de0e001e8d17580cf7cc10b8b46abb574623077871384cbc3744bf02bfeb4bcc

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Size

195KB
MD5

a12fdb18d3868a6b3c58d2fdd11bc5ce
SHA1

f3d90972b72c95b438a9ceb08717e63ffb4617d1
SHA256

de0e001e8d17580cf7cc10b8b46abb574623077871384cbc3744bf02bfeb4bcc
SHA512

eea56efcde21887c39fcf7efeb6146bbb8a65e190682eec3eb9098896780a85260ca0f9fd9bc220eccd2534838238dce8003acf95d3121ac2af8f44445facd37
SSDEEP

3072:/y3uVDAnoRMxAxDR896OEUD/gqyfwkS2flMVlbBgyWvq7l2aDvu2TlQC81yXX8:/e3wK/T4bnflCgyeAl2aKK81cM

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (53) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\International\Geo\Nation	deowEogY.exe

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3032	wokYgwEw.exe
2800	deowEogY.exe

Loads dropped DLL 20 IoCs

pid	Process
3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\deowEogY.exe = "C:\\ProgramData\\zcUooogs\\deowEogY.exe"	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\deowEogY.exe = "C:\\ProgramData\\zcUooogs\\deowEogY.exe"	deowEogY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\wokYgwEw.exe = "C:\\Users\\Admin\\cGoYMYgo\\wokYgwEw.exe"	wokYgwEw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\wokYgwEw.exe = "C:\\Users\\Admin\\cGoYMYgo\\wokYgwEw.exe"	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	deowEogY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2812	reg.exe
2568	reg.exe
332	reg.exe
956	reg.exe
2172	reg.exe
2052	reg.exe
2276	reg.exe
3020	reg.exe
2680	reg.exe
1672	reg.exe
2124	reg.exe
2072	reg.exe
1900	reg.exe
2932	reg.exe
1344	reg.exe
2692	reg.exe
3012	reg.exe
1564	reg.exe
2824	reg.exe
2308	reg.exe
1616	reg.exe
2544	reg.exe
864	reg.exe
2812	reg.exe
2348	reg.exe
2644	reg.exe
2916	reg.exe
2216	reg.exe
2864	reg.exe
1324	reg.exe
1660	reg.exe
2672	reg.exe
1344	reg.exe
988	reg.exe
988	reg.exe
1380	reg.exe
2812	reg.exe
2440	reg.exe
2056	reg.exe
2448	reg.exe
2824	reg.exe
332	reg.exe
1644	reg.exe
1964	reg.exe
2784	reg.exe
1832	reg.exe
2752	reg.exe
2324	reg.exe
2220	reg.exe
1872	reg.exe
792	reg.exe
1748	reg.exe
1580	reg.exe
2204	reg.exe
1368	reg.exe
1520	reg.exe
2536	reg.exe
2220	reg.exe
1020	reg.exe
1344	reg.exe
2816	reg.exe
2556	reg.exe
2168	reg.exe
2104	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2864	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2864	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1088	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1088	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1880	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1880	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1860	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1860	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2308	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2308	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2712	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2712	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2332	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2332	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
692	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
692	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1620	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1620	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2656	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2656	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2496	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2496	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1348	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1348	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2340	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2340	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1436	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1436	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1984	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1984	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2660	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2660	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2308	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2308	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2816	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2816	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2712	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2712	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1544	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1544	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1900	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1900	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2280	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2280	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2656	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2656	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
3008	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
3008	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2560	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2560	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1220	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
1220	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2460	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2460	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2836	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2836	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2688	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
2688	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2800	deowEogY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe
2800	deowEogY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3032	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	30
PID 3036 wrote to memory of 3032	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	30
PID 3036 wrote to memory of 3032	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	30
PID 3036 wrote to memory of 3032	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	30
PID 3036 wrote to memory of 2800	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	31
PID 3036 wrote to memory of 2800	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	31
PID 3036 wrote to memory of 2800	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	31
PID 3036 wrote to memory of 2800	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	31
PID 3036 wrote to memory of 2892	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	32
PID 3036 wrote to memory of 2892	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	32
PID 3036 wrote to memory of 2892	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	32
PID 3036 wrote to memory of 2892	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	32
PID 3036 wrote to memory of 2568	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	34
PID 3036 wrote to memory of 2568	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	34
PID 3036 wrote to memory of 2568	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	34
PID 3036 wrote to memory of 2568	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	34
PID 2892 wrote to memory of 2732	2892	cmd.exe	35
PID 2892 wrote to memory of 2732	2892	cmd.exe	35
PID 2892 wrote to memory of 2732	2892	cmd.exe	35
PID 2892 wrote to memory of 2732	2892	cmd.exe	35
PID 3036 wrote to memory of 2632	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	36
PID 3036 wrote to memory of 2632	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	36
PID 3036 wrote to memory of 2632	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	36
PID 3036 wrote to memory of 2632	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	36
PID 3036 wrote to memory of 2556	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	37
PID 3036 wrote to memory of 2556	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	37
PID 3036 wrote to memory of 2556	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	37
PID 3036 wrote to memory of 2556	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	37
PID 3036 wrote to memory of 2536	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	40
PID 3036 wrote to memory of 2536	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	40
PID 3036 wrote to memory of 2536	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	40
PID 3036 wrote to memory of 2536	3036	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	40
PID 2536 wrote to memory of 2804	2536	cmd.exe	43
PID 2536 wrote to memory of 2804	2536	cmd.exe	43
PID 2536 wrote to memory of 2804	2536	cmd.exe	43
PID 2536 wrote to memory of 2804	2536	cmd.exe	43
PID 2732 wrote to memory of 2208	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	44
PID 2732 wrote to memory of 2208	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	44
PID 2732 wrote to memory of 2208	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	44
PID 2732 wrote to memory of 2208	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	44
PID 2208 wrote to memory of 2864	2208	cmd.exe	46
PID 2208 wrote to memory of 2864	2208	cmd.exe	46
PID 2208 wrote to memory of 2864	2208	cmd.exe	46
PID 2208 wrote to memory of 2864	2208	cmd.exe	46
PID 2732 wrote to memory of 1808	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	47
PID 2732 wrote to memory of 1808	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	47
PID 2732 wrote to memory of 1808	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	47
PID 2732 wrote to memory of 1808	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	47
PID 2732 wrote to memory of 1500	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	48
PID 2732 wrote to memory of 1500	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	48
PID 2732 wrote to memory of 1500	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	48
PID 2732 wrote to memory of 1500	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	48
PID 2732 wrote to memory of 1092	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	50
PID 2732 wrote to memory of 1092	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	50
PID 2732 wrote to memory of 1092	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	50
PID 2732 wrote to memory of 1092	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	50
PID 2732 wrote to memory of 2600	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	52
PID 2732 wrote to memory of 2600	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	52
PID 2732 wrote to memory of 2600	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	52
PID 2732 wrote to memory of 2600	2732	20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe	52
PID 2600 wrote to memory of 2572	2600	cmd.exe	55
PID 2600 wrote to memory of 2572	2600	cmd.exe	55
PID 2600 wrote to memory of 2572	2600	cmd.exe	55
PID 2600 wrote to memory of 2572	2600	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
"C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\cGoYMYgo\wokYgwEw.exe
  "C:\Users\Admin\cGoYMYgo\wokYgwEw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3032
- C:\ProgramData\zcUooogs\deowEogY.exe
  "C:\ProgramData\zcUooogs\deowEogY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
    C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        6⤵
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        8⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        12⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        14⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        16⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        20⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        26⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        28⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        29⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        30⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        32⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        33⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        34⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        36⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        38⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        40⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        44⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        46⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        48⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        50⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        51⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        52⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        56⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        58⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        60⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        62⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        64⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        65⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        66⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        67⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        68⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        69⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        70⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        71⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        72⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        73⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        74⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        75⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        76⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        77⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        79⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        80⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        81⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        82⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        83⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        84⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        85⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        86⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        87⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        88⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        89⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        90⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        91⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        92⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        93⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        94⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        95⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        96⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        97⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        98⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        99⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        100⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        101⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        102⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        103⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        104⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        105⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        106⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        107⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        108⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        109⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        110⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        111⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        113⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        115⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        117⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        118⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        119⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        120⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        121⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        122⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        124⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        126⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        127⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        128⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        129⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        130⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        131⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        132⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        133⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        134⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        135⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        136⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        137⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        138⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        139⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        140⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        141⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        142⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        143⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        144⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        145⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        146⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        147⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        148⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        149⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        150⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        151⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        152⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        153⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        154⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        156⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        157⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        158⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        159⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        160⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        161⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        162⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        163⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        164⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        165⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        166⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        167⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        168⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        169⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        170⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        171⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        172⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        173⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        174⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        175⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        176⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        177⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        178⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        179⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        180⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        181⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        182⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        183⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        184⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        185⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        187⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        188⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        189⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        190⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        191⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        192⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        193⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        194⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        195⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        196⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        197⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        199⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        200⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        201⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        202⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        203⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        204⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        207⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        208⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        209⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        210⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        211⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        212⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        213⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        214⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        216⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        217⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        218⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        219⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        220⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        221⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        223⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        225⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        226⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        227⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"
        228⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock
        229⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bgoAkgcY.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        228⤵
        Deletes itself
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NWUUMQcg.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gGEcMcIU.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        224⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UkYIokMU.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        222⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKYkYwoU.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        220⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aEskwwYU.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        218⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        Modifies registry key
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwAAwgwk.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        216⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VocYEAEk.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        214⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMQocIAg.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        212⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HeooUkUo.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        210⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iWQYoEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        208⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOwEMMUc.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        206⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qcQgEsIc.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        204⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KuEIsEws.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        202⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vKcUAwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        200⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HkgQYosw.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        198⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGoYAQcE.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        196⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\huwcEkkk.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        194⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKAwEgcc.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        192⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IokIYUEo.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        190⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eecIAMIU.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        188⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEUAQAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIooogkw.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        184⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lkAQMkMM.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        182⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgEIcYIc.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        180⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tIsgcEYY.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        178⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qwIMwkck.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        176⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iygogYEg.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        174⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\euIsEEAo.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        172⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IcYIUowg.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        170⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgAUAIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        168⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMcIoYIs.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        166⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGkMwMAM.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        164⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dAQQQEow.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        162⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CcocgUMw.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        160⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WoAcIAwg.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        158⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iyYgEwMc.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        156⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykEAIUos.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        154⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WSEcgIws.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        152⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dsEkMwwc.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        150⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tGIowQsw.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        148⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TMowUsIM.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        146⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LcgkwUEI.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        144⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OSoEQUAE.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        142⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MCUosYco.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        140⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUAEEQoI.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        138⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WswwgIAg.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UuYssIkU.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        134⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmIQsMko.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        132⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pCosEUEw.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        130⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RKAsMsEk.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        128⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeEEYwsw.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gAQEAoMs.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        124⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMgkAQow.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        122⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkAMoMsw.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        120⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BgMgQkkI.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        118⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bqUAMoEs.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        116⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcEgEkoA.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        114⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyIAUgAE.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        112⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uoEAgcgk.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        110⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\euEsgMMk.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwoQcwMs.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        106⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ScAIwUAY.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        104⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKAAAQwM.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        102⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Nsowsoss.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        100⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWQgkQUc.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        98⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FiAUMMcM.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        96⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYEIQMgM.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKYcYosM.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        92⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WYAIosUQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kCcEocUg.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        88⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aiwcsIQE.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        86⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rgwcMQoM.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        84⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAAEossk.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        82⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZEQEMQwc.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        80⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEIcsggI.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uuQogkEg.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        76⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OykksQUw.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        74⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSgEsIog.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        72⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIcswEog.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        70⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gOgookAo.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        68⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\naAcYUgI.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        66⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKIsokcA.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        64⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rAcIsQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        62⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rikEYEkE.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        60⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAIEYQME.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        58⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wAkgUQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        56⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\weMEQcwI.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        54⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gSAMsEso.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        52⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TWocIgQw.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        50⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RaUgwUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        48⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TeAgcAck.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        46⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JaUwkwYg.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        44⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yaEIwAsA.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        42⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IkUcEEoA.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        40⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WMgMEwcw.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmgokooI.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        36⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pGkcIAIM.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUwIwIIw.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        32⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAQQYcEQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        30⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tAYcUwkc.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        28⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ecAsoMUw.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        26⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MqowIkAs.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        24⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KaQEMocU.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        22⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCkUQEMc.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        20⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LOsAwQUE.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        18⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZSIksoAo.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        16⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSossIkM.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        14⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LSkoUkUo.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        12⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dkkAwgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        10⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmMcIgYY.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        8⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1220
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1020
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1832
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UgEAsIUM.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
        6⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1804
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1500
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUMsYwYY.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2572
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2568
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2632
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\xWQYIEoY.bat" "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
243KB

MD5
9257d63af337febff28a2e6192f0091b

SHA1
371ad53dc1a47f8b43111a50d8cbf4d82c92684b

SHA256
4e1f742d4e571620d58b1fed0bceea14e681badd2ca5fcf5f4904df8d2d3aee5

SHA512
1410195b8e0b81b3d84f3421945175a0765b2ea20b32cc36e2553e260430a6e10820b79ac2c2951b048fb438418cb7fc1fd48e5842e5ca4d0ef21f429ff0947f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
230KB

MD5
8b23405d1cbc3d81c068602e78e06639

SHA1
046566f0b63e38753dc77931b0e4075bd0f0c583

SHA256
371300c31ca20206e9240046a643a643ec475c73edafc87ea4511097a1f15079

SHA512
1481f3a1fef8d4fba837b08e8251d3f674c88f79c8f61fc59399794f848a856ac9f2987e147356224bfe474273614a396f25633b1d1986af0a91d5dad519dce5

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

Filesize
253KB

MD5
44d73d5ebfacaf7c1b5ae02fd4bc7406

SHA1
0e7a5360facd1047ac4542d9ee14191c99eaad4c

SHA256
f23e17381f59a1a688ce49882fbf4cb10ddb81dea8732a8a217a4dc670c23f9b

SHA512
b1c337acf5fb2a0cf5105513a1529b273b8116ceebf97d821c62cc46ebec389a643dd1b8788052dfe8514d3f80068d1f32fcd43c0b067234d726c7a510ebe0c7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

Filesize
228KB

MD5
0c4304f8f31ea65098457d7473bc96ed

SHA1
e5ab7ca51e392b35094d3e02834c8ccbf57232bf

SHA256
6c9fd9b133bfb83cf1dbc3f48b476303cca6f2b1b95380ae149aa1a5bba8fc8e

SHA512
60b6a1f3d5c15951d5b8f8f995ab524a28382ade80c1d8b3633fea453a4f06f9b280f9e2d64bd017198f139bbe15c5bf2dc0019fee2b08fcf4d6f4c6ee3d5693

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
245KB

MD5
c38984585013de530f8bec82a102d0c0

SHA1
2aed188d1949eba86b409792a6dfebf2658afba1

SHA256
807bdd9b869d1646ba4a64cac0537d5086d56c2c2fbe68ac5eb2b486eb5bf2b1

SHA512
14d29cbf3cb61de778ab99251c775a077a2c614232912ba4b504b500389ab3a704d390eb5e224a130841dd2704fe67de7d3a4257e98474a19989bda815a290f7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
242KB

MD5
732b421f1030aa33c25ae0cfd8cd65c9

SHA1
83fd6dd0c485c2239ad70c6c142efe1dcc720f10

SHA256
affdf5e1bf616ffb8dde3a14d8a649fc4531fb6011da3360ab92d666b391d390

SHA512
c072ac297816d16c361bb83e6f50f4d525633f969eeb6457d9bc892c250aaf8435e4d382c1e3c8a569d471dbef49599328a373296ea19c575e8aa6d80a409333

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
251KB

MD5
dac038b9123e1dcecc53c851a574eb1e

SHA1
abece3a5b7eb24f64d61c051cbc33b1c688b7ad2

SHA256
d5b92974d78629be9928f8d6c91e7b92a5c8274f845b3f8cc30fd2ff88d6a332

SHA512
455d02051496a096519334ff120021c38b102efe8635f1266fcc17e9c657755e25108f21952570aba2281715228ac98207202550d5a0d1b4aa1740a1268e860c

Download Submit
C:\ProgramData\zcUooogs\deowEogY.exe

Filesize
198KB

MD5
98006cafa1d132e7d831ef13623a5873

SHA1
72fdbdf8dedfa3a30689f5c053e955a89694da27

SHA256
109ccc2ddc005adbfb9dd9e8434d28ae23ac2751765389d583e0ff9aaa223672

SHA512
cb8bf36ae8e578b916c02b4715e35fcf829851b5378b21138113121acac82f79883a7b776dbfb0fa733d03fd739b17e1feb1dc127494677c45e078c2987dae0b

Download Submit
C:\ProgramData\zcUooogs\deowEogY.inf

Filesize
4B

MD5
fd63c6ada511b87150ec69d2c2cd0d66

SHA1
40e0ac3ed1695759dba8fe9266c28f023681178e

SHA256
e3e20f41bb8a099c3443cbf39ddd29ee3f5045226750fd4c5eabc804f86e269e

SHA512
bec27b7b1bd8b3c77b09f1dd7c13398c244fd5b8e3f1153fdd3ad3b6a55a080ab89c60fad969e4d628e9fb1a1657c22ab414cefe873307460cf862d2d8fa63cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

Filesize
200KB

MD5
4411803b4c89853d26724e6d5e159af3

SHA1
4cbfd22f10d3e42f9b8420ecf5f20e5862e6021a

SHA256
f2f1ea3dbf0f632e70dda95ae334a16e52c5f6778495da4732bdd0735005ac4d

SHA512
80e2e7052489b80473819e21e5d65d932717c3b1a8e4b9f7c57873d327cc0c48dc6c362aceddbcc2699d6804a62972487aac729e6097d3da975b38941c61c40e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

Filesize
181KB

MD5
9f8ee69d88504d85981584d1cbbf037e

SHA1
aa98160d46201c86c5b6c739e2db2e921f9ede4a

SHA256
cc13320ec4a7345453479c0e92465bb52b8ee303ca4add152d72fcba0b6b65c1

SHA512
533d698af9efcc88ac47dc3dea306cf959492e05c1f97bfb00527c6908cedc4e646e905931165b963e95aea37dfef0c8773cd24df9503f54a1d1e91b069c7c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock

Filesize
4KB

MD5
675f52bda7312b37c6267162b789492a

SHA1
322c12e3d6e8319b9896758717c5abc10313f019

SHA256
a9e78858914184e33eec6d323bf8b298c702d6d514a56dc5debde4956410f18f

SHA512
ef8b31ea501667818d8fcbb0eafa413dd3c07ba167dd5144c89646a03dd98d19bfd9983bd9c676aa059e5a11140a911c5efd4270aff57c737805ded675c20669

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEoAMYUg.bat

Filesize
4B

MD5
701de1029233677610ec0f08493f4838

SHA1
dc57bcccad450c83cfdefc1a3ef40f65868e5e13

SHA256
89cefab908eef8402dba85dca176fdbe6c61b6883033dba92a6e6469e3b91f1c

SHA512
ed7615d6e27b52488d36aed79199483c454b02e36c81cc98aeaec241b8482c5fbfb848754a1d8dd7b4d94618792ed377d45fdca467ada85c4deffc50000e6180

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYcs.exe

Filesize
247KB

MD5
f9f88373882ded909a806b991a370a3d

SHA1
6a5c745a8348cfb745e1f16d86716b0fba454a1a

SHA256
5e12eb19316a2059d1780ccb26f557fc33b93f17292526a1432a898598cde13b

SHA512
cbad3bd2a2aae1da440fe72b388ed236803072fd621feafb82d21d4cec68a124d548b6a0c4d7cb326bd3f6dc0e536eede34e16d6e9038cf9275d25f32912add6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkUU.exe

Filesize
198KB

MD5
62531fcfc6a3e8c5a92a85e95b9cf5f3

SHA1
b889d6010595617139c20b81891a316eb878b64d

SHA256
dbc171626f24d0cdf109fffde4c36649910e11c903713033dfb904dbd116801d

SHA512
bdb7d22f16e60347d889ac6db086011b4f18b7e5eeeee4bc5a51e987cf7487d179d8b6cc50d510e6b48039f613e632114d64040c55eec931015cd73574aaf1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwYC.exe

Filesize
235KB

MD5
aae9158e31e0602dfd992c1b3c0b4efa

SHA1
5f2634f53598782d049dc56789451d057fd62392

SHA256
3b30bf0b3e3551ab38cf012b01519060f9a074c82f840e3f07c19a44d4d89f49

SHA512
0dc2bf993cbb084f0fb8291f08f8d2c15ea77107782bf77eae082bdf8111319fa30da3f2a1a135210b02e49759665a1a5b54de47c6332f29e7ca7beb860f60d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUscIMgo.bat

Filesize
4B

MD5
e3e9ab971b62b82989c13062d919302d

SHA1
ebce64186b5d86596c002db0c452bdf642ad98f5

SHA256
4410a8ca6e5197d825357ea9a2755cb37d70012314559708b0ea54fbd6cf13ac

SHA512
135e4711fd5d2b59a7d3cd2d2fd2c479ec70ff8001f841d77766c26545f102627a27f16b6a83a2412a6e638687f5eb92f5d45436f503865ed44f8d4ea0025540

Download Submit
C:\Users\Admin\AppData\Local\Temp\BeAgMosE.bat

Filesize
4B

MD5
761a7559a6ac01542fe7fccf7e02d80b

SHA1
d65b7b1d8758dc14605d968b5f26220867e2e8ad

SHA256
03670593c5a42192d8aa1126accb02ac12378257b2b8f9b1e2b0677b63d8b8b7

SHA512
67231c25af9d261339ce5b57dc7ba655f96e778268a1faf28a3e547de0cbdbbbd4c2f06d6fff6e86281e4584cb3339e6efcf3cd9e68e959edbd4f858e4e765ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\BeckUAwE.bat

Filesize
4B

MD5
91ff46dd60dd9a52eee2c74f9c9b7ec0

SHA1
08872341b9cdb333029cdac6b50f74d0337834aa

SHA256
b64711435cb4616ee68346f0e5e5c74b586691d2f7c47f24db1057a66e0a6ba9

SHA512
66fd0609bd44a0570f32325496bd29adf2a052e7b9c7049ae2416a659d9aceb174424ebb198c49f1d3a7fcd7f26a4dc2859c15fa6c43d27b73a0ccfc1fbb126a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoUgcsYA.bat

Filesize
4B

MD5
a257104160f0759d7083f9c55f876044

SHA1
ecc4aa68f04669295bb52da758828042fd5f7946

SHA256
3f44cd294f825b4ab89c63df9240d68639832c6abb94d70759773bd230fa404a

SHA512
7794250c8cd4050b98b85653bd5514dea685561fb604837c9221fd8b28337e020f56fa017bcc4039e4bc255d8e31ca234b3d8f8c3023e370a4b2b598eebe6245

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoYIQYAY.bat

Filesize
4B

MD5
8be0194689cbcd17c188872e4360602c

SHA1
d47e0324c3284aa3c4f082bf4d5390e8e699924f

SHA256
c5ca1861dca141f4873dd7bc5c1202150c102b8b32bf6d9f81e49fea2849247a

SHA512
11164853f693c9d2e65c92d4364d22919e5f1be851d70516757bb4c5f9dc980cdf2b3252dafdf67851e60a5921f6391818f43c0e4db683208989420e3c4f9ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIYI.exe

Filesize
247KB

MD5
3f8a8108290432202fd48afbeadf3e68

SHA1
66a0c24db0ec90580ca74ad0110a3a1e4d0dd85a

SHA256
5c256b9a89e83d4153f0306784cf716b542952b2322190752c40d2cf2a96d1cd

SHA512
f09a294fc3316b596a9b24f2ed099211955e5402d384a282b58d4e23f43773cbfeb7cb55514256645df744e213541674d6225e694a516aed9676d60ae1eaafc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMYy.exe

Filesize
233KB

MD5
1b45bf4612fa2cc2f4f12c08997276ce

SHA1
8dbf4f13473416911f5538358157ce8f8b518848

SHA256
b8223126120fd9ad3be4aa14dc6321a325a8c8ddb41f78f62b15315b8550ae3a

SHA512
e1f748471da300cd1e0e9ab626672b5c200901ae6a02d847370409bc386d09d553bc468ec1de260440fc138fb63c2a9ec2d1396faff38e635af462a1b93bc6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQoM.exe

Filesize
231KB

MD5
07cea44fa88b4e856cb1cf52dffc3cc1

SHA1
00989f22f37a210b0491b004f3c6e47041950981

SHA256
a1b2920abfe10bce91c5280c05170592da28b8b6fef817137dd884ff3cb7a9a9

SHA512
a0bcf285a9af6d3c67f6d6537068c40e037b153fe6d47dded9a3e3b8212b47a396af2ee065cb9db4fe60a38c4a206f0f40dc56c798bfaf659f0e7bb24760c4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUEe.exe

Filesize
244KB

MD5
866b0464045562a68b18e555984467c6

SHA1
d283ff2cb38eac1ec2459261096ac86db9b58937

SHA256
dc1a71b7c3a8b298f1b0669e6954747a82a67a55c87e31f1bb0434265c40803a

SHA512
18eb81b7c29fae7e4b15f557ba6c6be4f78c3872bca2ae39e536af9363ccdd2b91735464dd3a11758180e2e16426cc75e725ac19fb2cf024201817e2b26371b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYIE.exe

Filesize
205KB

MD5
4ebb4a91a3f6775354a318f1ce1b3cb1

SHA1
a5b610dfed51a48bc540fda5d0511e881fc66100

SHA256
de5c1c74a1345a9e60f602d492fe9f9bdc0352252adc18d10d8402c1f5a14207

SHA512
41bbf853645cee3399d1dfc665e0be7d62f2c7cbaf975cc18567cea2611ea3d49341618d93b5786c4e6e8313cc6ee28b7369b4b326df2fc420a3a530b3cd67e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYco.exe

Filesize
321KB

MD5
6bb6ad987d4acb4607a5414f6c759b8a

SHA1
181eff6e7b134b7b22ec6b9a399a576fd3ba9e63

SHA256
a9c8577852987fabb388c25a317843500f6ae0ba5644560f3ff715f33dc43ac0

SHA512
3ec74b4b5cd8d7b919aa297355a3c9b895f2c7a7bc0cb0f142c0c65c3a9f51fce321b7c5fa412492592f90676049d3f31aa8aaa3e4e47e8d878683102be6e171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ckca.exe

Filesize
4.8MB

MD5
a1b17fdcc1db392854ec9f731de4cb02

SHA1
70fb33babf295276b0b18b2ad7a6cc41f326dfb8

SHA256
6bf3bd1abf19fd1dfeb4d706af09d82d0a9f3e396b6c60858e72acf5f3e0542e

SHA512
64f22ece69edd45f6259f426ffe3346c2bb233025ea7b933d2ecb5b0340e9ac6341f9b1ed470804bd4ab8833742b99f9a23eb9989b51323ad7f1043f5cc6c3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsgIkIQg.bat

Filesize
4B

MD5
1bcf4cfb635020bd9c0359bfb3441d91

SHA1
d3de8c3e18a39d5bbf4561d73d35d672575041ab

SHA256
9c783c533cba4d7cb75cd0235bee50246e5940ece2cff588a2201e83a1321adb

SHA512
12450b2468ce154e89324a929c30a2669d21d4861f9aab9699a78f4690fb94f817fc37a185fae00f83b144f1b7e3f236fc0b831570caee32bf82d148bdb87d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsgY.exe

Filesize
247KB

MD5
87b4b58a9d2cb5421c67718e775d9af6

SHA1
925eae8d3d0043ee18797ed6d8dd509ba875aab7

SHA256
f65f730c51772739131131d283597e1accf251e8ec7b18e1268e43dfe83b6b21

SHA512
d97db176c6a2bbcad02951b4b91580061289106efbbfca2070d7e32e8e5301d81f46cdee08f75ac91a03d5b6385ac2de765ad919504eb4d1ea6698546f3101cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CyIEAUUY.bat

Filesize
4B

MD5
bda45ab5cc59a79c108c60dda30292dd

SHA1
c34f0f8e5940163ccb3e48cc8ed09b958ec0fc54

SHA256
5094074b6499cd3abdb2493c69b0c0fbdc9035132ee2cd8491f0c5e8ce675b5c

SHA512
b6dfc538ac1573d79c9c31f2991b4a1ab5accab7424ae4c63695b5d7a02d776a3eb26ea0416aaf6b7d1c2d75e2a661f16a4c27b1bc88e86ef8b1693df91e1980

Download Submit
C:\Users\Admin\AppData\Local\Temp\DWQEYcQI.bat

Filesize
4B

MD5
698017c050da14a76185533e20a43197

SHA1
8b2b4daa7231cfcbbb23306a9d2f10b791b7e0c1

SHA256
f62281aa48a99a3eb9171b5615d1773faa16b8ff171438495d7d75ce5a293e02

SHA512
7e5f592e809d52e27e94db192e0eaa5dd868a902d87d6c7ea2cc9c01e47d790b9e3ef38a26b186d2f2d7505f212ac0e882a3d858cc43fba16ba6666cefb740b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DaoYQQwE.bat

Filesize
4B

MD5
80566adc9e04917bcdc5ba627229e4d2

SHA1
c485fdf896034b46033f2cfc4d711d7a21480f54

SHA256
d1064f10c473e194ecc3f376969faa3f2bf0f4328dd6a6a041d77d15fe262b3c

SHA512
84902a0d666effb47aa027e2c805d846b3d4e6f3a4dd7982be55b8c3bbe9087cdb109cd0b7317b3db945cebc45bbc8cdcafccea23058ccf9f4b50616143768f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAUO.exe

Filesize
183KB

MD5
0924b11ca45589110052aac076c696f0

SHA1
fbd631b0baaa8d11a6592820f33a5216ee90c7e4

SHA256
8daed84bef78d3e778a0cea0a865daae4751c3d8d6fd2edf6c7fd8f001979a34

SHA512
16774e599a42af281cab02578ea02fcec02843e0f5022ac00c402e6a32a3dc16b19aa6de5c84ca41c9067af1daffc752bc6a89451be07ebba2490d45bdbb7b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIkK.exe

Filesize
4.1MB

MD5
821a49ea61e9b3950f98a7a3d4a73e1d

SHA1
26a88609ab27779f874be32ab3cd40a1f7dd73a4

SHA256
3301291ac80943dcab4d6f662af743ba53e7d6be00ec44a6bf508bfc7a3130f9

SHA512
1013db1cec268ebe20dbbb4e07afad3d69d496349d436f7f28dccb308b4fd93b2f30408aee99e78e0befff4fc448e99bc6d369e79d2435755f52340473f0c45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQES.exe

Filesize
237KB

MD5
49c1eee77ada6a746cb3368a8e3a3f49

SHA1
96aa9319c438fea7c8019b2b59c6eddd249301b3

SHA256
0cb109ee17739128b3835e7290f81d0f5d15539b6853d10f1ec11a47d2e5dd49

SHA512
79c239b431da5f6d82670d24a506e70ba16dfeef1f0e6ec60bdbd7fe515fa6d30333d23c9f3b2a3eefd9eaa349fdd460c23f44d8d4bcef50b5269d622b814f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\EeUgMckc.bat

Filesize
4B

MD5
6d7e24f3f91ade62d4dbe238aac4b672

SHA1
1de119356b2bac6092de4d15d5030930e7c01523

SHA256
df30d1e56a7fc461f48ddb7da8fec00836e3e2431d96e5408adc366fe6cc9ca8

SHA512
791a5d25962fa765eb10ee83a884e4b1657464f93c9f3282478b30e22d0eec6ca8245149787f8b25602630c6cff7d940bd5d408ca2b10840b038a25763d7536d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoQi.exe

Filesize
1007KB

MD5
66ec944cb22ccd6e9967e0c281d2cf99

SHA1
15157cefc10fb1630e75cdd7e3c08b3886c96719

SHA256
318c0c762f727dff5272c1708e466a9275293846bbacf48c0e278ba4f3c85c0c

SHA512
51374909e12e3574de56f8ba333187221953b20b50defc1dcb22584baa7a6cab56ced38a85a394779cb8cb8e878f4fe776cf6d792c33880a4e3bf318b7b2fa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoUc.exe

Filesize
361KB

MD5
a3eeff4dfacce56808e2ff39fca7f097

SHA1
3e0428440ea648772c54d41ee923e4b5fb9b4b48

SHA256
91d1a19db6fd65301ab084d6df689a36ec3a9cd82557d1151894f54e4ba30b35

SHA512
58419a194375955bff9c2ed3df1b1b1725fb2550900c7775b103f7774a6db07821f9d51ca402f7a70de1232153ee83a2455f97848819841527a15e74e0f05a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\EowcIEwQ.bat

Filesize
4B

MD5
ff8e9844360ee9d39d8ac199ad24f31e

SHA1
f9b0211db96a939db1d44cefed5dd1bb6f8abc0b

SHA256
9d0cab1e4c11366f3e482fd252b153df0f2ad67100d073aa51553ea085bfa55a

SHA512
975bd761b11105948fb1b630f821feda6b1360d8fb37b1e83d415c8f44cd3d3264272c15c53e82a8704c8ad46e7ab2b5f395780290b9ce020f8055262a94a977

Download Submit
C:\Users\Admin\AppData\Local\Temp\Esgs.exe

Filesize
249KB

MD5
169ab6e844158689dfe0eb0c09654fc6

SHA1
a7c2896843b5373a39ee9dffc264176e745ed418

SHA256
8698125111c4850c8aa5a9cce7e32e98659115e6535392f732f2c7664cb9e85c

SHA512
4975c3e9f18274685530af34b190300877cacc416ea037b3a65324f4ff5c392792b86d778d50ec3e91c7c93c7f81b0473a26d3da1a8d230991109eff7e1cd467

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewgo.exe

Filesize
642KB

MD5
599aa1b5a861731b7189cbbdaebc49f3

SHA1
5dd7d3c0d84fe872c1215ade9284c1b40ee8c168

SHA256
906cbc65445e4598aba48b010342a31150ed38330ba82d5e148abd5d22500588

SHA512
7363edf7894d3e126fa841fcfdf44d83a9ad4825c4d97c9664adc9d5cb9d64dc2c1216912c68f4d027d8b6056fef474894bcf25121075f7c8b7cb275b9a5b5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOoIQkEY.bat

Filesize
4B

MD5
0e2cb406d8d33727f94e99c2a064e6e6

SHA1
d7c666bfe4ef407330130074e07b5f24f3c6ed3d

SHA256
cc2c289cdd31d5b5e7acb7976bdd07f01b33de1eaff6af3110baa73b02aa3a64

SHA512
75df82aabc9e44a636f22197faa54b1476ee5bfd99650c2f3211b80c3cbb3d5631f6c3ceba0dca94f59d059d869e91a0ff05a85cf8591df56c33be731f9c72bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FeIAkgEc.bat

Filesize
4B

MD5
e295649764f3b81ef17e41c4570b3280

SHA1
553a7fcd77860d98b2499933fcae8660f089f184

SHA256
93da66cd94b486366cc606dac8c85a8dc9747d742d30c3a627ce1802b65b2ec1

SHA512
61dc1d3a7a111bb39519d9b70f961cce03d4664cdfbc1e5ad91edbc9e50406cde072099ccb21edcba7e4ef07b5626d0c93b0b31ace4420c403aa379e054002ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\FsAgkkIw.bat

Filesize
4B

MD5
21343c326a6d71698c7a4b5008a1baa5

SHA1
45e6c8b2c40ea44d7cc68d605bff84800cb17260

SHA256
48976022efbade53af5bc452ab75c994efe198a68230e00908cea12c6097b92e

SHA512
4c648d2e3705f2c4983538051ca6ba1bbf6b5189c7bf1e9615ac5fc58d61a365caa3402fc42d8b52e85fdf536c0710a1adb0eacccd733a6195b34a59c15eac36

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEkAkUUI.bat

Filesize
4B

MD5
faac2c2dfaab294d879e70582054e453

SHA1
19127275f0e71ae55d97d6d5fc9cddf8925b1e9f

SHA256
88e2fbff12aee0b83512401f0b46c3d64fbc7e74e09222d29e09de7573c38c41

SHA512
effbc4aab2d14b77addd25bc1e253a5359cedba3ff6f831c8c88be1f3bcc5fc662e74e9b6388608cef6199d4294ce06805466bfe10a19e17516b1adeec3a193e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIsK.exe

Filesize
242KB

MD5
2fde1c555059814fddb7ebfd4970b8ee

SHA1
4c2303fa5a2f09676a00a6677bf76c7416f9e775

SHA256
9b942c912e20af7ba82e6322b5f81d017ec7b157d09aac62c411541c410cd899

SHA512
0d34ff5016a0a218f377aaae4301c5f20a5ec2b1d58c63fa4e80b5538916ba199d3a7a89f214cb1303cab824125dde16f1989c61fc05fde5b179f6456ef15c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIss.exe

Filesize
222KB

MD5
a2fb2403739f6f7017e1f8532b4da54a

SHA1
94f9e93046406f0bb7f7412b27d0b1f7a2fed13d

SHA256
d3a9a3059362123a8335d81dac8c8226d48d688c45384f069abba35be3aca3d1

SHA512
15aaa812977971287cfe51faf4aeb3e3ddc88fdd89015a73f1c34dea5d7fcb6369d0f404582488cd78638524747cc459999f258d55dc5e9938dfe83119f5b62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYAc.exe

Filesize
205KB

MD5
a954426debcb224caf9ffc0ae283acaf

SHA1
4e6d6f81a9a9a7b257cc2fc17cb4296ec3f454e2

SHA256
f6ac6baf1b0db849da7786f3da6314bf1016c3453cbb8090cc17a341cd5b7e04

SHA512
90316ec16b4ede45f4749e55acb8c3ba5772fed292da8b57bec0d27e8c532bfc5d41bdfe84351e5b2e71cdcdf43abf2974c8d66c1685c9aaa9fee3e7b1f0a3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYYM.exe

Filesize
252KB

MD5
ab94d8993560c1c7c3bc3fd405d82352

SHA1
91488152a0a284629de0735ef43978c93eb45f34

SHA256
a7204bae44de27298ff5f67c0b58b8c3e3950edcd100b8e44d9c9687ea0c5c4c

SHA512
25406eeff58606ce3671b3828b6013c94d17d1a1a96abfea376246f27a23037fb40ad39923b5130e67554b006c3be5a3d6f6d66270d5583e0c31d087b9ed0058

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcQu.exe

Filesize
206KB

MD5
630182ace73a08233665db5892ca01b2

SHA1
059f1ec87846fccffd0ca58551d47aa69f98ca80

SHA256
d81422c3ec82a7e56767d832ab57afff23a1e2c1944cbe3b5cb84e91cb352235

SHA512
5a78464bdf41d1d153fc97da9bc5dcfdf1cc37483ec62f29162e9fbe8ebf1dc1b222af5453bcc7cd7c346adf817b7ce27645c33b7ce81abc7d8b4d4892de7090

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkEs.exe

Filesize
231KB

MD5
064f5e54370f1ad02f03f60be2b296ce

SHA1
f5d43ea319e563d4207def5279a90f7e581389bb

SHA256
af06070353c9f5b1ad03dad1005cf860d471c971752da6c85625ed07770b8c39

SHA512
4fb1e8d47d8da047e5195983114c2321471e1f953140c0c897c60ed6480fa27c77f6f1c57154a2285a96430287f411dca98b121f1f2df1b5a91555693b19f1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwEC.exe

Filesize
224KB

MD5
7c7a9d068cd2a22670e30411186f57b1

SHA1
4054257aaca272df872fb9968b707ad4d09c56a7

SHA256
d8586980051f0318ff13abbf3647d93e5f36cca02dcf548882210a8047589fa7

SHA512
c9f9ce1bd2cbcb48dc7f73456e6a2ac24f879b85d1cb3e331e095b488c91e2e78312caf6ea28bc67ea482d3bd514202d07e92df82aca1daabafdbc733da8d999

Download Submit
C:\Users\Admin\AppData\Local\Temp\HuUIckUY.bat

Filesize
4B

MD5
f405d044c564487ce1412e1615945f33

SHA1
ed3e814319a9476d469dd9e2fc629d0d5182be24

SHA256
4c687e9c7c2a5077592b986723fa4ab5cb95cea1a6dbc388a59aaed1e241f75b

SHA512
b60673bdb4bd80a674db9864210d36d05413efa16a3034f076e2f24e76ae29c0ccf4e651d252b8d5b4c4796e6ec03af59ad68739b4920339d56b5edf4e99b887

Download Submit
C:\Users\Admin\AppData\Local\Temp\IOAUcUQM.bat

Filesize
4B

MD5
96388ac10ae4db0456f5d97f79e6c15d

SHA1
72828288e57aa6a0828ad1d10692fbc3c11c27ec

SHA256
e32516e0c83e0e8c0ecfd464674784e2cfd511f00f7d599629e87cf9bfa7ac9b

SHA512
b7f38de649d018434f4195d87dfacf90228970752d181350cbf11f19fc27e58ab268f9b14a2e8aa3ce210f08ab645316c3e3b6f9c44a7c28c5bc727e7db56bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUky.exe

Filesize
241KB

MD5
d52c1fe77918e65da8234a1a1247fd5c

SHA1
a6ac02bff593792bcd4b7214c1b43f7b2de793bb

SHA256
e29673a028819a3b24a3c11dab4186ec97e7da308ce63cbcf5395302ca626b87

SHA512
d928bc00d0c93fd006f41611099faec55ef99eb6c88a840a775394ac0e0200e923eccbeb3248f0c7f85d45c030bd6c13a9b10d7d8e21bd4052712b436fdf2db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGsAgckE.bat

Filesize
4B

MD5
f487a5536527a8fc4944d47599d8ad2d

SHA1
cb2e8c9ce3dd317573ad7f1a690315cfc1b305dc

SHA256
43fbc2947fdb3dd068a2dd86bb064faa670e38eb7a2d90938ea35ba7d6fe8b45

SHA512
0f9bccb70767ad1712cacef8891306423faa450f7c73161b8045bcad35c8b4c26ff54b8dedcf7f2d556c7fb695fcfe0f1ab94d882608c0e9de02e6164d685c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAsQ.exe

Filesize
247KB

MD5
979405fa93f44935f8692cebc40e30c2

SHA1
4f7459dbf9bf5dbd5b02b63a6d04603d2786ebb1

SHA256
5f32123df0897f0eb7f6e7bf6e68681272cd788bbb2c1339553b04cd2cb5265f

SHA512
d27f47afd5e669eedd40bcc0605a9172fbc649232d62f0076b445d9663441b28b90b82f86a95e9be6fb6fb59b4774c97b0bad88da18d2dcf91be212210deea5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYQy.exe

Filesize
798KB

MD5
1cf70fcaed0830b0c695e6c0d42528c6

SHA1
9794678c7977ba7c421cd8fa06c21b54631e0672

SHA256
fe78a1cb86432a68bd9073682abebddc1c0dffa0d211ddb426510359ae7ef72d

SHA512
7526c1d5514e5ee17f65f347b35eb596982401199c2d64040bf24202328950569d5673ad816543b04617eb587dd2e55e12b72075490bd49a1a9c17c9acb97807

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYcq.exe

Filesize
225KB

MD5
c9ccf8a5eee653f7a334340740df331e

SHA1
8d1b74af8e5ecd9f6996b60ff4f69bc4fe42951a

SHA256
1386689ff93a36c70eddf0bc03afe28b0b4b4b55c2836895ae0fe3543195334c

SHA512
b1cae213dbeb2bda0f4a7e17ab224040f1dbe25ddae38b074dda1e445e6149fb839b45973909ad3f967f5b7f6725762b7396c525c925f265c9e76da693cc50c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkkA.exe

Filesize
234KB

MD5
5eba3c20f9470eb5794de9143afbc4ff

SHA1
dac5ead0040462edd3c9d309519cbe7d553beae5

SHA256
b6803fd44d7505fa4ff96fd90467dba65aeb550c281b6adbd6b4e59016707b9a

SHA512
12d0f53230509ba8d3d7f20e5ed8a53abf74977bc1c155a3f97f11a53314bf16d6fcc166c9b3190737426c730e2750d8a51be1eb4552583648751332d9847193

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwEy.exe

Filesize
329KB

MD5
788115064b5c1497d9546f3f32a39742

SHA1
4da2f3e64f0a4ff482924f88eb9bf90aaaa01556

SHA256
63a38667bb418b86790eb7d5b0a78c4c2d9d1824fe213a102341c1115c5d0c71

SHA512
f4af9d8880801b19c848353b9c5ba00a02df5ac1340239eae7818dbd6bd90f0f28f6b8d993f4580d24bafb2440fea5e2c642ab10e09a5f0a7318a209cfbcaa84

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwYwgEss.bat

Filesize
4B

MD5
cd2d34e38e93b874677042502909f4e9

SHA1
1fbc1ab003525a6057862ac9b8bb6c42f40d4f8d

SHA256
377b2b7be5fc18fb1257a3f13b57487eae2aeb0043e41b9418d0ecbff1c5bc4d

SHA512
fca99f1b5754962d43aae2c7229ed6d253a7906c08f4913e35ee00a17fb43aa11c033c8d9391d87d1e72c2791fdb11b58a6a08f22a9ec930166fb9317a1522da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwco.exe

Filesize
249KB

MD5
ac77d4c2b76fba723d533a044eb775fb

SHA1
b5eca9cf83554dc8a8e58d1b4a82a0631954e5b7

SHA256
67a6d7b09ec199375b074a024259eba88ff41747f0389062a336a7ae6677fc53

SHA512
1f3ce8f42fb0e19ad7c98911850a571882330e068a8fa873091d5c4367305f51c1589544976d53a701578499cbe77ed6a930e88be1e8ec386e1bfc055e304bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWQwEoYM.bat

Filesize
4B

MD5
b6fade09f59481fe8ed846aa7f1f3950

SHA1
1cc9cb5d178dfe669608464a4fe9336aaf05977b

SHA256
80423a0ac00c422646aefcc343e2104418677a5c22fafe3a1a59c97778f0050f

SHA512
7397f299b35b8576085789e7a2bb1d38935876564d3598ca98d7f3f50addbafb769351a4d2db258b42c5246fe336b6086ca91faf3015bfc1ac776118109c8687

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAMY.exe

Filesize
212KB

MD5
69ce5d15677f67620096783f5b81a6b0

SHA1
1265c91e3dfcde545bbc92071bc84bb3cfe239f1

SHA256
aefc706dc02accb35b706db800761f76a746eee386ca4c4ad2ca7989d73d3ca8

SHA512
799b3df358a8fa48f28e0895fa07bffcdb6c466981ee8ffb1043ad46cf34d3aa580f4110ddd260375ea5ad0686d79adf0e5ae9c415139317e6f93042e5014413

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEQw.exe

Filesize
228KB

MD5
ffef42e5a4ddf583ff2920b0ae37281e

SHA1
770971566a03f7a92e39cc82afce4f8b1b935307

SHA256
4a31e643840d7c94372d90378a87807e166104bd382eab4b62ec099ea6bfb6f8

SHA512
4159e860d88101336252d3ada52859ee3b11521c9b72364858dbc03032cfac6a94dfd4385854308e902fb61ec9f80ef34dd57d2c5a69cb97c2879f580ba37c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEUm.exe

Filesize
231KB

MD5
f75391a85df5ad156d005b94de52d1f8

SHA1
3ada4b45a75157748d8a8fd181b2de7f91572ce8

SHA256
baa318d665b933d8376e261210c0f22dd91ce889fa03be5bbc6005305c917b24

SHA512
2e68bc894dc19b116e786a87747b1efb3e29d5de58846f74a03d1b77c0fefd37b70ec2eb3e8ebee049dde3e343cfad424a1feea4bda9b0249ce6300530d6c4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYEw.exe

Filesize
195KB

MD5
1a48c6ce7716e1fef2516810f55e1ffb

SHA1
0bd4725ac705cb2fb651afee3122d30eca2ef9ad

SHA256
f9c359e7d9c8736813c6e53a39074759576e66af7f49c22da295bb2475c678bf

SHA512
019307b1938a8761b03ff2ee48c9715c3af5f4835356b36152ca41b0c0cd9af19e911e575aec4425149c09f72bbb9fb8ea551f10b0d398aa03dc6ebdd3fb0844

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYgK.exe

Filesize
240KB

MD5
d9dc02198098765244912b92e2f7509d

SHA1
3c6c69da61d3feb9d125796080cae656e73a9577

SHA256
79430118d0b960147455488d1fdba4770616c7e92185d4597754a43ba6e2f695

SHA512
58572cf700f2a8f937719fa85dbdeec332b3ed5f4777d2a48c41fe949a502731ad471103e231c801a8dc7a717c1838dbcbc5a2f05883ae59fa12828b100d1c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYkC.exe

Filesize
232KB

MD5
2f84e1b77295949fe2703a8933580122

SHA1
1b2c8fdbf8826f13eb9df950441d2194144d3efc

SHA256
6538662da6dd8e0b53a2b90d1b502bdd2342ed72bde8816d9a2c61110e897435

SHA512
2c6f786fe7ca9cf258985296831cf02aeef8c29eef557a99910ba0dfc5024b0503a9d91363a81901e4290c4cc5c49e24e11054896f2641a92c633909c2df91aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaQEEYUU.bat

Filesize
4B

MD5
157c1ecc2ec900b686d4f729c65b9c2a

SHA1
7820ea70c551226e0964441e3823f011fd5fbd0b

SHA256
82aaac07ba72919bed9c57f06faa322d0e806bc886af62d8299aa7311d58193c

SHA512
a8e6d2b0e199b14f88e243e130f093c6e8050470656cb026b1703a1f381ed6327dd9eae61fd5ff472313ee13225ca5ab8adbf06aa614a2a82a23947cf1655972

Download Submit
C:\Users\Admin\AppData\Local\Temp\MeAogYYY.bat

Filesize
4B

MD5
a4aff232eb0e2342afd272a603acdc75

SHA1
20e294e9ddafbe84cf8056ea450938640caee0ea

SHA256
29325563757b354811bd1305c4bfb1138abeaa6a5bf9eccacd23ab3eabab5a8f

SHA512
2df0ba355674f515a4143532fc1f2f7f827ca9121d7bf274d6f6d1584e73dc5de03116150a03679db583c54aeb7bec83f243a9a3f27404793eef11ba3b7c2362

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgMEoUAI.bat

Filesize
4B

MD5
f72fc041ed4c53b0bd0784227d6bf948

SHA1
d6e98af216a245769b9fd6e22ba4e9bf0f3c958c

SHA256
4e1d593ebb9051cecaa6dc48751b5ecbb0dda766968a3ecdf00b70f69e428e72

SHA512
11bea5038817649e3fdc8d23d969111673c7c6c17d9020a512f85223e5efad41c252b246fb779b3a41617511d384f19ac127b1228bcd7a7b3d2a97e6f174f167

Download Submit
C:\Users\Admin\AppData\Local\Temp\MiYccooA.bat

Filesize
4B

MD5
b0a9b142852c4a345d4a79e99dfec337

SHA1
8545e8da3d59e4c35bc1aec2d38bec378d1be898

SHA256
05f1f8aa254b596f98c93c9969d082ee31ae78a8c42e7b3426a221e49ae57448

SHA512
c02c20b2c5c62b21e6d9d1d958dee8699271af79bdb3f0a603cd4a886e9a9fad3f7f97056c7362eeb0ba02a17c1d8c117530fc408be315eb3ddc8b57cb42583c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIUIIYcI.bat

Filesize
4B

MD5
2110117642d8d8085e7d3b5b9565e0b5

SHA1
2d6de2876269c1879160e4aeb01b02a34ca2286d

SHA256
29e57248fadfa073997d8113ced4a480e9c4e5e039d01116b155274969ad0b1b

SHA512
0d25c033b967de65d379759ace6ce05fc1a1a2ade8831b43ae11f8344441f38dcf95b991de6ec68dcc348bc7c5e6b3d611168c3be1cc93244e6fbdaef78af80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiEEIQoM.bat

Filesize
4B

MD5
e39ead470a37600e82bce921aee38425

SHA1
03c3c4a0aa1a3adbda082b3d9ca00d5786d2667e

SHA256
93792aa70747fe3f08d2e5d12d13cbe5b9568aa8223ce430b377d5c1faf3ab08

SHA512
a04263734f3e7f84619b8a7a2ca20771965d91800f07d215733f8f77d4b3147dc84490a40e28adad0ea22ba0dc8f0d33c0f6fecd8abe9b11062c56f58132c0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NoEIgkkU.bat

Filesize
4B

MD5
f06b94e4a036884691c2641c7440c392

SHA1
4c4abe8b37ebc2110cc009b00b121a4d0a9443e3

SHA256
a343b7fde515c77caf1a64c56759bf94c91f1a826c26c13ab74ed93e50d48ae9

SHA512
a393f10272508ce7023fa689e27cef078bef07d176d7fd36915442455debf5b33c7d394365cf971b1c0d87c02bc307971921f49db164830e427b2307a842a6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIYC.exe

Filesize
204KB

MD5
1c4f60f2cf2b48da3009dc7c4006883a

SHA1
bfb630c49bfde37eb8466cd0499d7f5d741cb321

SHA256
f04eee191719b72d4bf5fed425eb79a88abee2f862ef4a8a78f5f57981e43cdc

SHA512
c4b78b92c7a36aff1b37ff070808d4d504c527f586dee42397b80c8d17f5c6d43fc52f0c1753ca0d2e8b8c0460dbc06f266c45380ce961e32616a477b577bb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMIK.exe

Filesize
233KB

MD5
a23e8c02a2a308ead22cb3cadbda17cb

SHA1
7d50b2dbfba2a67bda0a2eb9f16bb2c098969049

SHA256
666c948a046511add794e7622222bffd4ff1255b52b9a57a80baa15e5c74d37e

SHA512
90a869cc968a960c17db855a8d8955ea87efff95b1424b79ffb9293a28a7af9d1a7df7672c2455e315c928037114bd4bd264f61c315bb6dca79c7b006b25585f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUkU.exe

Filesize
240KB

MD5
c55c173a8109ccad1b1bd8137ca6bf10

SHA1
98f075793200c89ea4af42e296e9161db0761af4

SHA256
f0b3c4c131f9ae7348522013aa9d52065bacc6996c811c19217fadf4cf0e8773

SHA512
a53a1babdaa4632fa84090db9fef1a4083d7e2273629c9bdb7124eee45a604f96aa55e288a134efc9c36faac3f9331b9373e931e8b6537980fb283bfed58dc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgYq.exe

Filesize
189KB

MD5
896a3ab598558fb40644ad57a1904e6f

SHA1
4020f833e8891d3f4b8784b98a3ab91ae30d203e

SHA256
3c3fda42186f005ceadfa9e1cae353b0b3b6dc240e7708f794e0ffb3d8969c2d

SHA512
86b5317bd154087f70a6674f09e9e6afcc47850abe67114d02b9d19fa6df96f4865d3798aef11c1128b4f07afd97093bd165b225edf3368e66dfd0a46dab5987

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgcK.exe

Filesize
250KB

MD5
b0e2707e89b0c3575dcb62ebacd31e8d

SHA1
80f3cf82e1961e461fb5f812a46abf3d729a94e1

SHA256
91fd546ce7692f8b2b3139111eb30448b0a44784c4daf8611a41f3c53c43a998

SHA512
176344ab4d812a3ba43bd96112727d5ac11224fdfa129512deb3bf653f2c702dc4fe0013a1be5f85fd10fad16c75586e367e1f142265f0a2c4cbd7dbe0373f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkAc.exe

Filesize
231KB

MD5
21e4d0999b605cc3f3e5280fd3476e49

SHA1
1df21b9814049f6a913ed2c8f98314d2b08549a3

SHA256
e3b7b64367ce72de2f73b210ce03a775977b9b312b5b30d04d27a0b0fcb2d7b5

SHA512
340f3bcfce6d667890a9df9e9eebb2b341d2ed4357cc46b018f67eaf36c9408acf03dd2961b64c3890743152e9e778fcd841ce91bb81679d4ce260f680d4b5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkUUAAQY.bat

Filesize
4B

MD5
48ee2328a8456bfde7b2106d35426edb

SHA1
cb5689d9754031e081b709f314d7492a1829c9b6

SHA256
efdb3ac21a38c6dd3d2bc137d710a882c7294f92508b737c8ec47204c9115300

SHA512
4fc89fdd8f46cdf01a1f83472caf269c5b89beedfa2cd5b81827b5af6f97180c221ea9eb6fd87f13bfe5fd11a383d575b63192946975bc51d3a743179e490209

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwEC.exe

Filesize
240KB

MD5
6b37e36d9830da1222636a714810c3bf

SHA1
9f799a5f7dd7dcf36e5ece0b7ffa4e6bd4c82d56

SHA256
8722f9241f6905474bd3f28393dbcab418079b2dbf01cef04ba921b912f3aa1b

SHA512
c8908a44bcf77fcad9a5c19cd537abfa7873d81518eb3fa493b366fc7644709436f51ea13413bf4c7f1c6051d5f7fbcedcd6a354c312e1525bb1f2be9d149b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\POgQUsAM.bat

Filesize
4B

MD5
2b98bb561577a0ab1343a27b60cecba9

SHA1
c7d550693916948dc8dde271720452e306e3b502

SHA256
49ffaf677b7f3440244aaa5bd2e1e2f4a7cd6187644e76edc6cccba97f9f1adf

SHA512
7f81dd28e158bbab81d76660d94c2b7ec22c7ee27ce24f6055b70d73b25638fe6658ae51e58cc0f2d6ffdf61e5e413f9ae82b90ebc55c4216583fc3725530fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkgEAAAA.bat

Filesize
4B

MD5
3781e13cfa87476dddf4585fe1f4f6b7

SHA1
95173d38b63ace89d96722becfd6d9044abfa4fa

SHA256
3380fcdc42a164a4f1caaa7a0277cb829ae96b1e0b49ed4069003c7df3073564

SHA512
68a61497e3a16a5de22041418855ade65ccc9e97d53a7894274a7cbe63da43338fbd4e49177f101bed30bfcc2417c45aeada6db1208f8055ae8e3cc8049d83db

Download Submit
C:\Users\Admin\AppData\Local\Temp\PyUgYYoo.bat

Filesize
4B

MD5
987caad156b4ab7ef88eaea346636440

SHA1
76f51790aa5281d0c579440927875fe1da9ec4b2

SHA256
815fa83cefbe4ce6958e8a358eec302f5734c894612faa54ef1bcc831b1b30af

SHA512
3b11be602a018619cab5a750fe6b623b68ba12dfaac722d6123f5d6879c14c3d0601b70b33db747eb240cf59c0a40b4db3b386fb921b45ef1c94c132ff2b2acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGgUcwsI.bat

Filesize
4B

MD5
b1485218e76b45a70c840fd03180fe11

SHA1
a626d09680e60acc85d2e1b753ddfe7d54387b78

SHA256
41885bcf515a870e0edcbef450e9919ac7d1a0db66fa8c9947cbc3a7700e04b5

SHA512
b111ad7f7635b7e4072d4380bcd48fff4ecc32c7ae4c435e7c8455d27e04bcad6f0c7e00bf38d58c2769bfa3ce7100cc2df0d4c070e15142da158a804d81fc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuIcYQQs.bat

Filesize
4B

MD5
7ffb24b166f236689dae1574d3e89dc0

SHA1
c9305b7e69048c5220e672aac08b0331658a4a62

SHA256
f876e223e6641444cdad78e0d47e6be262e46ff077462dd623e37b34c1ec6ded

SHA512
636ff0c20830262241397d33ab2cebb7eafdb060a14c186901b55ef7e7267e9ed770756412eaa509990187dc1cc3e7033bdfcdba65af90a162db247da7b43806

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwQW.exe

Filesize
243KB

MD5
936d612099b80cd4420f98dc4e1de98b

SHA1
ad521220b5b7a98d0f3f5b60aa1d066c855337a4

SHA256
acaf0161ad284d6660ecb13eab1dc12eb1a129b5e8f35c0f01f96ec898913b78

SHA512
1773e9f054728027ac738482b7b7b006760e0dd894679fd44ce7cd34add762f8927711623aee765165bca66991635968b869e58ece6945a7aa4fcb8d9a5cdc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMQssUYQ.bat

Filesize
4B

MD5
bbc1ed6e57492155cec393459596f5e4

SHA1
3385b8140f4689d12beb26ab22136ecb2db65269

SHA256
6fefeecd7eb00145998a924225000697d0550e41a3c3517f59ad766248d1f94a

SHA512
1d6d8cbf8eb2fa20f6336deced21f29ad4bb042d32c2d7da567a6a7de5aae124ac0a3ee51a52a453abb2d2c9c92ce249c2ed820c2fa7508ab813f94c0dabae67

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReUYMAUg.bat

Filesize
4B

MD5
a899423b6c266a855991f208945c8861

SHA1
6548bbdfef4ee9a954c9068702f43278c891707c

SHA256
2d20d4d2424a2d985a77af17fb1c57ab191ea963aa938fe2cf4d2588df0be5be

SHA512
05d89903f70ee5777ce7eec335aa6750acdacb947ff5fe453fc8312be09d180fc12e9893c94090ff61daf3140f31edcc51f0df97bb3aa8a77dd9cf83c4603053

Download Submit
C:\Users\Admin\AppData\Local\Temp\RmgkMUgE.bat

Filesize
4B

MD5
eebb5677a93f05e3d1485a4b627422b4

SHA1
0e2c790605a644ad6ae254629ff6b14aa701c86a

SHA256
add49320b745b5b5e1bfaa59d5f5b2335df83e038ec5098acab446fb3ce0eecb

SHA512
ab7605e38889672d3f8435b6df3f4245233c9e1e3a8fd19008e0098d9e532f3679181cb46cc05cdc9a464a895643184901d563a78560bada5d4a1d442b175f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\RqswsYwQ.bat

Filesize
4B

MD5
c0b040ce0c28d027819e5c8e77ce258d

SHA1
4e2074f6db4db2e4c38c6854906ccecad8db297e

SHA256
cf41a38ab6f8773595a08cad8924a43506bcf54a578b5b46575ca7b67d9d509b

SHA512
e1527fb591a0df9fc21e1d65a5120abe62d4c750e52ea1c68fe22b840d53a4209cfd4e139b56e9187f734d5ebb049b1abf2013f908998683268bf3764f1c93c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyQgkwgY.bat

Filesize
4B

MD5
0be03a40bac477dd45fd73330f5403d4

SHA1
dfb90acf67e74be8102f9275a96e1ecf7c80b8bd

SHA256
854074b426f076bbed965022b8549cebea79f825d7d2a659ddd3d6d17b5ca6e3

SHA512
7e543ac432374f05f17f1160e11d14611e7f582b0ebcb88efc4f00a45b6ed70168f9369491cc18529ae7cb7cdf8d026980acb7bd3e124bd69459975f8f2548db

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAYU.exe

Filesize
815KB

MD5
e22809fe9c6c5b17142136840050968f

SHA1
616b9af3de19b2a4a3eaecdbd3d892c719843590

SHA256
f811c32462dd404ef27263d4f13fe25757b03bc69d755f40a433cf5a2ebdf48d

SHA512
af398aee03542fa54740eae7847fe334eb57f7e2bacdd25c12204a4552d0077a0fbcfda8141482e974d1ba4b4b73056bb3b87b8a5ca4b757796cb92d073bb935

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIwy.exe

Filesize
209KB

MD5
7744e7883583181125596a2a13d2ec97

SHA1
eb2b4d864cbf1149a910f36a57f44da63991ea00

SHA256
3ade22f095bd6858098d745bd2d28d930d7393c5fb893d694799710a6344da4e

SHA512
2033da010a5fac6898df041ab0d77da8a1588a5b39658caa3c2aeedb01d60e9712a5916f280a1624273faf718cfc2836b1f7e26bd0002a319ce6cc0107bc3e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMkO.exe

Filesize
210KB

MD5
4389e5e8eb20ff0ea96d93482afe000e

SHA1
85e4c0ebec1933e9ef75bff0ae6c8cd275ceb82d

SHA256
5c866a746ede9b9e0bbaa70d7b88ec7b6ef43c155ba2f37e8a6f85065ef772c0

SHA512
404f62ca8e0f905dae51ef31502d0f8475e0d7ca50232bcb6e1a97369400c36f5a16b5bf8b52653d2a7f773f6a1d12dad20ee34c47dc870e23504adf656505fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUQEgMUU.bat

Filesize
4B

MD5
445d5f59c4704a0245b0bc9a3e537f8a

SHA1
45a09faaf9d541850ef0a5790a75e6b87b49ccf3

SHA256
c3152f7e28d109544fd8cf526dccfe95b1f26b65e988f3ca03a05cf5a840bcb1

SHA512
12b7bb6b67abb6855f57329c0133725a1700bf6de3bea7fa8e65bb2ab22a94bbffe7cc7c3248f7af08b5042d0eff316d66f32605001c21ff82373edcf98c66b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsIs.exe

Filesize
1.2MB

MD5
d4bad0075c2e8a6cb37a797ade61e012

SHA1
e876c6deedbba407c23695d5857a952fe23856b2

SHA256
ac84981752a4e6ccbdca6c9bdb35739239c7693092ca7ddce4a95a76e16eb6fa

SHA512
bd41c379b6d05ed6f9ce5dadfb02d5cba11abd6a911486110841829f3dbd110f1b764e633868faaeacdf736ceb981f2140b3a72ecadb1b1f001b643e93e39060

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsskYkcI.bat

Filesize
4B

MD5
84a1a8506127374e29ffd9bf7e8a4384

SHA1
32c91f0ac4d0b826ec50355951b4c2a551d652a5

SHA256
8505cb7b83fc3420d1d041ede381d0fb331a691ecd71a46e506d068f19d95280

SHA512
1b21cc8856b905dd718ffa98c0b8f3bbf5d755af17c46ace9237a8e35d741d9e77d6aba0edd38930580b9b75a2dde1cb1a266f3d5e8d1ad1978f93a3143daaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SuUIIwUQ.bat

Filesize
4B

MD5
eedc0691a4018b3583c6081153f2ddae

SHA1
4f871d1353bcbb1d4804980e2b1f94332c549238

SHA256
c951b101c5e0fc19fda3bc0ae24a5123aa5d06ae25a7105d7a3837b3bb5b8868

SHA512
0a9ef42cc9856ccdb93ffc17f522725109353a12b64561ec43fda28ed73fb7dfe06bb9930e4d8b2e7f3bff782149e1f24a8f13d564d8ad8edac11ac92a937038

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwcAgoQY.bat

Filesize
4B

MD5
ef0dae4a3a13f40abe79f905502f8922

SHA1
290272a32400ea9f88305fc5ff6c87b84d68821c

SHA256
2eff997d72cb815dda63257dcac04c3fa75c4c6023f90b2219a12effe5c7a903

SHA512
c382eec65dd89541f4f455473316324fa8fbf65c6733b686ce05dfc3f9c18411240081353f585d562ab1cb76b5cb0fa680b2a2d4ca1b6af0700478d9cddc5c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeoEgAQE.bat

Filesize
4B

MD5
954c6267a8396ddec3961c79b53d2228

SHA1
813dc9bce46c60e5cca89289835517c3f0f7c087

SHA256
b04067a0a9d1328e325ca9ba711f0fe348d39f3ee315ed7b0ce56a101df42546

SHA512
d39b7d71745439f45d4a7c10f0c234cf7d97606edc0e58279a2a3d28a419520cb5334764c926dbbc316323e096bfd5d1f0af39d7855218a66233a07803416794

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAsW.exe

Filesize
232KB

MD5
78b2401b4e0d133120fc0e5d0aee6841

SHA1
e899a052eec1e7d979ebe4e58bf2da8b708f9d73

SHA256
5fd3ded08af58e4997914ee3f60e3e353d72c21b26023cfc531499830e41b971

SHA512
cf926a417e13be0d48a1844ec126a970dd01b72fa66d725e1d9ef4415d1e79046780f96d804fc50e7cb32c2609dedaad1837cf85f13d40d1ea9416a0c0c46657

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEAY.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQQI.exe

Filesize
831KB

MD5
ad05bd7862c2ae6a89a55201b1016783

SHA1
dd691dc5b8b5271f952b7f1222b9c9262173a545

SHA256
fee59fdba8c2b244e5f8586bcaa55bdbc1db74dd9b121432d86981d9dff15ccd

SHA512
7f6e9fa091f5fa7e9131993453826e3c22be0b488bc101234f22e021e5df715ae9877f3099a4e17aea77fcd4fcbbe6e80008b1bc6d25e8c06d4525d77581359a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUAM.exe

Filesize
231KB

MD5
5a3daf5395b07cb13eaf2b364527a90b

SHA1
82db08d0364735ce7f7964f02b25be333f1c0fe6

SHA256
34db0b73c28ec3f21164fd77921a1ba7cf1e60476c9711d958a3151064193f15

SHA512
09a12cc2407c57fd3b4f6f41be4e70cc9f6aeb710bca3e7e6fc3cabff699595d8c5dc46f6eb65e7ce201b24dc8c403debfd9d7664627a77ef07778059276e15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYcwkAsY.bat

Filesize
4B

MD5
872f1ee37f741dab2c31ffac3a34c1e8

SHA1
489e201a1992c7dc2d24b7a6e1cc85d3998a63b2

SHA256
aa2fa6211c65f496895840b495d45e067ab38410888184aa5aa1ff35835c0fe9

SHA512
d7adf7ec92e1c69a917770354a9d0eb7dc0468a95357159443b7365c08e714a518cf69b8474f6ca4f90b1ab6bdd81df77ce91c6368c5dc8e86c7999cd58cc7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucwk.exe

Filesize
937KB

MD5
6ea7a13b1c3b189a3207a7bbb0fa9bc7

SHA1
4d7a7e8138de3f385453eb2a0494baa0c091740b

SHA256
a8a2dfdecded5ad325ec4338bb190039b8ea14ae63a674ac92a7963a4253df02

SHA512
c01ef825492857a7b7060cee5008bc0902c996a88c813f6ea70542330b6d988b38d6c8dabc8834cf6ac089610d4a0c39d7ad28231f414187e9df2b85e462eee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UiAYwUkQ.bat

Filesize
4B

MD5
eba2fd6deaab5846cd8552a8ef00a3ff

SHA1
b0070661ee049932ce61d862ea3cb0e87d514350

SHA256
23990f160d4367117ed295a29eb0e85aae7b25e3ce71c9cad13d4100ffe0183c

SHA512
46f6a1dfb3027c3d493699a6fa429d2fbf517051b5e12cf07b17f9d3b0caf84a47ada5f808cf615431e3004db927cab317c0011ca6e784ef993b4c288fa4753e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usoc.exe

Filesize
238KB

MD5
34448dd0b4e5ed2ee2715ece368f247b

SHA1
b9f9343d012c4a26f783cec44548ffb72c2cde2c

SHA256
d2dd0335be5199e5592a767700a7fed25e10abf7e3adefc91779da5b20460736

SHA512
2c41d684b80926bab591366b65518220fb0d8b58422ffbef29d6f21a72c48dfb0bd63da0a3e62053a73ce59086180b6b7654176c010579a8635505a068b09dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAsoswUo.bat

Filesize
4B

MD5
506e6b9bfd4e44d8599b2acec1c63fb9

SHA1
123d571236cd0df93e64b0e7e0b43d83bcd21647

SHA256
72d3a8e230fcd49e661ea97fb3ac13e0351380709b11073b924a1f70526da28b

SHA512
335149bb67c1576e5832a70701b7cd940aca375fe23422751ed94e3120dacd5ce424b1f2f49fb46d71cecd06cafce214818dcba54d595189ac1b7fdd16b4f777

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMMa.exe

Filesize
620KB

MD5
64334692aeb569ad5eeedbf228960346

SHA1
3dfa848f9a71f5b7df4e6b48d450c899a9458940

SHA256
b5478e8e40d82cca2fb82c26098e64e76b5b52880fd75903e047b5a9ca235ecf

SHA512
f49bf2bf17598b6e49d3be548450476892e6a32f47f63b0cd23f0477f946622b362fe37292ea9a3227ac8644cefda27cda0880a6f3b79152b4f730a00283d1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQks.exe

Filesize
239KB

MD5
8611fc3878f545fcbfc6f9aab27dac05

SHA1
03d32b65f9d003920f76d51e5f9cf2d8ce33246f

SHA256
a8850d00fbcea500119be33ff4a065bbbe4a3e0810f6e0ececdae6f0f52bb221

SHA512
8f92f0bf6460d3bfe8a810f3fb6416d4b4c83aae531d0e76635bbdd982ec76ab8226a8ed6033449574530195ad5dc043318be2d4e6241e09e702b337685d4b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcUAwUEE.bat

Filesize
4B

MD5
909684803a5a8c2735b5890101eb0855

SHA1
9c7a0992fcfb9afde7ca138265d1c5ea35c1637f

SHA256
858021240675beff3cc8e5379bfd5006134802bce06b6e340d2b790ad886510f

SHA512
dbbb99846871c07ba93ca6ac17d5fc1d4a292a9b4c67d699b22931cb85804da09e42432709a53ca4727143a4c24ff2b6839d9e66f4ff53cc2dbc33b4c3b04c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcwI.exe

Filesize
182KB

MD5
43c62e7ccb0ac1ae1f472f9c5f6f70b6

SHA1
78a381cb944dc5b15acb33d10ce0e7dbacaa7b17

SHA256
1a624949a0adb217d57fa009e0320879d0f3b1faa260357a7ad8e47c12124da1

SHA512
e4af15bc16ccaddaa4d6640b8dc633738d7005d2e74618e83ad404673b4a0d4cba2b5ef82e698109428484b6a7148d2164dce36f834dd8f9c36798c0c2550404

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wggg.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwEMQccs.bat

Filesize
4B

MD5
25df2cd635f88216953dfa95fe337a00

SHA1
fe9e76680e36011e693e4eb7b9c515cbb380d2b4

SHA256
14f1ff383ee39ced745df3e9fb9de992b7910761ab905b01a902d4e5147f14e3

SHA512
18ed68154c07e9ae124ddfbf633eb63b148b2e6e767a98454696025e1f4a96367686fd6c045bb3cebd0857b0c448d899a945b226c21c9f57ef192f2e9dfe3b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\WysUQYwI.bat

Filesize
4B

MD5
8fe6d9b2081e65dff11c02916352e18f

SHA1
40d1fd2c358a4e0eea7b54ac2a1b79553a5ea8f2

SHA256
00e7b3966478ee4b8ee781916feeea6b6e100c02e4ce61c9c7580e8624623107

SHA512
e999e12e65299a47af1e388517fab486718011ccf85b5e5f59ee6227801f8f6bbe2663d300feb3af1d3d63b3eef51e70940db2ac7356a03abd8d30913779fb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgYcoQEc.bat

Filesize
4B

MD5
2331f752661d32713825a5dfa7094dfa

SHA1
55052ce6994da3e4e256a54c1276805dc761727a

SHA256
e87d3685f3363c91f98d18f1cccce0376afc657c6bfac86795843dfdff7c9514

SHA512
c8fcc4879984269eb803a085035cc292898f8972a84657aa1549db3cc8221e3293370eb66a930e346f062a2f80435012393f53b6251dafc1399a01c6bc483de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIcAYkkA.bat

Filesize
4B

MD5
3db72f2f9c85d6a254aa6de0e7954dcb

SHA1
c9b90097f813ffa8373a96ef8844a92888fe356e

SHA256
6592e63549292fdcf024732aee367a82937a40fe6500515556b526b7c89ebaf3

SHA512
a913f2be4aef33cfcd120c18c00395e9ce0b42e9aaf7d017c2305fae7f98106c4e89ae15fc28860234e99fd590d35708c8e2c253ea0e32020ebae5ec90f4c65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMgE.exe

Filesize
251KB

MD5
afedc42cd8acbd89e5e6f564bba2b598

SHA1
3350d5e7220bfa0c36965f30bcd357941ba62655

SHA256
b59e72dedf195b59aee0ff415e0614ecd00b75dc2901228e979f9dd75ed70059

SHA512
405595b9f59b199791740d42d08a91ecc6220d25c7df7a9d7aa1ff36003353aea2ff3f0c813244122caa149666ce87995429631001fa762d68568c3d54267fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYAo.exe

Filesize
394KB

MD5
f9d475483f392d6de414c964a07f0547

SHA1
b592b28d1d140ab797382d0215a33d6fb22eb64b

SHA256
408ad5b918fd3a74f692ff6e27d1a5b8bf6f514fd0406b431673fec1535059d1

SHA512
e723e0af56f41a25e568cbead7066eeda9a3b450f38a820814c9ac7da07d301ea49851cbc617389bf73650f7928e8f1b1b6e011bca49c85d141725695b121e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYwc.exe

Filesize
229KB

MD5
c70a4f6d11fed89f4c060b58539da4cb

SHA1
c08f9072cf42ca30a89c4cf10272414a531240ea

SHA256
a9423edb78cbe28ecc6dfbb4f1126f2cbe46d3e28efe39115eda1a8c2ef8ba6e

SHA512
86c29f45b2f4c981e6e6cbc7db475a9ab4baf601cf4dab51bcb9e0d84c38a138fe30bccd9d4b659ebaa7735f3370026673c6764c9fd3af678286a44e23f90ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ygos.exe

Filesize
243KB

MD5
1cf52ff0cfe9ddd700a55074718df85a

SHA1
1ed1b31ab085579e39b74e8e223ca270901c1ba0

SHA256
9dd3914324d3e62c394253fceba5637a23d93a8a09ec23959464562d639e8a3a

SHA512
05b089931fc6e4e8eaab0f658dc162e8dcffc739f6367d3feea381ba144b1a14b4522c83c4298b62c48cb27cbd38c6abb914d951e394aef99acf3e1df26e0d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkYI.exe

Filesize
237KB

MD5
ee199c3d3a165d63068578b92696fe8a

SHA1
5b87b7f5f5af87bfdd3611a955a338f1ffb6ca62

SHA256
462cabb81329a89ae4d9f68efb09fcac7781ff406872f15d2123c3acb53a3c2d

SHA512
e5508726c73c6910458c0e85173a3242c4ac2cd83fed007ab2ad4d654da5d875171fd81242da0bd760058bfe820ea2a8216e2b8cd63301d925a51a67d95bb8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YmAgocMA.bat

Filesize
4B

MD5
f3dd94aa84e1d769eba8144544a3a3c9

SHA1
3e9d2152b6299f3aca1a095c26d95643706ca79b

SHA256
77b437ea7aa4114a1d67a3605aef7a3a3e3002e9cd26274ce72a32d87d4d470a

SHA512
b536bc94aa857bde16112b11f4320f6df4a6d129652010a28263efa40d1c82f1905b8e6d64f398d3d9b9eb6baedfbc565a25c725470145bdfeb7393256736834

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsAi.exe

Filesize
635KB

MD5
1f35cde19c0ebf39f5923b8367763993

SHA1
d235fa8f5f5251f07b118bec3a4d69210ff59923

SHA256
4a6f773cac38ea50d978d43b5957014732c241b9d7f772267a28e99da3000d64

SHA512
ad0749f1abcdc4f379328a2e77ab544bee112fc3a8496613a5ed20ad22c63d862415faaabc7be1f83ac46b6350278a3b451c655b7d31803fecb329c3f9364ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcIwIYsg.bat

Filesize
4B

MD5
f4fc66aad904efab1ead4a5d919e905d

SHA1
83b74522b863f4e35aedd4887117a05845cc0beb

SHA256
a7fec58e20904466c56da8f2678e4404686efafc49e0779d44506f6e60035536

SHA512
247ef5550df72ff15037b8bdf5c4bc30c49a834cfe050dd27d5af776fb518b2a426129253d75459abe6c222003c90669f03c4aeb2ffa8f34b41ab6dddb01328e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZqoQMUcA.bat

Filesize
4B

MD5
0d5c2be19484f7e44e25cfe5746ff2ac

SHA1
340848ed1f8e5636825c19ea10d8d0bb103a293a

SHA256
a79de9de82d521f3c65984350e218a42cf387ab63e745778df39211068892564

SHA512
48a2a1ce8d1c6079860021c6e5aea8a1c97e58a3476bb008b2fd3d1bb72dd78c0ed30d06fb44d36f61a5ccfb886d67528ff969ac190888c342eb78d809a36f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIsu.exe

Filesize
1.0MB

MD5
39bf57870c12f46d79dfb339749f193b

SHA1
2169293acebad4c8a71320d5e9ff1b01de443d9f

SHA256
bf444cdd11295e431707e83200295fac57345cc8713d5b611861e788c7dda7fe

SHA512
3cc8d1e4311a15ed0b1e0dc05092462cdc3baaedaccabfe8c4791afa3a6bb3316f96437805641f6e363dbcff322c3033b681a23748186e665a5460c5a09fad04

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMwm.exe

Filesize
1.1MB

MD5
1d080c31311201ddfd16b84f2c620d21

SHA1
455162fb95bd96db228cda6dbe907d10e9b1fb3e

SHA256
ffa8b1ea4c4529b15fc764a7b11e08996224229f2e202517c41b6699c78b59b8

SHA512
dec4dca3600c4b2f0227db5168622db4f72e069c4fd06413ea972ef3ad0b58a0a3769ba16f246c210c5f1d8dc5edad7cca39cfe1dee9f35235e88611bb18222b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoIq.exe

Filesize
194KB

MD5
efc8f9ee3841dec317057f9f3b308f51

SHA1
80abd640b47260cbc6a1204d0aa467784c9fa447

SHA256
da7fe0f0da351ecda63c70bfbc95329ee6060085c58b2dc5252e278ead9f9095

SHA512
7a7561443aab0bd8b54c119cee730d6d6e31a293724a3bed13c0e6ff31712c7eec167feeae28fa3eb9a142b14171e0916af9296df62f41286c85ae7bb6b89b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAAMwwII.bat

Filesize
4B

MD5
3df8f395d63305ea49ea5e407a273cb1

SHA1
f4918c7f2a2b6e69f577b62101ad7399debe6d60

SHA256
9650dc459cd11e6a59fdf6e662d45b2d84dd4c257507fa3c1cacfa4ce5b6bf95

SHA512
24f292d175232a9ae87de653c00ad82bbe3090ba6bcb576e2c624acfccfa47be039e5d9983475908818c92ace46de4074796d9b0188e214623a17775d1b5fec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAoMwAUU.bat

Filesize
4B

MD5
b60c3b3de8af9a2b4bed9b1dfbb280ea

SHA1
40296266a9950495fcec283b3afe54feea930dab

SHA256
c35dc3fc87015693327ea127da1b2113a75bde70108237a3eefd82dc3ec14113

SHA512
0b6ec95cc428cecc2bf409820d4c86b6bd0e3d30385e76c204c1754d1a1ba3ee092cd29c4a5a0af91a881637d12d2aca6aa251de3a2f277cb2262ae23b3ad66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bOYwEQcY.bat

Filesize
4B

MD5
b75caf278e4f7ebf7a16469dc7b145ca

SHA1
3bc4ddf3459cccbbe4e30f42292d1e81f64653c2

SHA256
38eb9c4e3d05b41b6da273b348e57026a5c3a189a76c8bfbc911c64a8192df82

SHA512
c7ffc87b9248ff28f9623fbccddf02bb94672a6c77ff411f85fd261cb419fc6588b6584ead6a9b1bbffd3327b912a1d23643bf84b9a0bb84886f91c277f93346

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwksswAI.bat

Filesize
4B

MD5
380b038c500049a7ddd45139b8971221

SHA1
38c0eaf6d9b2328a998be2e041302d82bfcbd894

SHA256
6a37becf5dcae28fa6e61d4e9d0871d4c01e0c8b0437dd635a178a083dbbfbd3

SHA512
3326f61fea3a1d3d794709b743021993a4a21dbc95b98a613b684ff9a4daf6abb6b9df5697244834faa46c2cc22f1315e0c8f56cb8ecd4950936ffd707af3130

Download Submit
C:\Users\Admin\AppData\Local\Temp\bykMcYsM.bat

Filesize
4B

MD5
b308897e627467d994796496b552a8be

SHA1
be4773d76eefb9afcae1d8795b808ffedbf7a6f4

SHA256
6be32cdba03839393d6af3065b0ad1a738ff1187f168b9d8e49601fc99758be5

SHA512
c4fd76e6d4a699fb32e1111888096e9c8c250a5d965dc040aede80d672cd1aff231a396a43ebbe74a529c16d7431339cd0806db1d32ad4fbf833ef00c7e669a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAAo.exe

Filesize
225KB

MD5
a9558fc0cb844004cd6895bb02c1a8a8

SHA1
85d8a14bcc9f56025f64437e713c403ee2a5d917

SHA256
af6675ffd5639df4499e1c4bbb4e9612c8dc30938112e01114ff8b8e03c3a006

SHA512
a0520f34089b3cbc801aed9118b796d89201a1366d614939b35fa86a1c686e7ddb0e756379f7cb2583bab7026af04952094d6e4138f6a48f034cf8da27ac8c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAoO.exe

Filesize
237KB

MD5
ada5b34848ee9a6940aab0887d0752ed

SHA1
5c972057680bf0f02e244545a98cac141bf29d47

SHA256
82fee6cdbe16b0d87550e5efe53058e1f14516705cecdbb7dc00b4da379d9177

SHA512
a62c178408938f019ff668d1f479ba04901a66be53c3c601fd162862311ae9206160a14c5df1947d0f9fabebd698adf2bd7d4c9e19c61037021ed6b4cae3f252

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIQw.exe

Filesize
193KB

MD5
d4bbe9f2ccd4be9e25bd858adc3698f6

SHA1
c5db97610a1e4a72cdf03aed18410a6c160033b3

SHA256
96fc0788c89e83be00efc07f9e7e56d0aec34fadf85451cd2781ced010bfcc3c

SHA512
9231387452f22288d781f36ff59af6cd2f6d6d63bde457d42c5b459008bec2a3fa2bf81363afb1737b96019054a28168f3a96f2f34d3ddf358f7b22bc4afaa79

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMUu.exe

Filesize
649KB

MD5
41e658beb1e5b1e7e2c3638731e06303

SHA1
a153a822250436d0f3ee76d3f5440dec1a452260

SHA256
494f4e9251b3ea038c84647177158d057132325bec3694a22c6efa9fab559a8e

SHA512
cfda915cd9168c29682a3b43a14a2df46797e559917ef58f00e56913ddfa4f04375489055dbc775883b3f8cc019626ae1d631c3d5ec09a012df4a63697047d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYoE.exe

Filesize
237KB

MD5
9356b2fccc026ecc6b9ea2b925a59d50

SHA1
f8e4ceefac63688deacc37599440c26b8830acf0

SHA256
fcb97f61953ee5cd3ff3cd692648942cc542d6767552a719d4f7bc30cb3601de

SHA512
f74d4c3f568681e7e45990c7f2f6d540703ebe25df6233f91a41f53a26d667410548933ef749fd2fcd4d5a7d62c221d756373194206a404c439a694eeb4acfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgQa.exe

Filesize
250KB

MD5
74274754baa251918563b12c9a7cbe82

SHA1
5aeab71952b2aa3f22671cf0417ba5b9ac32ed11

SHA256
e940055f967443e47dce685e79869a6c2cf76363726dc541a2b557179c269d68

SHA512
e81a1a36371f766472743389862dd9d8409bf09a2fa7f9795c2c354d36514e96b9be3e0862bbba6e780a7584214ecbf3d19a599703575f8bff2956f326045007

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgoQQkow.bat

Filesize
4B

MD5
a8eff01a81dbe91afd252b039e7ce4b7

SHA1
7be5c098ed7b9f8b171ef72f3b8c79bdce0975ba

SHA256
d40ff0275118e91757e1922565cf8619f2322572d4525b3bde441a8fbb3da0ff

SHA512
64fb3b0a3012faea8142d2656164d5152af941a082e26a00a5597005c7ebcaf3b2ab669626cfbbe0a51699e639c5b54190f05e0e8ce604ea267f13ff8ed4e164

Download Submit
C:\Users\Admin\AppData\Local\Temp\csou.exe

Filesize
241KB

MD5
4d7f172ec00315357bee0a1e73c5ea7b

SHA1
e7e2d26aab1922d9fe16dbae1654da6d5c31418a

SHA256
cecf8fa073ffa25f6ef5742705ab5670a48901dea8ab416a5b236c57f2ab4e5d

SHA512
75a05eae0aaf8ba9da017a5b9edb957a2905ec699dbc022eb76600955b0f081d1e8f4aaae7d5816026498163d90df883ee45e0d8e312fe0c64c4c3dcf4e51bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cykgMQQo.bat

Filesize
4B

MD5
f06950a9f771bbbbf3114a42222fcd04

SHA1
e84ea31286961d7bda209279c3992e5ceb5c84d5

SHA256
0305a444f2d32eb666d8458d1b30084a1edd0a63efe34e70a7e13b3b142b5b57

SHA512
e79d6be98a3743e4fba6a7ff09d72f66ff44f2f5f84d406b5549bae1991a6e95c6f36490675c9b8d1bf161a3b0b33176f0fdc477ab48d81eee528217936df1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgYMggIY.bat

Filesize
4B

MD5
91adcc5439a002a99ccf3338f230851b

SHA1
71ff62ff385b4a81b71547fd95e41fefc9a76929

SHA256
b739b0faf1347d695bd4a633f745f3810fd62b5d78d18293a36f27c7d1c352ec

SHA512
322054b663f761abf1bb487fe58298015a3180581b99ab3282febd374de4d7553312a7e8b8c1877040260bc64620368453730aa809bd435d4b1f1e930c008e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkosMoIk.bat

Filesize
4B

MD5
b4f46cae7b30678c6a48feadcab4d15c

SHA1
f7dd51efce5856796d1a436c831dfdab416afc6e

SHA256
643176ea42a944fefe5280af84da73a9a4485dc63e08e021039ee81e32cb5a0e

SHA512
69752b3984ba019d2d2965fc23aedca4c304a0ded65f1ef6446007e446b055ac66e1ee940af6a60263cd86f1b77969e145368d6ac18be1d380195c7541061de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqEUIQMw.bat

Filesize
4B

MD5
6ad8aecb79192a00b5f995884474b201

SHA1
5fd1484a0c556fafd2f22208176d0454ebd1ee71

SHA256
a8b5cb362ec67fef64fe72a25757eb3ce3ce36a8bcf01f73ba725845c45ba99c

SHA512
2e8f237ed6307c1c191bf7a290d7ec9ff985395e40278ccc4e020568636eb6d8ec37eb80e1f7da502b5713490e9099b0aab1b5fdfc49fcfe95cc3962740bcae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAMYAQcQ.bat

Filesize
4B

MD5
e98d4828c7db0ce3e2a0e10564929925

SHA1
335755a4efae7a60d76826e7f4755c14fc41a468

SHA256
176897b2ec992d19576cfb4310ae7b919e271508311f7ffb00de828700d60e3b

SHA512
cdf7cffbe99dc8af0483769cd5394ce2d3130d1cd76fe11441e026386551372ceab721f345d039f2c9d83d7c3016306f141d14ad9f5714c199e925247b8724f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAYy.exe

Filesize
237KB

MD5
a10fff46771446c9b6cce2ceb04f7191

SHA1
8f2b8b3762a1d7a4c2bceb468a7e199b62c7de19

SHA256
47f4016a19e6cd2b7078703cee7c79ebde0ffdf02bb56d33d69841c9d17cb8b8

SHA512
2a80d710260da874f615307ed0deeb2776ba1a859c6d887932fe69bc5212bb9c44488f5f17bf1cc8f66ffe49c89f910c9d450be399474e84b41be08e8c4a4f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAcAkQoE.bat

Filesize
4B

MD5
c1f57e20b70630445d061b5cd6d2abd1

SHA1
bced1addecaf13d858f92a68fc6d5220b46fd48d

SHA256
2d3ab3a97821b0f9a42e32b43a897f64be120bbe51cf3b745def75f7e4b6f634

SHA512
26795182f4402aea725d4db5347d830c9e1f2c0052969671cf4c4d5b5f97fe04542b7ade9af06239041ae3d0e066f78bdae54bfb989d571f849442317f2fc014

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKgQgoQQ.bat

Filesize
4B

MD5
e5aa5a460d29fff7910730f4d58d5e37

SHA1
e880d2140698dd461728b1707ba681ae76af51eb

SHA256
f9f21b801ad79d8deb413323276f87bacd143bb5e615c9c1e88f10027fbd58db

SHA512
125b804c975ca6a71f7a8c1afdfbcb3002966a255f411fe3e196e4dd94d351b34f774ca323ff4a48257c66eb86281a0c5c7e167819913422d0012cd0fe060f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQEK.exe

Filesize
216KB

MD5
5bbd4fecde5f8952485532e0cebbcb75

SHA1
8a205ed5a1b5004786ea99aadb1a34e25fcb6ea2

SHA256
fa7a463f17a69b715cc5dc110c26dff576cca2c0344e39ac8d3b295a3b1e54f5

SHA512
cf2f06ae4faf9236e27fe7032a2bceca2bf02fdbc9015270e450c4ab0ebddd7a01b70de41112cb5729201435311a3e2a9b6c9bbdfd961cbfb8e8f11a1ab92fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecIU.exe

Filesize
960KB

MD5
d5cd2d34d3f06e315e326a948226be7a

SHA1
20c30d635006b0673145cb5b03b11b4ed124f005

SHA256
4df945b8846360191baddcbf266afa0de069033bcaef6907eb8fa72774cd940d

SHA512
644677cc784800b12bddda93a3c80d45f3ceeec2728ef3690521a9752e1d099834da368f6169eeaf422539cc62a866840e4b024df57788077c1f2c0243e2d895

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGIwsEsw.bat

Filesize
4B

MD5
f9b9b4cb5ddd0992d461df5ed92cb042

SHA1
2183cbb279398bec026950ea16883ef1a5e8fcd3

SHA256
99642bb95fd441d340a7304fc50209fd31bf06a8f87ea32be442ae3cdecb555d

SHA512
6cfaf1295f0e0cbe96facc38ce535dc7cb034f253b99e1a6e78f1bff998116f2c9fe4455ba4cf50fa4985ad2b600247bbeb93bb94a858e18c31fdc3efc63f083

Download Submit
C:\Users\Admin\AppData\Local\Temp\fKkcQIYc.bat

Filesize
4B

MD5
86d59ec4e33ce9c48b2a0b917524c361

SHA1
a1c743b739ee080f9866902ef213e01925194003

SHA256
1a3e8860ba9967e92ed722cea44ce7b84f73f3c8e6a7b9081a2c9d411bcc9b46

SHA512
aff4f8eba2a3f8f78c86fa47315d0423dcf50fe9bedf04b46bf34d3b85fd7a8bcd338d2a982f76fdef697c89e75ca4c72f3411db0eb778f4d0842f52af6baab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\feAgEMAw.bat

Filesize
4B

MD5
bccdb714337ddc32543c07afae0b91f7

SHA1
6870eda1674d0ae1e0eef8cebc6832eca40f7584

SHA256
a7aecf0a6db2148268c89282fab10250d2a7c8b4c46396301a43e991d52c1513

SHA512
4e75a60c8d554dc06d617a4a32406bcd7cbe80cd63211bf5190dfc3e200cad04b30cfeaaa2ae358fb13822c5a5b9f5f2395ef3d1c94d80aed1a43877330f163a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAAy.exe

Filesize
204KB

MD5
1e0c8e61eeda0183a002c8c4301e8ecd

SHA1
68dceceadfdb56ffe58ed13c5a2d78db273bbe1d

SHA256
723546cc881914ab00794d189171b9a5b8adc78ab4324b71e99a381e337e722b

SHA512
af8df7428eaa1428717b0fc3ca806272846388ec111c0937835080f88e39cef4e375d4ab81c49adf4849bf6c3b1ad6bc086bca4a3d9ac20a88af83dae0eb6532

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUYo.exe

Filesize
986KB

MD5
9d69eddfd2bba4664e30abdeba7da634

SHA1
62ea1a63b3292a098306c9d9796e207b85c1ce90

SHA256
f3cc9793e64fc70f75094193dce8ffa4856aafdd2c0a76b35612a3755a193da9

SHA512
b4911b5b38c46e24bb6f75eec5be9281623405e2b8410daae65632ab706951d9b548218421b36d05ade960babfa6110ecf43885d11a8dab72f6a9168d46da1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYcs.exe

Filesize
233KB

MD5
13968ec8b9504d417b6d9eba0fb223cc

SHA1
acd5ea2219264110d4c670a7db290a522d5a272e

SHA256
f9a38a8bbc07826ed909be2e5bb07245f7564b5a8b685438bda41e75fda63902

SHA512
233900376b9ff40a3644709829ad63c047073f600f219fdff04c9d56cc64a41f8ee85019606d5a0ae11af8cc5d1770b9ce7317a5d5c586836cb881b8ba943b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\goAK.exe

Filesize
226KB

MD5
41e04d9126512a9ac623e506803b17b4

SHA1
c5197abc134e0a23640c747b115422fb727fe82c

SHA256
7c4da838c52ad81a2477a6cc48bdce5c3d11aa93387cdc25707bd0c1b1aa6508

SHA512
8f0b84047066dcd5599398770aeb44466844d8af979cb987f5e9121a3ae58e3438e5a06245a33bf45e0f9e12573303cd6e1e418a2de088e2d5444b5e27c902b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gokM.exe

Filesize
400KB

MD5
5520be7c9a5e526d2517e8c32b66346b

SHA1
cbcb8a7c2059a129a6f02432d64ca7bd3d429e7e

SHA256
5726fcd4149d36d1cb13e6d916bc8364a572347a7f5113603cc947f63964bb01

SHA512
84e6c57b07f5d236646d9e662d7efbb2ea3a2a88e1840995c82522c7efb4f5ddc8c775e218d37ac7b327593fe81c93bf1771f28ec50c1c44b97a4195b6991ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsoG.exe

Filesize
384KB

MD5
40d9d0f87d8708cc7c1a0df7640adffa

SHA1
490d6bcdf4ad67508ce1e97a4d68e8c06d73c520

SHA256
aa2eb00340982640c48e3062a21c042284c3aa8d69ca58124631e2f4ba433a13

SHA512
1b309a17e1ef2883b73c86c8d3cb6c1bc4e249f1052e6cfed170862e2d6c7427e9bb18aedbad7d752e4f0eaeeb366d38ecf8c44c5cce2f8742c189752861b866

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwIm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\hCkoAYoU.bat

Filesize
4B

MD5
a3eda83cec61d483886b32c2f8da26a0

SHA1
6f28efca6505190c4a66808f4a579aead2f03139

SHA256
ad3931e812c9dd331efac311de50730079fa7c49d8f3989f0d18dd7903e1cac6

SHA512
6e8957e4bb0d9c4f4651ba521746212d6b542cecc863f937984fbbd280c6db102c6910e57c76bfc580502fe60bd05e404a6a894682e16462442ee6a548510d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\heMscgQo.bat

Filesize
4B

MD5
03f707cf8f541a0a7a1d6bda7d42d4cb

SHA1
41bd61616748c6a27ac80a425f3c4eeae22542f8

SHA256
b1b6a12dc2e5270fbd9c0da1885a7f7c6c231a59c616e291ad1ec390f6a241d8

SHA512
659a44b9fe9753c84becbf505f517c1e61ac2107a41aff5b638476513cdf404c889ff55c32ae801a4d888d56ca0939728b34ec8be65677b91b0b0ed2943b9af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAou.exe

Filesize
198KB

MD5
b293d31c7d38558a7d7f2caa445cfe7d

SHA1
4fe802acfd14a7a0ad0df6fc2a1708407eb4d613

SHA256
23ab8c25cad40eaca8b11c44a0c17397fa3c54a8dda1ee01deeddb7bd0e48e8c

SHA512
21087d7167d23163196d020cdd5f3ef70e74c4b5750cc652ccb236c2654e8e683fef5b43b077a1700afc9c7195cdd7297f968692b2cc6b606740e294204444af

Download Submit
C:\Users\Admin\AppData\Local\Temp\iCwIMEUM.bat

Filesize
4B

MD5
d21e5e1369068aa534b0aa925f1ff81c

SHA1
baef98e0caf1df810f2ec02340282620d6fff78c

SHA256
638e44b18465a3efc82144b8fec4e8319e90728a9c7c0013af8b8fafdd92812c

SHA512
49774092ca3b43bd627cb62ff6650a0488b5f1f0f1e061116e63cbd5a27229f6373fa80bebb433eadf9ba915894150dc258241f696ae259653c54984dcfae857

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYcw.exe

Filesize
228KB

MD5
28deeab14e7468505286a2ac4296c489

SHA1
8b1973b361ffdcb89a81db24230fc092be62a0d2

SHA256
7816295f98987ba701eeeb513b2013f0821605e69304cadb3adcf26e8bdc1d74

SHA512
143d9da8761f545721da3c6a796acb3912bdb0fbff75c0173589c977f037b8f8c160ccb344b623a81a486d946bff788705bcd8a3cd665e607f74a0a122c42433

Download Submit
C:\Users\Admin\AppData\Local\Temp\igIQ.exe

Filesize
229KB

MD5
bc665d88e80a2780ddbcf043dedd17ea

SHA1
a31658082fc078f6964348fa302536977062a8a2

SHA256
25ac4de838893a74ceb91a8baae4f0037ea20903f5c036e18c67f54b72e4289f

SHA512
840ced4b0a24ed16393c3b10081fbd2100940788f0a1eea00c0b412c705df4711867c8a1b72b08b612185a2550be4c821ced6869537b0eedbc7610e448ead5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\igUY.exe

Filesize
192KB

MD5
8bc4323eeebcf7f6843582e4bc41e40e

SHA1
a60e0464b5121fa1b3340edcbd43c4964069d181

SHA256
46f0ef91ac9f3148b0ff55c3aa8075132f7dd293608d0a189250962ae8e12bbe

SHA512
655c015f7b6c35c24c1b112e4327682c537109957f9f76c888d7ff966c24eb26f2dbc4cd24657f97c25eb4b7cfc424a9d3e1fcbb02e6409637f6ea24b300e31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioUo.exe

Filesize
238KB

MD5
203f3fd1e9671e903576d45bc0f45439

SHA1
ebc65e851a80c34d99a9a9d99863ef46380b2a66

SHA256
361f9534fd107cac07da11c2fe1b5ff6490c60efc910f1ebe79142184d2943f7

SHA512
a8c071d8a4e3aa486ae8890543c7e3158f8980d0e20f40948afe72c172896e3b0b435eb4eda4ca49c0c34a6192a7dbbc52dd835c80f9c1654de5d6b172aebde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iswm.exe

Filesize
228KB

MD5
111cb0bea595c14a7636dcd3a27077d8

SHA1
76f30be33a274631d962aa4e9cf1c7fe343b4400

SHA256
3418b4f9a0f71afada72c06a007c2fbcf8761fb8a1726f2a3a7091098ebf73f9

SHA512
56ca9d6e8e9c58cc861d42dd902922d4db1eef34273a4e5b9e62be032e3ffcf9fc6c0d02423f65c5ee833137487623a0a0a37d9f84892859e86b3e927d03c954

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwAQ.exe

Filesize
243KB

MD5
56010f16a4d81d19afad3feb734bfb41

SHA1
94894f23e8d0dbd6b82e8bf6c15fdf07b7930532

SHA256
9378aaa8fe206ec34d5617a9b817442d767d6faaedff7aecceca31daeb37764a

SHA512
32b9e98695ce5f81a06fba033cde9198d31d8be94afc60583c76396292b03221fba34ccf5838835bb3510eb81d3f99c68908173e58e58c36af233a84eace19af

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwQE.exe

Filesize
404KB

MD5
097fa64bc31238be47cdf29ceb9bfbba

SHA1
c02900d2408789f15e162874a3d89fbfb7cf0532

SHA256
19d31aff033eed79940271459bf172b398735001153f1286168a2db230a0b18a

SHA512
e28b7139418be79b8dcd80845ac0d11d5e30f6e27ed6a7fe764a97c73c3581cae2f1344dd30a20c358e288ea7b7ddb08db3c402f89b37a678c415209300904a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwsS.exe

Filesize
329KB

MD5
a2b6fc13a170b4ebea50545f49f6ae9b

SHA1
ab407e98471e92015c9c4bd61ed2a938f111c0b0

SHA256
307732903103de14f2946ce0dbcfc3829c5e8ebf3b8d8be3a715a9f68256312d

SHA512
58789df7eb1c52478e88dafafa6e6532c9aa8e3f3a8c689343081089de7d07eed9f98073bf4aa014edceea0106ee21046371dc2e9e50453c575aca231b9e736b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwUsEEo.bat

Filesize
4B

MD5
87ffe07ae2f24e83074d60ff08b64bfc

SHA1
a56ac25b7d18f29f00a564c995eb29715526e70a

SHA256
43462486f2f3d1d00e0444abe06770ba748f4a1dec6cc21450c5c78729deadce

SHA512
6fbb43d3da66d81c73c79ee240f32772c4c13177e072c89d11eb3731199af8ea9abf1be3a72c92f7b20f4cd71ece57afdee2af264d3ee6bc4bed5cc2373b2562

Download Submit
C:\Users\Admin\AppData\Local\Temp\jywAIAkA.bat

Filesize
4B

MD5
95ade8197e9bb207ec8833df5fd0af7b

SHA1
a76d7ee68fe657566d984d37251dce14aaf42f09

SHA256
32daef734da8dee59e1cb321715afb06d3ae87940f721931a38302a93e8f359d

SHA512
20cfc3dbc0492371b10804d54d046383181ca9229b2a94a15994d00b1aa4de83c8319b024577b92349a5045ace126980341ce6588188df3e6ada75178759a546

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAQS.exe

Filesize
191KB

MD5
165a2feaf7793b9e27affb8f5dd4c816

SHA1
c5b6f4d790fc96ce7d5f54ac2741e87527d58891

SHA256
65794ff45ca517306c76ed3ff086bed9388aa61f462a1389585e278627b386e0

SHA512
37675f4e271ea8cd88d387593daed0a83324c854deb8c8b93f2a0174eef05b9ff415c399fa53b76738d7fa59d60b1f10960070be536263414a1bf2a454912b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEsIoYQU.bat

Filesize
4B

MD5
367921ca15f235da619c50f0a24f0af7

SHA1
41cb6de1e2594321a1b16a769ab38a1380af071a

SHA256
968e25ddb546fcac62df2d439b69ba3e0fccd39be8d6b2e13f2dd38d4de85d3e

SHA512
24ebc0df0851c4f57af054f017b2127adb188757f7abdcc98d3a9572fbab8c5351c5b3fd77b51bb5df5985ea6793506d1b1f6450f0b5c3bd3bed1f1e2310b78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQsQQAEA.bat

Filesize
4B

MD5
f37c6a703edba3b2b587663360eb392f

SHA1
ffa7fd1ae210f84aa80e42f81ed29026f94dcaeb

SHA256
7c131bf068908a84be4e44eb8394084197c1662bfbc93f6bb0231af2ad16390c

SHA512
90fd216427a792702c8bef30badf165ef5b807531797dd4bfe9db9155a509b9b6d8f07391cc964860c948f1ed7107a9a7778333d89ccd72fc5736be7d8aaaf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcIO.exe

Filesize
1.0MB

MD5
72a0a20819c0d13d099dcad1a403e19a

SHA1
0d95c0fb7f813a828518aaa2f04720fad77681e2

SHA256
6749be2fe64d77f14a49032abbf58289ea67fb78c055b841ef59816876949ec9

SHA512
c3375ecf0c0fe9206ddd6e50a4eed9c63cf4ac70ea9852a482f4a6f9dab5b24ac54cf6fb49d265e8711a3e4d6b0e496a58f134d5a9f65d3f0ea533609df3199f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksAC.exe

Filesize
207KB

MD5
00166f282c55d46da34bbfd497773c55

SHA1
72cbd98c85d79bdd074b8554b3486517edcb9d2d

SHA256
54dc51ed1c6f05bdc68760ba0daa95e7a7714c91bdc61971ac93f7110f4e77b9

SHA512
5c4ad84a2d152ecedae42dc27409e9768c98156e45e0ef9bb1c3c6790031b5fb5a96a9bfaf72cf78de16b04385c50296440e19fccca3f5f380fc082fe00cd34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\leUwQosY.bat

Filesize
4B

MD5
76360778a041fb49b467311cedd32995

SHA1
c799266aae8434d1d5184eedfb71b1906c73402b

SHA256
8eb3911285d72864ce448bf455af022239e3a2c2d841bd6374826460bf8d09df

SHA512
d5d653c5207f53ae2d247bd477f458862615cdea25ed0e5a341f82ca6e917d3f864800dc2d17f66450fe46ca7e7e1924cbec7a242e2d04568b065da50d7f6c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIAccUoQ.bat

Filesize
4B

MD5
d87a4099fb4c515544f6fa5b65042346

SHA1
058af43374ec0dd51fe5210c213dccc1c2cedecb

SHA256
08c884aca593b939547cd138888d5c783c87c26f5277c460630d15e39a8e957a

SHA512
d7e600a0a0c404ee8c5b1d882c17a302995ecca433e7eb9e85312f1eb0292c39d32068bbabb2e829f1c0af7fd3cc9144ead1bc15781edce8fb02c61936d8a4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQQwEkcA.bat

Filesize
4B

MD5
63fc91ddb10469c4ece70bbf4b9e4422

SHA1
c785d7608e516368f37171a0304aa0d60f2b8c00

SHA256
28e17be599bc671a611919086e8c6fdd80aca514897e7975ce464aaf28e449ab

SHA512
179c86a589835a720f92ab15f04538a45fcf3b35a188bd0ded80983eace94ad72103c6c223065234828f8a76ecfa337a1a00a72ca1a8f8fb8f823ea4b25fd1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQUC.exe

Filesize
761KB

MD5
327ef14b479d99d4286cfb03f61b7383

SHA1
81a46850140ca0c4d971df8600de47d8a32c9882

SHA256
cec67ec835402347c1fd42d66740d3a12228cf7a73b700136201d71d7319758c

SHA512
d93943d190db6ebc0c3865eff971775efb7a7d319d68205515bd58051f6b79c7101f9f38851b83ef37f7c7fc8300d74a93d78aa26de99d97a998b5ebc6b33ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUck.exe

Filesize
416KB

MD5
aaed70bb2e15bdb69f5272dda908b41a

SHA1
fb66524b0904661f3eebd93235289b52b5ce1175

SHA256
a077c7f2c6a5326c5522e627cf8e1e944d2984e67fee68c9a0c54f082ef12598

SHA512
861d861bac7b3a161a39ee9f4611a5d7a20f7bc255605efd0775ed18123e4f44123f9dc156aa2259a561596bc5c1964597805ea29d0efb7387eb95f864b0ae7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYMu.exe

Filesize
227KB

MD5
7d3e260a2cf26de5525b0b05308d17a3

SHA1
c0eb911bedc8b5258a8bf4ef89186c41fc645c93

SHA256
3d23022dab2f84b1a46a3785361a28cf50778727de1fc25f1b5cc5bf664a1c65

SHA512
f1d51ed02aa475d2198914c03244f71349cd22577f98976f2a969a2bd2a71cd470c1edc561fb492b2e7de10430ac63353ee04411c6b62085ec791057f4ec46f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYkq.exe

Filesize
636KB

MD5
245c8f0e6c4cb1f9e98a647feebcee9d

SHA1
d29004f103b34d2648807f3859c6528ccbcf0846

SHA256
ff00770d04fdf0ad7b2c0952d1fff055c882d9f72a975906140990ffec9ce331

SHA512
ca3bd13022cb9999e7f21c2e297ff8f9241c67ea8f65921651e1194688823a1d188c0edbb1fcf43b633ded9db733c52a50b9f75109d27010503102b043a3ccc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\msMO.exe

Filesize
744KB

MD5
290a32d0bc5e7aa77d9c4ab96c4a7844

SHA1
75e2d7826f9a0d36979a34701f002f82106346bb

SHA256
1d71d23473bc27a0eb3c37a09c1dc6e219c8682c8da68afd8bb4b574c609fa45

SHA512
2ca2eb5acf649ca3adb467f54b7321e677008638e5acff1a00f38c9a8961faf9188f618dd6d5070c17a429c0ced022a9c7cdb26ce20070bee5f34e7a458e076e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwMq.exe

Filesize
240KB

MD5
7df12a3e1c8648d87d9fddafff72aa87

SHA1
d260037bc13814362b45e2c996583ca7451128a9

SHA256
d298bd2096cd6188bcf37d5e38b47c971f9ac5c702368b5da6d03c9205862e3d

SHA512
763035085702fcffc1120f995fcc192d50611dface4f38b96dff988a4752fbd2fb4af72b1f23124edda015db2c8c1c83ad53c4b61bbad258dc4d07487cb027d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwUg.exe

Filesize
246KB

MD5
dfb22473a6cd88b82371ccb87cd310c2

SHA1
9e4653e69529aaca00aa912c6b309e630fb9d718

SHA256
27c8fdc1ea000cbec35bd2fb2ec7aa73d293deffe4e99bdf28ac17fbf628144d

SHA512
6b99443a3412a7f6bf33764b412bfca025bef3d4cf560aaed5dc1cac25e3ead0584413166e3c2c02bc767abe87f0da03eb24020d27effd86861ff2ca4219eaaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwUy.exe

Filesize
237KB

MD5
91f35cd2fa68c0b745285d386969c25a

SHA1
5601690a1b420bc8f17a5e83276d536f1e9bce59

SHA256
56947285a5505435cee2ab03675f5729d7f93b4a2018f5893bce3693806d6b66

SHA512
c27f37e35225808f295561e691a67961851687d8af1e71d42bcf8baed572ab9f21d62203bfa09214fab2871d984a42dee961d61d9b34fae697486e8993ac44e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\myMQEUYk.bat

Filesize
4B

MD5
0e6f0b2ddb2b59330d39cee73074de9e

SHA1
da93f20cb5a476a5bb8ae2acee8bbc9f63ed521d

SHA256
3403232fb342e8b77c818ffed0796ff22ca4ddb317c76afaf0dbd31bae8c86f2

SHA512
e04cb82101e8ed84093c9b37d0afc1b56557ed02f5c334224ef3273c7009cd33a7dc445bf94b7441973fea4c06693adc80d27e4b601b0d4a57ecb2989cc084b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKQIIsMg.bat

Filesize
4B

MD5
9a44a58f7d325d16c4054e8a5773a0eb

SHA1
4f4aff7f08d7edca1b862a4fce59361a714114c7

SHA256
6be173f3acab640ea02f113f8ee74055b674f539f11f47a898dbf7bc75075e04

SHA512
5752a0323a62de38f8a0601b16b65b6960143e98325312a4ae1a5efc85d67ddb07bbe429821c2def732e2afb45b45d94f4b5ad8a8802f61d76089a8fd258a3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWIIAEYI.bat

Filesize
4B

MD5
0e2b534e94210c383570c1969cf4740f

SHA1
fa48901493abaab6651eb460a37779b853563754

SHA256
00cdcaf8eca80e74bd2a935b3c749a3020d6178066dab6a19ed236714e4a024c

SHA512
ff76471776903e181fa0b00b1a127261bfb58cdbb5b4d7d6d4ef7c03e9963a099c295f5c89cfdc7e0d6fd0e4269ad35b472906d8f2d9ebe0fbda27b6ec90f8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEsi.exe

Filesize
244KB

MD5
3aebe757b3f41efcdfd8de16e91b8e34

SHA1
0d1b452027409048696ca1b5ae793cf252908698

SHA256
2e3ff77f4f0187694f2a329839289a7edc20a2df6483698973a7f0edda64910c

SHA512
e96005e092c3c9a2239e3757b797c5197425a7d12b981b84e2d5061ddd4863abf9054066493542ef6236e9becdbaa416e1bb40978121f7aa51e7546abab6cb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\oKcYgAEA.bat

Filesize
4B

MD5
e5e27b602886fe0bfc9a849c2892b418

SHA1
24bf6f9c871682487c44eb72e2aba2249dfe1b8b

SHA256
be0eedf75e40c23c5d5deaae6f8897b5ceeb05b88881498dd986ea6c0d89e172

SHA512
8ace4bd9448e407e25193538f3045071b10e05be1db2ed9411ab747b569f4573c655709adfe094d105fd133c902e750d8a009db35790b9b7de610217ce1ec598

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQYIMYYg.bat

Filesize
4B

MD5
9a2b2703cb7d10c561ea6c48a1ed7c2d

SHA1
0f4380aa4d6a97d7397d52ee64e73fc48255821c

SHA256
e116482bc8d5028587942acf702da11345de4fd93290fcb4ce3f0a3a2e07b8f4

SHA512
218be7985c2d9ff38114d79c75ed3057aa446d53d23f299883f8beaf477bed1d15ccf6fa11872f21f59de028a39dec407dfb69886fc01e0e56740d7e26f8cc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUsa.exe

Filesize
233KB

MD5
b93fd534c1e64f0f6ef5615b83458780

SHA1
6c354bcc7dd58dc40e95468d874b1f3cde423684

SHA256
a275d0ae6a2a437d9ef4d08ba8ea1435f7cacaf187f9466da6fcc68dd68f3b54

SHA512
db05d8b1450e73454da480e782877c1a6d7fe4ec5c620036a79cb1bc1d428d6c717f3af15fea68d13afdb41056dd29aaa9f0ff4b426637968d713d32e58811ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogMk.exe

Filesize
203KB

MD5
ef29e0080292c29621a00ed4ad095a9b

SHA1
74fbbf0c3b644ac72612710a5db8c2b8df659dc0

SHA256
6e523ca315301c65758dba7a9aa494cd59800c915cb149bff62185a753cff890

SHA512
75e88d7d02c737902ba0b9e09642e4690bc9585c1304dea6283ab4e88eb8f5c8a645ecd16ddd9a12e3af59add828c8e49b6cbcc88e68b951fe8d83a00a47119b

Download Submit
C:\Users\Admin\AppData\Local\Temp\okkoQsoM.bat

Filesize
4B

MD5
526b18fba6d86d1f1be13f4e96899efa

SHA1
0cc3f8987c7b938df1e71923adee87b34951c4b9

SHA256
4ae22ffea12a7b2bf9ed4ff1d9a7c8cb48ff94493ab5f2d7b7f052a655b621ee

SHA512
a56d87871a1ac471dcc41fdcf3841308b55fa1c980f6b69c0fdf29656fd05281a1ae5df2aa4ac0801086aa33ab09b676b934849694ac49f30cc3ccea23937825

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooIYIAIc.bat

Filesize
4B

MD5
20eee13803ef38e318564bff2d9b8c9e

SHA1
9c96c2fbf3753fb44950f2d5c6abd4ef6e1d305d

SHA256
bdc8eeabe4980a740cf1231c13aa15861d461cf03db9c6811614f2c21f740459

SHA512
c932b6b1f1c7a78886cfd5532cd4d896b2f439c31c069da3245433bca32cf6581d5f0d85aaf96826cf48563e831257cc64ca6ad1558311394f428e0a45e2a9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgkIgAkM.bat

Filesize
4B

MD5
ed6e8c4601caec10b1a890ed01416b95

SHA1
45600202435dedd627e01f80a72d0f6d50e2c6dd

SHA256
bdb17ee5cdd84fd050bd1f4b141eec183ac9fe2af68d890976a16271f1d85d7d

SHA512
b6b7adec61893f40ac27405edbba113cfac5f10433b93847db35bbc00c7205b401dca8768989339eb940aa3d3fc44a0210f56ecf7edc55e89ec13ae090d55c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgwMswUo.bat

Filesize
4B

MD5
93d2706f816ede566f0f1c372fde75a8

SHA1
715184b687e854c28b5f9582c0cb780dfa5d95be

SHA256
72c00a3df870195275bf5355f1a59cec361dff2c2c5f9af37e55691eb4b27e73

SHA512
ae85798ef8d9fc37c3f3902596ebb9df9cc2b4986b10c1a2a5a37bebde64d41456d8ea7bca8822d13f98d7815a9720e0ba1b223b6b0905bc04f9633130fee68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEwA.exe

Filesize
249KB

MD5
dfb5a900ef536d15e37156fbad4b6fcc

SHA1
570d9bf3df26814c5d576f6d5b627aeae67719e1

SHA256
0604be4312a9fd970b7c09a29eafd9f546fcce90c0146305caa0664e872e65cb

SHA512
c59c9dceb858096aee9d8033a06bda484f7d75d94bcd3a672fa68cbace8cc6dc813586cbd3166a8d100cd4cfd2b65adfe96c7937e3e7c5ed482e6aa0d915a6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsIgYcsU.bat

Filesize
4B

MD5
893db70aabe56013deb826fa8ba30eb8

SHA1
8f8ee34eacc608629cd008fde12b15e8e29e49b6

SHA256
1389ad3e782fb9eb3acb9bbeef65e06a9c4cb363456b84b274ec013f35c47bbf

SHA512
6739654081dd9f3ed8615dcbf179d58e9e9ace7e53a9f9ecdb3f75bcc593cc8b622bb14d9fba2cdc8271417d5c5aa308d98d829ebcdc804d8c654c2b49084b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwMscsQc.bat

Filesize
4B

MD5
135effca3b79b77dabeecfee1e3aca65

SHA1
82621a969c81ac70e9e9ab5db8e7d6fc0e091809

SHA256
aa4ba74885577777cf3eb77ed0ffcfbe71a0a74877130d5a14c1a1228f4a0d0b

SHA512
dfc9a527173f7b412290760a689bfd97dc7a47185b7ebd252add2558f5c4706bcccf63d1dcc5c0f132313df62fb37fa98ff229b617e5e4afc940bba7798c8ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rOgccQAw.bat

Filesize
4B

MD5
ea4919c629b0b2a4bf251bb25ec77f2a

SHA1
0131a12f6fe1a610b13a7b9309e9f2e0612a3c60

SHA256
93b93ff51367b26831bbe7204d9a103555e588c437976224f25ffb529bd0e60b

SHA512
780d438cad3740bd121ad2fb042818a3128a66d2aa4f3e7a122708fe6466fc40795509e8894caabf97ca38df5ba0b35f9a4fd225a5e1558405633da18df75aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqwIMIAY.bat

Filesize
4B

MD5
09e69a1c9d93fb0ed014df60b3c2702c

SHA1
bc5fb27bb272488c4adaa9e9f48a14d306eacd76

SHA256
89e2e282edd871f9610edcd6265ebf1a93683b77b473d893847d000cfd0186da

SHA512
aa8ea545d7eb8f056aa994c0682a91d03848f111435f7ae620f898f29baeb1f3328f7e1df2c1eee3dfc16771aebe484408cfb77a2622d730db953b799aca90bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKMAMEco.bat

Filesize
4B

MD5
54ff58cb2a6ede08b36751cde10a0224

SHA1
f61ddff5d5cd4008ddc8f8136b24606a8d1f23d6

SHA256
d83c6103a77f72f5407ab1ec964ea11724c71a2f9d40a0f91b84851964a7655f

SHA512
462cfc45f7abc33dc8803cd6174f8c0e840857a83e524785c83e0ed0e8d540c13edcd1072e6f6a1c905f7889ad6137b75beda1f77f46e91612adaae1d3299abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sOIYYowk.bat

Filesize
4B

MD5
6a718a4a9bb85a287d2d7d7e79cd814a

SHA1
506e57ce1825f87cd73464debe2d0423d8e19d55

SHA256
a36ebb8b657dc2765bf3388c125f090838ce6100562802fd9da16e5ab10e7064

SHA512
f5b4957dfd484bd950c3c8d4f7d271118fe64475c4e2a8bdec20ea0102690130929310fe24b5a1acdec1adbcf6ab298a022e9227eca4ec4decd666fa16cd183f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSwgMYsw.bat

Filesize
4B

MD5
5f7fefef8515da6fc45ad78a461354cc

SHA1
779e63e3b94098727906f5b68c93252e2ce928d6

SHA256
c396914373e4a1ade0df03f5e21ece7952efd2c0327f92b5c1fc32463e88b436

SHA512
79cb4c01e3847aa9f9597162a70c6f9c0989eebc2478efc8ab30eb6517463036f0f1437a6256716dd31dbec3ce5f8c1fdbe95d1feeb0b9c3096ccaeb6b4eb157

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUYi.exe

Filesize
327KB

MD5
c29c514e40b5ef03f4d00fdb447a0f16

SHA1
a42057b7fdf2a7679277a175959bd5515670b6ea

SHA256
51ca03ce2aaa6c5f2452eedb81b20bf7872be43937a412b43e0be2001fc9380b

SHA512
65b1ee05630fe3310ced622673eb037f6a3dbbfb13bf41436a00b4006d6668c5a80fc3dedad8b520df271d1b06fc744e9b7652a7e04626a82b9d42f221caaf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUgw.exe

Filesize
227KB

MD5
49e1741fb73a95221f6f32af7812425e

SHA1
b732d80b7910e113c063aba6144fb64092b985c9

SHA256
db75c7373a8169e1589b24faf50435d8ea38401e77e791fd188c0f7f3a3264cb

SHA512
d6efcfa170e7a72cdee9b59290668b7d78e33f7535529f84ce46fee6759511ff5e9317d73e96615f2183673e41b1c0df6cd3baa1af28a167e8d905037463dba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWoQIYoY.bat

Filesize
4B

MD5
1c51581d9afc1494ab9d4e634e88f824

SHA1
ebcf333c14cbdd2fa5f7dd84c7a471a7b8829f51

SHA256
f41f1122ba150bee52af7af12d89eae9efc2bf1c59bb7e24c7941e29a4a35720

SHA512
5743bd2680ec1c4790b06ff89e052c4414545ed28d6c3fb84a6f9ce8239f9a80dea00b4511fbcd7c59d960b93a9480ebdb6a2c4d5a5b68523153a740a3b4bc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYke.exe

Filesize
189KB

MD5
edc1a028a8846c65c1361a1a0e93be2f

SHA1
cc82e8800bcab3042659a4acf7d239b76404fa1c

SHA256
fb07e7037d24044a67c3d8c268ae6eb81a3458d18979fe7f710c8033de207132

SHA512
24ea1812fb22bd608bb544df7d5549bcc5e09bb84532c420826496fcf2849bdd16d50295c72075366646cdd9d783ba320f123765f9ad23780dc8c9a1251cdea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scYI.exe

Filesize
199KB

MD5
2401eadb7216899a3accf1e4a82b7b78

SHA1
d10599eb991a75f138ec6d8c9b6071e0ca0f5800

SHA256
a3896cca0b2e8db68c67b0766f276eb46fa802e653d4d718d9d6c2371364c323

SHA512
513d2dc8a56068ba5f2b823ca24e92f216165c5b399cfa9a69c7f910e47d345627d49bd25d79c475c86f720442635c26a3431eaa6710a35f804b23e0c70a40e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\scYc.exe

Filesize
243KB

MD5
961a34203c82175d04ca0c52029d2c08

SHA1
a78a7d609f93458bf64cd71acdb42c8ef42df614

SHA256
2e5fe5f996114f1e999b569d1c51a97cb1cbd30a8a7de03c3bdc4e7c9550623c

SHA512
06d8c8f2a289edfc5e46d358404593fea20a1ff0cfc50393ac2778ab111fe50ac0899057ff8aaf30108a79d73dd8a24046a916d3e9433b4c46eb31d3a8cdc444

Download Submit
C:\Users\Admin\AppData\Local\Temp\sccg.exe

Filesize
240KB

MD5
67d4012d505f3b9d5bd42fbadb3ac421

SHA1
5f1c7e2975ce8f90b94adb88392cff479562fb6e

SHA256
6f4f354ab8065de09b8576036e195e8677781ca0a8b8cd2a3919b408b1922c23

SHA512
f38b43fba192f90717e4b8a631412a2c60604558a9f7e62c4b82d6b9f37ce46a9b4b907100d26c3bf6e273bae2ebf1fd80cae2e9615ea071b4774c734cf490c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssEi.exe

Filesize
246KB

MD5
cf8e0414b6d802cefef0103e08815f55

SHA1
6b2e0dc7093d913ef277ad86b8905c836b656e96

SHA256
cc21323080583d55f9fd072e6289482b5c56718319e87916f39a14389e5c2b50

SHA512
fc59198fa702bc6fbf96415d161d8553ebee113b83de8c587e76ba79a4f88af9e3c56f4cc8375a4370ae27aed2a26af56bbe88c81b99c89cec06626ba01c7704

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssYc.exe

Filesize
946KB

MD5
1ea476d0f10200069ca5a57ee38b9d7e

SHA1
30f09a35398b13a49fa7b908cab4436da58fc7da

SHA256
a804a546e33cc96d22b217c9f02c3fb5fbf5e3d28d35a21fd7da27253be8c7b1

SHA512
45b03bf92012a513ff9f7cf005a7bc473b5bce3449ac92c0b19fb5f380a0b5970116913979888baa5b90e85d201ed125d5437987a131c912f2317757ce46eb91

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOkgkYso.bat

Filesize
4B

MD5
76753e5164041ff339a271a4bcfa759f

SHA1
fea8204e76b73cd1ef1087cb686e5de8b95faef6

SHA256
c84d9ee793c1757d8f49e47d893fbe58d5990af6b133057f89a388e04d54ca6c

SHA512
3054665f935584d6e9514283b3b4b6ab5dc32718cdc88704e331752481ecda72da2a944777ac4d774dc67c9e2bc5472a733dfba13cfd0964d8ca35e42ce64867

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQMm.exe

Filesize
234KB

MD5
b57c972cfe506a6ebe7fe2fe930a7d28

SHA1
8e505c1f9ea098f5c5e89097aef6a26b77585e70

SHA256
c76906e8c576f7dea8d7deb1e3bb8a1e64d91135c0310be5514f8058c869eae2

SHA512
7ffba865d999958dea187fe1930dad0ac952531f5793c2092ba065abe99216600d8d003875bd0dfded140f40e308f6c49b919c6c491788e2439779742f2ebaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uWYEsAgM.bat

Filesize
4B

MD5
de14dbc3c365f538ab4ffed7eeb53ee8

SHA1
4d61b64594cd438a45d7255ab0994aae1076ec1e

SHA256
e85fcc8db356de8a37b48076c11ff18d27f57a76c0d9bf76fe2f457f5dc4121f

SHA512
6f2a761baf8c65c9a354e12abbe58c7d5f17086d44959f97a4df83854ca7f61ef53b85ea418d6d54e966e930cd85759daa054480b54f6c1a83fe0dbcbc73407e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukMm.exe

Filesize
230KB

MD5
4b6728bc317192116cacf304f9f7f377

SHA1
1ecdeda5004fe6c029e149a8da1cd8fef0c855b8

SHA256
4e0f4abab72d0f35e6b0ecce1b091d2194e0c415dfbb67cd9fccab03d465c0dd

SHA512
6f481ef945ceb501c3dd7009429c3307f2f111f861976a2f31eda7509997257f4d2a44a6e595ebfb9eeb322f2b3ae3e4928c7c4e38c5576b82b970f0362c5206

Download Submit
C:\Users\Admin\AppData\Local\Temp\uooQ.exe

Filesize
229KB

MD5
13d8c2645bbadc24f5434a86f0b0c0c8

SHA1
59b4e6a11e389d1776eff458253134fb3264fd15

SHA256
201daedb2709ceed371be45821456c75711fba0eeb240fe0ba44bfe88bd1592b

SHA512
b88fba323e7371566113e9600401720b7d532f517c7e934e193e1d174780e5e9a580bdc7a09d3478cfe798865c7cd8773fdacbb63b5846ae4bb98f5d6623059a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vSkAMYsM.bat

Filesize
4B

MD5
2a4aa357fb78a85c67baf4a381bc9279

SHA1
fa4d487ce50cacbc76713859f3ecb1a3544fbe5c

SHA256
e89be4b8cd331c4222e6400be2e0b7e991d6251ac34049cdd00e7a01788789ed

SHA512
94797b521ae8bab58ea5c85cebf21455db64575ca36c5d680246e0ed3bffefe8a59635ab49fa7577fa32e392f06bdbaad151105d3450960d1454c05993609711

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAUO.exe

Filesize
253KB

MD5
76161b519185577c3217e5317ed42d5f

SHA1
d148e0db0075765952ec865532e100bebaf4e77b

SHA256
8d9521f0f44bd4873fef2182c7bc7df41d5ec7171e50a6b83f4de4db4633dd5c

SHA512
bc2708fe2f9d869d86e917591be59b741959939f68033d41d2d078aa377417ce4a4fe3a4a179cfc5a137c5864dd001374bc039e58975c11fefac87fa20522aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQQO.exe

Filesize
458KB

MD5
a34350d5aa62ec8f4e046b36c1bff0d6

SHA1
5f54aedf68c5f227c73c1c60087938d8a3030e45

SHA256
2a08a493a3df5613837d7997267eef1387a70acf74085f0402a0cabeee5983a2

SHA512
f105b5ef09c772e4c3fd2050e4dd4d67632e906b49041e170abfe730da454457f1dd242680bc278785418d384e89e51dec91997a00a708a05cb5cda70cee7528

Download Submit
C:\Users\Admin\AppData\Local\Temp\wacwUQoc.bat

Filesize
4B

MD5
4d2d447702c57c7a54507ee9bf3b0f63

SHA1
2d7020a988679313873001cef4bd45f0d82e1069

SHA256
6268a76281358528f11a40b36b8e2e6fbe2a8927f18de98f19e305d289756dc4

SHA512
189ac8273fd51791d207476c0d17655f78df3cddbe9312aaa21eb6f7b0a276dfb7f1acad51c27c61dadecbb4496362969f136b33bfe2f209ae0eb6b06aeb396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcka.exe

Filesize
502KB

MD5
01229557c0a9b571562f9ca2dff0b505

SHA1
4c71e7a7e6b782e6c2a140cd2dbccea0c23e1f52

SHA256
08f957a92057a757bf9f1d763ec020e7e467cfe65fc4312ee72029492e85cd58

SHA512
a1ea7593652f6c43d591faa8bcca54e7724c4ad2d7f022246bfe81b3b30fb59411f912e140c3dbfaba5b12ff021916a76de382b71e6b49df3811c532476d657b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiowMcUg.bat

Filesize
4B

MD5
947fae6366222c4662203fc8d08136b0

SHA1
7dc61f7b2836f25b4bb715af662ac2c2eb98bdd7

SHA256
4c10f41165d470d66a40eefa9f465e4f41e26148281d5e5bb074646e931057a3

SHA512
50afe99d6368bd2e14ffc4ad2de0c76e794b3d2667855132e6b056c655fa5f98946af1c154e4a725d3133ebdfcf243a038303e516b924d983540e26f8e782242

Download Submit
C:\Users\Admin\AppData\Local\Temp\woES.exe

Filesize
248KB

MD5
573995b7faf9485b3b14d0a7b50fca7a

SHA1
f985d63d33785d07d460d28c70fb036cef43e1c3

SHA256
009715a7c732937e01fed92db32cb0bfff6b7a6d94121137cbe02e3ab3c8067a

SHA512
0c42efc92db14199f40091ab948a99bf95ab8d9dca43da22f63ffa1c9a400688b5fbd49f3bd729df266faf65bd3a45b880aeab122389294a46defdd79fc94eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\woYW.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wooc.exe

Filesize
239KB

MD5
84d4db653bb894cb74b970ddfa4630ef

SHA1
57beb91586f35331baadecd1e1cb6b93f8dd6daa

SHA256
b08a6df28e32f9b665ca14507445ec36d0a0d59c0e74823e2d06a1f19e172376

SHA512
7cf9724428a348041f58f2d499e92b92f435db64f01cde69591b94afcb0081faebda043f2e2557221362a95d8c3974c68d6a92435867156c7dbb97a6d08514c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuQUsgUk.bat

Filesize
4B

MD5
020f3300571ae08d9c020ff3978edfb6

SHA1
c2986584d74ffc02f4f8b5ce13fd72c1f96f8e2d

SHA256
b8b41a880abdfe7af1509594b41402a70e337c5388ff655189fbc0f52aa90d15

SHA512
ea222a32bb0066a44d2bcde548ba2d6b4bc0c4e34b1018ea52267d2e8a2019400b613971535d6eacfd5d7dac6283b96ab67058a164caef7322f7d76bf9735d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOYsMgAc.bat

Filesize
4B

MD5
daf8aa73c1f681735a926125059d2095

SHA1
d4a6877748c99bca472ed4708952e3ba36c84d25

SHA256
b3b77d68bd1a36113df9d134a366b2244f0b3d055583dcfdba33198b4f8d653a

SHA512
73bcac8392c48e14fe419dba473a6d9524da81c08572bbc0443ca126bfc561c6ff7891ab48845a636bf91f115dce952d422cc657262083752577302950dd6c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWQYIEoY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAYs.exe

Filesize
209KB

MD5
0ce1eb99b195e67c936128f48fedc7af

SHA1
615217ac6600c1eca8915f3dc1da2892a86587bf

SHA256
4c5b5b78e99fa972624dfe9d12be4e51c4315c8b8a2eb051e1136b3819cb2cf3

SHA512
146f141beedba9494fcb126ec1c5ce20eaec80d2b1e1c088b70d9ff19e31a29d2b0ba47f89ea629030343dd90df7cebbea6b183e043f3c3ed12bdcc085ce1a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUcq.exe

Filesize
230KB

MD5
ba8262d6e57b11835c2dc43da5b2c043

SHA1
4be5121d2d37bd94ae4b9f1c11946ac70908c00a

SHA256
d1feccf16793bde475d2dd60876d33ebe973c3bbb06795b7b2840810887523a3

SHA512
1dd81566940a96946dd7cab86b57bf75ecadd70fc7b06b7ffd13a1d183fbca530b2e63dd141c417f3ff9ad1d440e6e6be8ca60c3b67746a60b96799204c92764

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYoIwcUs.bat

Filesize
4B

MD5
11597189b9b0f57ecc4879c0feb8d57e

SHA1
c27e59130d321917b8d63b7be3929c979553d534

SHA256
803e9018d04b17256915b553e96362dd96c354950ddcafee2e16c99a6a5ff6c9

SHA512
125287c95ec9c7e311ab07652ce02efe464da5ed44e3af018489e2e7948b6dce616d111b29aacb6be380e228789de5d16a8b6f74237a82057b91a6f3f9776407

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykIA.exe

Filesize
187KB

MD5
2463baa7bc61aeec48fc105a0693a292

SHA1
f0dd743642e75f503083fe5aad4202dc58ba2e07

SHA256
b0bbb59e5e2ef9e1b021a4189d4628265ee69383cb54dd68668f95bb4b343fcb

SHA512
e1890547a9df3237d0df9658df7df21a7626b241b0b1d99754fc59b8043f223e0ac2f61e7d16410ffd1eeca0ef5e97cfe0aff4751cd536c6b884d17647de923d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykUYMMsw.bat

Filesize
4B

MD5
a6cf81541f93eff477fc65d8d8917050

SHA1
a47bb5176830e83a65b8aa6620e6756da4a37cf3

SHA256
6fa754aecde499021a6ede9e520192c9119226299bcb3769c835caf85f4f33bc

SHA512
f6f72a6170e13669b32c9fb53800c152b43f64f4df83d2a24909146b98b64f49be0c1b4b28965c17a39a3b96db7d0c33efc38afcf420d19dc63fbeb522ce887f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoEK.exe

Filesize
562KB

MD5
b0983cba18cb63f1885649429d4c59c4

SHA1
7eb22e82645950d295922f357ede6b3d2fde0623

SHA256
72db379abca8adf1efd49f46c63cda69af4a3a2a0fa0c782c96675ed158f3b3c

SHA512
610d14360ab5eeac5b8c782e73b3249c17cc6aa145df9f8b1b5bdc8fc43c1bf9176634d078560fec4903936476bc9f0361227f859c86b9d78bdeb1a54fcc1990

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQE.exe

Filesize
246KB

MD5
5fdba4fd0be4b3fc97b3608a5fc57482

SHA1
bc80242d075770fabe97f42369a80eef578b638f

SHA256
a76c4fcf951be392e212a02834c4fb30d7a2153d3a9a64c3462f59ad2a49ec3d

SHA512
b4418cf36fe73aefdce17aacf77a480bea622827a8f51d4c766f33d8af17aef9ac30058c559733da4d42d03bbe86028a7f037d93561c1274520a4575672627e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yskcYUog.bat

Filesize
4B

MD5
7dcbeb8c9327dc30b7377a0e32142dc8

SHA1
217561eef28fb518c8db4617c521e1328d162397

SHA256
a6e9aea305d3f2937c6bfe0a28694fc4bca9dc445b195d4d63d407e33c12f2e0

SHA512
c8dea008cf14017c262f53b36872a3acc911ce0fec5a42be9067d756db06ce9513bc5a8bb886f2ad4f3e0652b214a4f7beac5aff44771c84858d2c4ab2e0a648

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIsgoUcE.bat

Filesize
4B

MD5
9075b6d0ca79a040b8872fe44c7944a9

SHA1
921264ad700360e3d435c8e98de6d6d09c3e6db5

SHA256
21a0f3badab1ce0d5bd80bfd574c6384a9271e82af60c82f7653c6f49cb696e5

SHA512
7d84b99ff9972c98bdc8d7bfe22e17aaf65eefddee7eece47529dc7de111fca3b6d1780056508ca0ebcbab25312eed4953bda3048c6b365c8cdefcac70162f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQIUoIgE.bat

Filesize
4B

MD5
e167e76e0bd09f279a2ebd6b5f561ade

SHA1
0ba01a12bf91fad99287652c96205946af1cde15

SHA256
2ab7bba1c9cdde97f85bd0228306135fcf0a29d6c66c9776ca8843b04990ac2d

SHA512
36a979876a7d41f66da3ff3c0e93d2eb1767802db174df35db5d262156295aeb4616168b50b96797ab0b2ef8e6680cce539e8879c686e1c2e6d50f3860e71c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUskMccA.bat

Filesize
4B

MD5
da529d0fc8424f06394d3603d4867548

SHA1
676c95a5ff9f04ec260d3c04e08629ec2a2ba233

SHA256
b627cffc14c4ea8296cd9ecf33d927613b1f70b4d298e24ea6bc9f57887c9eee

SHA512
ceb8924bda7e92ee3cc450d004429ad6bac9e247497ca845bc7615617c7985944c2d25be1c1015b84e2c3031e28b3ec57c89dd81938faf8030ea2e1d4fd85146

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaQIUcUE.bat

Filesize
4B

MD5
68b337fc3b51df4851d5ed725200a5c7

SHA1
bee64fd8b2bcd57f11a69adac629c3054c9670ed

SHA256
dc41214bcf7114706d5d06b871805f53d5c219d8ec330ed2dd386a504432fa6f

SHA512
48ac42c08a7b054a41c7631127d58f2e9f03176b3dc44bc6b7cdd69dd2d9eb8cb10a77b0f9aae98e1373b5658df0cef07fedb6e81db2045da5dc6b4756d06b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkYgYAkg.bat

Filesize
4B

MD5
2de6204e922660ce6ff3a835031e605f

SHA1
ac34290e8b59f33376d806639b1ecd9142f6db12

SHA256
7bb92b8cedbab1ebb58fe8b24b4ce3ce936448f95b3b95f35fb4139d90d2e616

SHA512
669e22dd79222f54bac596006a0fca030a84bc4243f2d531ea870f9c51679fb202cb46ff5e1cf682558deef1567f34d9d6431f831d223ab017f9f54961dc9606

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyMkAwgs.bat

Filesize
4B

MD5
abcf20eafed67b01f250b12b555bc474

SHA1
bc691365e72684430b75457944dd9eec2748acac

SHA256
14566a0a35bc521d2eac9f7ae488735628c940b9b44c4fa3c03454b51cbd3282

SHA512
61a9e9bdf134aa3a59aca934576e9a490ad7ded4e493c4b30035db482e7d7aa98267e4d377c924bd1ea90de65813248b9caaba2d4dea294a42dff9fc484cfd65

Download Submit
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

Filesize
8.2MB

MD5
c43d77a97446b42ea591a3e590357c34

SHA1
40d0a4b55f73be9f83bcd3782c3f5a28a8a5bfd6

SHA256
7dceadfac65c4f55c2074f87c900314e9b029607a9e327ebf56fbed1aaff3f4c

SHA512
2f87dcd1eca2120b1625f0b80a0e5db624120844397dc26cd16eb5ddacf414ce98daba6b175700ca57d2e3d289c11bfafea99c49a16643fe51a6d3c742348daf

Download Submit
\Users\Admin\cGoYMYgo\wokYgwEw.exe

Filesize
191KB

MD5
556dc127b7d875da7c6e6d92568de201

SHA1
22391e200f17fd6faa2fdf857ae82f359fc678d7

SHA256
e360483dbcc1725ca38a660ba5b3cd2cbc86450fbac932abf4a7b46bf4331e7a

SHA512
4e7424f80304d7f92a0720ac3d5a61eaf10be73cc2217f486811d0af00343cfab005e2b428ad8d359de70e477e20d441ee1987376e8233f64a0359498dd1903f

Download Submit
memory/476-81-0x00000000000F0000-0x0000000000123000-memory.dmp

Filesize
204KB

Download
memory/672-984-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-939-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-552-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/1020-753-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-607-0x0000000000190000-0x00000000001C3000-memory.dmp

Filesize
204KB

Download
memory/1072-608-0x0000000000190000-0x00000000001C3000-memory.dmp

Filesize
204KB

Download
memory/1088-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-842-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/1096-320-0x0000000000110000-0x0000000000143000-memory.dmp

Filesize
204KB

Download
memory/1148-1082-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-656-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-571-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/1272-764-0x0000000000170000-0x00000000001A3000-memory.dmp

Filesize
204KB

Download
memory/1272-763-0x0000000000170000-0x00000000001A3000-memory.dmp

Filesize
204KB

Download
memory/1300-103-0x00000000005B0000-0x00000000005E3000-memory.dmp

Filesize
204KB

Download
memory/1348-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-795-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-765-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-908-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-899-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-832-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-776-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-494-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/2008-233-0x0000000000420000-0x0000000000453000-memory.dmp

Filesize
204KB

Download
memory/2024-475-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2024-744-0x00000000001F0000-0x0000000000223000-memory.dmp

Filesize
204KB

Download
memory/2072-889-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-966-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-629-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/2172-706-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2188-871-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-59-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2232-948-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-1022-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-2395-0x0000000076DA0000-0x0000000076E9A000-memory.dmp

Filesize
1000KB

Download
memory/2292-2394-0x0000000076EA0000-0x0000000076FBF000-memory.dmp

Filesize
1.1MB

Download
memory/2308-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-851-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-211-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/2368-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-675-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-666-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/2560-638-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-610-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-786-0x00000000001E0000-0x0000000000213000-memory.dmp

Filesize
204KB

Download
memory/2588-918-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-927-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-805-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/2676-687-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/2680-408-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2688-716-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-1002-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-1058-0x0000000000110000-0x0000000000143000-memory.dmp

Filesize
204KB

Download
memory/2764-814-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-1059-0x0000000000110000-0x0000000000143000-memory.dmp

Filesize
204KB

Download
memory/2800-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-696-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-1060-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-365-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/2892-33-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/2892-32-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/2900-707-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-734-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-619-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-13-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3032-606-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3036-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-11-0x0000000000470000-0x00000000004A1000-memory.dmp

Filesize
196KB

Download
memory/3036-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-29-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download