116d98d93160d39d5ce2bcdfa00078874b1d47d6ec4a3dd84cc7416432073be3af644e6c8794b139db95b434c67e0065d23a7ce1c254e4178678f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQEK.exe

Filesize
226KB

MD5
81f01592b3d5ab494cab1510000546f6

SHA1
b7afbdee508f012cdb7803338c6d22ed4e672d61

SHA256
a6b39eb33456759d35af048efa69a295c31ec3cc90ae3a40105761af2f457a90

SHA512
421f18ac7e0e2d2d62fb202762d1ce52ebb786cb06133461b610e86b212cc766e090f487a5d1cff46034c1de6a5d9a4b89a4788c25b4aab816c5c5bc36808181

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQMw.exe

Filesize
740KB

MD5
71cbf10463de443b7194ab5a10c2adb5

SHA1
b67e23a1b7b561990e91ae428efd6c5aa8b47627

SHA256
b486e621e222b82c64d1e1caec847d524e2594de18bb27f6a4e881cce015f74a

SHA512
260669720c47de79e03872f69f85a57b8ba76f02d46c958df567586870645d1fc95ee813d73263ac40656b93540b6eb4d14c51caaa23de025b00aeb93912107f

Download Submit
C:\Users\Admin\AppData\Local\Temp\icYO.exe

Filesize
238KB

MD5
cd96e31880a10cf40b0278fb2c6fd5fe

SHA1
c35ea1615d37b42c0ac2e6aba64cf389a7657713

SHA256
2da07369814cf709d706015c22f5088b1496eaff76c2bdb4ecc6dde3578a69ac

SHA512
2cae052197e45f7666ca31e02d4e1d231054ed1b522316f2275dfc040b736829a8d4b4a0edad5ec79ff1dbaaae1075b0946118b67bbb036f88a56f7cf52b4fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\igAu.exe

Filesize
322KB

MD5
b2e176521830403082f045843991a1c7

SHA1
5e570232f98c402ac8b3264b1c588bb766668ea9

SHA256
64f1ac8a0edf0af4081f291581a663f35b535959cba876c7cfc8ab0138f94cd3

SHA512
9d899112f0f2f9ec8e71192e8f2a7133a3aee425f366b49f80b68242cf047ccd3285a28a508528498d1198905d5c1cdb6a9e7d614d336f6b6dbbf852f4e611a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iikYAkYY.bat

Filesize
4B

MD5
f231ea46770c07a4bc48c1e54d739773

SHA1
5a1d3f834bd0314b8babc00ebaa409b91c021cde

SHA256
9cb4dd71a44e984c3387d286961c3bc6f0983f90486539f8c2ba5ef8e8bd146e

SHA512
daa8aa112f4789957e6a9ebd020ff66d71fab6893f5481a09d91800cfdc440ea58f5cf50e62a6bcbe26217f9b5b36ebcb2dc5e674ee881ecd93f903446ce1455

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGEYwAEI.bat

Filesize
4B

MD5
344090edc6d2f58320b07fee85e4f75f

SHA1
88b4de4e346a6a264222aaf76575ae5228b4c2d7

SHA256
410f83a136ec615d000f21276dc7ec32628c542750bcd912f2734859115a836b

SHA512
17bd83b715407eda7606057ee77cb99a43b708f02620748fd1f490b4657583504c0055fcd9a6d2025cd8620231dc9ea74b00ca888971dd9abaf31f140a027743

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUgMQgcQ.bat

Filesize
4B

MD5
c2c98c3b7732ff76e7757c286c499de5

SHA1
cbf2674cb4c545f0c25c1e9c94c37926f9464cb0

SHA256
724be2c9b8f39b9f60571b464e0f918721df2c99791dd206249eb4ba01e687ee

SHA512
d561d234ef671c0abb0b1d7be1c06e74b9da7ba6aa648641a9ab936ac014c1189f3ca59fd0822d75ff8e49e7c09769620ba0c39a5073549feb4e1663054211af

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEkI.exe

Filesize
236KB

MD5
b3b46528fcc422088adf8e6c3e11498a

SHA1
69aa945463b1a7285551d183ad77b2fb4821b4e8

SHA256
543b63b87d8c4dc0c3a1998710d387c8c25cb4a2a43c609aab07368f6c1dd20b

SHA512
d08bcba8867ce263c9fb027b9c4d4349454245c78953814505fff4bce127198a641ca0a70808875ee75484ade90f2b7bbc694eb3a2c607b8d7011d9efda81e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQUs.exe

Filesize
247KB

MD5
db8833124b9fc42f1ad525ccc2585fc6

SHA1
e31469935967367c32e84c1b3fa9c6bb70e15d2b

SHA256
45f8d6c0e695ecbaf14de281bb48edc99ef45df4b260142dc78bb00a19f3d949

SHA512
d982f7c23ae751a6d75e95d3cf6e95460e898d2118e25bbb9a028fa6fcb8524893c0753680712a8880fb777d709024dc640a8fa475bc3ce562e8aebd2f9d518b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksAcoAwc.bat

Filesize
4B

MD5
2708e72d4d9c345eff48d21e665d4e4f

SHA1
7d9a410da65cec497109bc2df1a25ff900b36e1b

SHA256
dbdfb11c273de6f4b04ddec16c8f45b07f04d599de0ca1daf85cc30cc53c8ebf

SHA512
e180ba314dc6abc19949bc3a05a9a12abe2d64a9e66297e123e179e56e8615a188f5fc066b7f141c21e3f8d0117bf98ea4ab77060f21b4ab76541efa9e75418d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kscC.exe

Filesize
638KB

MD5
74e50221d402ba15657cec83755d4940

SHA1
aee436df091569910bc2cc4847a702d9ffcf2190

SHA256
304ad0ff1d3155dd6bed7cd3acfd8c39b44d6758cc696193812f1e56cbb0635f

SHA512
c1580f7d9ae435dc3cd4a5059f66c0dc2a3076c0bb38cf702439cb3408633379a973473f15f6f1bc45e1b099c05c24ff7881053a40b2551d20009fd6862e6733

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEAk.exe

Filesize
237KB

MD5
32dd0d4ee4a2cb3d272de38cac3d9854

SHA1
87e030424215bf3a155cb2fe9edb1d43a81fe80c

SHA256
2d73af9b30335e0bb363f079c7c27be404a9323c1f247b6a9355f93c18edc71d

SHA512
f07a9718390c38cc1b6a4e0a27cb8dff01fde6a4f4862020012facc6c41b893e9f64346774fd6e6d4838a2a6c602b000d172c70abe72ccda4b55545214449ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIUy.exe

Filesize
235KB

MD5
92cbb805db11771fd78aa796a3613da4

SHA1
d4f515dba2070c788de38d8439afa49e03801c69

SHA256
d59370a45b0cd825801de3e7c19ed1526c333c4287a2b106af6935710fb5dafb

SHA512
fba82d3f03a9f6d2b8fb67b18385c7e1e5036cd2318c06b94ccfc23db0570a138f6b3060a1788f933b284ee6f849a88969dd71d267ca1201aa5de49674a20daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIsgAMYQ.bat

Filesize
4B

MD5
3e27cb2c0031b9cc5c29ede45da41721

SHA1
403180eb7609ba3426f2cc819d56c5cb835f9ca4

SHA256
acc780602834cee4977ca2d85ae6fda299980777fbd4f9930aaeacb707f33b81

SHA512
57e2da9d5d26b45ba385e190e289b26fa9f6d2cc91c5353366db050faf8c626e942718b848986215c75d70d3988c49317ad0d322ea7184e3ab68170f4c2830b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUcg.exe

Filesize
234KB

MD5
8ed7523eddad3e01bf77de30499dcf5a

SHA1
d74a5a66932564465423337b9d295993d062f51f

SHA256
0266bbbc0f305131cddefbdd01c89af27fa7e603e346b7c7b1d3102dc8a04f93

SHA512
95ed0a04ec9bdcfbe2c169f41b73d5280c482fe21dc1ec2b15b16e5a75eb8b9eaf105d4b448cda493542275e35c49075200cc0669f5a543bce541e1881edd577

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgIC.exe

Filesize
239KB

MD5
50de0d4e385ba8e1e5294426cc60369f

SHA1
d6311def96b9971a28c1cc7da74af46145f78090

SHA256
c12968a7a8a84027ccfb885f248d76a7995d5e641012740f3552677965fc4692

SHA512
88b7fcc0d97fcb621229856066a90fb29b526da01714a11c03f053d0f94b782177a34015e2ebfc3027dde9f12697cffd402d3e3fa363da93e9d1548965d80b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\mswG.exe

Filesize
239KB

MD5
25c384f5f3ba32f1d4f34cdcf41ee1df

SHA1
fcbb09db1d3528f0d89e97383db5624ecaeee44e

SHA256
eaaa403178d06141defb423f6e5af3df300c4d7d39cce0d7c2b28c6ea3db7c7b

SHA512
080fa4c0a2a196376936736545af0af64bba4671e7d2007d9600d0174b9521a926ccd40d81b43d55e4b52ba58d15b66549bf3de954762af2d03d1eb7f22c9574

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMcEIMsw.bat

Filesize
4B

MD5
ad1e849015bdd1c874b7c6f0dc04030b

SHA1
2430f97c85999164624dc95044b0e0d03585722d

SHA256
a0a310051ad456a240ba1479b4c106728e1ca8266ab4294b881b405e4fc97c0c

SHA512
f7a7fd9e94a8bdbcfefb710cf0bc34cea28be956d70fa305f5294b57df2a918d6fea42b2a6c66c2b1efd624a1b62c74280f84e8c1a2c128be5b23cb53d733021

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQMcoMMk.bat

Filesize
4B

MD5
daca9ad0369d57abbf97766692dbfa27

SHA1
aff9588477bcfc57e3e8370b4e2e799ef0b646c0

SHA256
855ee39a22f4789c0b086292180b8668e481aaf57c0862373ba803805175b6e4

SHA512
1f764fe6733edcad4cb22afa57f26ff30ea1dea766a09d5ebcb3aa288c76bb2fb2165278f2f24a0bcd0e41ebadbfbcf2a5bc6fc3d9558a437e5828bf6b0947b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAQI.exe

Filesize
229KB

MD5
bceb4c5d65ba9540574e6d4684a3c5eb

SHA1
a00b6ac8f6db96b513a7d3a65cf067f2bb507d92

SHA256
b1300c81106387d127729fdeb3b08a8df954783b6b70d8039d580151eb75ffee

SHA512
0d7f3ccc439f0d5383c90a43a9f66828da4d7d7a436500d225772642d5376c4e6936696e2467128f6cc933716ed6813a87720d0d2c48eca5e40b579cd3af2d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEcY.exe

Filesize
236KB

MD5
492fb1706ee6d5539fec62d51b22d1f8

SHA1
6ab7ca41ee5fba50a36e01731fdcdb85ca49ec36

SHA256
8dccc68d101d69ae3dfe37505acf27e07f27286492fb7d0d2cd9f3f2ef250916

SHA512
0a988aa7fc2fc2d0c738ef134d5fda160ecfce45d0b68d2b2f29e9a18fa170e9f37d67d5846f0477b3efc9a625701a6496a5e956cffa79570bfc7c7ec85eb649

Download Submit
C:\Users\Admin\AppData\Local\Temp\oWskgAAM.bat

Filesize
4B

MD5
478f7fc3e9a2d4a608970369fc7c3bda

SHA1
eb49fefb63d07be614b2fecc6ace4efd5e766bb3

SHA256
8e0a4159e8df2ae1acee8d0dc6c23ae8b3af10e651b4f56a7c08be2adcb5abb2

SHA512
8ce37511d18b92de4e8fd7265851cb274f2d8d4c4ae2ef57da514a4f68e6cffaf1d56ba3a9e399a42fa5cf7d367a32e8dbf91ba7189d1b7a10f183cb2370154c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogoC.exe

Filesize
230KB

MD5
bac02f69d921d1e4a168c226c775134a

SHA1
29cefd4ff28571705f0f4d5251d3c8fb1e580edb

SHA256
954f695080a0f6a007ba6316bd7c432dc8dd3bd281f8f90c437b31027a34ce66

SHA512
62cd758bc19ce4d99e871b72aeb7b51d73fbf7b67e8a53ad63b3fc39a1b5d91b56fdf7854feb3ccf877f06f3f6077ae471a9f2044f86e8d1a0d5a85b2a1248b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooEe.exe

Filesize
219KB

MD5
9e9834543f76251d785697fe277c5d32

SHA1
62a221ac140ae78e33e6591bfcbd5d39ee97a0a0

SHA256
e4d8444a3a848d3afc1245b0c1982fcd33f3cd3e4a9ca2cbe305ed2791b1f4c8

SHA512
cf7b85bb03db901a8c6b09cf0ee6ab743927bae2bef5f74b5a57e15bfa879acace6d96d911b855fa8f244fe77b3dd36a91235035fcffde9eb44fae77979b0bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooQE.exe

Filesize
232KB

MD5
6e1a76add07c749cfc853ce10495c7dc

SHA1
10ed7e04d50da9985a5166ddf7f009b8cbd823d0

SHA256
8efc9403a63e85e3d1df614b184f09e33a8fbe51655d993b3291e40a8a5f646d

SHA512
23d246f7b41809538ca53b642056409f21b5d1364cb5f6ab9c0cf7879f3cd0a25336ea9a1e02d96a7273aec3ac7e7fa171790d96e37aaf0ded417c928697e5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\oogk.exe

Filesize
1.1MB

MD5
d63f21f6257a7051e7f075a198a20a2a

SHA1
d026d10a4c9de93b5cadf570dd7214976a4c5350

SHA256
1920199e68f866cb5d25144207dabb0a4d22925d55da101fcb74d38e30d44fbd

SHA512
2f46c7e9d699f5163bc06f2a4011716feba953f3aed82054fd30c9ae6572325e0f44bcb067d9ad91d9d05b491e1dc4066759c89e4049fff3a83d25280132a8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUokYEgU.bat

Filesize
4B

MD5
fc9a7e0b062c11532df275f3b009d993

SHA1
7121eea06c796100f0d1125fe63dee7f06a3f12e

SHA256
1c35662d9f76113aed79ce4b65ffdd0f18e5e47eb815022aaeb86fa5018299d4

SHA512
0dd537467e49f952b27d9547f175bf0eb44aa707e869f95de1767f728b9ab47f7e2df98dddb98d27d4c0e7dab835feb7381ed9ff4ab05c2ee3554e3806a26bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\peoYQsgQ.bat

Filesize
4B

MD5
d09a080da2596c4abcb82b9fb4194d43

SHA1
8246aaa42344fe8c267db06e62bf1e0ec1cf10b0

SHA256
119c26a07a8ddaf373e946fea5a377322ab8877e76e624bf7e48f4c307b520d5

SHA512
b5cc98506721e7696068dbf09683b8d24eeeed16723c2dd75c2f552bace4faa84a0418a0eb884a30795b0891e39ace5dda92cb342c262b2054a361008a287366

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEcMUgkk.bat

Filesize
4B

MD5
8d2268d59efc1f71b567a49c8e50acd4

SHA1
84489d7d0ba8c7d14bb83767c0ab33b491b6bf98

SHA256
4d012ffa5aa279306b08ae31215e0942158207fd4b478708ca987806301b046b

SHA512
0ff18cd00c402aa74335837c707a56df55e83192714c49cb643e8ac95c89efa7bd7631e7a55a36762e01568b9af79c0c99ce8289d12e3d5707c19fb90a1036ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQEw.exe

Filesize
231KB

MD5
1809e98374147dd46d317b1abec14088

SHA1
1cc49529143cbde4ef394499690a5e433406c8ae

SHA256
e591b9bff3359559206066f9bcf6e68e0551f96ef8119f6c95411f7f118fec3d

SHA512
d270a085ef230c6891e9747f195892b5693364077a6f68fa1fb074e51fd659f073142b0e739e72ab8ea593e063481eb8fcb30e4d451b141f153386fd449314ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUkK.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYwe.exe

Filesize
1.2MB

MD5
05a4b4c63b89e230a7f0ea1dda5806cf

SHA1
354eb710512fd185e398264b20aaa212b3039bc1

SHA256
47a3e69031d8266d684871f4f0851a05f703a709219d9de1136c3bbe39d02260

SHA512
c74e72e9354a94477994907e89d4749a49e3883f2c6178316d12f4be3331a0cce90045d106209dab7087bda2b53c8688a5a51e95d82ffd17076789a0a95bc5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkssYggs.bat

Filesize
4B

MD5
fcf86f779c19d7828522db4dda94ade5

SHA1
7b5246912365bba1cf7c15cc94c1026df209e64e

SHA256
64afdab7519b2da88875c99b0b5252f79fe917a56e040bf52dd6a9bd6e60e6e0

SHA512
64c3eeef6243f4d46bcf68bb1cd1141c48bbe237644a868a033eaeda6bbafe8f37723f501230129e57cfd7f4e1804254babefe5057b9d4ff1d2bd533b7e8d6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoQy.exe

Filesize
246KB

MD5
e8bcf597190400479239c3801dfe6279

SHA1
fd6361b8a512a652ed0ed7c3bd52473bb7a1d569

SHA256
e7b5ea050df47fb682cc8d69924b31df24d5c9702118ec9274f871187e52d506

SHA512
6279ba4198ee15c26fa38abba298d15388fdee71288f9734e57a0cce2654a3f374e2ae08c81ed66850a9d185cbd798d258e73b86e53e7631227282e519ae6cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsMe.exe

Filesize
1.4MB

MD5
0f2a9f7af406b262031d6ff594e0ece7

SHA1
3fb0118b4c8aafab476e98d59f32b8ff33f70a40

SHA256
d5181a3f394908ce71dce00bbaec45abc6f67d98f1a4ad9e89afe2bcb6539a6e

SHA512
2749378d10e91bb8559ccd88e590a1fe119372ce12d0e84ad7518c855df4ad383001dab07aae9a59d7858ba3010c4369b4837296e2eebbb1b5237fc23f1952d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwUO.exe

Filesize
8.2MB

MD5
c2b92fbf44df6e6bc4dfd148a7b7422d

SHA1
9e9b5f1e764087d753ee66ab5b01d1be8c8b6924

SHA256
72024014fca23cbb07943a3cab3a66fdf9ef759fd2886510c5b79e527fcbea3b

SHA512
98a6a3192182990bcc4d8efc80d1ab95506fdf32ce731559ff4cda09a69e7257651d2a1db30a86350ef529411b2bf79c08fd26b8909bd6fcdaacdcba8dcdd3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\reQYgoMQ.bat

Filesize
4B

MD5
c38fdf913fca5208b327659e1dd35a72

SHA1
617fee8beb03dfe86394d3b25e0f9f72da710cd4

SHA256
f46d2f6e5beda3e5977bee63773ff7225f22caf9db84a53df3dc24c34bf4c46d

SHA512
bb7c7891e76e7b9df54103eba0b72d923ac5d0d3578d306de1c4393df26c6c8a0aa563f642f0bab00abed833180b0695513a6682fabee7f5669d5475903403a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqYYAUEg.bat

Filesize
4B

MD5
a64bec7215aad88c98fcbd819fdffeea

SHA1
4e7c18c288e0ac39ac4822fdb3239a21616ab115

SHA256
b389f338aa37c59d445e8ba9c0912987f83810bf3c18fc97a755f7e81bc5f444

SHA512
e6ecd53afc62af88e42b02378ed4dc7398ae924a7561ee7d4bc590fb28883caf6be9440305294337c89f2ce51cff43e3c7823e5324e800bac1f213d3a3d5f5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqkUAAgU.bat

Filesize
4B

MD5
3a87184f69fdc776194d4d1a8ac12050

SHA1
d910dacb407c746a0ffa91290d16344c884e8008

SHA256
7f4d213f69919f23783baf240a3242a8e43eb8ae550aa0934cefc3d73d153a77

SHA512
eb763b8824ac5782990f8641ad4e83dd8166de7305a15a1e1a4bbb0a8b57760bdaf153a79589db9628e6bb660aa190ede1b1391a2eaaf360348bd53af6745cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAIE.exe

Filesize
1001KB

MD5
d8b2232302934488c4b74509c9422681

SHA1
6ce84bb71babf968476762fb36c1134de54ee1a3

SHA256
ad76e62f278bf27012e08cdc75dbc854e60ab333cfc812ac4e4f5057606c4f3d

SHA512
d59cd827d9680b458365dae8bbe5e2c89b470a7925e3d3f96bbf8ece9a0bc5503754eebf0c6ad47e6c5a99fee8ebeb847b9c9a3059ae1d11c0f839d3831848b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQkQ.exe

Filesize
957KB

MD5
894d935becd70d994e8c302de5a2c275

SHA1
ce66e50b5236e803b0f8bb37267a77cd8c48aa2b

SHA256
2594bca0f91a3fdae352c091e863581cf4e2283825199afe17ab266b77ce7d45

SHA512
b51e3b3ba7b2d37d232e9c3f172596ba920540a766cedbedb049c2b4bf4086ce7432050fdb69f97ae4423be1ec32c10d249a634fcd3a6957522d3800f648a567

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWMEwgEw.bat

Filesize
4B

MD5
54cc4eb649a1413aacb667674fbbd18b

SHA1
64b93db245d255bfb9693bbe400e602b23304e3c

SHA256
1408477fa4f30f4bcbe4ccd89fb467a394595e31abcdde65f1610e110e33793d

SHA512
6f5991631decb25bb23f010542192d4a5d2f8926e9f0890b22c120f0166ed758a7228ba92ea2be4394467c2c11bf1356ea1a6c426fc67052d01a68840772e6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYgsIwwM.bat

Filesize
4B

MD5
26ca9670df294989e447fe0ad881c840

SHA1
bcf84e85505463501399171e3d2c2b580e48fdae

SHA256
236da5de08403c502d4c5459e418615c8b6c7d68c3cbedb5353036c32a2983a1

SHA512
0b57933ce063b4284feb4da219f6abdb023fa62cda498db777b0e78c9af0a4c4968d58597855cc730bc9b68253b824bd9ba785cbb78ab3869a21184b0aa016f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sckC.ico

Filesize
4KB

MD5
68eff758b02205fd81fa05edd176d441

SHA1
f17593c1cdd859301cea25274ebf8e97adf310e2

SHA256
37f472ca606725b24912ab009c20ce5e4d7521fca58c6353a80f4f816ffa17d5

SHA512
d2cbf62540845614cdc2168b9c11637e8ab6eb77e969f8f48735467668af77bc113b8ac08a06d6772081dde342358f7879429f3acc6984554a9b1341f596e03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgAUEMgc.bat

Filesize
4B

MD5
6c8ee5497c8fa7a06b163aa044126aa6

SHA1
308f139e760f36fa94ec6be512e4c69d6fe85e67

SHA256
a6d0c66bb43345f29178659a32aa60a168433e2f99aa223e08358d1eaa12f6cd

SHA512
3783f0e8c6d9cdb7acde4e2bf0a7e7151940210635d19cf8dc1ef702460359a5356478435522d5eb0bd00f8d3f041b00faccb977bbfbcb615cc986c0cc6374b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgcQ.exe

Filesize
232KB

MD5
2981ba052bc948aab893ddf3bcb138f1

SHA1
d8c770292c0a0f0401b2d3afc2bc3419caa0f9d8

SHA256
056bbb60bd8dff63874887003341e97f494ffb47a32ce94458bbe2d5d6e582fa

SHA512
ca5b19cf3f59d31b3c55432f7e13f0133a6dea67961fafb5aa8a2a79ff7dc6450f54a118414155b13d88e80d0b38c47c6584cae0aae7ecc9778df728beac93ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\swMq.exe

Filesize
581KB

MD5
c344a4c035592586b6fe5e61b308d8c5

SHA1
6fd4557db4ed9831ef1606b7f7eaad79a7a9fadd

SHA256
0019ea2cb38063c2ddc8126c6ae5057dc34a2d8c451d08b215877cfe1ff3252c

SHA512
98a7e918b0350622bf811efc8681c1d0997bfb95c9d7062e276eb58f51c4f7db444700050d39430d73e8d3e9e58490b27112aaae4ce304406cc840a321186834

Download Submit
C:\Users\Admin\AppData\Local\Temp\tCookMIg.bat

Filesize
4B

MD5
6bf3e3fe35556b2a8647a64ac8160fae

SHA1
8325dae5696ebedc974b285ca8449cdf615ad682

SHA256
f11162f79a4e887e6ae71985ea352207222a02ee385f02d706fc4fd6884c9174

SHA512
c55ad22b64d21e6853246667983dd74f8be570060765e0eed0c1127df1f6eea364bf810418ffee44d21cfafccdaa548754c6ce4a899edf7b1ed76c37ede34853

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEEQMAkA.bat

Filesize
4B

MD5
abdc010e765c5abc617b0328bdd42a06

SHA1
b0f181e4d533010d941808996860a947b4bfc794

SHA256
7a277c7b82b66fb3b3cfe1f84b30c82d8c9367b61ec001c25f855c1d8d6a2883

SHA512
156afe56ee673d23d42ec973abe5733b61ac8810519470802bf5ddff47403d705b3d919a04c550d84bd0dd22ad904c38f74eae31a3ed3cf08134bccaf4461468

Download Submit
C:\Users\Admin\AppData\Local\Temp\tOAUcIME.bat

Filesize
4B

MD5
f00515fddd4dde8536304351b7a4adc8

SHA1
dcd5e275d1d4d6907863e902fdc9dbf9e34acee9

SHA256
826b27d9f845c6ad0f3619a44cc9047d56b718998bd88b7245ac477d0769ceab

SHA512
4250d44990c7f584d8b0b0478ddaa96dc8f626f78057975deb91d93d18c104a2afbda4ecc57cd21f5370eec4958afdbe265fc539fcc6217f97ebe20deafea075

Download Submit
C:\Users\Admin\AppData\Local\Temp\tOoMMcoM.bat

Filesize
4B

MD5
2dda7b37bbd2ab56df52ec4e99178340

SHA1
215706806aaba3d1fdc6c5608005e7062eb958fb

SHA256
c108bfe00e07f572440c385f4d11a911e36e2cf0b56296d3d383ea005465488a

SHA512
fad6c4cfb307bdeb59ed79bbc2b9992ce16b5ecfee7211499b775d29ad3ea85920e6878971eb4a49e12f7b550aac4de0fa7c1a8a818761c886160ba6f636acdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tSMYscAM.bat

Filesize
4B

MD5
00dee29c09db99efe0d7d035cf7c1b95

SHA1
9ea1d0639f68de8d68ea8209df88c31010cf9dae

SHA256
2d7f22965b803bb88f7b99bdcefdf29f45de258fc28af34c94eb21c07702836e

SHA512
ea66eca7af9bc97ac2994c59c98a38bff17d3aa7622c59d490a369d5a882ed27643c0233d3730d03b09a42f529b6c7e912ad0be39fcc1999d4d2e5d352ff1d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkEUcUAY.bat

Filesize
4B

MD5
d479ed595958d513f6e906e6463c8233

SHA1
9439dedf4d86fe706180a5f90806014783773b87

SHA256
8157c5ac21ad5a3a6fedd9769e45617a482011a00b7215711b854be6f95b1b73

SHA512
5dc90652824f872b1dc5c0127158c78b4f1132cc2cdb8d73fadcdc224f6e7556e05745bcdf1ae29323ec12b35833420729358b0ade95b79fceb05e72bbebf1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAQsYcMM.bat

Filesize
4B

MD5
ff2f558f6a99905b21155c93fbcdebf2

SHA1
600cad6c88ed3dae031ce28f59ac277a7d6d1602

SHA256
be88838f82b182ff60b3ca541a1c77c11769d9683696da26efe4e01f0ed9b84a

SHA512
e97e7277ba110c3bd716c8e8084090ea5cddcf3e7d76e1ee895e1f40c2a0af91db3b34593b25c2e16b03eb40bd0afbe90b5c2ba2c682aa227e9e6582974f6a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIUq.exe

Filesize
234KB

MD5
12de76f0f2c216160967da06f19f8073

SHA1
7075e86e9e943a1b6680a7611f923581342895be

SHA256
7e941f7e5a3840a1c7496bc929207a60a466f8efcc5516924e0614e4df3d46f6

SHA512
56b7b9133c91f05f53a9a53b6c527872448b9fe9082f0ed5f072d7caf13232ea5eb454ab2a8b81fe7e17286a3030ce29549c8d17269db1db0d5a7bcb0771bb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIgoYAUc.bat

Filesize
4B

MD5
fd622b96be518e3a1d6b61527f2a7c88

SHA1
f15bdd981beed7fd6acae199f4a8ee0a33a2b75c

SHA256
c9f552ba146cb40d8f2c5e747efcc971c82e753c5157e6834b7798443953979e

SHA512
eeb24df909c1c9f6b09c5f34531401b4a205e2efd32e14ba63a43c0686f116800c1922e959a2866a98277e55180d3c4d8c11d179eb755b8c34ba767f418e17ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMIwMgAE.bat

Filesize
4B

MD5
4c48f75372a9f67bcab5f8489c4296e0

SHA1
10ba1e29da638122922f2b7de2550ecb88a2ae8f

SHA256
ac43b62b34b94e5d7f081a1689140181c434fe27d967d6cbcd8233ee7ec611cc

SHA512
78e026ef7044ec1ee5086988647edc3f9e0776a73eb86207fed2395707988789602afebf1cee61cf8d00460fd4bc85cde6111caa8cdeb0c4db97d16b1a1aecb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucUm.exe

Filesize
413KB

MD5
bdad059fd942c34b1c275e3db253f7ee

SHA1
737c7a9acec74a8ae6cb05e027057e6048178971

SHA256
c86eb71edb4459a498bc279742c9f691ca24d168a8c32ecd2e622a6d4b7f3af5

SHA512
46ebf7c1a12e9c7622568a8001edb80638983e8071baf948bcd164db03137a8573d3dcf7e2bec635e20a7caadb2aa89587aabee46d9416543a9e83b982d92e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugYQ.exe

Filesize
818KB

MD5
4eb960fa3ab62fff82b1a5a0ef5c5f0a

SHA1
a964975f9d4643454aa142fc59212bde11ae2e33

SHA256
391aa6aca604f06c515eef2db4c6cbec1249f519167fd26731dc34a9c5eea09a

SHA512
0bd1c4e24c4e222e188534e43690f0123aa48a6b9b6044c8fbbc8b5d2b17df7fb244f302f41231a1dcd0ad26d426d8bddb558c713254c13f8e1c04e99bd91457

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukkIAcso.bat

Filesize
4B

MD5
a3ab5749a31515c7f2aa512a28fa67cf

SHA1
0f21655b6d6bb419daf2d27e479cf816ec3f6db6

SHA256
8bac64e265025c928a7025c93d5170d3083431d7d2a0affb0fe79fd391ad14f6

SHA512
8916537d9f9fce26a93f66191fe6cae529e54e4b4adc305ea76a62d450f1b6e8120d1de55c3865f065bae74ce2e0ac98861a2f1825d986b9583c9682ce9b095f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uswk.exe

Filesize
244KB

MD5
d59e8dfe53584a8cadfc4022a413a343

SHA1
7cfefd26c46490fd5720378d6695a944e30da0ee

SHA256
dccd89bf6443bdebbce4577a17ab485f148b81e657e347686bb9e9d27f4a9f03

SHA512
7a7579cb486f1bc34faeb984b3edc734b2e8325b141f7bc8d088219d9ffd02aef0e9da1c819b5115d8cd21f235a243525394d291ad1cdc62e038c3f706a84d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuEQUYow.bat

Filesize
4B

MD5
7b9482e9d99b194cfc7404d1cd7a96a5

SHA1
e3aa508df30e7d2ba17746e380abc7957c7804e4

SHA256
5aedc7d947de78ba0aba9adf6959fd8a0df6bd19413a5045c0f004acdab2a137

SHA512
8cdda2648d83201f5cb90baae43202e8e872db5a42b55da21f03055f1fccc03f71d078ab822409457aa1bb625b817f0cf3929096ab28f6a8c166eae3d1a53ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwUA.exe

Filesize
247KB

MD5
bde9d678239484cb206aaa715659bf96

SHA1
4d3b7f2e9595588dfac21b67aaf295eb48784d49

SHA256
536eaaae8b2caaf86703cac146558248f8a095204c718ea850ffe29dced4bc95

SHA512
56311f38f2989981be618d89fc6eea8f61d18ad175dd59ef374e1e20cc00a459fd5c7aef00616c0bf6aafe39159351f750ed4a1a7e8f178b8eb0f6224c0cafaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vWwwYAcg.bat

Filesize
4B

MD5
6975adb55f73c4e473cd391b300d4ec2

SHA1
216bf66ca0910d41869ba35bf87bfdc8c6e86895

SHA256
b78c46f095c393a878e21e5863373f50f2fd5f970d9170437a3ad2e15e9d5549

SHA512
aba8268cf7571b29ebf2ec0b88823ea13403803e2d04c811f6ae6bced9d1ff736617f6174090ec3d370d8552b8741ab9b531c3bb6377202c7a71e21279bf24c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYQUYQwE.bat

Filesize
4B

MD5
290a47226eb273311436329eb0589ee0

SHA1
2ac7c081bee26044fe124697dce3412b426890bc

SHA256
38f23b76aad2f7120b1a79f214113c619c828f2c876bd990a7881e3f21643751

SHA512
96569693120cac3add966a6df0cafe95f45af781fcad9a666d2b8c1659f3d53c49f89a1a08db52f51b88a1999730eb4f1df402b7a77e18d5372d5c87b69c1248

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAUa.exe

Filesize
233KB

MD5
c3c32ffb13dce3aa262b4c9aa5a70270

SHA1
791a3185c5e039218ddab8e53a21b1be18263b45

SHA256
b5d4692f501db2930fd40ae09ee0f234473ed8d604b94d04ee33cba7c654debf

SHA512
82cd66eff69dd32abcca4f3f53cb7c0430935b512a7994b3b2dbb8aec07bd1076603e1a6e2a698923170bd3c85f36d25436b8d3018f5b963f58cc6c7b875d533

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIYcggMM.bat

Filesize
4B

MD5
5ac13c08f71005a25c5370cbca9b2ede

SHA1
fbc485397c3bf4e0837cecfdcc53e94a8e39d184

SHA256
8b881396a1d6a9e5266206f3c131e2652d9eeaefd4c2fed7a42488c1712e8edc

SHA512
544e895e5b52a43270d60e2cfeec464a716f516adddc3925f6848433cc801a4deaa1ecf23b953d9de87f62658e0e7880f87f2e3a3dc549ea591d488513f09488

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKUEcUgU.bat

Filesize
4B

MD5
586e22747563c44915d5f5aa82bb0d13

SHA1
2093e8b235a29efeb8ff1b677a64f9658f97f642

SHA256
4ced578f27da72149247f4daa887d21885536ec54f8e0d8a3877555f0650a271

SHA512
7c87bef2296750f546f492284b0c701ac844305f5b180e18d51f9dcce131dd005f408b2f915019d3c3799e79f049ee5a34c70f0e15843d103601ada88dea4601

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOoYIsMA.bat

Filesize
4B

MD5
8273a287eb34809cad39b37862b21d42

SHA1
2ec70db2cabc20387381c9738eec41380b84fb39

SHA256
8e2f34c88a93dc09a17cda9a2e7288d8fae39675f76c7e7d3c77d992ba9d4a11

SHA512
f9a0c2ca9645849abe8fc2f33f6508479f53d84bf27791cb8351751c09926f9f76f71c034fc5c8cb4f518a22f82552e42191e09545ba666378b84a361cd95b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQoU.exe

Filesize
245KB

MD5
4da3a9a8f6b397befae4441ea04f8fed

SHA1
6b4660455001d877991475eb4f45956372732bb7

SHA256
993e7bf0ac215e825ee3d17b793e0665b651df43d7978c1ff844f8813ca2177b

SHA512
846a9feb8a4cea0d3b2141a22ae3c4a91fb1f397de42d81b834792dbb7e48e2f6ff8f52623d4e51284d8f395556c406d8e78021c973949cf9514415db05f98dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wSkEwoQM.bat

Filesize
4B

MD5
c5a259e9d465c0d0a47b2c1894c554a0

SHA1
7ed84ab4c331138b1a127394892d361914146327

SHA256
3ffbd677354c88d439da68d14733dd353a52db4b634c521568f26dcedf0f953a

SHA512
a3af72eb7033298645d35d5baf85005230016f154d491a3341e2b2aa756a0eee2f09e7b70ae8412a6c0e357d1208bef8ac403ef4bdea8a31382cffeeda0add15

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmYgwYUU.bat

Filesize
4B

MD5
0b3c6a894eb4bbdcc86c79f8c0b00f21

SHA1
ed41d6cc38930320d8d6683916543353437997ca

SHA256
31f69496b46146393748f2a29c7d2c766eaa9fe929b41f3d6a4a8aa84a2f3f36

SHA512
612f38858fc30182f30f461364b67bb49eb69317d40790257f5c5e23f30a5cd4ad7c715f6b73fe7e17fda1e773800809b64f6016b247e74784d4dd00e07bdda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwAy.exe

Filesize
249KB

MD5
39ee79ccb1b90fe51552b9e54f454b07

SHA1
57a55c8fecfef981f7eee3b12040e7dc7ebd8775

SHA256
4e998a5eed3e8b7c7b453dc833c2dda811a76ea596d2a8dec6d0f84ed04ed07c

SHA512
b37ed486f6e1405d00fe7e815445d32af837f42782a0e819efc53a4991097b37d55952affc4bc2a4de46b67c3effbd1c74c9c03bc8f67df3809347dce3789e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwEq.exe

Filesize
250KB

MD5
39f81497a9c9b6a076f755c25828f418

SHA1
70e17006cd27e77a98e6f3e0cfcc0a1b1a64cf19

SHA256
170888c4a326e83fb9fd72de662b697b6e6025c3f1281cec8eb6f2fc5486308a

SHA512
39973d158510943d558c291416ff3a274372bfd9a37908ccd9566b7ea5244824dce65837b536ae9274607e59ed01b01f5c59c7590018c41faceaa8db393a1889

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAEwEoYY.bat

Filesize
4B

MD5
8f107665e83a0626f690a2356255beaf

SHA1
343f480c0366fab7491811647e82e4fcfdef3b2c

SHA256
88070ff8191a51f73d431736884d61390bd567274dfe98fbd77089c6c023b70d

SHA512
c4ad679e7306c0117a7ee4c0fa0bccb2dcd38ea432f8b0584db8a80e4a7ac02cba16155ed55ec39f8d03c8febf940a48dfce7d8e601ed66020008f95d0c1a35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xGcIgccE.bat

Filesize
4B

MD5
172a271dc772699ce7d75816707cb8ae

SHA1
dc816512a90909a73cede31d33e03d0e98a93618

SHA256
c1052846e092d2b3ff4ae9d72750cedd5651e31b7dcf067f33c196fb7c73bfc7

SHA512
32ac6640a848e42789e777374ff69ac66ae8190e4984f28168dee671bfbf1004d3adbf2a2d1d6f0c9446903641901b5c5a72c3b66e9102d1f2058c929d74ccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xGkUcUgw.bat

Filesize
4B

MD5
8520e79b3e55d74d79674c3ff5a9a65e

SHA1
15d51613784ccadb96e097e58245468df19606c8

SHA256
2f5332552ad9bd4c7ce9c304a76dfb6371145896e8133a97d6221eadaa1336bc

SHA512
58ccf5c132020eeed838e25e52a7ce6e1341d8c819a25f4a8a52774b33cd4e55c243dbdd1a75f3824c8810f1f4f09cf7ac644c1d511a8dcbdcdda8cde1fea973

Download Submit
C:\Users\Admin\AppData\Local\Temp\xewUggYM.bat

Filesize
4B

MD5
f1387ab39faabe433b3e2ef61d0f7354

SHA1
a3af1526cfe9fa79cdcbe387f3f941cd35da849c

SHA256
02a53b6fc4edb27b992349d8ff16c45478886d4859f43dfa87a69d5bcf850c64

SHA512
d9f27d1626c96dad7ac0a9854fe74a28c858a732c31eb3082e74cd03e2ad17643aeb394b5414dfd465925852f1d913df8131db175590d0107cb0624bbf25fc7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEkG.exe

Filesize
218KB

MD5
2d8022a552c30feb89dfd8d5c97c195d

SHA1
bfcdc7d87cd6f9761cc84ea8b36e0ae81f129077

SHA256
270a074a24c9a44044cd27238f087d5546ea505a159d9d2a09af77c1bf3e76dc

SHA512
15d3344ec1cf64481a7f6a691586d83bd4f3618100a6a7cf76ce452450f586adad2231e12c8cae243ab844d2de3c94c79142d8392dbac018f0d145b7f6b1c17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYcS.exe

Filesize
326KB

MD5
e572aebd14d4dfa744cbc1736f52084f

SHA1
8f792653f7e8b5d0df050f1fdf9c663071b2cb08

SHA256
02b4661266bd25ce38bbd6edf3b7d4b7ff07b016ff512dc529689af798325d4a

SHA512
d701a44ffcefdf1caed489944967d5df7a770f8570ad3e649cae89fc92f4c6f9031eb907ad3c0375b3780a7fb3d408945aedde0371be80916914e398b4dfa09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYksAsUc.bat

Filesize
4B

MD5
c10cac0977d25098912eaddced69452a

SHA1
20c91ec89307c296a02fe3ccf4f67fa24d320add

SHA256
c3ca01fb3d7c3c3635f21430183fa6944a3b27a2f9c9f18ef7fa8010a75cc8bb

SHA512
aed86e81318e625ae377967dfdc19804c999d0e5e2c28c34e0f4d3c5bd60ba8bfb3668f4dc13c4fe4e390b72dd74a8f43a2669fc8ba8ee355bf246ed307b7542

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygAUssoU.bat

Filesize
4B

MD5
af11f5bcb9133a2c4e3b47c7bd642eec

SHA1
e774e68346a944c195af8f3d5f035066731faac9

SHA256
a409a53d96ce5161220082048c2d31c134017c964dfe28529c2817279cd21ec9

SHA512
8c9ad0b478020b57164c3bbc0a1534860c77d38d77d4936e82a891562dd646803068c537bee6e884a4a572e653689d36a406c1933815b70a2969b3af23127015

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymUMMIUQ.bat

Filesize
4B

MD5
42c7d41d573884cb05a236df5d795ebd

SHA1
eee4f43d766083ddbc7eb7b11cd56a38755e1ba0

SHA256
40d1794538a0c53c04b654e9acd4a8ff0f6495a971ac746dd4c7a98f92dd5636

SHA512
6c2bd0b8ee14578ea8cf7e954924b42cdf8c5141d5c6666df00cc3d758a13ebd6c7a5019c584a7d5f2ee439b260eddc8d8998927a9d2ed07a4fd55c3ebec06db

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoIG.exe

Filesize
4.1MB

MD5
9137c42cdbd6b28b57af2c8afde4f43e

SHA1
a7b350b0e015cd189d0c1ae54fdb13abd4e5b2ed

SHA256
6cf76abc819947f265f52d6e8e68273cbda090a238acd3cde4f3d9b1b7a9b4f3

SHA512
e136811bb5cd9bde47c0b22810726cd754cab6066008c727e017945c2d83ee14a8fe16fac2f4628d532dac746f0ce0e8bfe35afbd501abeb759f039a41913b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYAgswQU.bat

Filesize
4B

MD5
d96d58b272ec074ac243547d7427ecad

SHA1
207b4b2934317075042eb4100746f62281184457

SHA256
d5b4a928fdbaac1faf86d7f05cd2c2857c0ae406812a12ea465b0d656f72d734

SHA512
1acd54ebd7c4c2bb55f42cac624e5f36d333ca7a966a612bef1b57a237851023c87c83ba21c949899e5584c3223c68b0f82aaf51bc50149edf019644e6f35847

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeIYwcME.bat

Filesize
4B

MD5
f5c7c2ca699801a0b5c2cd34be969b49

SHA1
445d459af25923c3f99f8f88e7d7c1a37755e86e

SHA256
6ec00ca6da249df26ed0c2f954c01213bd3312cf46d033efb07248589ac22f5e

SHA512
5fc1ccc1f41aee6d297448f9086935e722eb4abc05a4a9d1520d70b089fbd485b5fd8321b791a541e676abd344f5e30c11e3ef3291c64d7e30c04f3db222e53a

Download Submit
C:\Users\Admin\uEgcMcYY\XCQoYYgo.inf

Filesize
4B

MD5
196d923e83bd58b015e3fbd3c9e5d33f

SHA1
4ae69250860197f15e43cad5c31f3fe2a308a669

SHA256
c3d2540682580be5bf524ba048c2dd2a4ea90937c1f150448302f36f16a3c2f5

SHA512
6362e3185ce55f97c347161bd23f534ce4b5faf74a38b0958d243d43b143a055ed1633a5cf24a8dd23f9beff16b3eb7d8db54d421b92fe046c805d4a5fdbede7

Download Submit
\ProgramData\OKEAIssI\heAAEwQs.exe

Filesize
193KB

MD5
9771537981a3b2a1f26e1053233ba6ac

SHA1
ffd928ac5b40f01f621496c3ab14303e67e9e55a

SHA256
3b2eed247f940ce3b3ab1a2be34395570c46426975c94ef2dbe59c794a297d1d

SHA512
e416db5a60715105c50a6bffc331016dbad93d9883ab14c06a441410b7fa139ba5762c29262499dbb2a9f0a1d414bd845512c13659920d42a39b6047fd1053a4

Download Submit
\Users\Admin\uEgcMcYY\XCQoYYgo.exe

Filesize
193KB

MD5
4c1301a43646e12362e65397564640ca

SHA1
dba59054657b73d0da3cca4018867c55073e5452

SHA256
428b34aa31944cbeb6031983d757e6da1db305a6bc51689b7cf09f630f4eb504

SHA512
69a608cef07d2f677659b1b43696b918f2b8d748a47ab54a152dc41c8d4de8fab08f4453dd6c7f367ec5314b07cee7aeb09fe88b8a159c33ae75328a2fcae741

Download Submit
memory/288-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/288-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-370-0x0000000000570000-0x00000000005A6000-memory.dmp

Filesize
216KB

Download
memory/320-624-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/320-592-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/516-258-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/516-226-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/628-280-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/628-279-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/692-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/692-465-0x00000000001E0000-0x0000000000216000-memory.dmp

Filesize
216KB

Download
memory/692-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/964-517-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/964-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1244-13-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1284-185-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1284-154-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1380-674-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1380-657-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1412-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1412-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1412-5-0x0000000000460000-0x0000000000492000-memory.dmp

Filesize
200KB

Download
memory/1412-20-0x0000000000460000-0x0000000000492000-memory.dmp

Filesize
200KB

Download
memory/1412-675-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/1492-394-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1492-393-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1540-324-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1540-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1548-234-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1572-59-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1572-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1596-152-0x0000000000180000-0x00000000001B6000-memory.dmp

Filesize
216KB

Download
memory/1596-153-0x0000000000180000-0x00000000001B6000-memory.dmp

Filesize
216KB

Download
memory/1616-475-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1632-104-0x00000000004E0000-0x0000000000516000-memory.dmp

Filesize
216KB

Download
memory/1708-137-0x0000000000820000-0x0000000000856000-memory.dmp

Filesize
216KB

Download
memory/1708-529-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1708-531-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1716-506-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1716-507-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1836-248-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1836-247-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1848-198-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1848-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1888-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1888-225-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-282-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-560-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1972-281-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1972-307-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2000-613-0x0000000000410000-0x0000000000446000-memory.dmp

Filesize
216KB

Download
memory/2000-612-0x0000000000410000-0x0000000000446000-memory.dmp

Filesize
216KB

Download
memory/2020-372-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2020-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2044-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2104-540-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2104-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2156-298-0x0000000000460000-0x0000000000496000-memory.dmp

Filesize
216KB

Download
memory/2156-299-0x0000000000460000-0x0000000000496000-memory.dmp

Filesize
216KB

Download
memory/2220-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2220-426-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2368-495-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2368-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2416-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2420-655-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2420-615-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2472-550-0x0000000000160000-0x0000000000196000-memory.dmp

Filesize
216KB

Download
memory/2552-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2552-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2644-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2644-601-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2644-581-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2644-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2648-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2648-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-441-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2764-40-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2764-38-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2812-580-0x00000000001F0000-0x0000000000226000-memory.dmp

Filesize
216KB

Download
memory/2812-579-0x00000000001F0000-0x0000000000226000-memory.dmp

Filesize
216KB

Download
memory/2828-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2828-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-89-0x0000000000160000-0x0000000000196000-memory.dmp

Filesize
216KB

Download
memory/2892-676-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2896-176-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/2900-451-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2960-551-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2960-578-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-322-0x0000000000180000-0x00000000001B6000-memory.dmp

Filesize
216KB

Download
memory/3000-321-0x0000000000180000-0x00000000001B6000-memory.dmp

Filesize
216KB

Download
memory/3004-2126-0x0000000076D00000-0x0000000076E1F000-memory.dmp

Filesize
1.1MB

Download
memory/3004-4106-0x00000000004B0000-0x0000000000502000-memory.dmp

Filesize
328KB

Download
memory/3004-4105-0x0000000000470000-0x00000000004A2000-memory.dmp

Filesize
200KB

Download
memory/3004-4104-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/3004-4102-0x0000000076D00000-0x0000000076E1F000-memory.dmp

Filesize
1.1MB

Download
memory/3004-4103-0x0000000076E20000-0x0000000076F1A000-memory.dmp

Filesize
1000KB

Download
memory/3004-2127-0x0000000076E20000-0x0000000076F1A000-memory.dmp

Filesize
1000KB

Download
memory/3036-162-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download