cb4bd47c9b59bf3955ea560705f748457e4656d8d07c68744e177a487f25a6b8

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 11:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
Size

200KB
MD5

afaa6a14eb7b46dc2165b3654e238b1a
SHA1

de9344d62cbe3bb743605e5b08ef2f0f53105a24
SHA256

cb4bd47c9b59bf3955ea560705f748457e4656d8d07c68744e177a487f25a6b8
SHA512

8439927311549274249f631eea79f4daa7d4334d3f300cd6d0b4810c7528fa3adbab1d3f6bd6fdb0efba64321a43eedba1453d5ef9dab6fa83724a28675a695e
SSDEEP

3072:jR3295cHoQmi9B6m38FER2L0GC9gA5n3xGFVDGQ9U8XcURE5gwfxG9FDtN:dG5omVmM8cA5nBGF9U8XcUREHfxGH

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (53) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation	qSUckMMs.exe

Executes dropped EXE 2 IoCs

pid	Process
2200	qSUckMMs.exe
2180	cyQwUoUo.exe

Loads dropped DLL 20 IoCs

pid	Process
1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cyQwUoUo.exe = "C:\\ProgramData\\oYAUEIMw\\cyQwUoUo.exe"	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\qSUckMMs.exe = "C:\\Users\\Admin\\gmoEkEkI\\qSUckMMs.exe"	qSUckMMs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cyQwUoUo.exe = "C:\\ProgramData\\oYAUEIMw\\cyQwUoUo.exe"	cyQwUoUo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\qSUckMMs.exe = "C:\\Users\\Admin\\gmoEkEkI\\qSUckMMs.exe"	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	qSUckMMs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyQwUoUo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2320	reg.exe
1300	reg.exe
2744	reg.exe
1044	reg.exe
1412	reg.exe
1116	reg.exe
2584	reg.exe
2924	reg.exe
2568	reg.exe
2164	reg.exe
300	reg.exe
2220	reg.exe
1500	reg.exe
2552	reg.exe
2928	reg.exe
2092	reg.exe
916	reg.exe
1160	reg.exe
2600	reg.exe
880	reg.exe
2580	reg.exe
1592	reg.exe
896	reg.exe
2184	reg.exe
904	reg.exe
2056	reg.exe
2068	reg.exe
2320	reg.exe
2108	reg.exe
1776	reg.exe
2800	reg.exe
956	reg.exe
1616	reg.exe
2172	reg.exe
2248	reg.exe
888	reg.exe
108	reg.exe
992	reg.exe
1972	reg.exe
932	reg.exe
1928	reg.exe
840	reg.exe
2572	reg.exe
2552	reg.exe
1944	reg.exe
2964	reg.exe
1560	reg.exe
2532	reg.exe
1864	reg.exe
2584	reg.exe
1980	reg.exe
2132	reg.exe
1032	reg.exe
2892	reg.exe
2492	reg.exe
1992	reg.exe
2136	reg.exe
2580	reg.exe
760	reg.exe
2656	reg.exe
2232	reg.exe
872	reg.exe
2264	reg.exe
2144	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2972	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2972	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2020	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2020	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2780	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2780	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1156	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1156	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2176	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2176	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1464	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1464	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2560	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2560	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1512	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1512	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1748	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1748	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
860	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
860	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2168	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2168	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2896	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2896	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2844	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2844	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2560	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2560	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1700	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1700	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1692	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1692	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1788	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1788	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2888	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2888	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2952	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2952	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2476	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2476	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
372	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
372	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
3036	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
3036	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2968	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2968	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2432	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2432	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1636	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1636	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
744	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
744	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
828	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
828	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1968	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
1968	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
772	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
772	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2176	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
2176	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2200	qSUckMMs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe
2200	qSUckMMs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2200	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	28
PID 1660 wrote to memory of 2200	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	28
PID 1660 wrote to memory of 2200	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	28
PID 1660 wrote to memory of 2200	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	28
PID 1660 wrote to memory of 2180	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	29
PID 1660 wrote to memory of 2180	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	29
PID 1660 wrote to memory of 2180	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	29
PID 1660 wrote to memory of 2180	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	29
PID 1660 wrote to memory of 1572	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	30
PID 1660 wrote to memory of 1572	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	30
PID 1660 wrote to memory of 1572	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	30
PID 1660 wrote to memory of 1572	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	30
PID 1572 wrote to memory of 2420	1572	cmd.exe	32
PID 1572 wrote to memory of 2420	1572	cmd.exe	32
PID 1572 wrote to memory of 2420	1572	cmd.exe	32
PID 1572 wrote to memory of 2420	1572	cmd.exe	32
PID 1660 wrote to memory of 1608	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	33
PID 1660 wrote to memory of 1608	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	33
PID 1660 wrote to memory of 1608	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	33
PID 1660 wrote to memory of 1608	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	33
PID 1660 wrote to memory of 2900	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	34
PID 1660 wrote to memory of 2900	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	34
PID 1660 wrote to memory of 2900	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	34
PID 1660 wrote to memory of 2900	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	34
PID 1660 wrote to memory of 2956	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	36
PID 1660 wrote to memory of 2956	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	36
PID 1660 wrote to memory of 2956	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	36
PID 1660 wrote to memory of 2956	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	36
PID 1660 wrote to memory of 2964	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	39
PID 1660 wrote to memory of 2964	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	39
PID 1660 wrote to memory of 2964	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	39
PID 1660 wrote to memory of 2964	1660	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	39
PID 2964 wrote to memory of 2716	2964	cmd.exe	41
PID 2964 wrote to memory of 2716	2964	cmd.exe	41
PID 2964 wrote to memory of 2716	2964	cmd.exe	41
PID 2964 wrote to memory of 2716	2964	cmd.exe	41
PID 2420 wrote to memory of 760	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	42
PID 2420 wrote to memory of 760	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	42
PID 2420 wrote to memory of 760	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	42
PID 2420 wrote to memory of 760	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	42
PID 760 wrote to memory of 2972	760	cmd.exe	44
PID 760 wrote to memory of 2972	760	cmd.exe	44
PID 760 wrote to memory of 2972	760	cmd.exe	44
PID 760 wrote to memory of 2972	760	cmd.exe	44
PID 2420 wrote to memory of 2624	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	45
PID 2420 wrote to memory of 2624	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	45
PID 2420 wrote to memory of 2624	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	45
PID 2420 wrote to memory of 2624	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	45
PID 2420 wrote to memory of 2652	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	46
PID 2420 wrote to memory of 2652	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	46
PID 2420 wrote to memory of 2652	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	46
PID 2420 wrote to memory of 2652	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	46
PID 2420 wrote to memory of 1184	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	47
PID 2420 wrote to memory of 1184	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	47
PID 2420 wrote to memory of 1184	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	47
PID 2420 wrote to memory of 1184	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	47
PID 2420 wrote to memory of 2536	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	50
PID 2420 wrote to memory of 2536	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	50
PID 2420 wrote to memory of 2536	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	50
PID 2420 wrote to memory of 2536	2420	2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe	50
PID 2536 wrote to memory of 640	2536	cmd.exe	53
PID 2536 wrote to memory of 640	2536	cmd.exe	53
PID 2536 wrote to memory of 640	2536	cmd.exe	53
PID 2536 wrote to memory of 640	2536	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\gmoEkEkI\qSUckMMs.exe
  "C:\Users\Admin\gmoEkEkI\qSUckMMs.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2200
- C:\ProgramData\oYAUEIMw\cyQwUoUo.exe
  "C:\ProgramData\oYAUEIMw\cyQwUoUo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2972
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        6⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        8⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        10⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        12⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        14⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        16⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        18⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        20⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        22⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        24⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        26⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        29⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        30⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        32⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        34⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        36⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        38⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        40⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        42⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        44⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        46⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        48⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        50⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        52⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        56⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        60⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        61⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        62⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        64⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        65⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        66⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        67⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        68⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        69⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        70⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        71⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        72⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        73⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        74⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        75⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        76⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        77⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        78⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        79⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        80⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        81⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        82⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        83⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        84⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        85⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        86⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        87⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        89⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        90⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        91⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        92⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        93⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        94⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        95⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        96⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        97⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        98⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        99⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        100⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        101⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        102⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        103⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        104⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        105⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        106⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        107⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        108⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        109⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        110⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        111⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        112⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        113⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        114⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        115⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        116⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        117⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        118⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        119⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        120⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        121⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        122⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        123⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        124⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        125⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        126⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        127⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        128⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        129⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        131⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        132⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        133⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        134⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        136⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        137⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        138⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        139⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        140⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        141⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        142⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        143⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        144⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        145⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        146⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        147⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        148⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        149⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        150⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        152⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        153⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        154⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        155⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        156⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        157⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        158⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        159⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        160⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        161⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        163⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        164⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        165⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        166⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        167⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        168⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        169⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        170⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        171⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        172⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        173⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        174⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        175⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        176⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        177⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        178⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        179⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        180⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        181⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        182⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        183⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        184⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        185⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        186⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        187⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        188⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        189⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        190⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        191⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        193⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        194⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        195⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        196⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        197⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        198⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        199⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        200⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        201⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        202⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        203⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        204⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        205⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        206⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        207⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        208⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        209⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        210⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        211⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        212⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        213⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        214⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        215⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        216⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        217⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        218⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        219⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        220⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        221⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        222⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        223⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        224⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        225⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        226⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        227⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        228⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        229⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        230⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        231⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        232⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        233⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        234⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        235⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        236⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        237⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        238⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        239⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        240⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        241⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        243⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        244⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        245⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        246⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        247⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        248⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        249⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        250⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        251⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        252⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        253⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        254⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        255⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock"
        256⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock
        257⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWcYoEAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        256⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        UAC bypass
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGQoEwoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        254⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XYoUMEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        252⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GowckMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        250⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAEYEwsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        248⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSMQcgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        246⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MsoEEUUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        244⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yaQEMckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        242⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HOYQYsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        240⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgQYYAog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        238⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcIMMokc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        236⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xcMEwcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        234⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sIkYggwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        232⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsQUcAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        230⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ccsQUIoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        228⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        Modifies registry key
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gwsAwwAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        226⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HMcQQEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        224⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pAQMEwEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        222⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dooIYYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        220⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NSUkUMEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        218⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EcgIoUIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        216⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IicgQocc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        214⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\okMEssgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        212⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAgAcUsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        210⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NiMEQwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        208⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JyMUYgEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        206⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Modifies registry key
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lKcEkcQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        204⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kUYQIgsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        202⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UgAUockA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        200⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mqcEoQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        198⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CogkIAQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        196⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\psUUEMcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        194⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fcossgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        192⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUwEokEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        Modifies registry key
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IAwocAUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        188⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        Modifies registry key
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\owIgMUEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        186⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MCMQQwEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\asYkUkQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        182⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZaAsQcoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        180⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        Modifies registry key
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMwoIAsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        178⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcgEYAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        176⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yywEYcsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        174⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aiosgAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        172⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkQYAYEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        170⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UoUAcQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        168⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wuAUkoEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BOskkMEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        164⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        Modifies registry key
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RksEAUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        162⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xEcooEAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        160⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAYkcYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        158⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GuEAoIUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        156⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eakYooos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        154⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmIQoYwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        152⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WKAUUgcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        150⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwEIkQcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BgIwEoAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        146⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAkkoAMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        144⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HEoIAMEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        142⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZwMckMsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        140⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\koUEYcgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        138⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YaoQwoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        136⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\imgQUIMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        134⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kGUUMMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        132⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FagIQckU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        130⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGswAkwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        128⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUsUoEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        126⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jWIUEsMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        124⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\imwwIows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        122⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UKcUwkIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        120⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkUQYkIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        118⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qSwYUcwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        116⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IeAUkgEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        114⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tAEwYAss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        112⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RkgsEEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        110⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEMIAIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        108⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RosMsogc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KEIwYgMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        104⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ewEkwAAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        102⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eSAgUccU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        100⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GEUYwUcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        98⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UKYgAQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        96⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWoIYQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        94⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RWAQMcgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        92⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKAMMcUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        90⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwEcwkQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        88⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmAAwgoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        86⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies registry key
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQIQYcYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCoQwwIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        82⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qQEEAUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        80⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JWkscgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        78⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKYsgokw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        76⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vusQEooA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        74⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nocUgEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        72⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMgsAMkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        70⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CWoMksMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        68⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WaUoMcgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        66⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUkMMIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        64⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIUgYQcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        62⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSQEUsYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        60⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XccsYUQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        58⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tgMMwsIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        56⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BMAksMUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        54⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HysMcMEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        52⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KswAUwEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        50⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\owIsQkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        48⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        Modifies registry key
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWYkgoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        46⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QGwAUgkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        44⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JIsEkYkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        42⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ByYEgocc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        40⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcswAYkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        38⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TgooUYsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        36⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cusMsUwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        34⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkoQAEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmUsQQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        30⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MqwQwssg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        28⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eGgEsAMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        26⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lQgIgUoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        24⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rcwMssIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        22⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCkQQMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        20⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bUwYMIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        18⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iyUUYcMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcQAEYsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        14⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSwggUgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        12⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUEMoEQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        10⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwAEUwIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        8⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:988
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1980
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:1776
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FyskAkIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
        6⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1632
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\lSMwoUos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:640
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1608
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2900
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoMcQIYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1856654281-1021316200-161006948099330031789184088-1478665447767293506-471954232"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13251795011973337996-969005293789173727-3961657001617340994-412180841-1656614691"
1⤵
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "902955654316352405-1154500104-756790009-14836067851590560997613014886-478462961"
1⤵
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
252KB

MD5
ae285f9b94b2b43f29bbba07b8d769d1

SHA1
560dd2339017191ab1ff00228f53579fb21b4fe1

SHA256
9b745c84df0898db6dfad8c75c4fda3d7e3075cdfb6eb6a19780996df8e182fd

SHA512
d84c9cfc68bd760c137260b25d613a5bc97f54f14486b3f4c4c2a673e0c99680e572d485f7788a35fb519b947a9263c97926903ce8e9e03998f184fa72cca4d6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
244KB

MD5
3fbc93fc0967df4c050cfb6a1119dbf3

SHA1
5be3f9275e28d0a30e59c434920c126606a4a6ae

SHA256
6cc2155682e1554e3448cd1a647be3eb768d513a714b4b3ecd5f21594c82b5d3

SHA512
580ff1d89af86dbb566427d415cac8ec809b71e4db1080e8ebfec5c6c1ef804b1fc538a26bf393d31947d07ca3f6a073209efde98dd1c82045ff0e5086693f02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

Filesize
200KB

MD5
fde81c7dde65a8e6be581d2bff9ce2d6

SHA1
c451ff1fc9a7000fa868bed25018999328d38351

SHA256
78dc8df8adcee7027bb9f47a6a11a368a3a6becdf50cfea3a4b9b2b684bca2eb

SHA512
9981faa683e4893a66665d1e0a3cc98168c9e6f72f4162a409b6fce3fb159fc412dc5781be7ff80824e1e43ad3b442893f0205f3ab3c4a0db06b2a9783f0dce8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
210KB

MD5
7d2fc8d63a17058a0f71a81f8d50989a

SHA1
a0717e62a8a9b9d191c948aef6136c8cc007817e

SHA256
880c97fd1f8516b1fdcfca9497561c65e757e3e7d7dc01f0dbb39fc054d439af

SHA512
cbf66d481879ff341a3d242a98a958c44010098a3f2e3a6bdd3d5180de61f44fcde542c17b19a16bb567328c80a921c10043a5397d7d5768009a1c560132d0e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

Filesize
196KB

MD5
62d03933fc41e08e3b7f188b605cc7c8

SHA1
b347ec1d04690c9f762ce9356934e8cf0e3131cb

SHA256
c861c0b2da2c46271130dfe3138c6b387c29e0e7acc2dd6cc4fe242686534e01

SHA512
0bbc933f3ae4dffb91d23bfe7dad927e0d3743ff5ecc47faa0dd3492499bd35ea7f1b5fc83bca63520ab0aeb7a859bcac5156839e50981894e05f201080ce14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-07_afaa6a14eb7b46dc2165b3654e238b1a_virlock

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAkM.exe

Filesize
509KB

MD5
43aa4281671397b5c2b13c293c2572ef

SHA1
d988cb0e2b629515f78194fc23980e611e541c7a

SHA256
7f2bad452273857b9ec7c7c1309783bb81e01ed7b0bbefccb636d8cca22482be

SHA512
0c5c7b693d7166d205da498a83ceaeb652b72752c2fb6b9d7bc2d00eaa364e9ed4d16d713a552642d9e1c41e1a0fbbc8d745724dbe804139439366966d14b278

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEsc.exe

Filesize
1.0MB

MD5
b578a09faa4b9206357d493b48a4f408

SHA1
edbf34bcd95eb59896f13917f66dbf071f56c579

SHA256
ecd5a602d2e7fd1953327338306dcff6fe2beec8a4c75fbcb510b81e89cc4abb

SHA512
f008c4942d29d57b4350931f394ebfb1648b9dad5c702f3b1c10aa037487ef51e714196988407ce01dd8d198a1799a38b290019c92ee37f8d99729d192071c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMcu.exe

Filesize
230KB

MD5
46d854c8ef2afea591abb3d33662a1b4

SHA1
30fcf78aa8b9d22ee47047e7dc0b5701e30bcf69

SHA256
2a97031080d191a2e90d47b8f8e5d49f866df343c98c9e6c3143e1564dc0eb2b

SHA512
aa696ec7081742b6294149274921588e92e12c77af12390fe02a8bea2eb6cfefdb618a45dd6c50aa862262f0403870f6a2190396bd7f29196c821863f07c659f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYEk.exe

Filesize
231KB

MD5
8d109e5e80602c053bca9aa9cf10ad74

SHA1
78bb51ff77793a958b128e8a0f87c8f200ce015e

SHA256
c33a2c615671150e71e39574cdfa04b09c18a717b40a5c443bae1857b4a82d5e

SHA512
8e38c6a1ccb2def67afe07cd2484fc58d827b7374dca7cf3f6364ca63b19e1c2d01f14b28d71dbfe3e99ce440e4b2000c87f1442262aa436344a24076740acd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYwW.exe

Filesize
231KB

MD5
3625e7c203764cabc1840fd53e7d8003

SHA1
f38e4338e76c3624dc21afcadb134c8abcb66285

SHA256
232e0fe761a9be6aa3ccc377dd18759f527400cb3854ac34287f290bf75992ad

SHA512
5967ef2443bca30f6210d5bb2c6a98ab3e2aaff1322994f16d98dfabc293f232ebcc1f9b6975b375e35673d384dedb6b377100483d13995929f87cfe7eb657db

Download Submit
C:\Users\Admin\AppData\Local\Temp\AaMkQUEM.bat

Filesize
4B

MD5
8e3dd52e15961da410eb4bf95653e45c

SHA1
9c53156003289fcc4ef2e0b145a8ea05cf8b1363

SHA256
201885f2b726eecbef996cef5daecc62442ae95bd8737c04e07656e3b421b8f4

SHA512
78a95992e852fa14bff20406f53d8a30791fb5f2952a91e946ecb1a1efed3e3a19287452be8c8d9d5e152d73fb2a758e6269059ba9fc6b985b6fea2b1c173edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgkgIMEM.bat

Filesize
4B

MD5
f0ba8e77187928d940127ddbe1487cbe

SHA1
6a5c0f9609c75cbbc8e2f0c5780e47d61ed1c2bb

SHA256
d01f0b2492debc674019178e9cf5e706b1781d05f0a9e46a9da10a0cc2e0c020

SHA512
54627e9c408974ebd1beb027dcd481f3550184ed50b634c6e1f14ee6fbfb00b9df6597cd4fed57e9d9865c3792c82bb88bb9fef782af132ff01b3e16b498aed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AikEMwgQ.bat

Filesize
4B

MD5
b410754d4ded5a366c5a27c5b281af1f

SHA1
cca66903c1b34a87bceea296a89296d5af4ee67f

SHA256
c977db4c6583a99cb750e50b3fe67584c6553d8db2ca7ffb54638abbad3f5f28

SHA512
47d35b1c12f4c0928946244e5f0db4cc1b2bad80d19e8545e3edc44b5756c55534cb47cc04401e93c91daa902ec6d35db6a4d83151d85874f4d32b549f6f758c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Akwq.exe

Filesize
331KB

MD5
692dd5bca2f7a71c38f61ea566b23d0f

SHA1
0577363e7908f88fb0abaa3deaa25d3b6cffea07

SHA256
1c71623690cca9fc1242079f57b5eee5ecc943a06be8bdcf0583a86267c1dee2

SHA512
82f8006de3d6eeedbbd47db941bdf9014942ef18b3d2d7cc41a81a7271ffcb7eb0d3999e62c486c4c2e7f3f73e231ea4effb1d070afc49a817b72341febe2be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkUsEcsc.bat

Filesize
4B

MD5
08109fddb2571002c9f0fe53a76de922

SHA1
d26fc612ea5b2c65fef1784b30aa06a825df3866

SHA256
cada9f9ec305ea9f930c5835e3c8c5d36df1becdd06e2d03c1b049ea1e22b644

SHA512
2b49b55b776cd94fd685ce4cd00720c11b9177ec8a90f7f9484343bd391db6bf6afb98ff9ab60381c1ef5ab0d2a94c02328146b8f3d651520315f4803cae0733

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuEEMQUQ.bat

Filesize
4B

MD5
731ba90593081b4cb33d4ec91391cac2

SHA1
61d8bb20ce5e09d2fa72c8baf20b0bf540c6af8f

SHA256
2b7237141636fa180097bf4330b4ed43c6f8bbb030eedb3c95be132c3500e688

SHA512
19678fd29cc552300bce7122752577d2a28d2d09a1292b0e9463486ea3286fab0b815ff3db607312cec6774de0965bb196c507d94f6c4a74cf8146355dc105e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEga.exe

Filesize
630KB

MD5
9d817d0a348b1a237fd28b7e26860867

SHA1
bdc9e273c71a46850f0872897750c9a4ee485f7e

SHA256
df618b828e1447b5621aafbd77b187fa5763a46db9b5a0541a379956972e6b4f

SHA512
3cb6eee2b15858d174b9133be6da46678e60b0f9c3417ddd959fa5fc35224423fb910a2120bb6e56249e739fb63ca951b9ca64ea0aafcf09238c8007b4cd28b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEocgoYc.bat

Filesize
4B

MD5
5444a01f24893d8828b837edf2195a30

SHA1
7e0889808d0be20fbaa2e92fc17e07a2cb2f6277

SHA256
61b4b5558fad73643d0bd6af8cb695f66fa050924f85e783d933f6fc3abdf676

SHA512
7952495343be83b49f15a21b92d09892968d9cd50c0d1e7b4af72e9563aeb177bcf84e1dd835b1bfda0343eba995bdcd52e3e74580553c20545805b6cf8e1fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIIY.exe

Filesize
210KB

MD5
361f8e84ed943124566da81d0ccd24f4

SHA1
0a01a18d2ff958150321877287dc8b6a3754156a

SHA256
2df990d1326193d855a1206467214c361215e6fc58dc2c24d2f015d081f19ad2

SHA512
72905dc4dc963a70a8c2444086ba47553152ecffb51605949b7a2924ded8171c62700b11860d3af5dc5956ee739b0183858f87a72637f52f944ed94ecbc30c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIkMMksQ.bat

Filesize
4B

MD5
fb2fdc4b316c0b424084c79403515a48

SHA1
afd21aff77c72a6669451f09439ba2c1a387274c

SHA256
6bc883e37abac3581164832d27e6f863d67353c457af057230e61971b0987e19

SHA512
912cbcb260f724d092b72e188009a701af3a579f702dd655af94f9368b1063521f996a1e8c01be3cd6a4455095998a4a1dcf3273d7f4e6f842d658a88ddb11b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkYE.exe

Filesize
250KB

MD5
cfae68b150e4d5c2fec3e8d8521b8c05

SHA1
573bf8a3df89cccef34ab4d4998df60c30ca7e43

SHA256
d7cab025c58fd9d014fe24817f8ef475bdf097ac51bcbb31a1d1e9a84c2b395d

SHA512
9d44feed8581131f8435908dec2d81cee6475abad11cc6641a20135bcb0dcb81129c36bdaeb26b63ad51e3805e0213a413e262be7b876bca808ec155ff8f9502

Download Submit
C:\Users\Admin\AppData\Local\Temp\DqgwEgwc.bat

Filesize
4B

MD5
d4bd2b05bb406fedad5588a7a2b84ea3

SHA1
25928c0d32eba0ad61c917e36fda3aa005b57596

SHA256
827505afb0a5d3f097faa812f4b85d7ff6868ba8ce4e22666b7e01d6e57225a0

SHA512
571f1f9c3cb8ecdecceaa6447c0e059f9c1fca1fb6ba10ce57fa3bdcd6889ef08045719e5b7c688c23d98e053cc8bea83c6b6d806c3427ed83bc0a971f89c455

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAkE.exe

Filesize
248KB

MD5
c8e73c710e77248ebf0fafb306e315d2

SHA1
66710bf5e1410f49af69eb75f8272601c60ab658

SHA256
29298ad92034f7478e072ea5b020dc8979c1fb52443f12aadb790a2af7541422

SHA512
240202d6b7198e97ab2142825f5117a5ee5cd13806fd3858e94b7867c3b5ccd450489474dcbc3f796c05fa9857e90034f25be392b1e49ca13cd5e9ee25ad3397

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMQEEQcM.bat

Filesize
4B

MD5
3810359bf5133e98e27dfc723629f101

SHA1
6f4725cc4255450581444d0c3481ddde3ead9bf5

SHA256
cfd51a82cd1aac2616a618cdd8d4180c08818701a563a048d50074a97752b19b

SHA512
161c23cd738beae8692c7d4f7ec336b0bf728e1daa90877b159dbbc55b5e194caa4e69b141a8ad85e0a4f8ca0ce97f58de5a63c1da0f9bbb3e0393f43b57e3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOwskgoE.bat

Filesize
4B

MD5
d691fee18ab59d0cb657e9327de872e9

SHA1
48da969b7c06775529a67ecb551b588242a4613d

SHA256
56ef5f9a69fc48120a0d2952dcdd537063b16ca383b05213abd9602edd2deca6

SHA512
6ddc9ee20da9c77b3986f9f2729565a28a77fcee2d9bb49497de944d85ff107a7412413d7d052c3ccdf7399b17b6939836dd060dd7c3e38db3f071098148a9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYEkUEsE.bat

Filesize
4B

MD5
e0b09bce0b685a8656ca6966ef1a89b0

SHA1
9dda49837eec8b6ef0f9454373524101d4ea6aba

SHA256
9480f35ca94084c2af46d9fae8a31feac54fd113250810912dc45750ea7f878a

SHA512
23a446f420842f8aa235834f4cf3ae3ca6b4a4ee7347adee353c186a6dc9a69a7ea706043b48faa6ea645b976e3e4ef8f0fc7aad7c29cbe0bb26df79522a174d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egoa.exe

Filesize
238KB

MD5
849c07686ebeee544ec5d4f8c49d98af

SHA1
788fa2e86d1d972b17a52fb27172f0ee8a8c94b3

SHA256
0309202b26fac66aacf9765ef1739442df83ef60f8cb017b71de49ce6b33b5e4

SHA512
e3a6a2f30713f0324d1a174835858e7e0de47e7a79545ed9754f8245eda4dbad4ba4f41e18ad2a1b5f2ab6cad6064732d5159dca67d727c22a419362b126f8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EiQUosUI.bat

Filesize
4B

MD5
b5330d9c79e4493e1bb1884049ecc5c8

SHA1
5449a3d2f852bc07c64978ceeed44f4fd3169366

SHA256
4973cc4ed41a803e54b5b9e428814edf9d0da93383b78d56360bea52112f650c

SHA512
7dd546a50a967f8bf4b92ef19f21f43a01ac742559456a905c7d3a8534bcf6e76d9514851e22b3b05d128f0e8285a8a911ec2d1b635969ccb9a9da949a73b0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\EmwskUsU.bat

Filesize
4B

MD5
218a84c9de885a5d083248b5cb4ba72c

SHA1
d6a58c3632c743a2744bb3d21890f44b4e3b99e8

SHA256
2e26a524aa31f4a68e2c988a988ebb4665e0dff7d1931dcde80b589c4a5d98b1

SHA512
569eddd507e26b292f84276ebb50b79a32b253d4c38d68807276e4f110fc6aecdd07fe7d81dcd1fb7563c1769f332ddeb71767c9af4a86a024dc131438022037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eogw.exe

Filesize
239KB

MD5
d35f64c897fde2dc47e7e3e40466fd9b

SHA1
148868781e6ee26ab96344015eeadda40fbec334

SHA256
321bf0cef917d0577cd13c9c340952cbd60afb6918357fb6db283682a489d789

SHA512
20631ce343b315654027a4a1688a72cb24c556cdc6f912236f09a137f9bfa42bb583086047ac10df8c58f3032054c6aacd156bb6ec2b9736da0746e728509f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsQE.exe

Filesize
326KB

MD5
e567cce2f56ef6039420ff34371d22ef

SHA1
68830568e4c423060ac5bc141ced8e4f8a954090

SHA256
a3ff380a3dc0b9df1f9a7793dcd9f593547cc46bd62afab3bd27ab1ace6f5a1f

SHA512
ca8fadc34cb71afa06246a36b6e668d1e19f2e03ad527ec152cce1bfab825f7b53dac5f078b638549ebd51f69bcbac9962a957a785d692fc5ac4a3e601584703

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOgwUYIs.bat

Filesize
4B

MD5
d6078da4e1b7d7c49e726c96b22054a7

SHA1
8e229a30a12eafe593e492430055c1ce27dcf8e8

SHA256
6918e5a9a7ba0b42010877f82125586b9e4f39378914dc7deb32c7a413c4d2c6

SHA512
1104f21e312241b91bc983548f06134f18978cdae3dfeab659b1df07dd8e93cc756567746ab123b388bcd35b5a917d0df263b4e31d02cb28c0fb043cfd777c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoMcQIYE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAEi.exe

Filesize
230KB

MD5
7dadd8cb60f21f4a7b3e75f0fb65d222

SHA1
40e3ade431963eb148fad9d0f478769ef37db002

SHA256
470c46c827aa2868ec3f60e0c74f39d7aeab81b313cfd155bba9f169db18b269

SHA512
07d11c60316f1775f69cc5c106cea63611300cddeec83a137820e4ed36d8f00c00817bee7c0f99c26fb94e5f67a9f1fe70c3fbfd5943e9b5b94184b0618155f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCYoQsIY.bat

Filesize
4B

MD5
fad33e20e23a844e9a7a7328e7c47b5a

SHA1
73970a3eab66fba0a2866b0074e6508e19155251

SHA256
37cd20d3dd0ebcb8cb4da116b163b4633e646a4d62f45e60fdf7e8a8bb416ef2

SHA512
dfad0ae8fef1eda400157501d9c091251a77e3592f1120b1f5ebf52c947118a193d7a0fbcc568c63fc93bc4cc724c8bd0bb70423ac9d428917883f3d8e6573f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMYW.exe

Filesize
1.0MB

MD5
6e2ee110d11f9764fa4dbaca06c29a08

SHA1
999330b0cee80444fecbbf285d93d9a07b579bb0

SHA256
8e7b505058a8b4c59e3e34160621f0c7d789a445a9a97fba1d8b8eaebe737ce4

SHA512
4ae6abac5435237fb75f64f10b8aef2eeaa2deb7bc65caf17451c0f3c9b21faf04463918682177f0ef1511f9bc4f2ab52727362bde73150fcb398fec3f06bf76

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSIgocYc.bat

Filesize
4B

MD5
42430189060ddcf510a954415a7722ab

SHA1
eaf95c39fae442fc5e9b91de18b00f19dd230087

SHA256
8b89741f98fa9f246796c25dca47ab756b74f23c13861521554c750a3869db58

SHA512
9eb4adf9abe390143869d1005830c07413e2e038a5867c5c21a6fbb6ed24312bcbe3c0011b0b1dc7051822dbdfc55793fa2ee25e758d1e80176e35541f8f9d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYAw.exe

Filesize
230KB

MD5
e9d6c3fab78a34f730ad510bb9299c04

SHA1
8bc74a927a7cc98cc6e6b5d8068f795a82257a44

SHA256
9e6e2c297c90ed8b9120e0e79152694f56f4da3a8ab47dd6c5bcbe803643816c

SHA512
44ba1b9e4f1969e2bd68a790cb6a0b1278f94b298b1b1a0d4adf3f9b4213da9265f1c46139b24e42cf1db5e22944399a0990f23d9efb52eb12de7c312e7e1af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkAu.exe

Filesize
230KB

MD5
8e58ac7fab0251055af1497c2dea0c83

SHA1
9845684ca5e4d00de3eb0ecda043f5e1e26fda1a

SHA256
d5dfc45fdef130eb3b5fadfaf8519f946f8155a9966f773ee89e747928afd954

SHA512
8e4aa21201910d3f92a16faabf9f754d9beb7a35ca13b1c433f27715906f7c24bd0c5824905c930290b245f0464b0e007a8e9d71b6082d64e77cf4590d2a7f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoUK.exe

Filesize
811KB

MD5
517f515599fd5d98854c00ae1ca26dd8

SHA1
c43fb8c6b06d055a7a40791b9e5a9defbfbaa683

SHA256
1efae7b4501295682a2f13eeddae2a33e6099dc726adc9462b6629854a1604b3

SHA512
04fbad053b9b2bb7bb9425667af2b3e757957df5b2747b462962898583504d3e4d9f33ae2f093c738a70561b03ac8249e1697bdc654856873637f4ae09af9504

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwoo.exe

Filesize
241KB

MD5
08c5fe20e75d854532139c2dbd76031f

SHA1
9927760ae6a74a1c5e52f270f5d50bee02f78258

SHA256
54ee04aa0339f831be8da4dfd48255efa5c668a4159242356a571e8aade3d90c

SHA512
07fca7ecd22b6de96bb53f68c038a3e620e31cbc95db233e091357fd7ee8e6112fc2a4f59ec607407a04143b12a7d92f2937c8068458074cddfd977c854ba4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GykIscgw.bat

Filesize
4B

MD5
7134252300cd2977b48acefa75262134

SHA1
f150997ddbcdcc43029ab7a8bc8b455fa718a005

SHA256
7ab805de503dae1b49a094ef4c644583dc973d91d8338260cb9d200695979110

SHA512
b17bce58f95dd83e6054297c4592532f2aca91f5219b6adbebe0a1f2903b61532e4399d4f82c69f110504560dcad99adb912099dcfd3c30f4260215cc27ae9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HaYIUAoM.bat

Filesize
4B

MD5
1b0e7b4343aa523addc0ba4e0b3166f3

SHA1
2e1c6b8b8c9a7a5f4aa29b6b4f4fc4256c5df952

SHA256
2fed055f04f3a00bf56feab273b5998fa14bb4126ea3ab169b120ad24f694ba0

SHA512
fc1e5a3d94b94192ede250c7e396c310cf78ed14d4f812daf5caa1fc1b376563da4305fd61a65d690e655d1930b56050977829b3b53acd3fb6741bcd5cafb956

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgMoUUso.bat

Filesize
4B

MD5
b6d4d20f1dd33c386978aaa625e62db5

SHA1
069461426f25b64126e9ebb4f6031789a17421a3

SHA256
797a2e302023d276c59e5c6673f0e70e51bd2cdd4ef23040af84ddd9eb4a2e89

SHA512
7d786e828e912c5b815d922a921e96255d24a28d8b176bc7a5e996dba326b47fadafde541faffb2e2b42d6716d1b44684c9429004c8aea25cde96f9b24cdb16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgcEIgEY.bat

Filesize
4B

MD5
0f2e0420fc633cbdaa19dcbad7293d10

SHA1
9973f6ee604e03cc50733bcf93ff2d0aa8d54b08

SHA256
54023e42fec9f2d28e7148859e5590347082415873f1d7c68853ad4a7463e95d

SHA512
14b2f69eefe2b5e8fef5651d319dc8ee2920221e84cb1d01d74a8671935fae955be38e9ccc4a88df53db578787dc6add52e767b5828966c5b3d884c69c8b59ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMoEUQMM.bat

Filesize
4B

MD5
ca99844b249afe3941293d4c6fc531af

SHA1
cdda823bff4c320d9d3d5c99fffcfaf89e9ee0d6

SHA256
7655935d7845c7b990ac807943f2a334110b36f9a1a21c6aa44afb07958bc710

SHA512
fa9193f2a3c392d8f5a64b938dd8db8f339376cf2f066aa118227fcda7cdbc98e0879670263ba95c5b245cdac859a69db6d50f9b3f8e90e5724fa8ef0cd982fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQMe.exe

Filesize
243KB

MD5
2551fcc2f4dd4d967663e6eb5b5eb211

SHA1
d7955d0d20dfa3fbd441d5622f326d84bc81fa32

SHA256
c164c352a0dedb43658efab8a63c602d9e86bc9236ec21b3390dbdf1545e9dd1

SHA512
4490edb73cee5c24fec8e882873ae8a47a691af31f49e8a3083ea2d1d2cf4d843392712b00566fb29f9d6ce1ed64504551718c2ed90fa4cf7e179f7b0f53b27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQYG.exe

Filesize
1020KB

MD5
4297e980d86776046c4f6efa5077d47b

SHA1
b20808b92f418fbd6fe7d88340cb2a7bc7a767ab

SHA256
3fc43df7ff19594af540830dd87d70a9ff9fbe3e66566b6173d09e6aa3a0fe8a

SHA512
2942097045242e5096d4194bb525c0b611031694e74ff1e66b475e640b015612bbe46fa2ac6bb1d9fb045139b3c988c1d379f527b872c0a410b1c2edfd53c25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISYEsgkU.bat

Filesize
4B

MD5
b3edeadae7c315447fb3756774cbb15a

SHA1
526266228b328e317fb80c67a5dcb2fd20041b28

SHA256
69d283c3b412bcf16cccc8d8ae9abcb148b744340f1ef372b537ec702d7b2327

SHA512
960e1d870711270e481747117361cfed1690f7f9da4cb985afe8cc151ef8a0b8842991379aaaee4626a2f94711b8a13a87231207e3d3789de7861b19246e233f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUMe.exe

Filesize
235KB

MD5
25f8d0b31dde6a9cf0e4a05f5269175c

SHA1
ca0095f77dcb9adb924d9feaf616aca9849fbf7a

SHA256
06e404a73824014d8dd8d82e9fef88dc75e1f9b453edad16421cae54dc1a8284

SHA512
2608924e73f32cc37720eb3829f3c85e90a73223b2355129100b7085d1080d240fd877d62316c398d5ce4f87e31fb283f9d228b129e57f972ecd14acb2c8e6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Icgy.exe

Filesize
210KB

MD5
bf26e685510f87eece50d2b1918cfad1

SHA1
65a3a5d2c1aa111d759e7b215ce66698b72279b8

SHA256
f5c57024f44916c27f3ab162fac746cdd88aa04215962c172e97a618a2a44a52

SHA512
0c7c43dfa1a0f906fe025e3e0db1d368e29d4e9e356bacf84bab5ea772e1526aca649679023bb2652adcd881ea24aa7c3ac4c78d610bdd7a31ad3cd5532c5992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IscM.exe

Filesize
365KB

MD5
71015eb88b2e9050c05446586ed0cbab

SHA1
488b3b9ea43720568cbced8b3e0227fef2ee4a3c

SHA256
49c00356ecca3c70d94aab5407e9f2d12727d1611d4f1441c89aa0b1263ec7ef

SHA512
941ff625532471e8704c69f2ce4f2aaf084bbcfaf7a4e34ce4c9ecd9e15557db290dc6d65d746851077a2cc276402cbb10cc02634d696b9da20cb5861420b82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwgi.exe

Filesize
243KB

MD5
bf2e6cfc6242e18d03c8d1c75bef68ad

SHA1
d9e5f22c2cf052d66f2dd8f4671c60e563c7f680

SHA256
249a4cadba0f58baf4be5270e028b00f6ce1bf75449fe2ac145ac5da937b7347

SHA512
46fc0bb7d3a8bd7d249642198729627ec79a4dd96ffe257d2eb1aaf572b780065d3ea1c0d9b1488ea697fab07bf55e65cc892eb216c24cde126de5c4b66699bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCkAQwEY.bat

Filesize
4B

MD5
88c557f202b27b2e9b3657f44dc3af4e

SHA1
bea6c8ca0d156813604a64316ff8618dedecd5f3

SHA256
434ae24121b53d9d39175178771e2ba42253bf91d6c2a4fd05aebb43925c1caa

SHA512
8c91f7ffc84f98ac65fd033e7846c0c162093ca194ae888c244579923e0001fc05803518059d5455bc85e51e374796ce9bd94b3c9d60e6efa933750acfbbe130

Download Submit
C:\Users\Admin\AppData\Local\Temp\JmIskMMQ.bat

Filesize
4B

MD5
e01eb2908dcef30c00d5aabbea1c603b

SHA1
724e19d0a873e4ddc1a8429260ef003ed9c2696a

SHA256
4c37094e545463ff98c71ed2e30e644365b96564c6fc27e991a3c7a83600be0a

SHA512
e013297ca27ff21d151aff2a860c312b5430988a34e354a2081da134d16c708b1869057a136142ecfc3c5fb58f3371af8cd9498088cbe0dac582efc93268238c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAoI.exe

Filesize
182KB

MD5
ab81bca59e16f83006af0082e2eade6b

SHA1
e6b1ba394a5228dab4457a00e7f86c7b8c0ab6fc

SHA256
bfacd0c3d30e04a1d71510e337a3424dcc9a0a8e615f88e8baed4b3285b7d69a

SHA512
e75c132052eb5d1aa0676e13834969e497e1fa39d3237f127150e1b287546f6f9a806e8660b388f45a62b79a60dd4e699d0319eb6f5c45b3dd4889da3675f9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEoQ.exe

Filesize
244KB

MD5
3297641d6a0c2cd272079caa25264f26

SHA1
ca64f83a30581ff0be6376ce54c52f6b4638a2cf

SHA256
3b26d4300147574fde153ec07f5e986a731d5959fa6b560239fb76bdc6d2456e

SHA512
a332e606fba2d871be898e55faa7a6fc0a5052dccf03b7ec16b39b9ce53bc0f23a170852732473a8a1c66c41732920142fce15ed2dad0867214e5cc01b4cb8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoAw.exe

Filesize
250KB

MD5
c23145f36971f38a91cb7c33535b145e

SHA1
989352b1f8559413c1de3e012460f79d9b020d73

SHA256
a05f95b00be6735a05b192068f20894893dc230f5ce3338b1b045751c15d4399

SHA512
69132cff0493ec520e5a1314a01219cec351fe5df7e3c23f20c4fcfeb9c681d6400972cbbdb52b9e75c440ecdce386d78613a22fdb4b24eb59b91f8e9632d135

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqEocEgk.bat

Filesize
4B

MD5
119f6d5ea999d3296ac0e9d496395646

SHA1
c2daf6b08952581e51039ccf524125c6b35c9156

SHA256
6d4db1be5dace6e64b48b3639470a1641371e2c9e7d7bb684201ea7c963ad330

SHA512
bc4662441e568b6f51547920665c0b0fd8f7d066ae1e6699a0e0eeb3310ba9001b22b662d174fc074c4085ea336217f2c7f8fa55c13f1014fd3d7563f94c2d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQIkUkMw.bat

Filesize
4B

MD5
a1e04554fa1ecb2bae2cc40e84d7644c

SHA1
5bdc92798b4f94001f8d3a750a46f9f5c751c3ca

SHA256
2fb5fd7b43a7d0d1673d22b2857b5f0dd2caaa3441a29c579e3c36cc040c0a4a

SHA512
0edaf2afd5603bd318db4cded5c6e87525016973a16e064e0d222505fea82d39f88d3728c392b0f3ca0890698d9648438fd3a6c460e5f4d678f9318a43ba2587

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYkUwksA.bat

Filesize
4B

MD5
0ddddd990b13a77ef7191a409cb6cbde

SHA1
158078fa3d7c0135af9f002b6e69f1f9b99c2cdb

SHA256
b00fb5ceadc3b4be331bddf1d61856be825e525cd4eba481f65efe1fa98c7e41

SHA512
54d7fad1bb561c943eb9e7401b3a0d73f1fc4eb736bbea62f48b0309e059ba132881acfa92cf42af094377079e3e91caa7de5ae3ebd40b56fc3e94823369f9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkEwMQcA.bat

Filesize
4B

MD5
b937fc6aba6184976b89a437341c97f2

SHA1
5987e011fbf2487251a15a9e9b293a130d066121

SHA256
a40db0445673505286e3f6c638ec994d1a194ab44496a4ef2ebe8aaea9cfe4cd

SHA512
20ee880e3f75f887d9f3357416f0292dfc2f833ed614cf459093d80b83b0c6c5bc493924cea0c913dc0dd3e3db1b4d0ce006060ff060b5960ffa9766ed2d7bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCgQoIYc.bat

Filesize
4B

MD5
5fa090d19bac3dc0cd8273683fed3063

SHA1
758ccff3940928b449de893018334b3599f26cca

SHA256
ef827412b8d94f1064cdbf161c13acac3702ccf11e35bb5d1538c19673db1a0b

SHA512
ab1d62d70cdad9d7d2fe543adc4e9c00e4f0cd562b3def8c2bbd350b1e84d82bc498bdb2e69705a952f07db505ce7c9d2953b9f2e556ce55a4afe7f5ff66fbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGAsIMkU.bat

Filesize
4B

MD5
8176acadf9da6bca19836f04a55c8626

SHA1
a68f5fcccb7b9ec7b2e8846f94f248dbf9b62d6b

SHA256
39dc43293635ed9cb998f07fb21a42135116ea9a5553ea16342b09ee9893e46a

SHA512
0756e8170e86fa4b0c2d7f1b47f3a074fd46dcd31e531e535a28cdaf0506d2132f61431e03b322333ec51f269433df2c1c14c970e535901f290481e8e457c57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOAYUEwQ.bat

Filesize
4B

MD5
211109b8ba2d2580e56b64ad894b95bc

SHA1
db17ef52373bff75b566adb41fa8fca2209aceb0

SHA256
11d4e9fcdca2e70090420875dd37e3e2fbbfdfc4ace126905e456ce50b08fff0

SHA512
70179d0cc0a504061c3cc9a4ac4d346d96cb6098e70f7e172e5c3b3d384eda16307726980d072eb4ce3c3caba70ab07275e6f9b27d4f6ffbad848d4292ea5690

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOAwsAsk.bat

Filesize
4B

MD5
feff9b5f90ff311fa3840e6fe141dd95

SHA1
5698cbb44ca96eaf51c789db3dffd40d0a07e993

SHA256
a62549e98ef2f7ddfe9675739f4193cda0412e7b919274b9bfa05aee7ef5c198

SHA512
b4c371271ebf5dd232ad5f590aaa386b8021ab3af2651a10943a480ec32329da011f1b59ff88873c5988adb716d2fb48a498982d1a8c716e35c1dea046fa32d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUwS.exe

Filesize
227KB

MD5
a5547d1d6d2463488ece790a7a9e2d60

SHA1
3fb5d7efffff97cf076d11d0b61446f9a28c028f

SHA256
5d78d1c0026ff76225b96af5c439d4ccaa548bf0700bcbb9bd6666f199b3589b

SHA512
6bd8b85792bc63ad41c70307ff5c8f10dadbd65e7a9251638066b29ca6658ee93d1ccb89652d2c44f26ff6eb5894c9910f3a982c5d798164f566cfe36564a8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYQMossQ.bat

Filesize
4B

MD5
5f445707801d958e4bba8ab79c580515

SHA1
aca5627a0cfe7349f5e5193706b14d86cd4d6a48

SHA256
76df6f6a10e7c07050d796b6cf6789b4572371216f8e01df11b49e099e625f9e

SHA512
4cc32365917b11a3d99bc4859c95e73a3f39cc18c6b26cafe899499f16a4afefeee16d2061981d14f32713cdcb52fab485332fd2321ee7777677b1b1336870b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NaIUcMEk.bat

Filesize
4B

MD5
1c09b62fae0216fee012fc27821a7674

SHA1
ac18f8999959b39357188815ffe7a864b1ba8919

SHA256
5e6771c148c3ec96cb88e83740b254f2ce446d8724257980b8257e64858fa3c0

SHA512
4364c6535c935fb8bb27a2b7f585fafd6027164e2dce114f6441fc4504fa668da78a0ea37c2e626f689470ed1b21215d00a67bb4efe5f29d940327e8fbf6b005

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiMUcIoU.bat

Filesize
4B

MD5
b1260e7c1a1314d3154b9388566f47a6

SHA1
217f3b01a278218d4a83d0a3a6cf4569e25d5ffa

SHA256
330ba934bf27cb671c0d4544b70160c9f40d572eac0f2c8c89ae2a6720d3bf8f

SHA512
e5d2ff8cf249b8013ddd407adbf3da3834164613e45769717ab69ee64bc0cd398e66eaba1e9854bca90ced398d9d50f8d65fdc2258d59d11ca5dcf8a39990976

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwMEsEYo.bat

Filesize
4B

MD5
0d5f0199cc64a028b4617c4a6539ff06

SHA1
74c48efc8672a7c770ab8c3ea020abaf2fe809ba

SHA256
f4181fe6aed88b3c6bef215a1f95f19693d995196e1a79caaf8d0be4589166e2

SHA512
0ee4a60c12912842fb116faed89b2d36203e71c06fbda0c0280e9ca250f4152cff7c0132552ec01929d94c29bc0d05b6b741f42192d62742da509eaad4c89e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\NysoAkUk.bat

Filesize
4B

MD5
472f2ff938c5eebbbff93f9ed7fc4396

SHA1
b9f07730623a40cb9517b3dfd1ccc450f801df18

SHA256
07f88adea16c269a6021bd33476770047c20c32bd180208940ed2f185cd78c7d

SHA512
c4549c083fa366415c9bd15327ece37ec94f3e4fef2764a7691038ca1444a585cbd41f05c48b7f19a5e65c0825d5afe4d38eaaf304aea9cb6c9c10879bee6a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUIg.exe

Filesize
207KB

MD5
d0efd64c77153614535a4c9627529958

SHA1
05198f80e6befcde2beb44d76ac439cc4c847947

SHA256
fef07a1501ee5b4589e37dd02b5e18bc468b586991d447ca5a84f602a8b0cd68

SHA512
75899d76ff6bddd42d8e0ab081d2cc402658138d64afabe64eb54ec319b74d4d40bca462caad5a90367e98eccd83ad2a663e5f3e82c5301e8fe4729c5b0df942

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUwm.exe

Filesize
230KB

MD5
de84422d81f7a2ff86102a2031ee81a7

SHA1
b61e8834db3db6d2e9af1fbfe5c1d1b3b0c5d777

SHA256
913e5ec61712f15b26ee49e69f6290125e3434f87dc6520d5de4ef71b08b5ba7

SHA512
5d13f240c25ca04508f481811e0570c4dc75304463b404332ccd70649e7f94456409e154061a25bb2cf94e0664a5e44a8f4c0bd55673a3494c9a6dbbde30eca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYQm.exe

Filesize
234KB

MD5
e3b702eb7f302af2b8fb8dab068102d8

SHA1
5262e6ca54e3802387666780444720153a190d7d

SHA256
df5d7c157652347d3226f208b9270e8714ddb4a83134fcf2c7a8bad8867d0067

SHA512
9bc9debdd34d4f2955dca4eb27c50ea6231183b00be09548fdaa0fcbabe786cda4387e747fb1fe757d49787e23b3987803b186d3b3efa3e5bf8c9ec319565b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYoAIAYg.bat

Filesize
4B

MD5
2af27db13f1e9928f613c49f45a42d06

SHA1
4ca747efd6f3d11c491f31b6ca04ba47fcd469a6

SHA256
2792eeb4fb5b3812671a6e211db7ee6d9fbff9818559339ec3fdb3e6a03e44b6

SHA512
951240989e3a6676edf748999214b0c16a8220e5c7c520629c9fbed3c75d81fdc0c65762b86e0e07112c097c2da6dfed0c7fd05fbc1295905a4fde5393124fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgUe.exe

Filesize
250KB

MD5
cdb409678ba108968419c3199ace1c69

SHA1
e9c1ba96630d2b35cddd6c5479d60471152432b8

SHA256
b8d21ac0ffdcb358a44f7ee1e48ba2ebff4f6afe15d8ca27aa19aca5a63781eb

SHA512
28a505769022b9a05502cf41bff37a7132dd69a9b2c306a657e0458de0e807cacc4218d1ad8a7a94cb2b7c5ac9fb8986604e7934c230929b62327503133c70fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoQo.exe

Filesize
1.2MB

MD5
0655f41b95b521d57b198d7a01fc78bc

SHA1
3e25694ada67301abd5ecfd5554b44c29931795c

SHA256
837d321464ad7987a53c4806fb04a1ae861e6b3145c4c961d2e808b1b7e9e230

SHA512
822d6cf218564cf0f518de3385d0f6f98a3acfb980713fdb04d074e3748f83936648fc14662e9fe05dfb2a5be2e492d19445f4a549163f2603e34e27a477a9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsAq.exe

Filesize
180KB

MD5
39c9633ead8770699443b8b832030e98

SHA1
f00ca918e4c67a9ef6000e6c0c1422e7695ea8e8

SHA256
f57f771d2517068718b8631629b41a2d80118fb710d55ac4362cec36c6bb959c

SHA512
7ec8b5d75ceb9de925d2e6e619e187577326f6f074cda99cc856b8054c5d5f9d81366821d911cce600cc12251a0dab981ff68fde5631cc16a45a3f26fac75033

Download Submit
C:\Users\Admin\AppData\Local\Temp\OukUkYwM.bat

Filesize
4B

MD5
6c8915f7142f5977697d80afc1169ae8

SHA1
d9f4e3fb7839a7ca38116972e45e51f40b9206d5

SHA256
914c5bb0473a8846e1f3f3be98635c6dd44dec5e296a73cce0c2eb980e7c56b8

SHA512
ada367232f2f21f68faf0dcf4f03ee647b6f213663ac7cfce5c514d0b246a1932dea8d2e29ccce6cc103e9291f07c8e715539a1b030b062912ca4ca49bd5b76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQwQwwEA.bat

Filesize
4B

MD5
e9696d87976a05bca0ec270d881b05d7

SHA1
6c217a2d4498f29f54cc900532565ad50ad3577a

SHA256
f6950204afb4d403c685f41dbb118a6ef8bbddd60835331a8b3e32e91b03d720

SHA512
a1051937e0ae4ba341612d6dc70682f63ac5f3ed3af59dd1f71c9b4f5273fe0b3094321ed20bb938f631a3e0a3c7d408988368bc07460c9c68faf95b0d2a9447

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAQU.exe

Filesize
833KB

MD5
eeff0fd13a3ea8236bdbca74b1a5e88e

SHA1
f48d66ac1a4e73d08b45081f7cdafc43f3d4f5c2

SHA256
8399e9210de5bb256700eb10d6317215785518f38a4714b0fb6c9e11a8fa0c3d

SHA512
eeb63f289aeb152fa298d919fc53a0c4e26d02ede59446dc66167300183bb7fe0b5bdcf846c930a9ae7ceb7ec1c1bcb9278d879a4c6f2c480197675fb5fce045

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAckUsko.bat

Filesize
4B

MD5
90785d71bc192c2507d8d291663b9618

SHA1
1ad6a32fe624892402a5e776f6e3529c427df939

SHA256
e82c0a4bfa01834025ac89952d039890bcd85d0a47afa7bb1204c1239287ba7d

SHA512
2d20a9ef7d2822acf0de9971d5b1b825f26310ec2a92f3419c895e10f40f5997c84aaec07f33a61f49ffcac481433015851575c7d3b8cd00519dff9eaa9087eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEcm.exe

Filesize
229KB

MD5
d3d66bca82fb042f43bd622583f7c54b

SHA1
e4dd058cbcecabb263d7f5f78d359994eab2ca2e

SHA256
f84c4b78be7714d89381bf98e1f2011b931f3d5999b8c60b4d69e9b9de5a3340

SHA512
1e4e3653950fa3f1619c8afbe8681f902b0eeef81dbd835b90d3f08209bf3ef3a44a9100a056e41c082408c723162b46515e572ab1d9555c4f0fd550fe5aa971

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIoC.exe

Filesize
235KB

MD5
b8b9d9748dd2d5393277d080fa32dfcb

SHA1
9767a190b429b6e4990316a114e3bf3a5aefab0a

SHA256
6c34ccbc22fc79ffa5d54d7021786e6609e84276eb9dfc6490cf0c454a76b319

SHA512
0eb5599221e0812499502c21042dd0d60e73226db646b1f5585dab6db5f0d1e3611518f5ec367aeca179a118ed1146d8cdde8266148566f15df50563ed458cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYAEAwIY.bat

Filesize
4B

MD5
f8a4b00456c30822f7b8a21defc16a76

SHA1
b621c1ee7d5d23f0a19fced9c17c6e9e6a0a273a

SHA256
4b7b49f6026942c0a3e9a33eeaaea5c4cb4143e2bd6aad42e05dd19faf9e17de

SHA512
b6d71d3e4195baed82317b9bae9fe57046e7c467f7f10ebda51b7dd710aa8daabc00bb2d7268e22e44846aba1a4d89f5ceb1f13ed68121ed95acd44ab2f0a36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsow.exe

Filesize
199KB

MD5
0d8c5664679d668e836647e902945f76

SHA1
c60d4e04d2fff1a3f06963bcced3085e3f9749d0

SHA256
c79dc76d5ba84d812bf82eeb0d20f8ba62b38cb9f26ddc4e49095ad5cd926051

SHA512
4afa7d8761c8989051f135aac624b8caa8ff6f422e6b616ad54a5de89671c428c60f839537cda7988186c43725ff588c94206e21109433f522233855b210746e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoMQMwAY.bat

Filesize
4B

MD5
384bd8d5d9ea1c3dd42cbf63326e8aa0

SHA1
1f94765cc59d97773e60ce8b812351d4b302eb38

SHA256
4b94d7416dd088ffe456aafb21a5f52b82552266610801edd4adacbd1f461681

SHA512
d2296bb81cdeb100ad562ba4a696982190f395be82a2b55fdb2948afe2bcdb6c40701e564412c360326d4fd594ad7eb06ae4cfe445403ee987c52558ffa6397d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RqAMkosM.bat

Filesize
4B

MD5
644b9a31dd4711cf0fd4d2e3a142aee8

SHA1
5f5e53825a00bf9646f006c8074cad93fcd96ecb

SHA256
2dd8feb766c0b4389f581d7969ec0c3f2188f57fb8981704217e43ee84d80496

SHA512
2af9442391ea20e0a006478ca21af9d1edd920cb8f8e48bafdee92fa78c182d532e681ddba568defb5d38b8100ad0256a27b408f817b111289cabf71f3e353b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAUC.exe

Filesize
242KB

MD5
851752f22effbc7320b418542b66e073

SHA1
73566e83ba27cda086bddf48e9bf779c1b6ce810

SHA256
89008a7e9682195e1b01366f78d517f58c403fced2413c01de386b426c0a6156

SHA512
cb7fd0886132eb190251ed7ea9925138d436c078836991cc662f855cd7c96012d2b179bb7c550295fa7d6d5098cae085297f871fceabb924d0181acd38c7804d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAYE.exe

Filesize
230KB

MD5
f8e26ceefc0835609c292689625e71b6

SHA1
7b796eb3a16eddf5b9737547aada243af1cf9bfe

SHA256
f33e80e0cf18411c5ae11e1a27ea7c9d060c8dbdaf378c410859a28849d5484b

SHA512
d5c4446852aa17cfc1fd4b46ebc2c4c6a68a69d1f7b02f6ebb45c72db08425fad0773d8656453a874273ea979c52f8fecb87185f7432c0a586f444531e316b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIUA.exe

Filesize
246KB

MD5
b230bb777e99db8db13e796ae45640e4

SHA1
7e45072178a636df66c7277ffcc8bb0a01da5c70

SHA256
47de53e95e00b64396835beadd563ca416737043e9026cee5f727d26f39c5dae

SHA512
195f1b97928986f09aa7cc216ca7a22373be4b8c26c9834075bc6c8dafb76ed60866dc27990601eaf022e6e5bb17e20d3040f3edd4a04764858ed74d5e3d53ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIku.exe

Filesize
226KB

MD5
8b466a7893a82f1e9bd8f92bdc2e7810

SHA1
3f25b4286bd091dea4b9e2b755c8de6e8aa69cd5

SHA256
ce4d62c953c6fcd5cccabfedb41161e07c7758522bfb6485d9a28d04a8c4aeaa

SHA512
3adeab9f8b98831505bd3673485df7ad636d5c10fe83b00517d73fce830c830e58a0e361ca396c418b7e3bd040e9cbba7c6cf70f9d539dd5d4de4194f0623bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQoq.exe

Filesize
822KB

MD5
0dbb80ba4878c9292d9a6a4d3ce34e2b

SHA1
420ce60f2aad1bbcfbff4121d26d91e5f8ee55a8

SHA256
5fd5110d3f84c85ff7b583c51b893ec19983abea0830f9b29e83cc4c53a40f42

SHA512
f271466bb1f60f3671a7e70e76e047f7dc771fcb539e63e76425dda5e4b9f1c343bef206d82f8b0e06d66bdba7b9efc61490b5a592cdef2b606ee72e09e37187

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUoYoIwY.bat

Filesize
4B

MD5
cf26f1e9b139f2b8181529412b65b7a4

SHA1
056c605e10f7f53455bac6628fd28c4619fa486f

SHA256
a66b4eb66a63b75e03881092ac1cceb5ada147fd98e79f7b62e6daa6f4413636

SHA512
1c241ceeac3e4f10a317ee93a2dca2260958ae2818f4b4a3c2aa2f37b798a4b6767e5b59978dee8c13f695f795ab51aad0fb1214fbb5ff16b2fe862585911469

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUwM.exe

Filesize
206KB

MD5
c9c03f14d47efca41c4548e46d6619cf

SHA1
deec7c15f90a9690c858e223117630d51027bb45

SHA256
4e78697582c509d729342bedcd76b5e93de83217f9e6f088d9ab80cafd67b650

SHA512
7492b25ad2657e610afdabbd2005c08a6773e9c29bc5d7e4e4ec1cfac945223768209cb46d1a05bfb49fb1cc82b33328c33271b8188f7974fea99457dc9c1ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScQo.exe

Filesize
195KB

MD5
4bcb9b5291ff745fbdc694a8cbbf73c7

SHA1
331afb84398ab3342fc9b55d9595b7f7065de6a8

SHA256
197411d33d74f91537f8b7ad5a838b3e2b40c1848396e17b213a3e99904f0730

SHA512
7942b560524e619aae7543baf05cab90419b379424f35c2197196b4173cbc7da372b1f6db2208ec86f9415903a67b9566507158862315c9fc3a7a6b81be4e835

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ssse.exe

Filesize
240KB

MD5
58c9af44d1937a96d39fcd5ba2775c0a

SHA1
fe68a8d019038be0fa0a653333ca10ce140a478f

SHA256
4e14be1f2733bb965bf161243f767f5049f8cd92c0dbe87bcd651e8ad1f4aa22

SHA512
7053c4436d1aff934387ff2f701056d7dc2140d56c8d0ee196a81ae4f1b37bd95f21d1b65adb5b0f71e97cbb49231591ef89f1a8b733cbe8050153f264fbcf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGggowss.bat

Filesize
4B

MD5
192b6c83ee0c082212060a4f0f59dc99

SHA1
6adbe65a46e2240fc95d8b8dde5831531ba4c3fc

SHA256
5823fe56f1d42cf4c475ee4dbe480b5b6893725aa8d656c07ccac23350f7c435

SHA512
76ace8715ecdae984d0ee0341c5523c6d36fc1cc759205af88a6449d730a874e64383925323a767e073a74d9989256c2eafd16af6497fdfd369f325ab89ba5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWMwMwkU.bat

Filesize
4B

MD5
20f245ac009145732fee1a35760b39c0

SHA1
a2dbe7af8a678d1ac47094887b20432909016093

SHA256
3a354667cdcef45f824844a91ff7471cab18ed15b301f7c481905413a47dcf47

SHA512
a6c24c958e75d0d499331273d0e0e674f7385499b8ec3010fd6c98ab538d2f84eb1dc842575280f6a70deeb244306dfc78da8dcc44598f31c67e2303eab87d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMAK.exe

Filesize
231KB

MD5
ca88ab3e64985e7fb02a5f2c2ca8372c

SHA1
03a3af9d5cc9eeccffc352b43922c6d78ee25267

SHA256
11e426eb27734eb8b71c688065f81374cf90e97cbcdb04b3aecd6d9c4f6e109f

SHA512
8ece3073b46cadf148e8cfd35b196df47aeb886ac45ffc6a0f13610ad2fd085857108db3ed57f6f7d2aef5ca8aaff5d37dd47165d1126f1f8acc8917b6967be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQEIkkEw.bat

Filesize
4B

MD5
470b3eeee58399bf8c4fa3b17f69e0d3

SHA1
3caf59ea59ec28eaef3dea34928df3633e4ca852

SHA256
e61f6515795f888b4774c53161c8221b6e02d1ddbdae47a542bbfb3fb251ce7a

SHA512
78b3f6ecc356a0322f78321584aac5b0dab7cd1a136613b7c5015b98ebd2ba154025434cab8fc9417ce914f234f4d2578918d479c733d554de6f59616caab7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgEm.exe

Filesize
242KB

MD5
ddc6a5894edea7482406b7c10aba55c4

SHA1
0f53ed40faaa9cd56558f704f5c71c883e8024ef

SHA256
0d124fd250794fac580f2053e482195bf86c8553b5d605c941f3c25170380ec7

SHA512
96d2650de3c93de32a9c340a51a208d5f9c004d847f54cf5b4abd3bcf9225a6f2d9133fbfd82d6f3e2d71c8d3fc8866b0279132134fc07b785087729aaee8d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkEs.exe

Filesize
547KB

MD5
461df103f308b1124ee3c13aff12f776

SHA1
7147d7437cfd8f2a25bdbf1110f4c4f5085adaf5

SHA256
a121a21465a8976048f2471aabfe724e3d060578dfff511a5beaa90ca09217be

SHA512
0b3d1ba4ff9b981ccc74248fb66a5838c933ee9f0a83410e1d6d4756774cf75de59198ce8ba658ff73292893abc60a52f20a3a6738017d0b5fa01bbab2e9682a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UksQsAIk.bat

Filesize
4B

MD5
098e2aa0e1dbc32c20c92249cb8cc33a

SHA1
875ae075ee5de47e6a187319b6c2a6bd37264edb

SHA256
c5fcdd780e0b2fb4112b1bb98580ae6593edb06782ce8c0735ffb11dd0d3831c

SHA512
6c770b0043aa27e24edb642ebc9be97ece7cd465ec9de130462b1c14bdf5a647ea3fc2764c2a0889096c7bba80019093f3df562866573ae86bad83de404c6ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsoS.exe

Filesize
241KB

MD5
b366eeb0d8be3e9e653cd661adc4aec2

SHA1
7d76b93d53f30b10e833baf55361059619316895

SHA256
61ec310f50bdae7178cfb3d6c9eb191ab8a68eb5c59b34c98d16850a28348d5c

SHA512
300b252b426a790fa7179d507674af63fd4f56071dbf01ffb2681b8ec958d7b886ec56ebcf8bbeb350c881b4b1fd1775b8a1bfccabf39964d0715f180e0b58d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYEUMYUc.bat

Filesize
4B

MD5
5a170487b9a3bfbc32dcf37a4ce14c09

SHA1
8f7b78c187e964c15e6778f9ba27fa261a9ab2db

SHA256
c0e87220504c680e69ccfb3b3520afddb9e05092e31aded8ed16b51a0008f939

SHA512
eaeb7645becd4ecdf1112f3d322dfc9dd6235c1b40d728000fcacbbb8f3850139eeea5686e125d14fc1d02c9af3f060e5116d2793f3c886ad1d70535b482b5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYMkEgEw.bat

Filesize
4B

MD5
81355f78529905aa5602e923791c602a

SHA1
808aec942eaec6ccd136ed37a50eea13c19805b6

SHA256
4e4e2ee0f8573f80d6eb235915e0405aabea6b67ef760814acc1bd22b872bad7

SHA512
19c935ee3e8f6203c593f7fc3a0daa8e03dfa0ecaffeb620dac4c54ea6607cb8d993b6b2bca8a83c547eceb37a58b1d55acb1e3015aa42f9f3fa5a52bc65a285

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAka.exe

Filesize
250KB

MD5
1c36faa7864aac8b8f2ee2da359c6158

SHA1
ae620c26e5454ef91601e8017a18b5aa819cceee

SHA256
553508b0f7fce5fdc313b5a79f67835b39972b1ea5a14e9d71cef94e6a1b04bb

SHA512
38803de7bc5adea78e0346156b8073b9d78fd410a5f55aedb214457275d6d31c69ebd8755065ce0a0afede3cce6422d56acdc1cbde5fefa0aba569414f92c691

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEsy.exe

Filesize
255KB

MD5
fedb89d505ede98dffccc4ff2f100110

SHA1
de04e9f66d62e8208d24a2f41bac74d493f2ea88

SHA256
58d5249e203e7de454ca4ce8c0ca3f7bdd003dff0d185bc6420f7e3757110579

SHA512
f71be4a05b3b84d03ccbcf1a7b6cfbb1dbcfb0ff0791db8833c8c73ee367ed15de9d3ff7e9d9770b85f569ae3678103fe129b203365ea3da8a18fe0206d9ec11

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYgG.exe

Filesize
187KB

MD5
2cc736234fc90d02d3d0d4c4a440345e

SHA1
09c85fe43f2bb8ef9bb39bcb5cc4007b9fcfb37c

SHA256
7f4b04d04d685fc340fcbb3e0947efc09379931f59b563af816206f2620093a5

SHA512
d8f9f544a0968dc49dd411ae5954d8f8db4a21b015c4c6041eb64025326af8e7455a82f47a27bf7e1f50a904ece4e77c5f96c2a1d02512cfe55c281ed06a0424

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcEi.exe

Filesize
229KB

MD5
44f3bb2cfed5808fb79adfc01dd8a957

SHA1
709770a5a6a46f6aa37990f6ebd91073b5199e78

SHA256
3d85c335c3bdede6044a529c7a42c0a4e19f1b9bdc6a009bb80904a94b7789a2

SHA512
722fec0fe79c08d92e6c13a703ac89586337c608dff7f84a9c29af64206bcee25ede23b9c7502625a6b0caa12f20ba61a56624d5154b0b71332bb73c44b89e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoMQ.exe

Filesize
247KB

MD5
c50f44188ef13886e28116f3980972b2

SHA1
bc72690ea040ede1b3135682812444643de4699a

SHA256
a83694d6ad9f3bfd458afe7d01b07d841b9a2e2fdc5b24d13f9f0aeaabd473ed

SHA512
f808eaf14e048ad083740a1d76c156fcd97f571f1557a0a87bcad1b33aee3828f29c982a60917c54737b6146612624e6a607e87465f8f0ae30d94cfd6bbdaef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WscYEQYw.bat

Filesize
4B

MD5
b4116dd1e92e6bdb92d2582891e7d73a

SHA1
893fb6a160015eb7818e8f6b73fed08bbf05e783

SHA256
78a340a4498fc50dea00efd1d5a164d137037e069f2efd90811e0687b92f82c7

SHA512
a0d5c7495a84187099dc18c27c42c4a16c1de5839c2a587fb88f6f35f609d8940c210a8d1768b99ba9566bf6bc6b2f27fcfc022167e7afaf5655b1d8ed630cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMAkQgYY.bat

Filesize
4B

MD5
46a5dee6b05933e001f923495bfbb600

SHA1
004974fd7ea27badbe2653e8317860b5a2c4bc9f

SHA256
0ae94ef90f118a94a07ab6a2e6f1f9dd3efefda480b519464407aa7ccbb2b5d8

SHA512
3c2ee19c4b6bed180dc7532e6c4b141f213155dd1ad146e32eaa630cadd2b5ad2b2f438c1b710347e958bcc0a8370e1bfca3b46c3ce18cc65b9025e3177a01e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIQM.exe

Filesize
233KB

MD5
fdcf35fc017d26e32048e4d3f79c4893

SHA1
a6553554f1557435a49d0a36bcac94541a3cbf8b

SHA256
cc0eaf0184c9209da3eb68f11710aa39898b7150ebde39d9b4973bf09edfea87

SHA512
7878ac1616da8e6e17357e9ce281a1b516e3310e4c42af656e652d05018d389bef96692c7f517a0568432f60792be46de3b3ac6a62766ecaa577c3c4eda04749

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIcg.exe

Filesize
746KB

MD5
569d0cc7f917191b36431ab856134c77

SHA1
db9ea7630157c133bb72f75d2173cf4c4c4b0873

SHA256
062586201586b8424b3e34497174143f693d5fc70b028352032c7d9380c5642f

SHA512
9f92713b13d7ec374bbf6ed751babb5c5218e61fc228cf72cf84f15f0cac1dffc9f506e695bc34b929ad4bc3ae3ef821c675ea68a3c3b581ebbb8890adc7899e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQQq.exe

Filesize
254KB

MD5
2810d13170a9aad7040955bdc079eebf

SHA1
2fc1995ce50733d6def6e5a68ca82f6a729d277e

SHA256
3e0736b7627ad7410341e5c711ddeb0567504444cb0dfa71179eaa27eba5e64c

SHA512
412e650076bd27801a52ab442a67826ee9836ea759e276108803f7d789c20ef5cb5a0deed309168fa99fbd18e087468f888d17fae62a33f162e201497a6b31ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQUW.exe

Filesize
564KB

MD5
5170eab0c9892ada511ff7de0e58c73a

SHA1
c2f7d879237c820aebe706ef45edeb38a67bdc2d

SHA256
968855c0d69c13b2ada40770b1a1c90f4f58ba41de5e9bdd0cdcd9795c8fbb29

SHA512
949733d3c8ac7551d684c1e584621a84b4ebcb0327a3a7bdb8ea6225d9cae246905ef6f5278735347ba6283eea17bfbcbdfad6972a76a2fa7a26439991d20370

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQYu.exe

Filesize
238KB

MD5
4b6c414f44e6d5ba5cf72201a7a51798

SHA1
f2b53208c3a638926d6d278db61022ba171496ea

SHA256
4f5b863e72d0ec02af1caaafba4be8c9a3f7f1eeed99461da7e4e9dcc86e76ab

SHA512
35bf8bc1b208605b2d165d34b218e862e20cd9e181ad56d7e09f024a72ca38916dd5f95ccaac87990036fd78206f2c370cc16c48135a2cb9476cf6527e15cace

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgEq.exe

Filesize
187KB

MD5
a500965f5716ded3ae5be5169c9dd080

SHA1
5ca2ac58d7fa27e012ca2d804607caa31e6425ce

SHA256
74e73cb49a01100a5c7c285f088913fd18f09b865a2f1e7bb231d6bcfe0fd4be

SHA512
77233bc7ddb85b69476ee5baf076ad01db8db3b3ecf19800c7a7fbe62ccc61b129eff45fbea17b88019a08b179a6b490740f4b33e9a1e5d3c321a4a30a5532f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YmwsogQg.bat

Filesize
4B

MD5
44a406190865cf3b8043659d9165d97c

SHA1
a0befb98a8fcda2a10262b73b56cba14d31bed61

SHA256
750f6701af673052bbda5f5cfdff111c5aa3c9f0e0646d080c078fe46175ee9d

SHA512
3ff04577ebd59fba01b91dc020c9c7bef3f9caf7e26b60977f4d04cb375dad79a55abd35d237ca4cdb551dc48cfe38f5b92666004dfb3c63253026b9d519f15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoQM.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsEi.exe

Filesize
222KB

MD5
8135c17fb17cd4270d34b56308c7dd8d

SHA1
d7a9ed753b43c5260eb3f76c80800f400f674f2c

SHA256
77b618191bd966adea0ec02e76e8c524574496e0fd59edd06198599be16ea449

SHA512
52e91e17b22bfd08ad6582fcf47401d89d1e7cbca65f6296e1487d630a9d85a82350fc138ccf2f3271615208ba50697ce51cf108ec7da113690fda79159148f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywcq.exe

Filesize
228KB

MD5
9d3bccdfcd44e2f6283348678a0cf2b8

SHA1
2986cbb6d5bab4c587b38794acaa37c84ef77d7f

SHA256
975891b77602f81ff9b30025d3652587091d005fed8155f3d1c4d62b5341d58e

SHA512
11ee7ccdbe05937936a99bf49b791c8c41967542448d020f3f9b6faf852329f0943c99797c23c06b942a0348ecee5a161b05c5d60d27bc050aaa50f1ff917840

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMIsYoEo.bat

Filesize
4B

MD5
412fadca22aecdc4f17c82dc112ba009

SHA1
abbbbcec3c809638a935c47cf089ac7f23ae229c

SHA256
8385d51242d18cddda5ea3fdc2ffb3ed01afa5fa30e3e549757ce272daa7bde4

SHA512
4efcb187f2f70911e94f845704ce9e5fb156cdf148ebcefa13d0bf2e1b3f7c2d8d6efab57142bf6e177edf2a4b7d0f5d3bbf2c77374411cbb9e42a747ce65144

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWUEMUQE.bat

Filesize
4B

MD5
7aa29665c76afc1dc2ff62222dff086f

SHA1
f52d744ba16c7d63d6ebe0adb108152f5d2c79f6

SHA256
8ffc617f8af51c2c336baaaf114ed9dcd1d25e7d9a76c89953f0898de257744f

SHA512
28f7aa5d0a0ef6275bf58b46587c44e19e9a9358269526ae8867d60d97d2f96fceb688d929762a8bf679a83ecbd908f24fb346a3a27a5bdab15d720087390c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgcYYAAE.bat

Filesize
4B

MD5
daef79a695157c74a75a7db96d936cd7

SHA1
48bbf35eb45f4f0c5801bd29590c88623a6c82e7

SHA256
2e171473cbc9d22ecc2cc76e282d08d11cbb48f574c84dbcf8770ecb765fe7dc

SHA512
93b08cec4511e792aaa4ad063a44c4239a96f2eedf1e3fe7c0d02b994d4a8541a5e6330a6203347b4986f0f679259de4e1502163305d41c66c18654e4b0b68ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIQU.exe

Filesize
252KB

MD5
fbfb35d968a43bb33d6ab37cfd6c91cf

SHA1
62dbcc712efdb7c136c44ae5a855ee1cf5102e41

SHA256
5f54a815d67dda43502af20c8c59e2f5d8f88bacc2ce4677747ccbde04a057e7

SHA512
0b175742fd55c12596efb69dff4b056d0f724b2b6879a63e5e5eb6b31442874d3af155eb1433edbb187486ee04d4fc8fea6693ca8de10de1d7e0643954775a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\aKQIsgkc.bat

Filesize
4B

MD5
c6dc3b703f61176144fbad719dff1601

SHA1
02fd61089b8d973d6fe37f846aacb7a2561f4490

SHA256
1d7830535e225dd1d9d73f6cb9c9ae8d2aebe8232ccb9a99b71826926c978d9c

SHA512
f4f17a7a966177971fc712ad8291f3d8955139770868a6c7ae921187caa427e2ae62c4d7f123f2a55cd171db355babb8ce79c8375bbe6fcd8f15089ba4765941

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQYe.exe

Filesize
241KB

MD5
c9e055fc21e4eccbc1370952a49fe793

SHA1
32acb8ad3a19835e4c36ffd51baf82869d32861b

SHA256
03fb77429279d581a6e9bac49da60160559d879e2b3e01b761626fe2871956b8

SHA512
270db6c8ff608d5ad37f3f2595a92647bfa8f7e1925ecf0e2d2324f75242829896976339273afe44d37a8e3faea484eee32c6d80efecbb17b6330e216d5fb92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUsA.exe

Filesize
233KB

MD5
0e49641f154e7f511ade18ee513eae76

SHA1
6cd81edb6df1e98e30abc3c86aea324c9cd864fa

SHA256
bd18604af96b157f438e17b339d5b85fdc894dea67831a407c8ca6b89c35589e

SHA512
ddd34016ba2bdea7c9c96a3aa7314a9b59cd10e91fdea376d8812be0e0ceea335c0ad899d0f9bb9ee9e0933f71167bfd2662269c1fe7911cb703e960927e7db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYQa.exe

Filesize
193KB

MD5
7c87773229baf49f5d8c6159205bcfaa

SHA1
1f3629c55148ff30e8abf12ea0a267a2644a8bb5

SHA256
a127b3f263fa554b29c5aea9f5f9d0eaa50a74b7646b388690c58654b63f4de8

SHA512
528ad527f711a1d99960adf808dfd79d9d1d874fb8a62965bb5104f03a5af13fad33126e38b15af2688b4981c6a9bb8ea97bc8b699e9c47fddda16918c980573

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaUQAAgw.bat

Filesize
4B

MD5
de54a9d20075b70ff2ced9ff3a406a65

SHA1
7e908633d8a5346538ce9046f2493ebef533b584

SHA256
77a57ad62adc950935dfde45f18d49370509ebd9f6c84b263c200df254980613

SHA512
d247ff8053861a4a6d95a9fdc98b10a769e35fc79820c65be1fad7a91bede730c5961baf65914783694aea38603f64a5c24d2628a94ea64032df4046e390104d

Download Submit
C:\Users\Admin\AppData\Local\Temp\acAy.exe

Filesize
8.2MB

MD5
3bbf21be7c5323f18a3cb9cfa91b52a3

SHA1
bb235ae8cb75b0b690de2f7a5c90c4a2db55dd88

SHA256
a79b0cf3419983894dc4f4cc1f3a1471203b95806ce4fb046b277351a569bc16

SHA512
1e6b9bb74304ea326482818318d295598192a06919e68ad36e1659c60db09dc5557209b57a5fc1c4514649163363b0e0079305d85fb1d96fc0704f675fbc3bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\agAA.exe

Filesize
235KB

MD5
196aa77a35ffa0a91e04e4d749ff1bd1

SHA1
fae06b5c83f3c43dc5369a67d5f192c547e09550

SHA256
18ebfe786010fc5f505f9bf0d76be64b0eb2a300e1906e37e075911f8ff5377b

SHA512
8f854758219d0312fc1ff352f218c6d3484ebc46bd9d9ed2ca47a361794da781676d26586fd4d77c140747f205594ce3423a492e759d05a9acba23c48efa3e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKccIcYM.bat

Filesize
4B

MD5
c3c03196c7a2266b924e4ff22cd9ff36

SHA1
f2c608e39aab34d377091cae2b33ca8155d21d4c

SHA256
11b77db933f500e02f4c8d62ff6bf929d7f552a1ef7a6ed3daeebc0cc840dccc

SHA512
94e08b514d450753e2e10f17d9eacdfc984672c0a52b86d77459783a1bbc63a7e8aa69e3da2d4c262e9b289d50616af91db50a79e920fc3bc6251b3af0ec02e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmYIkEcc.bat

Filesize
4B

MD5
3f9f2cd90a85113a7cfa25803d6681dc

SHA1
39e8a7153de3665525f12865a0f9c0d6bef926c0

SHA256
ecbbbef193b23f1d1b541fdfdb44432e2514e1c11d3fd7a0e3ac7cff1876933c

SHA512
e4a129452050e9c45ca41d97c384dca436042d003bbdb9dbc08bd387b67a43dc11dc71816e5badf2a4cfdb4f43042fc19cb36fec3dfae8e8cb65a5acf18fe39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\boUAIIIg.bat

Filesize
4B

MD5
e05ba4f214a509db7766d9817c074b99

SHA1
5592de6f5f53bf79d6fcf7cf7c91bdaa57f9d06b

SHA256
ab73641f24c980d314723f7d174ea0cea285f57fc772e4006aeb443abd70c336

SHA512
afb26f328a23ef25b8f7b5b0b0082680ccb3672364eb8a8ee115b4d2ff7f203e403a103f1a6801fa90114cebd21053957693e08c3086b0694290555544dfa397

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEcE.exe

Filesize
945KB

MD5
60589f4ce2624f4387bba3e6f61ee502

SHA1
780d7b0aaca83f7e5535b149b5b5a90910fc7944

SHA256
8c7bba5fa2538ecd9ffaebd5d6dbf5622c128b94a2c652e30ce94bc5e796f74d

SHA512
fcfaf9566b2996d3e99740277c89b28445bb826cb3bb42ecae638d55bb7ee74d447205cf4921f964c06e1412bf8980732e2e985fcc94da1014605eef0d6e545b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMcs.exe

Filesize
227KB

MD5
1c1ca627c7a5478f2de6bbdd8cc2b619

SHA1
cb63581188097a6e47baae372877e6c9d6b01eef

SHA256
198f02f76e2999149659aaf6cd3e4cacb45b9d3fdc72793d0dd4c0e8e623eae5

SHA512
cb6fd83e1af876a4dccef2b0086b829eadbacd636b6e7381742e01b571caa61146d29e1584d9dc56b16483fa736c4cdea1697cddaaff8b8bb5a5d1c02d948a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQAy.exe

Filesize
4.8MB

MD5
50970432d129981c1e26f17c705fb699

SHA1
5563b1ed69f50c24e148393b274f59d153298682

SHA256
62756e2221df9b1804b88592c6e486005e66a9e16250a6a508ab4132fd7a9f70

SHA512
6f0bbd81da2f31a297419b2912184aa9cae6a63b5b9c54b2901a5c91464186c0d90e7bfed529357542884ee7fc32527eceab15885a46480b330f0f265224ff6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciUIAoAc.bat

Filesize
4B

MD5
0dbfac944da7befd7e28cd8495701c93

SHA1
74654b78bf966e77ab53393de175f8af3098b7f1

SHA256
199aa4c2718d0af08dfe3cf06ea2a05b87f3b390656b068f3ac4940c0b8bfa2a

SHA512
061940fca59c9843b82d73f1ce344a894fff08c34f449827048b697d91efc68014d0cc02a13b11e6a1bf297f9c3a00877975b8afe5b50ee58313dd5d386e89e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckIY.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csYU.exe

Filesize
251KB

MD5
831b19e74db19e71a89df71876a72430

SHA1
d9980b73448a89fb98199237e85ed8fc2f1a7091

SHA256
4cdf7a700c9dbbcde7f0f2c449e649080ea61209a4bcb16d196e7907a2ba9af9

SHA512
2e88777d5eac9c43c0b09d1bf6b2cfaa938a6b3b13ebec559ffc85d2324011d883b2cbed8a3a791eab480c8e6103351fc34c1488424f1756d6cfafa46c69008c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUoQokAo.bat

Filesize
4B

MD5
be40ac3bafe65f6c68335515b51ef59e

SHA1
47589cafacd794084a941cd94b52a5361a950add

SHA256
d19798d52d2e51bd4bff4354bde486e6a851a6b72e3e9d6c73797c2449c8d6dd

SHA512
eddf6d2a6489f65873285fe414b6285aa052ce6092b6c4d271edb7ec0b5372200d4c3974afc5c842e4bc28f0a872660117bebce15a6d9f41441f049d179c9b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIko.exe

Filesize
227KB

MD5
b864770c8f727c9ed8180065e96a960a

SHA1
472cd5c99b7d975700dc49a495fe4b5ca332cbfa

SHA256
6eb26a46e66b0099603dca4fbb315e1a25e18d07db4fac729866b16ec52838fd

SHA512
be33f974c4527b247e8b9c2ea564aaa54e878c2c1a4e6db91a488f60227e608cb63c4ff25a5f38fccc094e8c7b462bab5cd06655e7c154b842323279b9b36b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIow.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUYA.exe

Filesize
241KB

MD5
bebfe3f592f122df822336bd1a236f93

SHA1
1be55e41f2cc01c772d44404ebd14dbf634aca4e

SHA256
a4e35df86da4064cb54d145172ec73a5b34b10cf64f305d5843c86570973a92d

SHA512
c8dd25d33e1314150991d70d15193b94d055f13c405daecb2ae4648afa21edf41f4b608a9e3d8f138624b5afbbe101ff275847a7e93e4d1503ba94c4f1f47f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMAswgoo.bat

Filesize
4B

MD5
7d0cb05bf961a75276d6de6cf811629e

SHA1
11c6df2295a8b859363a609eb27377c4bc85c834

SHA256
952788d217a0397e258ec6c0fdc055a36fe81abb9959f6b06b6eeb8f05965cd9

SHA512
526aa621be8b5697be25e7f9eb9b4d5cfa07363b3de3e7be81a22d9ccbb14169953c029e5339ecd9ef6e4fdbc282aa17648d8c61d73b69354a22183dd5db5d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOkgMwgY.bat

Filesize
4B

MD5
ba49b31130d98d154890e0360eb9babe

SHA1
41f757a400cf80d91f27778d61c14e917669d8ec

SHA256
3db3caed71fe122b965673023738ccf477997ada99e8a873dc935cd78efde465

SHA512
d25cbd66e2abc8545c68682d7dfb083829beb2f93cae4c9c892756923096357d4da41d51bb3e01dbe7f27d02e353709082cb45e702a0b9cd3b0ce459782eb7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqAMMwYI.bat

Filesize
4B

MD5
db5e3cc0fdd190235fffdefe87cd95b1

SHA1
03020549ffdcfd8937cca08b9ed427002c270005

SHA256
fedab3f01cc58c874d843668ff22cdff82adb88b40113c08476c06e62539b482

SHA512
5eab1e90f8a3beed48cac563dc2880199292727dbd328c1e811f0243416232005c1ce2f4a21e78996408c011b6e8bf5d45169353ff6a8926fb76d0a296b4c270

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqUoIwUw.bat

Filesize
4B

MD5
4e2da843ca945c46070e96dd8e217636

SHA1
57b787327c8f64121f059a3f157d7ff5b7746a5e

SHA256
e86c4f7ee7295e705511309c928d164715496e7933e37f3aa8d560470b101ed7

SHA512
e0156dc6b79ad2f948d1a6202f93e3f482319067fd873ea08327b79acc67c9abb0564c8cda77205ced408a7c42a27c7f70092d9e682f217f070e025f0891ccfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIwUkgoY.bat

Filesize
4B

MD5
79beedfc45495b3200f84f688def4b26

SHA1
cf292b7ea0ad567fc8dc45a491474d9e1025d21d

SHA256
c41259171362783c51aaa5e18a7d4b91872f2177488276cf245bbfd208ae6cab

SHA512
f6d36a3b0b2f91afd46838725a60a947455bf48e76c8c5479968ce21711314fe68b32aded04696ef25a6f1a49da5433fda90701f34097c969e9036c3e937cd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMgYAIwY.bat

Filesize
4B

MD5
eb299b4a3081627d8ce307b27440a50f

SHA1
311543df31eee17da24f2169fa2c8de052047722

SHA256
5dc8d62c52c33055e36194e26eb5fa2a5ac893ca7f09cc0396c497b1afee1177

SHA512
8739b19917023114afd7dc55b4227d462b4527d8463892911004f5da1099cfff5bd26c43e6b2a9971452870942c76c5562b4b5b158f134435d1ae0bd8791cb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggEe.exe

Filesize
250KB

MD5
e99b9b89dde8882baa455919fd22049c

SHA1
5b0f04207bac1a48e67de31e8ae9d4c570a2d4d5

SHA256
1bb8ac24b426bc13a4ba35eeb81de3e7d8bc3692832e48162413cb627a974d5e

SHA512
8ac0221abd22fea5fa64f24fa1f9dc36a71d66498fa8a63d61f4d3c58cf76cfee983fe066efa94b112c514d71e7ec47973287c5c36e697467e8bae2dd9b82a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\giQkswYM.bat

Filesize
4B

MD5
cf27e76e92ab0bff3145f5453fda4adb

SHA1
27a266ed3690a8c28009f3707f263d3ed8e64cd6

SHA256
d91fc82e4c046f0021a953467b972e8b48dcfb64e7586b66eb9e5b709d5b2f24

SHA512
8c233b0c035aacd478eef98abe021a7e38c0e9a50f8a5ddfbc5080e7b7e78a07f8b84bd91cb890a9c053ebdec2da75f39a67858686c3cc688450ca2388e71699

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkcC.exe

Filesize
244KB

MD5
aca9f983b7c58e6425b593cfd4593288

SHA1
c8f4a4a80ae996650dc00f8edc726c618133dd9c

SHA256
29bb3e3534149d32e521743b727b6c79f9fa26825a75b228addc59dfa59c8283

SHA512
b080bee99ccaccc821c9e75aeb784d293663c411dc33b27c3e89f17cf0c2e743710848fc93b81801d681e2d9f168cb1888eb2da788f22c896c9ce6d10f7569c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsEK.exe

Filesize
648KB

MD5
487e8834adb4e8cc806e55d02173e49f

SHA1
263cd9812b6fa37eab8d3682edae17e631efefef

SHA256
a4893f737958110b999e1a2fff6f8f3f66ef011b876d1935313751bc4ad42cd0

SHA512
c98cfbe511e66c5cf3bb87105a179c767c1e743c3fb101c39c7983b0c76b6a53d41c5eb3dc4f508b924863bc427fa12d7d4e439d574b54b3fbacdc6000e74a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwQu.exe

Filesize
187KB

MD5
d440e99d64da5aebdc2e3fde6861038e

SHA1
6412f6c4086400c991d137a2e633a004efa4c2b5

SHA256
d02fc22ca96456a17dc871177a9cb749135c8947c9f69c9df4d4e3bbddf9a878

SHA512
7e4ff683393818b700e8985526163d81e7167a69570faa10666f30b06eead45092a41a48e7457a8b2323a376f6733c4a860be48622b6a87a58e960765d4d9387

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwUy.exe

Filesize
253KB

MD5
59f610eec7d8a7ea60f4d3da1438dd88

SHA1
db7811ff39f8f2ba8a7f2244d7fad8c29b8c02e5

SHA256
9c98834b45727cb039907c6ca5355c0b55eca8a61471cad55a4682d2b51a653f

SHA512
6c404b527283100465a394c5df2b0f654cd271723f39ef1171d84c97a41a6ad786a872b050223ff5c34d18384b2723e3ac61afd16a08f203b7036ff94e858f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwoe.exe

Filesize
198KB

MD5
a5bf2f3e85e4a4c138fc8551201a0b7b

SHA1
f1dee3b3b3220c6528986add22cc205c88aff2d0

SHA256
afe9c2cd0a29c368c26e366086dec9db33349ceef5fc538e61dacb0ab0553437

SHA512
3861cc86c91bd1d6278be62e0a37ea876624d037fdd0b7c62c813d78843f368f1d9a27ec153a8583e5816806c2b52a6b52ba196f9c8164fe9716c23ef903b26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGIIcMkE.bat

Filesize
4B

MD5
768a365476f148c4aff31bcfffa7e567

SHA1
7ceb2734d77ea098ac439d44bc12914186b3adac

SHA256
4920c3274a5bc4f9949495f759bf24954a504e029ad63a0b65bdfbb6323ee442

SHA512
b6017cbf13d151a11759cedb291a715e5b7f6ad46b41b56f98d53e1c18b9ec74775f7cb2121dfafa72238542ed6332fd1ad0d5a786828db7c0ae375ec06a3bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUwEwUYk.bat

Filesize
4B

MD5
2bcf15a3f633c40c235adee90943084f

SHA1
f06b162e72b045e5a039ca8f2c7bfdabd09b9b32

SHA256
8738ba9f054ed2659a54b748d12e59d500c396f0c92247381de5c5689d9dd3cf

SHA512
8b7e0228ad61f3c9d0ef781c500b9430ae0e95536ebaaff7004c29354fd77189a7b84fe758dff76b2567e5ad240b7cd3579f612ca84f3db365bff95fab93c801

Download Submit
C:\Users\Admin\AppData\Local\Temp\hckUkAwQ.bat

Filesize
4B

MD5
1d1a8a32af358df5b6114b14d9eb2d35

SHA1
266c75cc11f9856827082e70e1e79d3f37b048c5

SHA256
f1a23ac07b3f1c886e1ec8050f4a42ba051fbeaffd52c01d66650ffa6dee0d57

SHA512
a0630817940c7527b55b5c7cfdd2d149d441a097af653cde498da3fbfeb56ae4335fe86bd777acac1e5f1e3d342d120a7924da5f7513169189959794040d4b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEIM.exe

Filesize
250KB

MD5
5ccba1c955e3ee14e28717088499eb53

SHA1
4a9968c9fd89ca5d66c5ee645e260f42647a4ca9

SHA256
f85aebfeefd2d4504b46b75952c8aef44314a59568752fe5963b969fa38a05e5

SHA512
694c0683fcf9fbfdb870996acaf5b5c294b3f045ec9a9f61e4bf66c842ffbe46030b3e71c38984fcd26cab01436951f2b50bb20b165571a49e050ca7e0f7e6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOMcIooU.bat

Filesize
4B

MD5
a18e2eda3f31e406b71ac56a0b2471e2

SHA1
64d04dce88dde51c2128f66877a861ebbc75c950

SHA256
da43b7788e95904f0a07c633523db9ff7d98dd2dc634f8856d3735ca3bcd0b6d

SHA512
00001206c0578ae9927af682b7d71394388d8d1de098a6ce8c6c2bc9eb7f5fdecef04fc7607aa3555d91d738027d64a566009fe2ae241cd1e2ba11d20c4f971b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYIM.exe

Filesize
187KB

MD5
281d009fb24bf73daa53f1d26aee25f6

SHA1
a78a098764889f4aabdc0d8ba64cc051ca05c5bd

SHA256
477c843bc083a64c8c37f5103bc42391001cffad90b4c66091e2b06980dc719d

SHA512
26b5feb22283e6c4b03e1c43accd4f78d5d1d05ab1662db433355a3c8fa916d8c5ec633541237a49e445ea5d413e150efb99dc484b0be9b107cf738eea218a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\igQQ.exe

Filesize
392KB

MD5
ba2c6628ffa20b1ad332664932c49315

SHA1
68ede385b2f68069db28f73cd672c263d64df3d3

SHA256
806556db44d8ca505236df7ed8f447895ade43b3b2d3e5b2f70713cc16a3b435

SHA512
e62c18bec08ee1357788feb0168644bff84a276363398156c4387abd5ec363c46ffaf302267d642fbd318359e8f47b2007a509639bc60f9516422bf2a3103c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikYQ.exe

Filesize
191KB

MD5
388a3b0a181d742437f9818654e42380

SHA1
9d67721785ce832c9b6e94773fd857b3181c6ac8

SHA256
18abf4aedb3b9ac78bf3fa9faff9dcfed05726fca71d6245e277a47d70f6f31f

SHA512
07db9695e0ee360df7098da4b598cf69510db05747d32dbe494e362467b85a4fef516776b75af467e6321fee4841a693d611240c7b1b3a974181ed31e538faab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioEo.exe

Filesize
195KB

MD5
172695bf62ae682ca60d088aad0a5e7b

SHA1
e2fff1891d78126f9cecdd2343140e8777d47562

SHA256
310983c6a046f47a1fdd374f8ae5e6974e0d12da12b88ee3fa97a9fe4f1e5fa1

SHA512
4b23baa52a1eb45da444879209a571564321be35b08a519ac4c4c531b929dd14b0ad87a138e0eed3f58e2ab3e0e3fe7535d03237c290ab35dc9f17dc3b16bd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwocgswE.bat

Filesize
4B

MD5
9e0dd9c042d14db27b5aa3f1895f90cb

SHA1
7035ec0ebb9d31fd797c8f73b511583c9ccf9ac7

SHA256
3353c125f6fbdd2ae3fb33098b30024eba9c4e8a64aa8b5ce3d5fed41f5bfaa2

SHA512
5311db878514ce4d7bb65e10049af45ddadf7a3aa57c859f970dc707cae917bd6ea4412888bdb8f8eb606f0828ea4e6e59577db2fd3fba4b1824947d32740d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\jSEAskEM.bat

Filesize
4B

MD5
0941d6ba68b4412593b0e1dec6939808

SHA1
5fec028c72951a6890fc730343bdf0fe8ec1e84c

SHA256
22c2f3d8d4c09c537af623c59a4ae2f437b6ab85bb685ccf9e6b54545d072276

SHA512
acc77e1c81c4ead260eccfce8627a1e5ab6c4fdc7973600c856f8e68df3a6384be1a446e941afb66abc8e23d8f6bd7590a4f6e84cbb1cc2343aa1d3a99369a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEW.exe

Filesize
4.1MB

MD5
c906ff546ab9a5dfbadd0b80aa325f0c

SHA1
23dfb655570822749a7a62d720c617736e1f010f

SHA256
08ccb601df93612fcdd745122619549affdf5e651057c7a594e10b4d3dc7c2e6

SHA512
5fa37c9b89aa0c0c9c124343665df01ef782768e9776a7f8557523cdbbde3f49420fbb59dbf5133c798ff7ee90d6965dc6c1955c612dc33041f65b286c63a8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEgswUkY.bat

Filesize
4B

MD5
c320444579fe6dc03b3264f634c863a4

SHA1
a8f4f4b6c94b8462da05782c620c6b6a3c12fda9

SHA256
a60a9902fcf75be370ca31953a850ea63a2e4ec89dbe946ee600eb8504e73560

SHA512
9875d1025cd3e17b9d68090a9704259ddabcda2c300313ae8f6e6ad6281998cd44a2733376367317a1fddf3d7fdfbfbe0cdcb88ce669845215f1b957aa916f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIow.exe

Filesize
238KB

MD5
f5d699a6360b2c6626d5af65de90295f

SHA1
8283986900d2ea233252f9d8eb8128332f1eeeaa

SHA256
af4831b8e1e53619b7a61715b5befc672e6751970abf200a44af72c9c3db087f

SHA512
007890fd5e14d7ab7da69865229438556304446777980f531d5e806ffd62fcd287fc2e7ef8b356a33792e211da51cf26c399c68a8d14968201f4bd7fb0b8da1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kKAQYQAM.bat

Filesize
4B

MD5
da40521a41a940287f231a22aa8b019e

SHA1
8020537ec501a091ea4881073e894e11959a7d95

SHA256
4614a0a7b5efd68547958d0fcdf3e399616cfba38da44088c8aa90788315d763

SHA512
73dc66fa7a5f2e2f680beee2a76115e4250412a477d01adf2b144b9468cda28f38ec3e0c8569000f4c933bc49d9154e071b4e9edba081bb8b75d32e9fa231397

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMMk.exe

Filesize
243KB

MD5
98b258407b13de8248b267acf28fc325

SHA1
7e9be8d559054f1e5e6517f4dacb0b8389f9f647

SHA256
79a0785401ebf713db732cca83fdf4f019bb4954cb799d29396915eab949e77f

SHA512
04d09f82ab786353fbbeda07732a6fe1d03f16fc429a720b78dbdd9d9c49b29abe12cbe9594d87dac1e99e89931abe553a549ffe7e29853493ea3476ff520465

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQAc.exe

Filesize
241KB

MD5
1654b73058dd325b567a50db710ee1b0

SHA1
469691def1259336b55bcb06d4326c4add488bb1

SHA256
1b99c41dd5c9bfb507cd120f6e75d32b8c4193fccde17c8aa6ab3840eff992c6

SHA512
1e73f0ad345a984f39d078b5e41cfb87a6776cb411313b04f560183327eb8b53089300f8135b08f25a89f8e62d11687ad2c91322c37a24d713d59e16a6816659

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYsQkIMA.bat

Filesize
4B

MD5
f4c8b022e740a6e5de206ac41b8fba53

SHA1
43190e6be5fb87f40a63c378836da948b85d0c18

SHA256
75ff4ed0cfa22a7e1be19ccf61599aee3db493d955f3f6e0e0ab255a8b9112e4

SHA512
8d696a93eb3fc1ef862fb37c1dd3ca7308409371c25b7cc0b0436a33a19d9476667ed61ccae6ad1cbf4fcf02ff67c12d3332d08c3d276b75c8d32def964fad53

Download Submit
C:\Users\Admin\AppData\Local\Temp\kesYEgUE.bat

Filesize
4B

MD5
b81e81b86fa389bf4add3b9f89b155e3

SHA1
2d9e715c3b3231e56c656746288b0081c40deb2b

SHA256
a2ea85b10680ac80698c2e159cb08016e83528af00f1bae631305e3ab7e7fac4

SHA512
03a47624b530fc663bc3af0a84ff37848a659184a15fdf87b6dddd4ef6a9ede08518961d1ed678d47245014b82524a59e386e5c6eaefe8d62e9fc3948bdcf22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqMQMIAQ.bat

Filesize
4B

MD5
909fa7462793d8c8187551e8343299b2

SHA1
87efe360eca2531075750e8ac875d1eaa7129137

SHA256
675b7bdd1d47ca5b38e406cbdfbd6ecbd3e4993d19ef1127ee4239af51b1b7b3

SHA512
726d13b69748c494adc405b40e284ac957931ae2b8b440dd0bac83a8a67104acd05ddb0d86b5ecae59e63560c5ec411fb9c8ef74408fe1722ca48a2e99ca5867

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwEE.exe

Filesize
241KB

MD5
1a9af52238e23d7966b4a5dbaec40a6b

SHA1
07e80bd6e10029d049495c04380c6c4f617bb6b8

SHA256
dbbe5e6797ed1dcd1d9c5a4493f6bb28a5569a88e187aff80e14aa7d306e76df

SHA512
d85d8831514fc38bcd6c0545e7b62390387b1b8b17aa5a2f1ce1b546e197958d92f93181aac9f557635e6b597ec55a98eb615abdf128e685d764fdc45ae3dd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgIEkgok.bat

Filesize
4B

MD5
f25dbae31bf0697eee04ddb17778b397

SHA1
17573332dd0aadda2b8f35de6529c6cd91123170

SHA256
40e49c79a26c42d6602c2422f8b5572893138fef078f777ca17d0f183ae052d7

SHA512
6b01734880056494e70389d8e0ea00e0aca7eff9ba30dae8d3ac5a1d6fce5c82ccd36a272623fd37cb97b12598118de7f6dcdd023c83ad81d14cec690c01be50

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmcgAcck.bat

Filesize
4B

MD5
d5b0fc88697bba1403cc12beec7ba2e9

SHA1
90459bc7f04d72786173ac62a85a3209a837e9a3

SHA256
3a8ea0280313b765452d480478a68a06436bd04845ea6ffc9907922911a6f993

SHA512
ed32765678157f0a0ca0f7e05067b370ce0d1a89a114dc41ad909e4286926380ca3aeb810a86e3e3e73d26f7cff518a2ea8578177edd36fb447148b36582e888

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAsc.exe

Filesize
185KB

MD5
5ccd98484ffd4efa694b2f3f6d8ea3e2

SHA1
1033e02048e1e37dd4acaf7a987753d3a35bd5e7

SHA256
5b3d9aad98532e30053ed94e830bc417297fcd7482e0f55a309b4c18a44cafd6

SHA512
ab6ffb6bd10887bb7a71296cd6570149ef2ee5d251909990b00edb093981107b27d55f9dc9d31f5aa393b797c67341929f0876f62648bf0f6f04acae56ff09aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEoe.exe

Filesize
250KB

MD5
d32349ebb1823b76df540db4e59ae227

SHA1
26f9ab7cec74705b88cfa8dad6ea1b9b7a649166

SHA256
ea2a4722b11a6f0feb789ebb6d1499b0dfd2b7eb6dab16f63e1ca72796b9706e

SHA512
611ff5ef11c34b879090c95d6bff0062f15d159eba97d9aec5c283155331215de41e61786c14dfaea5a17759bbfe37614924be0b1a78b26adbc43f203f190d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIog.exe

Filesize
327KB

MD5
d16ce41312c1d59a9287ef47aef2e525

SHA1
9432bc969ef2237ee5ae28f999ff5a242decbe72

SHA256
8197c03445d9711bc2258d03c9856d3b2ae7214ba6d8488ca9ef21dc5b7d8105

SHA512
40dcdf7231e120e5421635ca3d04f595172d3be7454bf291b14d8e7fbca128642e77bcc538608a095e000a221a947cbd9c3ad0b5850952e70fa8e7e808ba70c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkwK.exe

Filesize
236KB

MD5
dfd2d103e6b0d5fd2c23b0f3040f5cf9

SHA1
a861adbfb7e772f6fdfb7bc0b3e8de98f8090d4d

SHA256
e9351f1b59024c4b5055a36d3f17b915daaa95440d432a84578bb9c91fd09adb

SHA512
e8142863d0efa23b09da8f62666cf1852681ca2e0d86475468098de61fd5e288c5faec0954eec379a536d96cea5b2c5ff730f4ed3828fbbe2deb19fb99c08da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mywoIEAs.bat

Filesize
4B

MD5
be69f389559f3f9199c6fae1fec5b07a

SHA1
1e0a493ec5dce0b77d67937e24226d679979f450

SHA256
84a8fab734a99c86677529ce12a9cfa353551d56620f4a60c4b374e2a6c8716e

SHA512
d77ace945f7dccc34f36bebc9fc8d65ac2cd6e65de534093689a7e80a1db919b00e7e1e6c75efac3e5d58c72e8049cf1940461b0cf68754338d1367cbb327f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAAMkgAQ.bat

Filesize
4B

MD5
a7196c51fd0a4a6b394d30e68ba80ee0

SHA1
ce1e83e759c749160635f24197748793d2fa8d02

SHA256
19a9d937a654be58933063aef42082dc04e4da95889e05b2fa38bcc8bcbbbd87

SHA512
6301432b267554162bd57226f1fcad5a9be7dbb46ecd9aea1120dde1fb4c6d8949f3b833042934dd2810dd5e5533b7bd38705e64b2de0898575788c0568dfa79

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAYu.exe

Filesize
233KB

MD5
490cc21223e8eab70799785ac7c7dd63

SHA1
037ad35ed64fdc82e37e0b6e35c19d89164dd9a1

SHA256
e582c4bbbc9853f257ce73ddbfb3f84363bac6adfa2ff617de278b3032f503c8

SHA512
915d377a219ab88a53b9d16263bcee78104370af1f56f990ee26152bd86a65c06b1c3cfc5465869349946954bd8d076b4be6ea8e904ecb5b22f24723cd68a469

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAcEIAMw.bat

Filesize
4B

MD5
c3500a1a2fda5b337a617018a3d24cb7

SHA1
ac1a24f061ca244f6710b04dad782c8250fb86f9

SHA256
5be297b8669d5fc9a69840edea2be1c9186c66fd3cfe646fe7a2106ee3ca85b6

SHA512
3f1397b9cd354d3b4218c697f9056368d36efa35f350f0e8865b5e713f73484f41b339adba3b9d8f610383044ee175a61bc39a3c6e710a908c8e2aa08944cf6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oWsYUgcw.bat

Filesize
4B

MD5
ac59128f2b8d190b008293a2c7474eb4

SHA1
4b9720cb64551e1a2f1487ed17b912f8edd98045

SHA256
dc3327fda9edef0d236a2b9966e8cd164ab7a6d911f8cf6981f7b8f373535852

SHA512
ee0a7f6df0978dcc2b8ca905be59fe673a8b4862d5b5637ba4ed5885d790fdb89a4b05abea2081e4909a6a6f2211e1b8777ed6059b16df937a2313870ffda58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocQe.exe

Filesize
233KB

MD5
3c3550136cbc18c6f9bf68abb110ec79

SHA1
3a459c4e1778cd05b20b04757ef0670d9ac4ff7f

SHA256
411ad8f3e7a19517183de287e934a7330970f5a203231c126a785c6c8bf9e486

SHA512
1afcef12c22a35f5d86986871e269368c0b6824c5f3c2b474a1c2c68a5fd2ac5a9e26016547b91a504c02fc98fc8c2fa3718d765e3c6b3db3a7b990d518a2a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooYo.exe

Filesize
231KB

MD5
d2092e3ab33c606460da599319b321dc

SHA1
5e2fff0596f649ffb56d6d082ce4b1d9edfb0efd

SHA256
6316fb4423873f9d39e15473468c821fb4445ede1358c9ecaef558b6127370d2

SHA512
922c650b98920e9bfc117e69c286829e5ec93f0b48ab9a004bf1b800c2ae97739c288136c3dac5f722f442b7f8585222c9ac410ee355a8c6513aa21796845f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oscE.exe

Filesize
231KB

MD5
c8c995390a3e77a0ffb15f2fa8e60079

SHA1
f7bf82bfdb2a3756879a6e49c5e5d5c7240a1603

SHA256
19e82b74ed1801e8d6ae38c6319f11b1ffb0c11056fb7bed5752961d2923a1d8

SHA512
44214701d30e5582db1688a861d90526712916d07bdbef609cc55f92cb66cac3b6af1f9d2ad15a79bbc36b9c3d38f98c7c07b59007a2b80dcaf6fb483836a09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\osgY.exe

Filesize
210KB

MD5
2d4332a7a9b24195aa7a0ce7c884a0cc

SHA1
3e9e213bbd9ef77f35497c5ff995db2e551bfbe1

SHA256
65d61f5662a1dd5a2bde6591ec2ce5502f7e07d59bafdee4a222f2a6f503fccd

SHA512
d548864806dd7eb60dacd2798893361001379afc8324580be9ab91acb86f83377abaae1331c19cf63e6b3602056d52c16056bd565cc976da0cf0b6e95c63cc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\oucEsUYM.bat

Filesize
4B

MD5
df51bf140c927bbae5bc0e930256cde4

SHA1
7bb839f83f0664560f5990ac1dd71456617b73b0

SHA256
1606d09611f4f3471b31936877e33adb9771d7e93576993d281159b0ea628375

SHA512
5321304aaed1f3d478b73f17098692dd4a097b024ab5a08500abf033047d3070c556653418f8320e8ab9359c4b7f4386e13efd0ffdef5ec468ca2709a1029f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYQQQMsQ.bat

Filesize
4B

MD5
17d0d224f87076594c1ca52af2147436

SHA1
c982e541c614d16070a794ab3b0002c0238ecba9

SHA256
14cf99d5372db722e5dbc86601ae217c2e4c4b12d6998bbff9347a594705c7e9

SHA512
bdbe505398d7791bb99ee709d5820e762fb2711290cb19aa2db779cd56cb7a58d9a11c2ec52ef51d8700878e71be6eab305f1e4529951d7670efb53fe3c52a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pccQkgUE.bat

Filesize
4B

MD5
887a71f061bd10e20f35f57901de38d0

SHA1
d137deaa9b8a493e67069ffca444d1bfff45c817

SHA256
8c6cc8386ab135b3eb5f590af8b552276ecf1f246a3225811e19e0fd4ea17c25

SHA512
ca4273829a35e1d2335ee1ad453a3c09c1e2339e8eab17e83304a79308b89b15876672f396f2acac521286298557e0ccb8000cc13876fda277d4460b929469f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgEckwUc.bat

Filesize
4B

MD5
3499fd5648ed61679ffde0289c4a89a3

SHA1
614f5fba41669b8f9acfd0390585b9d1a4b459a6

SHA256
10ccd699bcbe51d8b5b297c2ab5c0138243ea804c089b746dff385ebbff42ae9

SHA512
0d9d42915612ff7d7fe68abd5e73e6e20cc68bd3b64f31652ee2f6df4ba307d731078a62ffced2c5ec50d85e048419f9d0ad0ad9cec1af01240a7999d170d347

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgQIYkgo.bat

Filesize
4B

MD5
9e08351c4024a877aecf6aa1d8866003

SHA1
b64bf257d1ae0b4c1d070c3868c6ba6a426be517

SHA256
e531a4db38fc739b9d9bd3af0bc5fe119f0ca567a2459fb55d3c92ed06da6594

SHA512
f898e4fcc6c45dadd77ae70b8a41c988a83497d43393a02371231b028e1b1464e14521011ee69cdfe89edd5aa248d2e0d278ffed35f939a91e154d09d6706791

Download Submit
C:\Users\Admin\AppData\Local\Temp\pusYAwMc.bat

Filesize
4B

MD5
8210f48d5cbfc4a268cff14a1b4b0069

SHA1
422fed6751d5f08a23bf46754eb1acdb664b476d

SHA256
84c8540a720cd96ef325ddc9beb32a64c8575f79d976e3d4cc1a8f0403d9f5e1

SHA512
9392109935c038b95f57e481b0b91b20750fca4979c02a911cf8c387de04436743178fb7987ba300ffd59c48c812b7a70d625fa3e1db6b3680a7e1341526665b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAIEUQIY.bat

Filesize
4B

MD5
f1c38ee0a2e9b16a65fcb2a1c9242f18

SHA1
c8872625e576264c6040b0a7cd06be0fc1e0b6f8

SHA256
29dff921e555fac537cd440e22ac3b4a531ccf3857a59806f3b1727751852b17

SHA512
a54e9f14045ee69c67ef4683b357897bb8583bbcdf6749248bdc147ae2ae79c5e14b7da15909b6e49429bb94130d2f3d14646d216576c3395474a2567a2bfeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAIK.exe

Filesize
241KB

MD5
7e54ed0e30c8a779383202dcbde66481

SHA1
01932056b8baa8f3fc5fdb923ccb5b2e95a5b98e

SHA256
34a545411df975a01324120f1da8d5b5e5d96a2333ed8585be6c2a9b74a53b6c

SHA512
4de90f48dcaf0fb83b7c6b777241b20c89dcb86efedcb804f87cb16e1beeef1d458376ebe387a3c330fa5ff886d9666e7cd147397ba038e5267d8e6a76988dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEMg.exe

Filesize
232KB

MD5
3d1baf4eda7b485f6aadb9e43c5cdaa2

SHA1
892e3cd4205848af4237143afcd9a85778f91eae

SHA256
377df2c7f89340477f5cec81656c0c7991acaf6a275c7df431cd24a39f213c77

SHA512
6f944b2a290768f16c51a87e394761792ba5c3561fb1a33dddb4d78a7d68ddcb0e2bba5eb7545ab34dc2c84ee364a10752babd04600f9797697f845edfad4cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEcI.exe

Filesize
215KB

MD5
1dc5b2d3ba5f2e21c0e0b5347551ad49

SHA1
2ad5fad3bd2a9e91a5e9b49947492510c4f8c89c

SHA256
3a1a07862038781d76f1dd0cccbf7dda8b70c26b77dd99e98ebc8aa73710c9b3

SHA512
1d858e3134d9b128d1ccbbc839d0b3a16c2245e77bf1c049965cddea972ef0c810370def95ff23a8a55f0fa2771f7f19a6f07d10d950f428ca16fe14951bd281

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEwa.exe

Filesize
235KB

MD5
9c81a946b39ac19e1722148d4fd4a85b

SHA1
0d8a28249c05f42382c1ff8a8ab95c194f00d820

SHA256
381851793fa97be64586e1437e819dcfefbaa2e0894f74f642e121613401cb6b

SHA512
79df0c0d5ee9280aacc510290c02f208a8d0e2c0421f2995b4fb0aa4da7fec68923081a448f8542a2ce65f1526dbff6b14f39496aafa41946899a958809e6ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIEA.exe

Filesize
241KB

MD5
14f6d8d0a41ced0f647350d8ce43c799

SHA1
683413eab37914d3ae16ac6a9bfaa008b1fe0566

SHA256
98581286d03887caa204de8707aeca962c87c90b1a71d2428946298953ffd61b

SHA512
3575f83bb94822d8e457be8c43b727fce036132d0454dd9a9717f1ccf30751c3567ed6326d3a69705fec58403890c7e6b2181e3b33d1e7604c7b5a185b003771

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIsokcQo.bat

Filesize
4B

MD5
d97f09ec48ada2fd73fab2db59ad6f96

SHA1
d729ba40e6edcc0ddc78209aee30d7c41ee2108f

SHA256
cbd20bb5d89e379698237fc3da43119a26f29c9e693cf52760019fcb8720da45

SHA512
0dcad5c954963bfdb29ccc8cb6b9edf0f8b237607df547e13883f73d8720c45d42b0cf5182de4f05d2b1da52e43e79b0aa7241d14cc2c0f303b3e91c06cb5376

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMUkwgAA.bat

Filesize
4B

MD5
ad0227d19367ce68bbd483423f665f95

SHA1
070a27c6ee0df062546bc9c10dc60b57523294ef

SHA256
0951fc0e3050f5e048d9757959c64d49cafaf6adbb04e8e221604f995c7e5c9b

SHA512
5d64f1f578c1504c83097977ce7d3ddb68b9a5bf0a6a4a0fc72d62edc9f14a5296e7a2f2ff928d89e6781c64c5cee4b8413d5931594e2941ac71ffbc4a4a83e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYA.exe

Filesize
183KB

MD5
0c239b1904bb9c553fee28c645935a7c

SHA1
022bb186d9932cda281b0e92271819bc81ec81c4

SHA256
5c66fbf235b9a2ed5be0260ff9cf2378fc6b2c4ea0c2f01f45f5a62e83a52bef

SHA512
043842d0fbf917c5293fca2312f438afc626ec592226c0d4790f5a8a5c739869134caa01991b9d91b65537aa351df79895a63617e24216d6f805e32ce43e391c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQos.exe

Filesize
232KB

MD5
f176a73838074918e7e6ec5ae709cc26

SHA1
9b28aa5d93553e8d6201eb28f3e6ca12d6653725

SHA256
20fbca911c8b3fd96a63ae0fb2a676caabf726042a6a64302977c2b760b24aae

SHA512
60686134293b2d2e63a9b1360df47de558b56dce310df3f89f11669b6a3fd85e825a35b25f040a9120e8b9816186808dd8d18dd1ab3dab05357647ddb385dc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQsAUgAw.bat

Filesize
4B

MD5
49b072c8897a592add9fcbcb95038c1f

SHA1
49dccdc8ee3c47bf1e808583ddaf2e03da7296f0

SHA256
08d76ae75c37f037b695b1d7fff2bcdc6da925b69b554e0736068925c385fd3f

SHA512
f56512fca55bb5c83157c2868caf7a7b4b57982fdeb21944cdd2de00eeebc2f216b42ebf36e021a7dbc3fd138b7f69238bd2655e32c1c093ea0800f657ddebf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcYE.exe

Filesize
251KB

MD5
8152bb2f42fe49733d7ac91810fb6990

SHA1
e9471e48538aa681e1b1542009cd65195bf60de5

SHA256
93b99eec3f53a0963618a1675b2022ee9b27b62af54ab72ee27485a3957ab223

SHA512
50fa17e294de00fe7d73f9f2d86b4b1158604e18f9d4f28e823c4754cd85f584ecf3bfa4d3846fc30c519df0d2f7755f942224511da0e0a2b0133f4365d69c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgsQYkIc.bat

Filesize
4B

MD5
dbfee92a8f52b82ef7033f24ab338a9b

SHA1
5ede34ed8ab6212cc4677634b1f94f92f314be49

SHA256
25120f9ab0a732ff0e6153f6d6b6d19a850ed0ee52537d0e0fa2cfcb7047dbfc

SHA512
f0ff67b91f440dbb9a88b64ac6c17b4294830e051627a3ac6cb67bb9933004e872e7c1f95982ba0f1a45b9b01558b8c56b4cb7472c0fa64f7c7cf3c44f7aff24

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoIw.exe

Filesize
496KB

MD5
708f07e98e64ee794b67ff80b5196237

SHA1
2328b36ffb8fda361348fbe4d4d14ab03d1f9341

SHA256
c0d5540ef7d0a84e2e2c4adf4d53c27317742b9dd70185f57677797d3d0d24c1

SHA512
8a6e1cf09526137fa864719d5c53ce25dac309165486f18da2603d5eea0138f48280a8551d3f77f72a7cbbfca823c7158cb11565415a80f02a5e6a78abb017f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsAq.exe

Filesize
244KB

MD5
d4f2bea5eb2063eec99de2183eecfd02

SHA1
ff859a70de89735da318cf4bfd93f2b6a069b18a

SHA256
c84513c41f1cfb74f7209e30af4fea16464dba641bdc8d8a9c3fd3b7cce2d467

SHA512
edf076f0f3d33e04d2da0b53d28fe1ae3cb8978ffd526b7d78decc6c641b97a78bf557949f77281731e27c6ffa2c0580037384f981f8eb81148f1647ce19937a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwUM.exe

Filesize
203KB

MD5
c2dcba52f7c6d3cd26336950b1417f08

SHA1
8ff606bc7c083b1075ee316ce8034b77479094c9

SHA256
91a1b9e8e92d2e2cf3713f4588825ca6e80deb3e2992b04fdfe005b765b4075d

SHA512
a90c932fac25dea8802e2f334c46a8a6b27a95e8b8d976ec1f89cbc860037d6775460de0bd4964e1c67f82e2903b2b6081b5cd7423c001b4c59685a0f776e8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCwowIYg.bat

Filesize
4B

MD5
dacf1fbd1dd3b41c47a02246d168b979

SHA1
cd574ccc5008f76067457e7dcbae17a395473451

SHA256
0d2fccf2261f3f541678e2276b499cedf345857e386aacb38e0a9fb9bc5a4271

SHA512
9c3733828edbdd67b8f163b4091254b038bf365aa8cd772195f22f47ce9e7c03f65bd5ca8b92a31d8f3a21fe3a1c3e6b83f46a7ba39503982f9c0f3eb30172ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYMckssg.bat

Filesize
4B

MD5
5c61d361635554cdb13d9aa841371967

SHA1
954092df37efca837412e568c052adfb93736c93

SHA256
6d07cc348f4986a49589fd3509dc9decab0e59548db423ec79010b089e3ccbcf

SHA512
052ca1741bc0473640073a8708547577dbe95c12e4842fa1de7935888501d5ee94e9328b6a3b5abccb68658bf2738d85ceb293cdee190055d4a490d1e8147b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMMM.exe

Filesize
748KB

MD5
0d15d72b4320837c734de7f5091c1863

SHA1
8bdeff6c21341ff308ee637fe0db91e6aaaeba77

SHA256
e09074ca3249e5fe62a61c8c5647e63d3a2140158edff2e6be77779edf55a45b

SHA512
d6a109d2ab93a44b340e5556c01a05dad05c86f3c13c646d6cc3b137cf9fffaefbae63fa73cb3337a91377ba941be0a4e77ce264f75262aff102f6e6ebd5e076

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUUUMwQk.bat

Filesize
4B

MD5
1fdf348b9219555306aa68f2f5b9aa48

SHA1
e19d5d027e40db24a72f7437bf2d0bd364cc284b

SHA256
e07840c0bcf1c0af20f4d1d5988d0785a58b587951d9740d1188a50eb3fabc69

SHA512
0e0df71c8a8da0bdae140e27ee99c1f2d8be8eb171f24b72a47f929a3ef3222ec64469bf5aa450d61abd159f173fb112d7988e16c407a5131a91f9b0870d7c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\scks.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgEoMokY.bat

Filesize
4B

MD5
1b22b4cf1648798d39ca04fa6d5587dd

SHA1
d50da97d0330103a0424105f9cd10feecdf16816

SHA256
7fd48b62c0001b6aef7ab76d82ab5b6d550af465ae760301c3fb49611542de5b

SHA512
a3183fa5dfa3a2e4ed24f0267d78750342550e0b97f2e0a2deefa66e46d894c760e3928d383f0d56e19860f6c70c734f12bdf02799dd5e28fb522a4734933c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgoK.exe

Filesize
186KB

MD5
baec356c12b09bbd8f31c2475e822266

SHA1
00fdc261bf69dcf0a3f5cfbbfc2770130431114b

SHA256
b1c220b3a7058df1a2cb38c3f3c5ad27b5c88e455ba51a8399c793fb18a38d88

SHA512
3672e00404fe6ff876c52be52879a8ca821d31e3ce764625e67ea9dfb42c38ec3096a64df8a87ddfad53a0bde1cfb0e8cab2fec7e34b1b669f557ea286b4dcf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\swMC.exe

Filesize
229KB

MD5
5549be2a5e086138533832cffc36e39c

SHA1
94127ee4c8183fbd62ddb69c9a420859334aad14

SHA256
f7988592234aa59de3b6744f8f8e45747731a49faea3f418e05509aac9d77ddb

SHA512
4223198728b487cb3dbb24483e817998cc8cb363ec7c14c83bf5c423aea5b667386a588d3a668668c015260f8effb94f4de3fb0d87fe5538c845215a0611a321

Download Submit
C:\Users\Admin\AppData\Local\Temp\tOYMsMAI.bat

Filesize
4B

MD5
6fd7dc14f24ceb2c771199dac751f15c

SHA1
db8469d4916f5a317eec14b3d91116074bb910b5

SHA256
b9adbae6c9f20d63ec31c1ac50500bbc10036585c90bbf18ee7752c110b2828c

SHA512
7bdcc844b96c18200591bc920138d52096dafbac72cacf9d8de056477c61e4b2d5852d5f096a0a88e6773ae1279966678e185ae20229d50a5033b598296f236b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgEkAkEA.bat

Filesize
4B

MD5
65b8ef3526be837ae865c1bcfe0b9f4d

SHA1
0363f82332a43514bd738f3af825922b849142b2

SHA256
0b2467df20b8786e187c9e52a74450070b5a5ab9d881986fc671684bf5db73f3

SHA512
1a6449e4b6e3f1e551925c4f90468706296bff613db20283e332685bedd30bd9ba43e7d2643eb2010ab80b24cb73f97f80db1fd46a026f2195999dd347692841

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMMI.exe

Filesize
956KB

MD5
45c00ccbe977f90c212ac34006c95442

SHA1
1192551e5b2346f0eb890aafb3598bfa4993fbba

SHA256
dfa1d8b2ad341e1386127821f2968ddd08161ab6ee2001f11b40323c2805307d

SHA512
b5666c4fca298737493492b3726290225c11d578cac806655b5c70f4544039342a7aa3aced8505e7577c94eccf97e6191675fa30715443f5d0b953ae58330ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQoUMQcw.bat

Filesize
4B

MD5
bd912ab8828e8a6970d3726db2423428

SHA1
26e8f137f71d98b01d0776d2a4596ba42c2317eb

SHA256
5ddd263b186d429192059332e1510a03da8c50ff532c2a43b1d43790b1cbe6cd

SHA512
f04296cf8971fe9c8d4396f5610c988ac1151c52b3924435270f4bd8c0fd12a0ac04bd0a5f1968c24b9b6f1149a5667aacfdcde1c55f1e42cf4e484868011581

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUIa.exe

Filesize
194KB

MD5
0f4de0b64b1564314190946bf805ab96

SHA1
55fe008df8d9d3c74d25aa3b4c73c8cadabaeea0

SHA256
3bb95b2bf0ad86f33190f35de618979b5bd102b1c786e7adc385064acd9c9559

SHA512
b2900800135a07729f002c47517d033892177fe614594f6cf943a4b5dbaade10246d5afcd2580abaa25556dd3530e2c1ebcac79d3018582befb8fa6ebe716146

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUYc.exe

Filesize
954KB

MD5
d200d585f5e2bb90d57d294679653c12

SHA1
bf9b706b23d5fffd1b7333be1412d45ea7207805

SHA256
03192ef4c42ca13ccdd620c8bc79a18e31b92b1209167191e4c82fc072633569

SHA512
248676cab8612959b476a2699bcf3f0402c1ebd48d3359920b7bb11b053c4e33b988cb5926723922a5b72e3d440ebef8d7c75e31bb0eafa3e13a9e7c0d9051ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucEc.exe

Filesize
247KB

MD5
f8b2b3eb3e30ba3ef8d7b50d238dde69

SHA1
8b5876ad091d26ae68083e6b730a7128f988c756

SHA256
704293cace526f002b1205d8991b2070ef019e22c78c045018c90a61bd5659d2

SHA512
a79f4b3a8d9f3f065e3fa89e1471bb932b0909088c7c297991f21a4b26e848d8a8c0ada5051d19af0f159c6d29995d03ae4bd6cd144d6eb9a0ac0b89474a77fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucUa.exe

Filesize
635KB

MD5
996e824237680d2f0fa97cc2e0695b0f

SHA1
4cad4178cb033c2d288b8db0fc320f503f405722

SHA256
27f6f6ff824f07d91b90667b2702dd71e37cdd90278fdcf186cc4d3ea19b9e0f

SHA512
7398359a6f3c2ff42fd7d6dc7983889593c1af2e0dc61be77762b0634988f6e5dd83d8514752b8e562addd842510697ac94d29a8f430ee761b94f978ae08705f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uckq.exe

Filesize
346KB

MD5
031b3ca17f24eea99ad41e81e5d99a16

SHA1
aa95c2f0709bf699633e560defd3bc6680a5ccfa

SHA256
83eac8f3c5f1f2d57d877c6df559c89bc474cb011a3f5da22b73bf12c83c659a

SHA512
e926de27cc210be242405eed8574eacbff4fbd8c5458744ac3c8585f33f87ef1a8b18cfcf1ddde6c2aa5ac84638083717d868d1ddb6aeeea89f6b74f22b62cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugAK.exe

Filesize
760KB

MD5
1bf26eb411c409ac655c867b661e2419

SHA1
43a815aba2d7f2cbd5b2ae2a884aabf453875276

SHA256
fb5573af672f98e1197a6972a64b677ac1f03e7229e86741f884694c6d7968d0

SHA512
2ce940f781ec89cdb2970b89353b996d7a47155db15358f5c037bfab43ab1b379a2598fdb18c9d5ce9d76abf6244b5f6666878709419e622550c688bede1448d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukgC.exe

Filesize
235KB

MD5
a773271f652aec6600feb57aa6016b96

SHA1
a2a5389045b17e8fa9eb20828e7dd1548cb7fbd1

SHA256
7a47e49d223db54a74816daec984b251e4e8f0a0838e352708dd51b322849b95

SHA512
20b13a9d3fa4f6eee1176c7393d7704b8e05fa5f902e9fdf15de2eb384c3462a13e92787d0d92584a691bbb29b54a80ecc45bffa558b6c7bde982fe8bda50159

Download Submit
C:\Users\Admin\AppData\Local\Temp\usYe.exe

Filesize
211KB

MD5
46a6cfc172c613b77d9d96f49d4efe94

SHA1
8100ba28460d370a4556dcb153589f89ecea2c06

SHA256
b9b8282154cd622799f4c87aa3546a1eb568bd7b830de0620100c633ffa60fbf

SHA512
a30f3b398649f32721294e14bb0ea434f9a233a64d818389dace19bc0d3e6dea836e20a29238f3ce00b95e9a4ca462b7337ace413c23d7075737983827b234ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEsooQgk.bat

Filesize
4B

MD5
626cfee6cd0e14fee1d7a79bdf8c0ad8

SHA1
92c5b9be4693ecf79aa3de5277dcbb875452e000

SHA256
16b7045b9f9529c38915d168b5d05b3e524535d65a4edee85fee4cefbe0d4ab3

SHA512
670668c8ec3f01b570b79e327b71d08ebc735a56d203471a61ca90902e3d58bc83cc87d87405ab56d86da413c6394cdce7a1eaf5c472149ab055a02585fdd8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\voEooEco.bat

Filesize
4B

MD5
595fee354b741ce5c1b998ba268fd2ae

SHA1
6c2bd5dd8d6e258bc5a3fc914e5169da2400ff73

SHA256
90b531a93f9b72caffaaf4608581f39df8b7332070001041d7d955f58bf5a418

SHA512
94ed6ed53a52d308754b44a86661ee36becaa75af9b293b0a9c87206bc4e582161312f829ffb3890f823e7eb0176815ae5a6189628501493db87045ecd45d32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuksQoEQ.bat

Filesize
4B

MD5
4497cc095557f3ccd29f5dc02196e66e

SHA1
5211e96898b5bb98cc0f632a2b1a929fb33d59c1

SHA256
7a54aad051422bc91bdf767dfad573a4b2229ba7afaec28abdd76d08e69b8263

SHA512
19beb5abd192b5cf78841019379dbc863345e4392faad653da43156e5a7e90ea96accb5135942945184329c3474e26f32f31c19ba79f483c0fe315dda721d490

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyEUkAgY.bat

Filesize
4B

MD5
504bba2cdd4c9ba630cbfd76723523bd

SHA1
3cdbd73489bf94d50a5a7f6ea6b0b79f61619874

SHA256
c1898851b19a921029a90bb7cd940c6e06e6c76908b518c9a99e1957f5dfb9a0

SHA512
84d1ea1bbf79a17f3fa3cc48d377a4a2f5b7426a30874876909cd161b6d542f75f0700b0df5b0e44c12e7c32785832d174386f0a2805bc74092445794fdf0b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAIc.exe

Filesize
189KB

MD5
06f8f6924605e7f5752002d7c90eaf56

SHA1
2bbd9febc422c6c26909d995e023f9dd3b9e63d1

SHA256
18ef107005ce890a109b0fddb7bda0bbe3e5e905706798cf1ec17919daf7fab4

SHA512
5f78f982d670fe8b72bbce542ae8da6d27599701fee2b7f6819deda5302ea21b197b9ab83e9f56eb376bd3ca5defd8736ccdd2d409b8e7875afc86dcd1b62c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEwg.exe

Filesize
233KB

MD5
b17aeeb8ed261bd3b7fba16f26a668d9

SHA1
4084a54713a1945063f6839cad63822eb86bb22b

SHA256
edb426c5087c8490634af87ced47760bfe6be350f7f35d9b8741c8db6f79789c

SHA512
219223530d8630b60630b96f36ff428b7c4ddcf4894c373942d7661d7be4c3a595a7bbdef0169d3945b7073e7d69c57af624d4ab2179b7d1418415c5fd63efd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQsi.exe

Filesize
317KB

MD5
3f15b10164ace94b93566b0a0ab9185f

SHA1
7af2b10755d7784b4bc57ff85cc40eb4c99099ea

SHA256
54e13af5560b91e221d72f7497683abe98e23ba07cf4ce5552f5517e25ccd030

SHA512
19c3352fdf708005c4f036039d73a2e0a6cba6b029b025fae2f410d39cd3d5764199fd6be09acc6b9f64fa2f4292498c2e636ab5ad1dd9a75adf6685119c459d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUgwscss.bat

Filesize
4B

MD5
e7b79e3023620396e328218bebd91c90

SHA1
9f9cc8fe71d71612bc02f8a121f841f8880a857b

SHA256
ae5b22bc5ba0d966d5bc9f7d040a2773911518a5d3a311b5862be677fdaff5f7

SHA512
805982155729c352959c43d7b764d81e033f6fa37cc53f81f77ad44fe9005e3f97cb1b499a719c358c2833d747bf798c028da158c2a7f6f4ad915d8d7a948ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYYU.exe

Filesize
642KB

MD5
71a593e50facdc431bede385ad8d2f6a

SHA1
afaf8b5c4b63ac08ffeb67b91f9a4fc665f11662

SHA256
0b927030cd8a5c45a0af3f69e51dfc18bb27225b7e8630176497ec0be6455f45

SHA512
0faec7efb3abd10d50f6235f393b101fcf4e556a58027961e6027882d401928cc8a646d964eb5c10814fcb56082d6e7b841c7e300bf3f3e8f882ed0b8591ce41

Download Submit
C:\Users\Admin\AppData\Local\Temp\wakEgQgc.bat

Filesize
4B

MD5
a6c5ec16dccf4fb162d46d54c6f5f41a

SHA1
43a40d5e78fabdb7a903177edd630909402b625f

SHA256
6d4e26ac5060c6d03dda6c52b891e9d2e9b59ba9ee6df13c3e622f54c2297ec0

SHA512
d3580eb90f147114d98951c908b14b237a71cf42bb8cd4d2b5f0a617b5a261d1122ff3ede2496948097a06d64d8960362f5dd82df121a048498027b491c81a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcEw.exe

Filesize
230KB

MD5
a504fda2d5a7dc1896e21f16248d045f

SHA1
3c90113c675b33e49e12bfc9dab3eb200e118ddf

SHA256
d39c38876c6ab520f740af19898133538bdf6c32fc276e3ecdbdce5152970bb3

SHA512
7499aa42b9984948a66d8056a36fdafbba80b45490f70ff62357097fe372b634d1f2084512401bd464c03e3a4c1bff6dfecfaef17df360938e75f458d102c1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcwk.exe

Filesize
235KB

MD5
a2246a451e02ec872ec10f1e00fa71b3

SHA1
e82d1f6eded736f35ff86691fd1c5204e9d6d840

SHA256
d4ad06c54b8225b44f7b09a6fb6d4610601392f77feb644043b9b62d5c672ab3

SHA512
e4f43ecfbf7c372c2fab6db14b31ac7763416de3eb62de9a692a51d099b0b307d8e37b30ebfd0833a4929b8672f62f11367088dcd8b7e6b50af146b910a12fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\woEc.exe

Filesize
208KB

MD5
4d2075c3c8382f107bb8dac1cd39a789

SHA1
1277b980903a8714ab4c80ac8514f3fa4762e6eb

SHA256
c2d015d84af1ebfd4fe2a53b2139c2b1842bd3eff424caf4d6a7e182b4ac854c

SHA512
b28840f864f40a7be524130a93a313245997ef1ab9b9dab2a12a8f702d7e542a61b50ff6f87161c07f906f3eef8f1e0458de5308ee2e9a0beef3204ca7ed2f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsIQ.exe

Filesize
247KB

MD5
3b016cd95c7bafd8f10e4839efc503fa

SHA1
99fbe64a76e337a3a0ed3089feec4c4b34dc1a5b

SHA256
8176f0b437cff1865f2fd5e3ecb0272f67526d6f33d8f2ca36cf2c3899814283

SHA512
93ed8618498113f2546b4a18fba091378c383490c23fe6eb2a98fe503085d93c2aebc8276bd92b5f012d388c6cbe1292534e5d57dcc7580d4759892665817e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwYy.exe

Filesize
511KB

MD5
05dfb6aa6ec9f06b2fd5d26ed4c0ea8a

SHA1
3eedfa9d4b3313f6b279d3aba6c4453c444e87a1

SHA256
b9c12f4c84b7de63cf2230ab81ecf0ba86f16d2673cf2d6a96e6d2916d10c86a

SHA512
efcee882d9375b89992b975d8835a636ef96bca06c24e3f2c8ae1c33ad0c287ebcd79d3952c4595d28bbb45dd9b7161718497c8a056f790027c56ee229625360

Download Submit
C:\Users\Admin\AppData\Local\Temp\wysgYwAk.bat

Filesize
4B

MD5
89a155f8e210d232193ff4931afa3c6d

SHA1
5a18048af4e7d9671a68e7322aefffe34806ad8c

SHA256
375cbb3e8c9e9ca869ca0b4ddebf77d50efe765c6d2717a51439c805a47c9915

SHA512
739fd54b9aec8f8a11b6818abcc2a9e98335b712b1e6b3022106bf0f98a0eab5a4b2a2ebca2d421ec2c57f59bf54436fc8cf2ffab67343bbd0ce4d10b100be52

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAkckkAo.bat

Filesize
4B

MD5
fb602574648fd10ee759b44f74b8ce53

SHA1
fa40b8a681595e48445206ca87df819aada02219

SHA256
29667caed07292d82414faf17040ed3928b94c3165445308efa4063e7c713021

SHA512
6ea9ba0d15dfe65a5e4e77b79ae31911b767e2c62742076bb29adaa290e6fb69378ae249fb58018836fe11dcc8fa7e3ec2a3d0f6b8986dd5025808eafa92edb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKEUkgAE.bat

Filesize
4B

MD5
c05a0aff9e5357b0bc91ebb1e54d4f0c

SHA1
303e751e535c7d724951647da21d114a1230185b

SHA256
cae36c7eee0367958ac4b8e98b214313fc0fa2b779da1416a267e1026fa03f86

SHA512
037d972065d0208a79eecd34127411dea28fbd5ab21a520715b5eb330bac4c77c0a7e39025e42c20f7317d845996da0083839c9166f7054f2476b4e4b87045db

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKwMMcYE.bat

Filesize
4B

MD5
4ddd312738e941db84644ec1e08cfb1b

SHA1
65a6e55945bfa765fe9bcb172b478ef2d7994069

SHA256
3e588ad6fea6b4b7c928c53083e134bcc81f28f0be4f2392248540988dd0d4cf

SHA512
931682ce4d4b534bd32a1e3d840c169608a134150060a6a791305717df5b99664e7e53e9034e806d9cb2e92a1c2d61deb507181b726ff45503a6d1d905696c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\xikMUoYc.bat

Filesize
4B

MD5
8bd9a707e9c526cc3abab92a1e757f60

SHA1
393c9f2934020b9c3e3774bb830156fa86770ba0

SHA256
9cf2ac958b74ea9aa784e545ed5e50fa0a719809e02bc7eb99abbe0e02734c1d

SHA512
9e456c1572ba147f923776b9bb729b107835618cf164c7b1f25619b00d9a10a9be4d2497dbbb1de9f6f98fbdd5f66a676cb31b7b83ac95ed6db96a1e5f7cc8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAkcoAog.bat

Filesize
4B

MD5
65cea779a6a008e507d0611cb1bdff1d

SHA1
66de068c4e47dccc4062860b5da45332b5ced7d8

SHA256
7cf3305ef0efcba12b8119b439bebe867b48c4a8064cbfe711aec842f6c4ac4d

SHA512
a49c7b079fd792421f0c6132e4153a97577dc16c8ab2fe7428c9658cf359aabd708a9c26a407da7876dfd8d5cbd8844d5a4b304117ea145f151cecc5495fb0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEYO.exe

Filesize
232KB

MD5
11e3fca4b8ce7a5aa2e30da5e76d0b26

SHA1
ffac81a922e6d26b19c8f72de9862caff5e4cf0e

SHA256
860578c7743897d9db386eb081a15553646d220cfc6a3c877448cc5d4789e125

SHA512
2ea3dd2734aad3fa731d0db57509df5b0e74dc72e5d3be7804e596b26f45756bd212ff128bc3ddd7c709b07774f2b4ab785ec63c4d090b02dfef565dc5e29dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMUYcscc.bat

Filesize
4B

MD5
e8081992652d42f91d9c812900c2066c

SHA1
055fa2673185f1d2031c801bd3c5ee1e661197d4

SHA256
c1a3f596d1dfb709148681ae2770a3f71dd2a408c5a9afdd796e82b25d8a96ee

SHA512
455228f911f47f1a22b13b9dd940729d4e30834a060e0dd66630bf70a2792c93d104770e7821a9d2ea92473779e033bca2e94422c3a248e266d1c0ddd4849599

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaoMoEos.bat

Filesize
4B

MD5
3a3165e9245948fef4fb4185e4b5d9e0

SHA1
c90781adfba544abc7880f4eb9f1953df9f7d7a5

SHA256
58bbca9e022cce293707096c4339dd0c56a190370bb9c0d1ab11bb4b91787712

SHA512
132da30d95cb89b054d8856f83c773d39c166ebac1ab1e11276e1d8076eebcaf6e0adebc1ec581742eba7cb9a94e1e7f3d9d9a783048d17ba3b12a1715439330

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykgcIYMw.bat

Filesize
4B

MD5
2ed1797dc70b489bb6468d1c1429b3e4

SHA1
07dea776f8df58b4671a5701f441860b3e2bd243

SHA256
e053af8880b46eb1fb628441474e05256f4636cfdac8951a2c3287a1ec9066d0

SHA512
f7ab765fb765a581684de616f229b43095fe5b3f8ba138f7d174b1ba6f48b8e1eb657b6a3e077cbe651c81576e8b4acabebcaa95a0b13ee28a5d56d346e1858d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymYAswIs.bat

Filesize
4B

MD5
b81202192d219909620ae53874c95268

SHA1
d054d384cdb2132577d60942f3bb333bb89e53c5

SHA256
d3ca65724ef3a0462287a4abcfd71c9ff6a6b9eaede2676a1a7f9b68d0daf485

SHA512
91adb2b3b240bf6055df7ea58fbf86636aacb21ef1823b16c22b44fc8e9d96197a3c8df968b440dee5eda8eb83457db97edd925d35dd6f10ac31a12aa8775ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAYQsAIw.bat

Filesize
4B

MD5
08079cfa3860666c12220cb423b05e74

SHA1
0dd1c0f024441884cc686be9e2704a109d70a8f9

SHA256
561dc88d68f6cef6c914ed8ca1c1d88201918dff61b9f377e93284d114c18faa

SHA512
d7008c9b5e9ecfc693ec9a90b0bccafa9c8d5127f10913f8fd44d8a7f5cf8839bd3bc4908c30a29834666a4fa858c0065d1ee8100627928538e4915c14715765

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCAEgUcA.bat

Filesize
4B

MD5
3e8bc5ed52c0db705c794649d1e22d19

SHA1
ce32bfc2355abd136c6cbd971c419b9180308fda

SHA256
8302608c383e0579a174563eddfd1f86092f5c257e03f7cf167c60fbba039800

SHA512
78d82fc58bc31dbab08bff0f602ff96a288fa89934f91fe5613aaec96192a7dc8f5ae2c78e9b2fe59d3b004d66fe01b40c6b6a80d73fa4f27499575bba93ad5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYIYYwYA.bat

Filesize
4B

MD5
e40492018e94ac7b680f5594a09b97af

SHA1
19266e8459535e126eceb94d70498dc6b9e04d85

SHA256
5df7674d2afe97780461040cd645cf4110a5192ae6ce5ecd2a7075a7a173ff94

SHA512
43c0af51b3f4924d9079e65bd8f9af7f1653570d7cd707096423035601ad4307db3f4c371305c601f838d8095c1c538a12fdf4e47fe76fb55fb38764fd29b9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcgMUEEA.bat

Filesize
4B

MD5
b984deb52b7293dc23d1281178b704c8

SHA1
a5ab44e1edf68c5ac0bdfc13f6b5daf3e49cc826

SHA256
b6ca7b7c7db13f969a04e1c23fe8367b90a0cc0484d806430db511fc000629fd

SHA512
54a2d361ba8d5037bfff22d1335f6288909ccc3daf50ea0889b27a9157066689927b4eebc3bd3aed499170834711ba57a0e5e3d155da000b95a94c3d23f20e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcgwUggI.bat

Filesize
4B

MD5
9fb0e32b6f563cb4802d3cf034bcf072

SHA1
07faa939cfa44f96a2c5acc36b787af3f408388c

SHA256
5e8956d91ea657e13378735be58cb572a062407a7656a66ad9cc2930e4a8df6f

SHA512
875683d8e8bb615fc9c7e3578a27762704acb632e41e9695a702ef25ca57092a666005c7945826e2872a76d8fb7d4a52f112b014ce6e1b1097e94de18b8e855d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgMMssQM.bat

Filesize
4B

MD5
666b4b236b6c9c0046b69bf435e64141

SHA1
31982de7589d89b57099b316661a3f76faf992cf

SHA256
27c343dd86bf4634e63d3d9154f32562e22c59a711e934588a6adcb1620bf264

SHA512
2ff6792314f556da10573282284edfa22270c9b168bf395694f6fcbceebbf39a1dfcc378cdeed5695cdaa0cb82939ef21d20736eb2a286ff1739fd6ce8edaa2a

Download Submit
C:\Users\Admin\AppData\Roaming\CompareWait.pdf.exe

Filesize
474KB

MD5
b67443d3fcc5fea2d412f86c0cdb5b11

SHA1
d6e5f733ccc19c65af275d0a5bd52ec431e46db8

SHA256
74537b0f6a8c4aa8e88b5c2d975227ce2dec253d372b29b3a6880fe8808e3de6

SHA512
754f10f5bc8dd6e5acf00484d8e333c430bd11afe64660fd3cc3d651380e6e0af729f5e1f0646bb386ee17951a4dfaea80a9479ded10f73a66036ead3a030de4

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

Filesize
945KB

MD5
a60aca812dd43f1da641fc8f5844b84c

SHA1
dec7a7a37d486bb83c4b5b4593903ed4719d5b14

SHA256
d1dc0ea0aae5bc86f88b0371ca2ba7e802b9e417227b061ee123fe5b64e85de3

SHA512
d7297d299da77adebabb33ca8a2caa4c8a594506d70aab8bad274e264928c26e8909ceb8eb3e63923193a266d440a671f70769c2c978b14400eb7caf8cb958fa

Download Submit
\ProgramData\oYAUEIMw\cyQwUoUo.exe

Filesize
186KB

MD5
b3684abe47d9d6ee4fed641e50828a1c

SHA1
97adbff509978c88dcc27cd2d600253e30611ff2

SHA256
38f95bbbda1c408a978c4dcaa962fc525955279ff705596518e29d81cc5cabe3

SHA512
dbfd8ec7b16d9da8538bf02708244e152eb590b61252df3a3acb59f591b65a889f92727ee491a4431d823bf01e209210e1372df58da05a7bb34bd4b0058cb91d

Download Submit
\Users\Admin\gmoEkEkI\qSUckMMs.exe

Filesize
198KB

MD5
c0c3e5768fddb801a4ff9f580f1a5d4d

SHA1
0fad113293158cc0412b37b605ab91e15474cf02

SHA256
2aa94a4b4682e5fafb768404f28d8ffed55fb737d9cbd2a2065d09964e138b86

SHA512
8bbdfa0e74dcef22027a7bea3fae93769cdd73d40e09bc18ee2ec03e4b4b045a5ce9606ddf2e6b51fefa577bb536f16ba862c06c0b8e3c787e710f84c4e2f8bf

Download Submit
memory/372-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-638-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-700-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-669-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-657-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-629-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-266-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/1044-103-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/1044-104-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/1048-627-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-628-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-617-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-14-0x00000000007C0000-0x00000000007F0000-memory.dmp

Filesize
192KB

Download
memory/1660-5-0x00000000007C0000-0x00000000007F3000-memory.dmp

Filesize
204KB

Download
memory/1660-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-28-0x00000000007C0000-0x00000000007F0000-memory.dmp

Filesize
192KB

Download
memory/1692-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-149-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/1748-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-355-0x0000000000160000-0x0000000000194000-memory.dmp

Filesize
208KB

Download
memory/1920-80-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/1920-81-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/1936-218-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/1968-679-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-769-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1972-768-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1996-333-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/1996-172-0x0000000002250000-0x0000000002284000-memory.dmp

Filesize
208KB

Download
memory/2008-770-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-758-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-715-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-668-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/2088-667-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/2168-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-691-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-724-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-690-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2200-670-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-648-0x0000000000680000-0x00000000006B4000-memory.dmp

Filesize
208KB

Download
memory/2240-195-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/2240-196-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/2356-378-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/2404-689-0x0000000000180000-0x00000000001B4000-memory.dmp

Filesize
208KB

Download
memory/2420-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-567-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2536-471-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/2536-748-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/2536-472-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/2536-747-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/2560-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-714-0x0000000000730000-0x0000000000764000-memory.dmp

Filesize
208KB

Download
memory/2624-713-0x0000000000730000-0x0000000000764000-memory.dmp

Filesize
208KB

Download
memory/2764-241-0x0000000000180000-0x00000000001B4000-memory.dmp

Filesize
208KB

Download
memory/2780-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-587-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/2920-586-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/2932-749-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-401-0x00000000004F0000-0x0000000000524000-memory.dmp

Filesize
208KB

Download
memory/3036-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-448-0x0000000000580000-0x00000000005B4000-memory.dmp

Filesize
208KB

Download