877c37e2b15ac450c67c4d88964ee53357e0722b03a046c603f626d3f39e80a4

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 18:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Size

143KB
MD5

9b2c74478464af11cc7a8d075183837e
SHA1

32bee1800b816bf16ff597a725bce001baefea8f
SHA256

877c37e2b15ac450c67c4d88964ee53357e0722b03a046c603f626d3f39e80a4
SHA512

832ff64c2c69ac6bf94beee2b7695e8e1cf671815be47921d2cd2e48652f1d912665da6110ef0258f3e1dc01bdc04e204cf8f05052541fbad91aa25c783a8780
SSDEEP

3072:tfXPFEhlwj1pKzASHRPGq5yIq7Hxr+r6d+39fx:JXt6wj1pKzASx+YyIq7RS9

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	zockIsws.exe

Executes dropped EXE 3 IoCs

pid	Process
2132	QkQkIMAM.exe
2828	zockIsws.exe
1460	QkQkIMAM.exe

Loads dropped DLL 27 IoCs

pid	Process
1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
444	WerFault.exe
444	WerFault.exe
444	WerFault.exe
444	WerFault.exe
444	WerFault.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\QkQkIMAM.exe = "C:\\Users\\Admin\\ZoYIwkIY\\QkQkIMAM.exe"	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zockIsws.exe = "C:\\ProgramData\\yeIcgkEE\\zockIsws.exe"	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zockIsws.exe = "C:\\ProgramData\\yeIcgkEE\\zockIsws.exe"	zockIsws.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\QkQkIMAM.exe = "C:\\Users\\Admin\\ZoYIwkIY\\QkQkIMAM.exe"	QkQkIMAM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\QkQkIMAM.exe = "C:\\Users\\Admin\\ZoYIwkIY\\QkQkIMAM.exe"	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\QkQkIMAM.exe = "C:\\Users\\Admin\\ZoYIwkIY\\QkQkIMAM.exe"	QkQkIMAM.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	zockIsws.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
444	1460	WerFault.exe	44

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2576	reg.exe
2176	reg.exe
1740	reg.exe
480	reg.exe
920	reg.exe
704	reg.exe
2136	reg.exe
2132	reg.exe
1052	reg.exe
2240	reg.exe
2528	reg.exe
1064	reg.exe
1684	reg.exe
556	reg.exe
2284	reg.exe
2832	reg.exe
3028	reg.exe
288	reg.exe
1752	reg.exe
2652	reg.exe
1560	reg.exe
2488	reg.exe
2204	reg.exe
2580	reg.exe
920	reg.exe
2036	reg.exe
2376	reg.exe
1492	reg.exe
1172	reg.exe
2960	reg.exe
2528	reg.exe
1652	reg.exe
1604	reg.exe
2252	reg.exe
2876	reg.exe
2220	reg.exe
2172	reg.exe
2380	reg.exe
2808	reg.exe
608	reg.exe
2116	reg.exe
2616	reg.exe
1952	reg.exe
1748	reg.exe
2400	reg.exe
1696	reg.exe
1388	reg.exe
2500	reg.exe
1492	reg.exe
2808	reg.exe
272	reg.exe
1752	reg.exe
328	reg.exe
1104	reg.exe
3012	reg.exe
2588	reg.exe
2760	reg.exe
3008	reg.exe
2768	reg.exe
2796	reg.exe
2808	reg.exe
2688	reg.exe
2592	reg.exe
2944	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2936	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2936	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2120	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2120	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
860	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
860	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2288	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2288	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2676	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2676	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2576	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2576	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2500	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2500	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2908	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2908	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1780	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1780	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1796	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1796	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2808	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2808	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2312	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2312	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1476	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1476	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2104	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2104	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2280	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2280	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1832	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1832	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2860	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2860	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2528	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2528	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2040	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2040	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
596	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
596	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2236	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2236	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
352	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
352	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
860	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
860	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2652	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2652	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2424	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2424	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1764	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
1764	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2120	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2120	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2388	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2388	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
876	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
876	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2776	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
2776	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2828	zockIsws.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe
2828	zockIsws.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2132	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	30
PID 1620 wrote to memory of 2132	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	30
PID 1620 wrote to memory of 2132	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	30
PID 1620 wrote to memory of 2132	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	30
PID 1620 wrote to memory of 2828	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	31
PID 1620 wrote to memory of 2828	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	31
PID 1620 wrote to memory of 2828	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	31
PID 1620 wrote to memory of 2828	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	31
PID 1620 wrote to memory of 2580	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	32
PID 1620 wrote to memory of 2580	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	32
PID 1620 wrote to memory of 2580	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	32
PID 1620 wrote to memory of 2580	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	32
PID 2580 wrote to memory of 2572	2580	cmd.exe	34
PID 2580 wrote to memory of 2572	2580	cmd.exe	34
PID 2580 wrote to memory of 2572	2580	cmd.exe	34
PID 2580 wrote to memory of 2572	2580	cmd.exe	34
PID 1620 wrote to memory of 1744	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	35
PID 1620 wrote to memory of 1744	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	35
PID 1620 wrote to memory of 1744	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	35
PID 1620 wrote to memory of 1744	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	35
PID 1620 wrote to memory of 2812	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	36
PID 1620 wrote to memory of 2812	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	36
PID 1620 wrote to memory of 2812	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	36
PID 1620 wrote to memory of 2812	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	36
PID 1620 wrote to memory of 2592	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	37
PID 1620 wrote to memory of 2592	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	37
PID 1620 wrote to memory of 2592	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	37
PID 1620 wrote to memory of 2592	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	37
PID 1620 wrote to memory of 2548	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	38
PID 1620 wrote to memory of 2548	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	38
PID 1620 wrote to memory of 2548	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	38
PID 1620 wrote to memory of 2548	1620	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	38
PID 2548 wrote to memory of 2160	2548	cmd.exe	43
PID 2548 wrote to memory of 2160	2548	cmd.exe	43
PID 2548 wrote to memory of 2160	2548	cmd.exe	43
PID 2548 wrote to memory of 2160	2548	cmd.exe	43
PID 2572 wrote to memory of 1460	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	44
PID 2572 wrote to memory of 1460	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	44
PID 2572 wrote to memory of 1460	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	44
PID 2572 wrote to memory of 1460	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	44
PID 2572 wrote to memory of 2192	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	45
PID 2572 wrote to memory of 2192	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	45
PID 2572 wrote to memory of 2192	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	45
PID 2572 wrote to memory of 2192	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	45
PID 2192 wrote to memory of 2936	2192	cmd.exe	47
PID 2192 wrote to memory of 2936	2192	cmd.exe	47
PID 2192 wrote to memory of 2936	2192	cmd.exe	47
PID 2192 wrote to memory of 2936	2192	cmd.exe	47
PID 2572 wrote to memory of 2096	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	48
PID 2572 wrote to memory of 2096	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	48
PID 2572 wrote to memory of 2096	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	48
PID 2572 wrote to memory of 2096	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	48
PID 2572 wrote to memory of 2944	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	49
PID 2572 wrote to memory of 2944	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	49
PID 2572 wrote to memory of 2944	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	49
PID 2572 wrote to memory of 2944	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	49
PID 2572 wrote to memory of 2616	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	51
PID 2572 wrote to memory of 2616	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	51
PID 2572 wrote to memory of 2616	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	51
PID 2572 wrote to memory of 2616	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	51
PID 2572 wrote to memory of 2908	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	54
PID 2572 wrote to memory of 2908	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	54
PID 2572 wrote to memory of 2908	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	54
PID 2572 wrote to memory of 2908	2572	2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe	54

C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\ZoYIwkIY\QkQkIMAM.exe
  "C:\Users\Admin\ZoYIwkIY\QkQkIMAM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2132
- C:\ProgramData\yeIcgkEE\zockIsws.exe
  "C:\ProgramData\yeIcgkEE\zockIsws.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\ZoYIwkIY\QkQkIMAM.exe
      "C:\Users\Admin\ZoYIwkIY\QkQkIMAM.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 192
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:444
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        6⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        8⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        10⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        12⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        14⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        16⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        18⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        20⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        22⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        24⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        26⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        28⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        30⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        32⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        36⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        37⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        39⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        40⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        42⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        44⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        48⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        50⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        52⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        54⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        55⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        56⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        58⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        60⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        64⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        65⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        66⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        67⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        68⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        69⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        70⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        71⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        72⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        74⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        75⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        76⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        77⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        78⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        79⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        80⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        81⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        83⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        84⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        85⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        86⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        87⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        88⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        89⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        90⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        91⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        92⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        93⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        94⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        95⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        96⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        97⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        99⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        100⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        101⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        102⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        103⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        104⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        106⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        107⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        108⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        109⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        110⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        111⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        112⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        113⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        114⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        115⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        116⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        117⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        118⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        119⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        120⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        122⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        123⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        125⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        126⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        127⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        128⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        129⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        130⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        131⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        132⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        133⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        134⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        135⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        136⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        137⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        138⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        139⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        140⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        141⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        142⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        143⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        144⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        145⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        146⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        147⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        148⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        150⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        151⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        152⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        153⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        154⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        155⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        157⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        158⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        159⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        160⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        162⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        163⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        164⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        165⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        166⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        167⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        168⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        169⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        170⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        171⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        172⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        173⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        174⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        175⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        176⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        177⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        179⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        180⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        181⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        183⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        184⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        185⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        186⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        187⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        188⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        189⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        190⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        191⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        192⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        193⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        194⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        195⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        196⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        197⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        198⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        199⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        200⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        201⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        202⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        203⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        204⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        205⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        206⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        207⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        208⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        209⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        210⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        211⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        212⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        213⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        214⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        215⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        216⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        217⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        218⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        220⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        221⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock"
        222⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock
        223⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYowoAoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        222⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\esAUwAoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        220⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VAQosUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        218⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BmMQgkIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        216⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWwAkYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        214⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOQQAock.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        212⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuIYEIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        210⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies registry key
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiAMIsUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        208⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAUwQcIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        206⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqwwAYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        204⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSwMQkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        202⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JioQIkQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        200⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\POUcwsoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        198⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkEoggUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        196⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sowEYoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        194⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qwcsMkAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        192⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KAQsgEQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        190⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQsEYwoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        188⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XowUQkAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        186⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIMcMYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        184⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies registry key
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fegUoIsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        182⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIQYwccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        180⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcgwIIEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        178⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        Modifies registry key
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IIEQIMkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        176⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aasEscMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        174⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIIscEAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        172⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOgscocI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        170⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkkkAgUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        168⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pYEQEsIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        166⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BSQooAQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        164⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ioEMggEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        162⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkYsYYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        160⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWwQosIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        158⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IuIMscQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        156⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgcEwAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        154⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hEkIEcQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        152⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKwQwwcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        150⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCQcEsIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        148⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\auYQAEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        146⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIIQwYQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        144⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OiAIogsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        142⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CyAIIQos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        140⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MKUkIIIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        138⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LWEMMkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        136⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOsMMkIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        134⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIYsIUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        132⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eYsocoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        130⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSgwQAgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        128⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ucgsUoEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        126⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYcoEIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        124⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JAUYAMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        122⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCUsAYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        120⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PoYwwkkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        118⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUQUYIgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        116⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EiwEQQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        114⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aeIgAYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        112⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmIYwUwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KsEEMwUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        108⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KswcsEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        106⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSEggkEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        104⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\REgIMsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        102⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWIsgsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        100⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BkMsosgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        98⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKckkIMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        96⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wAUAgcEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        94⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuMsQssw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        92⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmokogsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\doAMIQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        88⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgQMQkwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        86⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMUwUowY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        84⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmgswkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        82⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lcMsIUUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        80⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEcssAkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        78⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SioEkwUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        76⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKMoUUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        74⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MQwAscUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        72⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQEQcwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        70⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BiAoQoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        68⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ncYwUAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        66⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dCMEoQsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        64⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cOMEIwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        62⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ySAUEQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        60⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iAcYgccs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        58⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mAIcggQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        56⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCYIkccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        54⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JissYAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        52⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tecockgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        50⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\deIgwkAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        48⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        Modifies registry key
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Dowockkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        46⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CooYsUYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        44⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmQMQoYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        42⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eWEUIoUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        40⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AkMsEYYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        38⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nekcEIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        36⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RikUkccg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        34⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUUMAMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCsIwQco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        30⤵
        
        PID:272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BYQwkskI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        28⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YakQEkMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        26⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ygkAosAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\icooksoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        22⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pGYUwcMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        20⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngUgIwIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        18⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUkUQsoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        16⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jusAwIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        14⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FOYoUsoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        12⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OeMIIYsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        10⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUYssgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        8⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2284
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1200
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EigwgcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
        6⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1068
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2096
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2944
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\YOQgocMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
      4⤵
      PID:2908
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1164
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1744
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2812
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGIgoYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16846432262953923921742457683925354585114835070364680575969458567205051029"
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

Filesize
186KB

MD5
a414bf54752a88729f927c94d3d26a17

SHA1
8e1b527d724c05f4a9e3b0f263389b03a9e05988

SHA256
ff2de3f3c15b9c75477e5297edf4fc16bcfa3b4cc69cbaa312bc6edf6cbfcdb7

SHA512
c91a049eeb99bb68c9c7c8f04a86864171acba5b9070b369bd6d29ea11d7c5b9ca07be64a15fc9c6ceb77155f2fb3ac1887b0a40b13d8ba487f10953db1cc472

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
180KB

MD5
0f0c5963ac911f434d512b851599b90b

SHA1
d62beee244643980f0d4f2b722bc62a9d2421f3c

SHA256
dec28548e5113cd9e83c07a8b3b12526fc6f95b8531e8e66342bee554172854c

SHA512
f9515028d452ccdc7241ac286f6596fcec5db03b013da2f390fd482a1fe3c947311a6faf16f23e59c547b9f858c14e8beb675d717478a742ddd7a7f56f8ba37b

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
767KB

MD5
0c4acf2724da96ba0958d5175483d63d

SHA1
e82f9a7f8fe4af0e15d2d7851911d349d4f51b02

SHA256
4bca5209d9943e7ca60b8f33125517f6016d68b5083f29f9d51ff06e9ef748c4

SHA512
dc287257f09b9058d71c93fc5f327ed5f60227eb86e31c5d295797f2410783568d4e53eb071a1ffdb3cd371e038e504f97e8951ff902c81158e5eac6fd7ac05e

Download Submit
C:\ProgramData\yeIcgkEE\zockIsws.exe

Filesize
134KB

MD5
aab9efe27e63f34228d04eefc628a409

SHA1
e3f2051c0ef20d22b0d5f11706e4294daa870dac

SHA256
da4b59e7792febe3171c7453351ecb115d2d4f1e5d3fb55550fa6251b95e9a6c

SHA512
c0260ca537e56f894a51dff660572b52b314d3242a12a1270a9479b0426a1fa6246db655ce19713a8b751a42d59862318e96239dfbc08135741ff3856755012f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-07_9b2c74478464af11cc7a8d075183837e_virlock

Filesize
4KB

MD5
4f72a54da121782b90c964ad8d6fd093

SHA1
8b11893ef467ae1d96cae5cf3b4060247799b3f8

SHA256
3d1f5002f58971618500024d3dd5172319a10849eca834156d85fdab95d57159

SHA512
fe177717a8e007d0454c8eba795b5ccc17523449ca0f2879e34d81c8b1cef74adf1fc9b34f386c00db2067d043fef859a9bc9640482da37994ca903ae93e1302

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACkwoEkc.bat

Filesize
4B

MD5
1a50186e85d70cee226c42a9ed527fec

SHA1
d5056386abc0a83e2a195a97e3777287126246a6

SHA256
e4c6493b6a87b6e2fe5d22976b21363eb498b11693e88c82ccb42e091c5fc22d

SHA512
f24ed73bb69e7d3a9060710551c76b8163147a5ff29ce07d38758f70fd152d00d5ea29b9fc241879aa8f50c1be4ad301947e9f1282a8f7de3d87a6c5e725b325

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkAc.exe

Filesize
170KB

MD5
cae00248da66ff457bcdd6d7b9a6f212

SHA1
f0587c64087ce3348a815b39159ef6c5ad7ae2da

SHA256
f3144203ec8eba01ef8ff5ebfda384e5f92d980a484c07d0fd24b6cf8d24692b

SHA512
e7115a9fd61ca7241c3427667475d47821696f88cbb7a7fa9f041f80990cb17146cfdeb40fb4c6e0e06b2bb31969c2961cebf4201e13009ea4ae5a66baf04c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Akwe.exe

Filesize
140KB

MD5
20ed2b150b40448d41117201a025c162

SHA1
2f0043d63def078004c9f57af959d57ada1f2744

SHA256
96b261d584ed08b2f3cd741976b02a44efa49d1b21b04ba64b320b8ebd8a00da

SHA512
dce616c8217b284ac2c91b69977220b14d7f6e00c0f75538e73f36ade14e2e153d93b405f2abccf5304a46a1477474304a020256c554b7691d39e80d7bad36cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoAU.exe

Filesize
180KB

MD5
fd89b665318ed2ff56d40dc28ea216dd

SHA1
a1951cb3dd655e1bb777c9a9b22802f3b8481ad1

SHA256
cbf46e871935300aedf99a5c2d34403fbbece7540fd2c91634ebace2c0073f0d

SHA512
9fade3de751619ef2bf2790f6bb9c7446312ed57813ea9695c99cfc05c196e736548db297cd623dcdd22e20e153bc0cb37859d0231456628c9449074b727bcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AowG.exe

Filesize
178KB

MD5
7aea35b71ea50ddcfec1e5d0e9174810

SHA1
56750c1e8e51885883cf02e380b65bc8ce03952a

SHA256
a62385709a4bbe89aefa8819aa926b4065e5ce598a6215cea9a55a3353165102

SHA512
6d397b9ed1fa9ed589d27f2b92cb2ffe27fd63e6e7efb7e73037022e93248ee365ee16df8cf14967025f7b34905e6466be1207313718e700fe89f5ef147c0e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aoww.exe

Filesize
132KB

MD5
6dc3a8f542eb5446a23ca1056f1b79bf

SHA1
a617779857718c6a829164997d0b804901b07750

SHA256
3a882eda21902ebe056475f492e6a126a8871453ef35870b244162ed51f81777

SHA512
c5fc23aa7fd460cbdbc9ecaa253a6e83aa6524ddbeeb45da7d3b1b87ae9f612c3b641ee3db80fbd5cb1f05b007960af0b67f8228101ef19c4beaa4c4a89356bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMQgwUgI.bat

Filesize
4B

MD5
e39b1f2e694ce5394b6850b790a4709e

SHA1
ac8dbc038bc24e3caf1c8c65a433cedbdfed3c22

SHA256
61746f3027edd4be4edd6de93c3136c3a62ef52f7388389249592de55001c766

SHA512
155cb9d06a6c34a116316aa51b683d5e6262a121ab9f72ae005638203337bf0864121eeb20e64f46d7d6d79fa606f9eb57306b2ff480a8ba9fcba52819080ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BeQAIMws.bat

Filesize
4B

MD5
456d08254490f017a855b1d41ac1678a

SHA1
ab0933ce76d0a63ed445ffc1bbacb26e1c405be6

SHA256
a0663d0bb39413ed413dbc048ced3ad80909342ced08d18d41b1e8145589861d

SHA512
ba1481ad95bebf8f0f0c4fbce472abe38dfd0dd5d692d16192111596ef9f08327acf6aa81397c35fae937838816ff958cc1bc628f1cecccf22e5a41cb05e9f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwgooEsk.bat

Filesize
4B

MD5
538397ad58034e9314e6008902770591

SHA1
6f1cbe22e41e2e609569a63a4bfa662e5d3a333e

SHA256
16b766833695c1edd7bf422aa0fadd26f76b3fa76b3dbe2a6a604fc4435d51a1

SHA512
b2d9d047822958f7b99bd4cbef193f511c4125572df60d7d54a0cb128e56af22ef65fb29006d1ee327532c7521fb30b6fc2a7467263206c6f33636a24e71af58

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEYo.exe

Filesize
189KB

MD5
1cee8a422bf7f7e7b77f82c56fdccc7c

SHA1
157acf6cfca4e5692478c679a93dbc9411bd4f40

SHA256
ed21f914fe17838f9ec97dd988dcf58e93f40634f1f4d0ec9bda64eeba7b3567

SHA512
5724d21253929d8a68bdc33d60f503caf45c8a41073dc700c6cdf6b331ec2f6cba33f37d35265b2747392c25947023035f0b7fca465fb209d8176e207ea4d4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEkA.exe

Filesize
1.2MB

MD5
f063ad624435daa52908a4bdb27f5549

SHA1
bc4beb8956174d1d778d35aa4e7b132627aac14d

SHA256
1f764e0974acc59c241b6dc1b23cff45d485573d78966cd04a1412db18966756

SHA512
358595e9c7f368c3037e96b3876d6ffa21152ea07fcb4680a561569774309fa052caeeb9396f68c543acea4f53d615fd9f29377f1d6f20ebf3847e56b8a4b2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEky.exe

Filesize
193KB

MD5
5129f0f88ff74f31fc5f160b4f688ccd

SHA1
7de2ad23dc904fe20679b27a938ffd9f35d0a19e

SHA256
c63d868affad8855d2457db0582525dd1e51d7f7d06bc27c30282d8dff00cca4

SHA512
23f1ad8b8dd40d1c731ba40692e69450261a37b12756b74225ea99a15bfd020806f8ae56be9784ca5a0fa9d80961bee73fee41112e3cfccee0c272b3eeadb62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIkUQYQE.bat

Filesize
4B

MD5
84ecfd96ec2bac6a9e2fc3efb535a992

SHA1
04b19e8eb6f7760b2dacccd2e1f05e4ad3f99f65

SHA256
d899a1a5a141be788455d13c7d02068f051c081a8141b5efa082664037e0d1c1

SHA512
c8dbeed5f8ae573cb5a2f200b856958e198ac5a6d4092e5e2be36793b7066c3cd8d3b8b3e62924f0bec18db54ca873d2de7d7935d60f3768411e82a2ac2f4455

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQAG.exe

Filesize
186KB

MD5
59379ce34366da7cb90a6628595d682d

SHA1
5c66454aab91a97b316584da42673dcbbd6226c2

SHA256
c164c47420900a27f634699409ba0a59d7df1545ac2370506d592f54123df577

SHA512
c29e9a9986c6097fe454d2456c53e6686078f330d549ebedf4973bcd87226353c2104980451283a9f2d70d873688ceecfdd0045ba82b5d280e341c0b7da067fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYEG.exe

Filesize
177KB

MD5
6bd7cc800190ac1219ee60dfa0dde85c

SHA1
2ea7c5a9ee9cad16c45ad9a03e79bfdcc52357f8

SHA256
d7e630b074a39a81563d6fb009493094c85d93661476c5f24a46786e8b50b64d

SHA512
4881e32fee700683e5061717b30c89dac0addcc232447f58eb0845c4253d85a4469e9527ca26ab65704008ad9bdd821ac4fab80e36eb4d211296a574a88bd55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYEQ.exe

Filesize
182KB

MD5
2c22b2fa45d1fec34885001af1dff669

SHA1
6dada166c040cd0e57fd78948312daf45b77b88f

SHA256
5c9f2325d01f024ca744ad624dfc73cedbf0478be4038dde315550cdd4b6292c

SHA512
3ebe509ac57bbfa8a02663c2addfef32eec0316a9444ccf48704ce11c50db5fa3719db8ac696c1739fe991ee20506c241c52c1cb121a3b0f563213856f4cafd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgUq.exe

Filesize
187KB

MD5
508ef2cb45b7c9aeb7ece048e936622a

SHA1
0573c07490ea3a3588eb2ac44fce6ed3e1f4ed47

SHA256
290dc2c217aa4f50a11f16f6faab12d4a4f3f2c6c0bb929c6d0cd91d41f00943

SHA512
9a78890e80dcb08110f1d8ad3499f60dbfedc80be68f2e16b8c4eb76e69b3bf5246447810502d298810e8fa2de17e102b787ff6cdf3ffecc93524367947c48ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoEgUIww.bat

Filesize
4B

MD5
c7529334e743fefe873981d97b2d6b34

SHA1
d98d1697987d8cd06864dc35c59b3fe1acabbc4d

SHA256
7f5c096fd92da954ad6ab7bf868fa4a1fdd2190d7672965b4b6aff99db6fffe3

SHA512
54100ce24f09b533222a4a6432b63cb2b049eb446b9e676efd87d4328db699ff548716bef979930eeeed64c02ba5f85b8727831b51356391e469f887dee17030

Download Submit
C:\Users\Admin\AppData\Local\Temp\DGYoYsQg.bat

Filesize
4B

MD5
dc08a8913d4b606eb5155dba0635415a

SHA1
c7be4b9233ad050ef497785c88a0606eb6bdcf82

SHA256
e371e71f845e48cd77163b2ee206f74a09bd049c4eba3cb8984a3b3a4908bcd0

SHA512
036c20683c55048bdf5cf717b935938f7cf1a637c79d96a1b014d10cc643ec40521764555b89a712071028f97afa2e1a23dab717b0e2789792ada59f407bdefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYUEoAsg.bat

Filesize
4B

MD5
1c308d5518a216bd0d40a90bf88440d2

SHA1
aab48d41a072e361d002228a9f666f0ec7fd5da8

SHA256
6ea688618249cca205ea7f85117b7193e2cd1342a0c1ef6aadfe42c0163bc86e

SHA512
1b945a128ec0122e1f283887eae248205ea9ae664e4552774f013dd13d8cd7edcf5086e8c4e41711db809ebd1f7722c7e6a0120ae7774d6b09e04481e31319d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeoggQks.bat

Filesize
4B

MD5
e5a1dc711404224508d3ce22e9392599

SHA1
52dcb6140dd6194fcb19ab91bf169a348d7a38c8

SHA256
40a7b9b01ecb370af065b9344d6cbd279d657c82b77867f04cc9071711eecddc

SHA512
f27884e3d71748b7cda1640ce53e76cc7cc7b7bafc8dd690ed767191f617c1bbb0fc60f4a9909a0cec506ef65eddbcf77000d2e2d47041742374d5661d1d52b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAIM.exe

Filesize
579KB

MD5
88c9d7fb22d4dc88c29c630f8a63af54

SHA1
40ab8fe4fac9a7c22c40053bfba07d81df64f9c9

SHA256
a1a6a2962bf267e22181e23c3169c80dc02cf2a4cfb91647b91c53befbf2392f

SHA512
db3ff26167bc8d9a7071a02f01b8e9c5e2bd1d8c3b1b2e671985ba774f94171ed9336e3bba3d19fce1b559301e82c48ce21bfc75c8103376b9e1f61958885ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIoM.exe

Filesize
172KB

MD5
00fb93d16e54cde18a0bd484669c74e9

SHA1
e028e8bfd43dbb39ddad817cec2adecd3c40f30d

SHA256
d2251cc793ebc2750498954f5a37cdb521ee710672ecc1642212e5d23bca4c47

SHA512
63258e5fee08f69b04405b470dd97c07ccf7e682b66c8a9207ba34e19a31aac670b8f5d39a0b7d96bd00682f443d6c8f9752123a993316dd86e3e071cdeaf3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMkM.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESgAokIU.bat

Filesize
4B

MD5
24b8f9fc9e8dc8ef31d4210d151b2191

SHA1
df191fbec9921eac21ae42c394c96e7e4f61f7ff

SHA256
a11d43c9c0b3a2fc85df63994d2a1dc8a108e76eef756e2472c339abdcbc1406

SHA512
5797e5997404463d8c9f68b01fa8f6d1ad2b3d997588c61dd144ce5e82655d1b26024a43ef0eb37f9ba834397c98e32fca60b5974ba546ff8db6b15db3e3d46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWAEkAsM.bat

Filesize
4B

MD5
c3fad0064385a968b687f3bb2d6d20ed

SHA1
a32a9207554925b07728001fbca0ad6c1a14d974

SHA256
c5785867c38ef2abf4c86dafaa1c37e6aa4ca96d3c56a21e0a89edd9cf92874e

SHA512
b7a47621321f01ec5f976aaf301d96dea16f6e668626bcc8eb29d735ef8e6124103112a2cd45d3c0aa69ad03714a067bc57c6a38511fb6c8e4f8a29f27446235

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecwk.exe

Filesize
507KB

MD5
a03aaf62d90efb22a8d17b5b2bc1a126

SHA1
fee12208b4883e62a97bddcd25b557ef25079870

SHA256
c70d8f524147152592971c23024b236101d343b6a3c3ba102231589f36022813

SHA512
a1683bd084d57659548a15d7597b114730e60b12c6ffcbc5c27b7efeafd43ca55dfe46b107f2baf696364c67589c8e550288218aba38ab34db5b512004dffbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoUm.exe

Filesize
184KB

MD5
0da065d5deec4724754df2c63250fa4c

SHA1
c77a9126dfc8654cec84e67a5e22d4edfd005220

SHA256
964e76c4a450978cd6b77f7db12b917c16d33a4d465d5dcd8e448d6e66baa488

SHA512
612324008e65c9ac468bd79852e78f433a71791ec7f4e513e2bdb9fed7f17a3aafb67fd03217188cdf97bad9b88f27fd79b4fc98746466e91e4b139f59cd5c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsccMook.bat

Filesize
4B

MD5
b4cd06202899106be2c8a2bb840bf447

SHA1
17f8fdaa441095498856d4c0dcc9377a3df5c53c

SHA256
7e5dba97101236a0d487b67f39cd9751f459f5e7d4c2196ddd22923deb31be24

SHA512
74a99b392e8af13e39a0e9fbe109bf8203d7737ae68f9cd7cef748ba95d8dc12f59bac9bb7a866417c41b4e91eaf7807610af9965e4b70419c5d29f49ed2db02

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAMUEcgg.bat

Filesize
4B

MD5
e28f80515e1cf650589af3c2b5eb5185

SHA1
e35a85e3553b28a19d0a4e4a1422fc5c7a338751

SHA256
3fff0fc0d14c7c45033a0c9213baea0906309963dca500a292bc44387913cf93

SHA512
204e6407ad3ebb1364fb7c251edd63570861a34c326ce7933a1d5c92ab41e281562089e8510024fae771be0570939f253e24063e621a6e13d589a76617d1c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOsAAQws.bat

Filesize
4B

MD5
16766bbee7cd29d088df3f7f9d49b36c

SHA1
0d3a27b894b4f90a3f8ff26e0f808d2e10949781

SHA256
2beb9f80c80ab4793e65646f2a6c805eb3e473fadf3f23114651ec4ab8dce2cf

SHA512
0e11f3e9872e1f0b57e310e80665e87f8a1f9e4277ff96c82dab59b3254b2b10b3f3867a2c573b4a958dee691b841d404db19d3aab70283d424ed4a80c92fa74

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAMK.exe

Filesize
1014KB

MD5
03a9561e56aa02f043fbc15c1e34ad03

SHA1
3c7d8b01a84ba65d5657a65e3567363e675d4b09

SHA256
c71a5addec91e2a6263b1a1d3c107be674afc3c224ddd74d572cfa555fd8497b

SHA512
e38e367bcb1d6de15830d84a4930801a62f08d45803d22795e9e7bb577773cbb446fe062feb40e778aa814b5b56f498c7555de106764564b93c7f374e63135de

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUEY.exe

Filesize
141KB

MD5
b3eaba161572f4c181955fe6de1e7d89

SHA1
588e9a94de5bc7212290cca67dac5d3d6509200d

SHA256
387c7e412780241c3e9c43cea20d288e9a8356e64985d02882e24700c49da363

SHA512
b7ce77cc70905bb74ec0794e7971677b18a5382c40578bc55403048f5802ba29e208fa6e752766b04a6f9c7de76263b6b2d40f70c01cd263c46108b5857eb317

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYYA.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIk.exe

Filesize
171KB

MD5
8180e324f55aa26e83072351d31af486

SHA1
555b5eea994ad097a7a83c2c4361641bdfc5b3fc

SHA256
a399269ef4e533420172e6447bea2116a8b3b46943d130d894f8cb023c69cc73

SHA512
c60e0820dc054e9ef373b10e72d3fd7cc3fb65a9de0be13b063fe79270077130c595db2700404769f0eb1c53238a33fcc7b613fcc02090381cc7b54011dff75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQIAEQAA.bat

Filesize
4B

MD5
5e4d015e6ff3abdf1825b111ee8ac614

SHA1
3a85a933de2be2935529aaae58d6386917417f67

SHA256
75e83f20841ebe934d6f1d8617726cbf4fb513e76a6191e0af3f706907bfb206

SHA512
43a85d3fe0420d6afa0518bfdc4682e50d0ded464070c014932a091729c0263431617c0e9dc3464f0c65a3efd11a2a0bea49ca51d1dd90e400ac2af00b4a09eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAMO.exe

Filesize
180KB

MD5
560858391031c75dc95fe10dc66f7daf

SHA1
2ffe537256aac29a9aa9f304d0a8273231efe0ad

SHA256
75c5c75f010db9e8a402e2ce3427a049574152ad9875334d4fb13eceb4b8738d

SHA512
1a47093a6808a4a2258d4046709f010798d99903019744582e669b21a9818397d58cde95e39448fe913151e37061901c8d5faea29f2909932866b5a445409863

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIki.exe

Filesize
179KB

MD5
32472487fd7c2249c60102e405251b23

SHA1
51a047b1c789e1dcdc2e17230222cddf3f4f529e

SHA256
a5b2d97186df96e9ca01631e6e6a148bb7d6f94a5b91753d27a19da59ab7004f

SHA512
cb2e36824da3daeaf970708d1c5d7adca40dd8e6f983411133a92aa5a101e64195926f4eb5e943fc23d6240f44dce19c4af232a32c47fb2d055d88bdfbbe587b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQkC.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQoG.exe

Filesize
186KB

MD5
0134728da223117ac231a42765a54d0f

SHA1
1a655dcbaab404ad80e260fc7213a9976131e478

SHA256
2b55767c20033eb933004c210ee936f6f14b0d1bc77e85a35f7789838d0deffb

SHA512
769bb60a8b8e55d906829171833f82204c2ea6cf9ec47fd7236aadc1c6be8774a2bbcd737e66cbe2ae7e24205920e817d85182b7b722e01bc512c22e4cc64e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUYg.exe

Filesize
770KB

MD5
000a1d950ea11dbb11f02582095ca541

SHA1
b776dbb429641c94b241e210c4a7b6e015e62d93

SHA256
fe5c9fb8247b99d7b0e6440eb8e8c04874078ba49dcffcceb22a50bb6ade5938

SHA512
cd526e49fc7c4e3e1d0641ad31fd3ad869d09b0d49fc8923143d06b9d1a0cb813478208fb46836d9095d2076ec891dd0441cac3f1c9c52161bfba8ce0c6b48e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYgi.exe

Filesize
186KB

MD5
a61ca62037f4bd2c85ca3be6b3c42316

SHA1
2b54d77e6abd7d25d4ebb1f3fa1caffe6a56b25a

SHA256
eaf0934ba3ecfa0e332ee4de5ae2d81d4080b1f2d75b0ac099030bd9e834d2f8

SHA512
6c10af018296e36cc6e3ded497d8071ce229edb43b20ca5131f1685734d93966126aac21d4f8ac841a0d9ffabff58d18a5c9a2d68d24bef245af1ad941e67daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcEy.exe

Filesize
145KB

MD5
097f56c9d1d27dc09f249d32e5890b3b

SHA1
d383065567043e568ad457cc038c66c273475a3c

SHA256
819be22ef24d7b2ac5b05fb97ef4226fe05495ed9edfd92ca56c912c6d4b91d5

SHA512
5dd05016840ddc8aa3a1407640b642f8ce94a5e2bb909883930928a082552f09d9f46a82fec05d39d8e7941000ec5f4db8f58724b910c82c4f28628fb3e7a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IukIkoYw.bat

Filesize
4B

MD5
0e7150053966488780e1af0cd4b3b268

SHA1
d200e9f7c891a3e42e039017210180dfc3329bfc

SHA256
a438889cb7eecfac872eedf2a4bc770c46ceb607b7378c626f9741a47aa9af3b

SHA512
ee8c0ea966fa5c815622df93bcf1339ad9e7dcb455bbeb3c4b48b10bd1dda17151d692a0ab0b672cfd9c99956cd8628b1e3cdd78818f461be6370e159d63004a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwMUoYMw.bat

Filesize
4B

MD5
3566dca10902fac77ee12865bd82aedb

SHA1
c838a53941e5ccc6b22383d56db91bfbdbefca0e

SHA256
6e4336de16350d16ef1a0264af7fa4d25cdc451fe378324cfc43d7103547549e

SHA512
e0353579c7f82198834067a153c778dae538f595f00ac4fb05885f42b9525f2152555000fb101045b8a84d7d389fb7bb3d51a8cefeb437c5f478754719e377b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAwEUQwA.bat

Filesize
4B

MD5
ab50cb2598a435e393d319c275fcd90b

SHA1
5e50a31034f844881db7969d0288b0ff2b6e9434

SHA256
836de0140977d593f4d8baca3917792209367d07fe775b4e974bdfaff6c7032c

SHA512
9a804870a9ca7af003fd59ee719c812181e32629340dec92312c66efe5208f335a66c880988d71fb1c7be8614898d76173ffc96b9f40c257465a10cc1e5b9883

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOMYYMYM.bat

Filesize
4B

MD5
e6b42b9d790be826b34882bf87181874

SHA1
d672d0d6faeca632abf0dadbb0693c08adfd4f4d

SHA256
37309053a57aa2bbac1d8302f98b9e3b768414555768942fe07063a35b1ad100

SHA512
2e721279cbb5c544230164dc5d338f5a3522b7d9a724eca2de863a861a1272722cac230272662e680c48a757662dd73f2821dacf9900fabb74e28904a5748a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQYM.exe

Filesize
739KB

MD5
6edf41fec3f989d22d3bd3105c556508

SHA1
9c1e9f85c6ed6d75890974407fd56b3f0e8a8b45

SHA256
9cb57b4815e24c2b157c190676407d3001da1421f465f080240bedc6129d3d53

SHA512
517a98b2f22efe9f7d5d88b539b4f95866d12acff360e1fe9529f930c50e31ee409cf2851ae7b108ecb5491148ace4dba452078e28438c97960de22287cd1ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQYg.exe

Filesize
189KB

MD5
af5d956668f004185a742fec7dd6600a

SHA1
ac1535e8e25bb47691fdde6834d45426eacfb6da

SHA256
7b3b9d6ed55b82b57a54b09c9ecf0f888b87da48ba87c74ee174d438f10a56bd

SHA512
285885b24478613f604ddbb9143dc425340a350ddac682c1ac4295159198205ac9803fd260c665bdda95268ce64dc348fe3498753a9f2f1a44ffecce6aeb3985

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYAo.exe

Filesize
261KB

MD5
bb6a5039e3f91f98bb64679c611192dd

SHA1
459a46616e08d94d8d402a6cfbc3926ad05462dc

SHA256
859f2db394fd6e7a1bcc945e790130b197bdbede0a574408e33185235f4c73da

SHA512
b4539ff0c44628948818a0ecfdac4873fe36eeeddda52dd2d040b9288b57ba5440bccccc06bbb681a191cc3ed8e1366ecb500184629f27f4651240ccb4b3cdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcoi.exe

Filesize
180KB

MD5
7d6c6e6a497b2c46017ca64be6ca7cc1

SHA1
2b11d6a46af8b3eded8a567dc8de2210ed39222f

SHA256
9bedf2d980a9dba9d0863abbac811076279d000fe597500bf0089b94813e8d0e

SHA512
e0b0bd57b9f145cede3a1abfe692050b3e9a09d93fb2040a18a67bee41f447981786b0dd864b90f1e9fd125aa1d39ae837b3c41ab5c82620575b201e68894f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwYg.exe

Filesize
181KB

MD5
5f429db48744dcc6037924f4a7b2da52

SHA1
d74b2f29a214469043045a465021b949c656b655

SHA256
ebc3fc5f34733f052feff6a65a2469f2d2cbed9b431bd13f80977d774cc63c70

SHA512
30f918be1fafa8bd40a81d8f9a7eb5de5a704e5ca6f5a891ecdfce6a5a012a276d9e43bffc957a437f8f9095c4f21a52cdcb75dad52aa70fc0ec05a3a1630206

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIsEkYEY.bat

Filesize
4B

MD5
3094ac37983d6dd9e153bab618ca95a5

SHA1
e9a15d8e41846cb5adbf598d376d60286e4283ee

SHA256
99724dd8137e5eca2f07a780caf80f8ba0c35ef4e57ee05b001664fdf58fc11e

SHA512
929ca46e4ac190684ff44de4369bb6cfb2897cfe11ffe1e7ac0a4991002ad5e4746c2e5b60daa21f4cacea971fae642d46051268d00542e064259d61241851aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgYooIcg.bat

Filesize
4B

MD5
1ca5b07dbd7e18ad766ec6e1721d29b5

SHA1
225f26b29ad06cf740db84456268413c6c31c80c

SHA256
38f2996dfd7f4f7ccd8d073ec5016272ccd2131b60eaf112d90d57b13a61f897

SHA512
ebfd8ac13a746e7d6824ae7224feee70cedda4031b8cd8f1a358fc18ca759592454247072275766ddf4bab5504abb043c799be8eee37700cfcbff55b14f112a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMAU.exe

Filesize
187KB

MD5
d0d438af0f2bf5b3053c2c6f09694535

SHA1
603f0e4686e4ce51fc478c69e07607339bae3cb4

SHA256
4391a8d594123cdb4e70cbeb5ee23c4378a2cabdf966624aecf0cdea9fb7b1bb

SHA512
063c188bedc83595f124b68cd3f794cc63044337e1746e9ddab0dfc7d3f238997ccf5250bfbceda2190b1027853a6776751778e2c4d968b818c8acd153f6aff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMEa.exe

Filesize
184KB

MD5
d64ca094dfdf7635d3f5ded29d059478

SHA1
21064cbdc3e78d6ca52a238825c8368539485d1c

SHA256
441079c6f5f69ad962c89e8fbd93b06214aa18902cc263a9451f42fb0049fb2a

SHA512
d97492a528e15b7a36e20f2047406bf954bb8b14deb09b0f8933883c42a2039c78da1b4d9b85803d801a6b3ddecc2cbd7050d061b7a852b473931daf708dc806

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSUMIcYU.bat

Filesize
4B

MD5
070521dec289a3822a5b3bebed89f2fd

SHA1
3655397f9827d11011a26a6269336e8ef0efbd81

SHA256
e317ce640020a2eb25115ac04688611ef505b878a00ff6f7126467cd80333cb6

SHA512
866b936182e11b3b39e49ae2ec9b611bdb38d2febad428b74dfdc8a40360f267e7961a6d47a3f0887fb0063344260c8dc0b68a187d0febc62fb78477714c2478

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgcA.exe

Filesize
180KB

MD5
1aafea31404ccfc03335b568a4d72c19

SHA1
7749665ffd75cefd937089bfb06eb7ce7e7652ff

SHA256
a22f2acb99a7aa161e03e49c23baa2b37af30fb47a27d83a99c75fb0a292ce1a

SHA512
622e4c75bf9d83a1c03a269cab50b84fbdc22f01d4163762140b604e345275d34873db4eb5eea1c290e348f2550ed0febd1db3d46a390e524b7c93d888986891

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mgwq.exe

Filesize
4.1MB

MD5
962512215a9f302bed8063b2cc90a844

SHA1
7e7cc90ff2927e9b6da872113c6804ef8b1168fd

SHA256
281bdbea0e0e66443cd910535c424b30c8f8f9eec8b81f9b5285268d2d7c8d82

SHA512
41bd5cb0b8f0c8a333762ca9da75d75d13ae1bbae4ed1c7a54aee4929a54f34902000c424fc347d962680b39cc2b083a1558621344235c3b63890881af27fdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsQo.exe

Filesize
392KB

MD5
79912dbb99258a64062baf6b4d304fcc

SHA1
33688be72641bd327269630d10a623e3082a26eb

SHA256
8f8872c92a169718ea6667e36174e019840394dd619fa515ad69cc14f07814a7

SHA512
a6e067a87ba2077d6ab81329d2b653eb1152b2e834b989aae54c8d2777943b150cb0120c8c7b26d3271ca8b9f895fc476fa1c716d6c43b9a5572b4c4cec3fa4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsQwYsww.bat

Filesize
4B

MD5
135ed788abce05d4bbeeaa3ba9abef0a

SHA1
ca93aeeba7a45584b18ce26561727fe6d3772cd3

SHA256
049c77d71675b9e040af002e0136d76ec71067f690fae79d6fe865baefe1063c

SHA512
9956616bd419c9ecb8751b9c524373cd967a6a93fe77a70d16c99741bb86d36f3a6fff7528c672462dca773fde450c104342c8d29fe75e703824df2cee69b7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mwog.exe

Filesize
154KB

MD5
dac35b5e1d92155335c1bc0f5a153181

SHA1
85fe662ccc5bd65fb9e552cdd69cfc87e3fc2e3c

SHA256
163107c38dc9524faa617ad08448e1c50af39890c4095a6e63eceb55aaf8199e

SHA512
79b93b7e66e56db56a3be221de8c8d76b5efc5f5ea3e61b96be822565bbd5360fe3c0bb44466c71f905e160959e0d0c19f9e18097fee6b9b50518162ee98b273

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKQYEoYg.bat

Filesize
4B

MD5
dc981e10b52951e6743b988badd50201

SHA1
1ac26bbed43ad1b89a1c2b845dcd892f887d60d2

SHA256
0839a97ce0aa3d3798910b44632aa5074a092a933ab149a6a8af1ec32cbf3687

SHA512
01b366580d9518a43c3aec2456c54e4295774bf498562979e943b543ef3d11423785b7d13f11f91bc9394c1927af089c2c949c176205b09cc585551af6fcb109

Download Submit
C:\Users\Admin\AppData\Local\Temp\NaowMQAY.bat

Filesize
4B

MD5
eaf52c652019bba9fe33c9cac5d24554

SHA1
0d0070436ebaa4ee6b7282c361b74d23c313812f

SHA256
f647562e89f9103a0a8ad9b2e8de9c1f9f9ac5b69681b2a73b3dfd7f0a050b29

SHA512
a5b53d2d960a8e9d0c8ff4c3083600c2e66284c9ee37dab8067bc4d7d1c8522b175d2766bc1c19d3d3e0e55a6fd7a31249307d753ba0a889c923c0aec56efc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiwAQsgw.bat

Filesize
4B

MD5
c67a05fe01006f720756d2b643363d8e

SHA1
83054e1bdfa345c89ded3d7ecfc4e06c5f12a2c1

SHA256
fa5449add41d9ae6f9149e49df4a0859af1e876ca26eb113bce29e205f3077a4

SHA512
a5ca6dfec747be5f6951e984967324bba44711afd883190b76d1f100665a88c8f63b727d39437c8b777f9d96c1f962e18401b8cb33306bcc68241ea563bd63fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEUq.exe

Filesize
183KB

MD5
9261848b2830719fb244ad84f4538c0d

SHA1
93a28a70e3a95c20d50e8a6f55c41d43bff7bc59

SHA256
8585dd4ea00fe55a44ee61c583abc6f3f659a520521a89debb7efe78dc69ba2b

SHA512
5a35a0fc284e7ebc7c4c40be6487a643b780fca489cc13aa16cd896c18115a83480d9972abd7e0a8cc53c80a618bc8308fb2167ab397c1ce18a5f9afacc66cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEcm.exe

Filesize
173KB

MD5
035807139a9e27d9ebcfb36326272f53

SHA1
e211959809283d69845f68fdd3208635f1fd2ce7

SHA256
24bf970b821aa308fad63320a779ff9821f204ef56c4abf0146b14a1d690a302

SHA512
e166d3202f918ab4a07e5fdad7e4e493658aeb0a1293b25b2a8b955f975d4039732d062c727c7c1e6c3d312cef581ea2aefc12ede5b2b1e3c95b5a25c23585ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEoIIwEc.bat

Filesize
4B

MD5
cfd2ae0db001c5544f2cfc199784f1c7

SHA1
eb1bfb1aee6b3ebee10e641859aefabe5413ada0

SHA256
96aafe836ef7e2f7edb148aabbc72a447b6868e544e237796f75bab0fb767163

SHA512
0e1228cd55bcfc85f1596e18d804175daf2e88e0c8cf5b2c585b858d085636d051204863d25b6e8d45a42b3de49f18db433030dfec9ccd353d20feb22977d33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQUU.exe

Filesize
174KB

MD5
73b6e340ff26c3d2dc0b09d15e47abb8

SHA1
14ed5f452749fe08ab1aea329f13b52d18b1e931

SHA256
e17e0b3419bfb35b1947341b1c7c7fe7d02891c59f4ac4138d94192f177ea40c

SHA512
68fb40b309321c2811ca88d91d5dc8c3668b7171391e2e6b8b2ee52f3e5e75289804287e1d646fc3c2c952d1e6a55c3f081a84a3b4fe507ba842c5ede88829b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUYe.exe

Filesize
191KB

MD5
d91971208c6d697ba7c0ff25c2eee0c5

SHA1
25cb78ba10d272c4f0e09d65e8a14b940ba59329

SHA256
5cb3d98d67536bdcf17f3d9935d0111ba6a76f8af538815806006a2f180d0bcf

SHA512
71d3dd8815fc6a51229a8e9341b056b4593820cd43b63b885e00e2987d153188f4513da50663ffcc135637d52b2725c878f115fc06fc5616e724c06ec82e730e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYkQ.exe

Filesize
183KB

MD5
83832753bee8cb4059db176e34fd780a

SHA1
f4332e8cb1bbff17a33019b3bc657f6f358fa8e6

SHA256
cc5c7fb16b6e3cf4e2e8b8c1a992ead0aaa6af0820a0a19b62e944a172341e22

SHA512
fb34023cff60ff656d463321f26d76ebc657637b033fa1e3ff6c83ff593e5685b400342b71285a28d28dbea44406fea3443c6fc9377158c2a05a9195bc839b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcYIMcYQ.bat

Filesize
4B

MD5
eb9c3f7a12e8a8508ff68a16e81a6daa

SHA1
e9a2a69328d5bf8d0959d5a898570f903a3e41aa

SHA256
e08038f87be54af0e5c7b62e305bcd3b034982b3fd5f26883fe5fd53bab902f9

SHA512
93d634f3f20644d037e4558c2e8a55700a244608ea7364a84288ab235f55245dcd146907e8aa09ebbbb0a73dfe73ac43fa9ddf69c070ba99513ff57ace1dc1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkQW.exe

Filesize
2.3MB

MD5
ec28cf035f803441d5a6aca37760dfef

SHA1
a42223cbcf4f4cee69c2a1a83ff0f31df6bac78d

SHA256
c772b9c9f4f73892219efbfdd00e9a1a04fb69335705352cd0220954f22af23a

SHA512
c5b6c55d2a1ff70bac77c093bd1e1716a9da607c9a8f022dc9fc84575f8696ca081b073349cf0d835ff4dd0d6091001edf5bb395f1f669402d5afde768c3f5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoMg.exe

Filesize
957KB

MD5
7d553609c2b921722f7aab57a6b41e6c

SHA1
d02b2dcbe1a0bd4b6a73beb6515b983158ac7d7a

SHA256
159cab6743d16e227f409d31fe6b1fadbbba53cc869dadcc5c6c526d2372525b

SHA512
031ae262a1a86168e239925d6aa3c90e1dcadad4e8cf5ecec5ea1215fea4f32655e6d536e211c17926aecd10f0fa8957f1215c27f5a13b6e7f243bf4bbcfc6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsEy.exe

Filesize
190KB

MD5
58d5f64960bd8e9fdc3dd1ba7075a030

SHA1
40376cb9170c915dcdad5f84dfc03c6d4513aa9c

SHA256
30fb65797c22f24bfce1d97f76dd4bc14493fb95bf11e3213c382672e4335ecd

SHA512
d6dc3648f3f2208a642debdd95f781a8308dd0a94988535fe0efc62ea9099b31021ca574b69f7cf83b08f377945ea14b2882affe821f37dfcc4393016caf199a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMIS.exe

Filesize
600KB

MD5
beea7311ec696e994e8e1b6162857699

SHA1
946e0700f8463e30403cbcec58151f94dc6c6a2c

SHA256
9c006a08bf69d7236cd638c5ba003fbc19c844c3130b18678c9084f264dd02e2

SHA512
164d8062f684e9747ee49a14aa2bca0c9ff141931b05bac813324d67c9fae8b569a70e2864cf85697abee70d4cf578e8f0a117d5224fa899c6ec51459093ed1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMcg.exe

Filesize
167KB

MD5
99920c4fe9e65767355efa99d3521062

SHA1
584e8cfbae01afdd19ed3243ea01a91c93edbf6d

SHA256
3dbee012ff40135ff150094781a26983bda93cf97db27cb6bd8d160c7bf6b7e0

SHA512
7abe19075b71f64002c9ec15cbe6ece5404d7bfa914339810b3e59ebe739d328af8dace0c156390b78bf10a05552c67786f35575e955dabbf570171e853939a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMoy.exe

Filesize
173KB

MD5
7ca24fe38479848a20c074d6568266d1

SHA1
b94f32c5b61a3785bff89a9900ce16726b7c82e2

SHA256
e474096b110664c0dfdab2a3f924a82633f71981222eb06315c57be5639f862e

SHA512
c9735865679384a1a93b2c9dcc77da4f939f1628eb60ad74420fb431b966b83c8d9bddb0dfcefc8158e8d654e6ba92ced8bfa721c45a6dd245c57f1b1f3250d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOksEwAk.bat

Filesize
4B

MD5
179ca11cb3b8f99e543c49712a241110

SHA1
8d18245d05f3bf3839853b3d5b18abef6be40fbb

SHA256
92a727eb5476532184076d82cc3cd8679ae7be311e101d860df1e1ccc972a27d

SHA512
25f421783b7c87a9037f65f3debc59a6a1c2751576e018aef643fd67967c6f1d7c623fafbeaadab6c39aa52ce14e6cbac66482db6819f20a4e8853ad906df4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQIO.exe

Filesize
132KB

MD5
813ad0d7694038b08bcc8a0db35728da

SHA1
efbb8f7e4bcfb6a191c2ee89ac05d7729b7cae1b

SHA256
58bc6612dcea07a49f24c70f085060c226fa56e3c24a02422cb6cced13c5821b

SHA512
64e6b3b1c1211654151f3a3497c09ac0773f99e2d9dc951367273c09d9bda72f9c46e87ab15cec87ee20b8ef6250fa0eda64e19c3204351d6e241d0f869d08a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgUm.exe

Filesize
1.5MB

MD5
1d9f920f983401db251e939f6d0fa351

SHA1
f0021d073a48b5df97b2f3861d55124e88a7d5bf

SHA256
61afc70d371a7df605e01a250341305c8b01f96a3adb172e23e791f4b23641f7

SHA512
1b2bc59a408fc230798582f4bb770f0dbc143ae2dae6b9a86fb8bf04da3447503e139cf9efba2e5e8cf5eeb4cd2fae816fbd69a44e65f51a312a96afd1292646

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkQYIgcY.bat

Filesize
4B

MD5
4f9ad19bbaf0d70debdc2531a97f88c5

SHA1
a0c3d4ac12a8f5900d645b3138e63d8dd4a367ad

SHA256
7814dc54d9f1b4731315bd487fa4afd2557d45ab15b7e63edc6cbe74266b08e5

SHA512
1c04acbe6a667a2ab0ad3352fc8f213597eec57062f456691ba8ea548d4329ed29f3c5d56e41db67365069db3030676761ebf6ad98c3d9c581d138bfd661047b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsIs.exe

Filesize
660KB

MD5
2ff9f08a035cdd72e8e1b3de82eea2f7

SHA1
f681d6561324b09befbf7437cfa29926d33cf217

SHA256
ace40905b112c51b11afea7152c35a061ca7c39632ae1e8e5e12abb9104d1b80

SHA512
17696b78005cea9832daf05b77389666b4ac3a309a6e8835b8c6714fe108d36a9127683a0e509f625830e10bf111396ae043e04726e6430647e6f1170ebe6dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwIo.exe

Filesize
182KB

MD5
74d1fb3dd179af54e0244d39ba95bac8

SHA1
7df9e46887f2abf08487b34de0ea6a9acf8fdda7

SHA256
83dbc3b9aa00cf0c78d4f2e7ac8e47be80c773cbab17627449a4341b3396bcbe

SHA512
fe13bd458473243c03aceecfe74383567f0feb040e13c934bec96388e8746182c25ab835f2ff11a76b01f28eaf90dc8a4380335724fb08e6b3a886dfb4cbd538

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROkAwMYA.bat

Filesize
4B

MD5
e765a780b099123b142d5480fb2074fe

SHA1
537c2743c0862cf48c96639f001802f6e54a51e3

SHA256
812ddd5e0b0d049807f7c8cb6a9f31245d67bfc6872da64c5d6565017198c526

SHA512
5aaa1132c064ec8dd2e3147282d3c4aceedc537e7523a822920ec6b85194a772995dc1ac7a167f8d2fd2c4ed22a4cc30a12eb755aa59bc6535c3556e16ec32de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgQQcMAY.bat

Filesize
4B

MD5
2b20dbb50ee70bb5dd06ed77e1c7b74f

SHA1
9db67ce55f63586899a0262a60897fcd609de816

SHA256
0e246814b6f9dbe22e5b484228675876e07a92c2363e5906bba503ed9cc6b49a

SHA512
054b56c22473cf1580a5b97e2914d8574a82f0095487e2ff28730da29bac37f005b942e1be6cb90a837aebd27bc5e4a8d88f34505f2571b86f8b32f4551c2b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgUwEgos.bat

Filesize
4B

MD5
007d4b1a48fb145317ae0e3398668dbf

SHA1
534ea370869c9ab3be9bff6d03f2d261186c2ff7

SHA256
82718647c3abe70caa52d985bd9f4f32ebbbec1f088223dc2a561fef360f0c91

SHA512
0eb64e32d1c74603b1ec86bee64e573c2f3df2667790a77acc98654e95940315912221f00b226369459d8ff67d1b05ef1837e7fd023bf49be30ac8bd686a763a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoIQgUYI.bat

Filesize
4B

MD5
1824625e63ae5a46ac2e0666b178abb3

SHA1
e32f4da493d1a15894350107ddd17c6d1fed59b4

SHA256
0dc2284e4618b775e7edb317cc7b62ff0aa080c4d186735bb431626a9503db5f

SHA512
45cd8592395bb62261eef47268f2c2b551d8c44530e50132eb35d79042fcb37b0d29e71019276c07c6068131dd9892412937abe490349876e54966437c6f04af

Download Submit
C:\Users\Admin\AppData\Local\Temp\SCcwscAk.bat

Filesize
4B

MD5
77ba0baaff87e78e021c60395666763d

SHA1
61b9d0df51e5f4eca074cd6acda637b5d4c0f1d2

SHA256
8aca6a581849a81d6c83ad7ff223c8092eb2d40981721e5e447132a3ab614089

SHA512
16df356dc40b2733d8a5322c15176712011baf8d9d14f3d6883c970f50279216d724746c66519e8529790821f93bd2b50198caf34014b337cb8dc1d942307d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIgg.exe

Filesize
180KB

MD5
90a846800df41e670147324096aa3725

SHA1
c16394212f8ede475bdaf7cba8661b53f148b359

SHA256
e2b410427d4c992cfe67091353586ced3de9cb95c913b9c2c0818d302fa64691

SHA512
6bad93bce32fa5544eadb6775ef3e5a29da064bbd8a728936dbcf1340531f5fc180bbfa64882cf3be6c9b9b45b849188096fd41724656e649c77fbd31dfc0b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMkI.exe

Filesize
190KB

MD5
b2e66c4822b54ed59611bfcfc5b31136

SHA1
67483c292a342a7a23ba78bde9018523b95af617

SHA256
d64e35fcbb67ce2dc563170dd1094e4d26b496e629742465c725402d3524d815

SHA512
fcc8caa0432188523b73e2e192fdddc4ceacb1ec8604a8ffdc2b805439a4d770f8ca7de8d1ccce44b97143f35de9b661f8372b66e10aab74acf95ec713fecf82

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgEa.exe

Filesize
678KB

MD5
d2df9fd0b4dc3745d6e76a1ad467bb21

SHA1
4adefcab457fc3e587cecec0f5bbb82051aa67d3

SHA256
692517badd0c6d88f2f0a3613c894aecd079d22dabdbd5b45b6f3e710a0066e4

SHA512
0f2aada609dc62f79efacc1a854e22e4d8a91df540ea8479d79fedc1a7ae62b0abd233de0171cfe805418ec7cd66a377fce6a1256ac52d05269f440805b509b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoQAEAgc.bat

Filesize
4B

MD5
e93ef2666837a8c81906b0788d1700eb

SHA1
87f72fb8f027d71e521c9639b2350daaf43c1b32

SHA256
a2c47b4b672127d1be4c1c86457ad420b07510b56b0f271715dc74acd55538af

SHA512
afa9070a47fd42af82efbefe025b62e617eb94f986158559dab0bf9e6dd0f79c4cb47651374c0b70bc6a2038a27aa2f0a62631fe0228f2ecb4d425646133c8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SswC.exe

Filesize
614KB

MD5
466895027281621af5c3fd2c7ebc3af5

SHA1
ab9c6d1bdb0faa7c9203871c53965d36f8069178

SHA256
b9f313fbccb086ea81a87030f12b9baa2b39b1098c8a6939dc343b4f069c7c6b

SHA512
405966d99b89bbd812517950960d1084a79e27a574010ff6fc7260a6c35878faaffe81e7fa8b60af816930a1fd275f2dc4eada48d9b708a49632ef61ca70a19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCkkIYEU.bat

Filesize
4B

MD5
5b064f59a8e798fd1c16a16fbf8d9506

SHA1
19b0d14d325e9829d4fde39a3b15cf54b2437aaf

SHA256
6cfb0c7434110d32dba8bc989fda40163d820fd2622de600099160f5daf3a502

SHA512
7d005de1039a073c3e57d7cdccce428c24c7dd2201dae0ae049ff51e69e87add20bec426775146184a66cb0c5d9e73c2da73db43b2b3522c0fb8389526a2ba45

Download Submit
C:\Users\Admin\AppData\Local\Temp\TacUkgkk.bat

Filesize
4B

MD5
9021210912d0f2f73b40ed2b6deb040a

SHA1
261deec87d076145838f772b591f1c84c59b8a15

SHA256
3739e8032ce44c9882ca0dde4f5c8a680e6d882738385746ff1a928477e7a7d3

SHA512
eb26cc27376ff72b37a0065ff5b5124f5b5728618e24d9e361e72af058082701fd134131c40f4152fe87a60c25c75cf41b1029be742ebce6b2ad00f45b64ae40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcwIUosc.bat

Filesize
4B

MD5
f8a342f9377200819505f57982e65119

SHA1
a47ca970780d7ba4b56ace602477eefba049d58c

SHA256
454354ef35c167fd949d1dcf2590ebc5b037e49ed3831ca6c7ae52e0995c708d

SHA512
49a5615512ef46ca5f04327de7c36324b7a976b0d1512bb564159d984cec17357d88c998c7582fcdce01667590b4701aeb9b2913b161dcc4c115e7e4ebc1d15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkUAcMgg.bat

Filesize
4B

MD5
0edb131d11e920f42733e4cd7532155f

SHA1
c85ceafdfb718110fb10c40ec9a2f6adfdecc7bf

SHA256
6e04e00885d6d925a60555f071439deaaa55516ce8f8f591529ac48996d7e2c4

SHA512
b906d2a38f98ae034dbff3556a01474d11ce1a9c4d64760ca4fe08a178fa93af0f377966383c5f661a5e1aea0b1bc932933a0f81a81e1c4e48cb80814cff5593

Download Submit
C:\Users\Admin\AppData\Local\Temp\TqIocsow.bat

Filesize
4B

MD5
d2d226c45eb5eea9c82f47c7178f5a06

SHA1
3c0f1a5a3bb43294efb46fc06f33ee24ba903747

SHA256
20b252e10c8f43f9246d8cc345f3111f6cf17fcfdeb8c9ad57d1233dcab54c6e

SHA512
7434afdfb4cd36424f2014c939d1750691f024f8366c6c06a4359a284ffef2edc30482ce786e676de9314a34af87ae4f937b4f67b7d1dec8f744f5a5d4019cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEwa.exe

Filesize
169KB

MD5
568d8492613ff58291d03ce7625dbc5f

SHA1
cba29ecd728b3c0761d80b2fa7eb55e066c96d44

SHA256
ae580c86fb1f67ba9fd1a0de8e3bfd18decd14c39b93113efd9b0d67bf17b524

SHA512
a21bf4bc1d524bf1d689e6625ae804678a25d02ed4c886cd7c7420c8151c9133599d8fe8681207476eeeac7150264df579ac469f59fa4b0c4178e4e0f96ec9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOQgAcso.bat

Filesize
4B

MD5
7d7e1a81e2955d65bad66a518e56497f

SHA1
030d05ec2d0741f38890afba4ac64ca27931dfcb

SHA256
07ae72abd3cc49bb556dbf45658f965e72f86aa4e8dfcb0a9a471a6162997d70

SHA512
002655587a25a4efd7a1f8acb2ccbb05d28996538c526c7b1809d05b5d5823200b87d3aa8dfdd7a0a244edeca6019fc6f72882e07ed56bb8d63e8bab65a3d1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQEW.exe

Filesize
591KB

MD5
2b75277235abeeed77e328fe62e5793f

SHA1
6c798aa881c101f73e9ff1d0bbf93b24592808cf

SHA256
acca596d04bb29f242262d7845f3be9eeffc9386e6ee000605f274aa0f4f52ad

SHA512
9501a36abb82a55fa0bf80e0a8825b9804ea9a7c285438c5ef619840d29861a3fd723cffce525117baffd2570f40a8bd7b6a6473980d347d8a7c892a2e7a1510

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYMG.exe

Filesize
174KB

MD5
73ec3348b59c427f4c694d44f7c2fca3

SHA1
c66f4e472cdfb0142006c0ea1af224aa616b67a3

SHA256
66e3cea235d7559ee0c7588c76628d16f0101a88bff817e0fa7a0cd3bea91459

SHA512
ee4865a47899ad2d61003ed8ecb7a3e380cfda187adc1e3a7ce41be08feffe5aa2f03ac5be8835e5da269ee34c686600465b9ac2807651a346f19481f4f60472

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYku.exe

Filesize
160KB

MD5
27184a4012d151c201ad1f0949285093

SHA1
f26e2c71d929874eb2c9864692711bcc6ef4965f

SHA256
382d837e0ccbdcd5a93a4a738e3849fbc9c9f4355432a3991d9c68db6c79bf1d

SHA512
57ba3e4234aa4983703cf1a8a9c984f11707af0a3126b1959160190ecd7e2954a5981fa9042b2707e86b49bee40f22216aa94d629f506195c103a16929c0c5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\UqUcAkMM.bat

Filesize
4B

MD5
af6a7232f9ad6b7f31658c02623cb1af

SHA1
d405730461115d525b12c19eb265657c0e3362fd

SHA256
4091a36490c253f8d456038b67977272868af3427f162cb2a90aa2fb700f54b2

SHA512
366ab1db15092cdefca1a8aca25ae0c9da812b30276002fc181c26796f3618c2b6cc58be07db60b242d77c25292343bb645e73f5fee3bdc606470399123f61fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsEwMYMU.bat

Filesize
4B

MD5
a183e305712ac94e6d7d21fbfe8c3ef9

SHA1
7910a493196cfbe73c6c3ba4087ee3deefb2f264

SHA256
224420bd4271c4ac714cbe9b162600f0cf203d84bf0dfbd747ae6f94f7529cc9

SHA512
2231a6675ab653f65ff578915ead961eb7ffcd4463ea1fcab40d88a9590da4dae3fda7dbf127e238dfdce16fa0a3506f5114f396c782c02b26e056cead5058e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsQO.exe

Filesize
183KB

MD5
9b0a78ea374e5ce7128b865094579d55

SHA1
5cd363c4487c0aece4788225d53b22e7e4698f9c

SHA256
aba2d442c54b510630f11bacd13583edeeffae1d95618d5d1fc836a9f28d4411

SHA512
17e7a363a65fa6dc722f1666f0ce0d6fb3634458ce76af24981aadbde80e8e18bee5008db772a205429a2bb16ad6fae736a6e08477586c0057bd3664d501476e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEQg.exe

Filesize
188KB

MD5
aa46c292e89088a95cd6c5fd40cb60b0

SHA1
5b84c30f89655dc4e8ad1a40b21755775f7e9c28

SHA256
91a88192f823d994cff2f3378b5bdee51c21bee6dc526bbccb01ab06835650d9

SHA512
edb46732ec5e7a210a160fce115362db2bc9effd34ee86990757a5268c61c6acca6c792dffce5cb8334ca0e105a78f4ef4b8f057f9ab8d58fb5d9383eb01caf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUYy.exe

Filesize
180KB

MD5
7223d47e79f45d1047931ad39fd140ed

SHA1
c2bbefb367df069ced14a00df6765256d3792732

SHA256
3b94f1fc2e3af7e0b99118482688c2a61f6a9387977fd6b22631638487d909c4

SHA512
f18044945bc0c44e438067a271831c2ea1dfa1edefb705c8c304c155db350a7d6459e9efcda15d8a02ebac697883f37f04f0362a464cc5f1a3b27c21995c2c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYogkgQI.bat

Filesize
4B

MD5
3b1e140ed54951a2ff7b0a19d877d911

SHA1
67b2a9cd3ddc9fad33195b580c411399e1d59c28

SHA256
600c0e07c676bde48d3982b9b8392160dcc6f614c57900fd640019c57a35cd75

SHA512
99c3fde3d2100772ca51c49d9d19752f95bf9d208ea8e607cf3a2186ff87aa7320fb8233020b0b6c31fe6cea2056784b3fae7ed24fed3a91b8281424feb52356

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwsg.exe

Filesize
693KB

MD5
e3781c53b079082eb2e37795ca1ffc4c

SHA1
51afcce32afdc08f70874bf84e454052f3486a85

SHA256
e01488107b4ec9c10b33aa9af4bd22961603e32fb96bd7e4fd7f143551338d66

SHA512
bbee7e7d2bc03dbc7d8c4fd972dc8a3735863077a215e28d1a6356b8068b21257124ebc3445c9d8e0dc0d668ff82a905079a4f257d7fe3021e15fd3e182877c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwwkgEoc.bat

Filesize
4B

MD5
74b5304a7cd997fd5b566bbf21170e80

SHA1
f5008dd61cbbb623c149aee539cae0babe2b5340

SHA256
eeb6c8d82aa7a61c0e7f347e0be421740a87211a8dba401b84f65d4e85e088db

SHA512
f5091745d020241e1935d258c1e698b2c09ca8fab77b34e0ca0638de0a89eba27af458a67f29b839fff9e1f31d7376cfccb71b157e480f52376ac3506cbdf0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUso.exe

Filesize
187KB

MD5
39bbd39145afb9b19da5d40349386941

SHA1
b171ecd3228d1f09292a4211d6288ad1598074bb

SHA256
2c63404b1532369af9994ffb2fc0f799973114532f252a9ced4e1caa65ddcf7b

SHA512
34a649fc6de1a250ee678756bef9c0f1cf290e3d426e8948f38a2c2503374023630ec3a7b1044746dbaeb22ff509a79c25674561579f7e64aca12c7e7edede76

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcEO.exe

Filesize
140KB

MD5
48a52a5fe080f5f679c0cb8dda35f00c

SHA1
f7200fc7ea5437ca9df12ff6b88793cbec10b4c4

SHA256
f18bfefde773393b30f0880201c0eeb79d4ded2d05205b1a8f0141fc82fc9e1a

SHA512
f831d69a5e76b8fa9ec3df92ecc55c03cf94ae78a7ac849eef49c0eeb7996c8a76f034f3637f57dc1b8a8babcaf6a83768439af4aebdece0644521e82a2f8f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\YckE.exe

Filesize
184KB

MD5
53141e848a4422d5946bfa310227902c

SHA1
caceebbf7f3b15d8833658431ee1c23a09019f46

SHA256
5f825be2526d59954ff181e51c9844aad879295c358edd3f5798613e9d746114

SHA512
3ec4dfa12ae4b66bfcde0f92b6efc2e25dba2139a0d78dfd7352bf14e34095373b28fd21d0366df51c09cdb22b881f2ff35e5fe41c537c4a85737cad9b09b70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgII.exe

Filesize
377KB

MD5
468464fe8573b49554b49263993914ff

SHA1
d65b7df749aaa3f76c7d741d4e4485eb21846036

SHA256
1ba63f4b1a8442bdf29d350213efa0d3243fe7dc7a17a577840de4438f6f6433

SHA512
74c6843a6669506c82ed4d87fd9f6aa56bcbf19ab531fd27cf0ab25a07b50dba627d9c59de8240802a70d969450395078e115c654d6c8846985f11b59587006a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuoYsoAE.bat

Filesize
4B

MD5
0c66e4723b9d7495f97a0a8f2f63d10c

SHA1
f4ba5a59f2e1bbe90ce21a927975edf5cbd33616

SHA256
56bd08b6f721ee92f3a164e5e5781be23f4e0f913deb64b04982cbccc8d3ef45

SHA512
45fcfef80a574b1911faa5d7eafbccc6922eedb43801bc0ffe3b9da63975a43235573ad37927c4a4b22d26779a31b2228e5bd792d942237d107bd6af6f16c281

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwcK.exe

Filesize
758KB

MD5
a5eb39f3a4ac930bb22a91b784aee2d8

SHA1
1a36fda791ab9716c1c7d3b653370bf8e0bf9c90

SHA256
1120c7df03a2f1b33a917dd87148756863625ffe76c4c5dc03b69026b3d96d38

SHA512
571210b1ead5d6feb80aa0fbb21370d0d3e9a9db15acaa9a693640ae9c4baf22e42037e01af2f9b20757389ac523c5643f4589b6e36266238caf39ba4d36b083

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZCAwMEcU.bat

Filesize
4B

MD5
03de8f8586a6510fdc7b15fdd0536012

SHA1
e7c787e1764f64cba9d4dabbda5cf2a511a1234f

SHA256
5bbd491c0ca8c0a989d85769b0171403d749775e3658494939ca4342c379175f

SHA512
bd3ae377688b56be6547f41020f47ae795340ca6dd131c5d159f5de7144d4a21cfb336073ac40567132716012e1a639a601e5b7f69b910a063257fe1af5a85bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZGIgoYAQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmIUgIQw.bat

Filesize
4B

MD5
548a4d7ae464600d934857e5bb11a4ec

SHA1
1c0fb2d899405cc051b1acfefa45ea921da6429d

SHA256
17fb3c06de4e6d964d4bf3db3b58f6c739f46e2782ad4dfbb71933b12bfb2b10

SHA512
9babe4af975057082fadaa997d69efe0ad4e61907dd50427ffb7522ef62d120afb026d615d359fa6a6da74cec81e7ff0b1b2faea504466aa3d054918ca7802e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZosIUoEs.bat

Filesize
4B

MD5
ece964b2ad95db9ecf47cc4090864d38

SHA1
800bb5c8eb03f015eb329d09d8840d00d2b43a65

SHA256
0c2202a2bb69004bebb1057096c78473ba3ccf66fe1f4f5ce992b0cb3ecec807

SHA512
ff8465974edf5f0fb285467eb8e207f682b57ac0e612104d3eb6a941228481f19192e1213d67775de4608b81b46a2e35805138dca1825dd5fbf97b74d341f368

Download Submit
C:\Users\Admin\AppData\Local\Temp\aKYIYUEA.bat

Filesize
4B

MD5
8444db43684735e16d08c77f5d5470f0

SHA1
2bcb2e5b5e02810f8001cc939f14014613588e82

SHA256
71091ff4d7aeddd2d9700eae2aa72d245b4e6ce8cde5a9ee0c940ae536fbc5f5

SHA512
4f5eb472d33bc4465958c05190d38c033ee2f3b75d8a291e98408d42392eeacef8f5b1cced3bd5a4f69d306966e84ae712437ada78322bb7924f35413ff969a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQoq.exe

Filesize
4.8MB

MD5
0f3dbb3a43f0b34f4d719f2a120981f9

SHA1
ecc76edc234f5fdd27100081ab2cbbd8c2c7c540

SHA256
5f7997e2a26f1a330e92da14e50baa12458e33fc406b00853a104b56abb8991b

SHA512
e5fe5a3ce51787aa0550198ab8843aeb79fa24c9029e964f74241ea7024364fd34ee13ba5b3c582b92ee87f93ebd493f4b69ba45529e53081d6b41056796e66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUMssMIA.bat

Filesize
4B

MD5
a7ee2702c9ff005786f807210bf83abd

SHA1
c843da5c04f5103bca39f7116ada43ff8afc2fa6

SHA256
b6705b26ead6e6663a3b3de32668b6bfcc0bc2fb48989a802cdf0f26ac06744e

SHA512
4124de4d38f87a1682cffcb451c4e71cf47f7df814e96df1db60260a852b623f0f58e2d11854274570c3aab2a8d6668a448fcd2b415938bf7b5bc8f83daa56e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUYC.exe

Filesize
191KB

MD5
576973f0ac45a68d6258cb0c811bfe2c

SHA1
57023d4943fc22105b3473d2a473d974e4039c97

SHA256
28d4916cc5a1b6d7e66e8b46496ba835136531de875a4cb460197322cd9469f4

SHA512
ec2c7fc5f2b76344df3d3393b6dcdc559bdb358eb4fe951170349a898bc9c49d8ebeed813674e324b5ba397e2c30303fb56e1e9d2374cc2b8b1afc15d1d27acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\acYm.exe

Filesize
512KB

MD5
4a0ea1544a39fb0928abaace552f28c5

SHA1
af86d12062cc8537854cba279352b8dfc815cbe7

SHA256
4db74c32e1f4e303870158282da18b98d3ba884c7fba1234bc01e9912936dbfe

SHA512
d6d394bb12b2de6d9d53e868673de48b151e097c589d5272b3f45dea2494156c1df4292b983dbfc5fb86c06c8bf82efb1489319a12c000c07180c3448ca3ff39

Download Submit
C:\Users\Admin\AppData\Local\Temp\asYC.exe

Filesize
575KB

MD5
ede4b57f6d5880d69870b3d2bc28e881

SHA1
3c33238d2c6d17cb5951091b0e000e68bfaff95d

SHA256
7649eeef2e83697e705b18cbfe3016c50ff009aaea73ca63da7bb1a5a36c74f4

SHA512
9dae8f9267bd849bda5f56c017180da6f3d6112c3cecac30a9c4fe94b43cd786265866227a6f4f1ed2c71f3e8f022286dcdd2db523e0b7a0bd7d58b0ddf155ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\auYsUEsA.bat

Filesize
4B

MD5
cd59d282d63e6705298f94d6c457494c

SHA1
7bd22c513e1e79323e3b5031d33201389685fce7

SHA256
46918ae3c0e2691629106c20092c9a736beb1b964a920ab50b719d31d23d45a0

SHA512
782fe11fe35eba8cc4e1cf9632a4ab47f78f307ee2608b7395eea1a65ca4c37f8d71fa36bef67caf64cb836b1d49a809a678e2141bb5394b96e423f69d064ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkAcwoQY.bat

Filesize
4B

MD5
8be27415017c27dbe860628fd85023d0

SHA1
ebe8bbd3dda181cf42f21fe0afba8f5d58acdf43

SHA256
34a44244cb3513118aba7f7838e7b08f80314d12d3bbe3dec33a4ec82deb554b

SHA512
e8b3334b143bd376e1ca2dd929b829787457471aed7219e4bbd1d39c3eaa77728bed72dbca6b5635348e54633f42fcfc09d38f7533aa1dc6e0ad00670af8a0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIEQ.exe

Filesize
893KB

MD5
92c9c73feac89a7d8db25024e00ef8c5

SHA1
ae0155f51ac7a38faef885643cf17d8fbfb9ac1d

SHA256
5f47e73c196740154710440c96b5137465459a47abdcaf885bae6c44fd607161

SHA512
6b65c2e1dd1e224738fd73809dc5bd083124da22bea44c4c092171d9e8553ebfbae8c4b21f41c306a0d65fa44fe74a977924e8da320345eac1f48ad905ef040f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOMsUYgs.bat

Filesize
4B

MD5
b7d36eec204144b6487ca49502dfa1fa

SHA1
287390b7425dea4e82eb2096b52261a1c8391c7f

SHA256
3f012f280e218b0ca08c3be8479a497c160bc40bec46f2f56fd52d32bb821ac2

SHA512
3aaffca5c1992ee5c04fb2331e5d52e49eadbf47e822f11a06fa8f3cd9076f64325633e5110c5058314d67a4e1b82204b2a3e92b80596f91e95b6a57bdd02348

Download Submit
C:\Users\Admin\AppData\Local\Temp\csYM.exe

Filesize
641KB

MD5
959cece732b92a2a264a3277a29efeec

SHA1
d0d70bc6b8b90715f5843d55f89d437266594519

SHA256
8955e7c444ca89942472b54ccfdf745301456f1ef48270b5bfdcc187ee80c1b1

SHA512
cdc207f3764873ce40f6d1a7421c5836a86ba47b7b2cabb949ebf0e3a0678e15525f285986fac2fee9b4a8e55e3deae4aea31b7d8c9872e91d2e3b5f04ea5a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwcA.exe

Filesize
477KB

MD5
750301068506e388211a8916ca880792

SHA1
61bd2cba84096769de63eada1d5f5cde757a2000

SHA256
28cdd8fdaa53c964d91e9be110c982976b438d8b851fba7b78de94fddc52399a

SHA512
0c9bc0cc31e9419e2a0ed95fd1bf8fefef9e4a176a532c9f6683eab5837939897d75a9245d22fe39313371ba729c83f7f0d25d033b9dad4cd72bde8fb8ffecfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\deUIMkAE.bat

Filesize
4B

MD5
954685a7ea138982d6e34834b9a6e708

SHA1
af5c409995f5863a273628d288a3b96c7f8a2fb1

SHA256
931fa50268239d91d60fa653a8b55474794e8dd15f2bf418859bf9150c4ad99a

SHA512
e025eab99a1a29d1114f1a9f254b43d7d7980329be9f2a5149850584b49ee22bf0f73b041a539608d12194918720ba6e78057e10eb6d6355c15e8dd78a13ac29

Download Submit
C:\Users\Admin\AppData\Local\Temp\dskEIMsw.bat

Filesize
4B

MD5
1d32702865579a50a8505befeae14329

SHA1
c8402164f101c294d6f161601854cc489a271c58

SHA256
b9176d5ed795634f6b9c2a2c7d868b75fb25d710c6979f29ab360f940f5d2cb0

SHA512
50526558b1e084d569e756a0baea6d2adcd57cb10b8bba39e0552d0e0ef54758d5feeb3d076d90e8b6c5f478e7aa9bdb8c51d31217a0f92076e2ea707989b426

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAMW.exe

Filesize
175KB

MD5
2d249d2955e3fe1a4273d1d436b86ca6

SHA1
8ba652088ef477ea59dffb7aad457caa2b700cf0

SHA256
e1b4df1e5f6738dd1f7fc5a0293cfaf9eeefd799a518449bc82aabeb44526999

SHA512
307626a2b598a62a652aacd3d0ea51cefe09faf269a4bb49cd2430beb47e2bdc4460dbdd98599ba5842ef22b21377172485b746aa4ae1d186edde5e345d29b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEoq.exe

Filesize
173KB

MD5
ce15a1db402d1eb4f3e86d0183d3322c

SHA1
5304a529ada368b5005ba7cfa4d081b1df415b14

SHA256
34e63f186ac358e66cd34402e47a7edb21e581a5c6e3156488654b2372ed0af1

SHA512
b0662cfe142ea4e4e91a4c04e08ed5598bd3c44d3d58b231f019062f2b91fc079ba886f0533cc080f10e2639e7987dd2c3a3e9bbb9c0132f748f9faff6720b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQIu.exe

Filesize
177KB

MD5
41c4ec5fffb17f1c8f14beaa8cff7bfe

SHA1
730fcb5b041f95c179d3288a838c681dcb41af43

SHA256
16d376a661e0cc71c5c63e2b42916cd8967ac88040dd2345c37a472a1dfee8fc

SHA512
9a398a905031d39672e39f931190552be25814239778d1f0f1e8e8af529ce26e96c2e6382037872f387350f4b0c404f4740e235a140cf2559f7f2caae12d69c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQQYccUw.bat

Filesize
4B

MD5
fc842cc78993352a35a8d523be870166

SHA1
d27bafafbad31dbc04922f046977163d07eb3f45

SHA256
a71bb8a9365caa38bfe0e5be296e4ba814a6865b6e39482673a35e4b0cafbdd5

SHA512
e43e747dd51826dbc304a6c485e11a157427f8d46e8d425ea0e9d811152c147310c0dd8e92aebc7d432dcb4bdc64acd95c8aa2a95710a9c1828e4c4d9257f346

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecUcwMYo.bat

Filesize
4B

MD5
5d08fb9e777b6e31f7ee1303ab108c2d

SHA1
c8cb83917a0b8a6fa64dd475a6906184730a3895

SHA256
8d517e19416d53b4520620a1b3322cec3a4a312579f73b03edb9dd5058b9e408

SHA512
c336b9ec0e6cedfa02df0821d5722d4c20ee7acef43de0301ecb26e2948b7ac6b60bccef3dfe00b86a23a15e7fc2f53cbb69e92ee54b0cb4accf1e78da315330

Download Submit
C:\Users\Admin\AppData\Local\Temp\egEO.exe

Filesize
175KB

MD5
a44dcab042a3841e6e631dcd892f8e57

SHA1
26c1d082defd15fd3b482f97e4deab1de2d8b990

SHA256
c4e3e1ba45b0c7fa039a66d8901a0455c89a0b9afdff15881769afe20af8f47b

SHA512
c9a4ca1a0cda5ea70639abdacf864f5f2f9576acd01960a6af851ca926be3775726023ae017abf81bc81212e5c25c8eeecd54d04202c4efdd73e566a082f8e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekgs.exe

Filesize
1.2MB

MD5
f425ff8f9d2e18b02b59572b4d0fdc65

SHA1
acffff82ffadd18199d63b1c613a72941e5a141d

SHA256
350ffaa7201939dd5da892a5899c8929f0da9eacf20dcf943323ec7d75900173

SHA512
198449fe781dc77467d1b6c0ebdefb5c76c19f9f79774f40c60e209e66697b03da24efe74d2cbf685aa4dd20f60d0df41c901aad2260169d4fb8b8425c8bdf29

Download Submit
C:\Users\Admin\AppData\Local\Temp\escy.exe

Filesize
195KB

MD5
8ae27117b80ed5eaeb9e90ae28fa13fe

SHA1
b5ef951575154a3af7bcbc9b090f5d451e390867

SHA256
dad43e1c7d733d79a0a70c55411dee774a7a06e59368c196742fe571c5cbc62e

SHA512
36e1a0e1e18f4b77457adec18dc6c87a321e8ac85432cc84e3e4267646953a34fa8ab6377928d28131f8933a318c931bb813fff350a2b4a9e77d1d82242d47fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\euUowYkE.bat

Filesize
4B

MD5
46fe5e2bc55bf71bd13e9a6434b3c2c1

SHA1
fe034fa5e466d82d7ebac524dc905b30c9ae2ae7

SHA256
7dfcb18816fc25077bc54a1c1c7c9fcfb701ce04803a427d121abdc63d486c3e

SHA512
db112e1bac9de0e2f4fb31ea760bf95dab2806ccd6c1b0c1ad79873d6552ffd607f08ff24d805b3436d35b61e5f6b46d7cbd782ac955d779e8cf8029bd87185a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewkkIgcU.bat

Filesize
4B

MD5
ef8042edd8d80d6be948acdc3fcdcf78

SHA1
78ba7e385952b94f80e65d6850ed0a50481b0bb2

SHA256
8dcba03fd7821c8426418fcfa3a945b938cbe7ebd5f84204aa1aeb25b1caa6a2

SHA512
6b14d904535c8a75ff25bea704228237488e9edb0bf5b00993ca608139bccdff28f85dab47ecd43143d0bab49d5a4fcb024e3d9a92d5514a2828805827c03a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\fCMYwogo.bat

Filesize
4B

MD5
89a21c5cddd778d2ec0804d7adecec1d

SHA1
92427450503eb33d4519bbdfb060808b0aa7c763

SHA256
37f4d24612ca8cf5669c3ba62e1529d01c824848fe2df4ff2c894150946837fd

SHA512
95adc37b76915b7e1f25a222be356640da4c80a11adda94da3db8960e1c2a9e9b1f7d5eaf1d4eb028419c84316df66998c478124e3e0cd5d5ea7055475b578a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGIIkUcw.bat

Filesize
4B

MD5
f7120ee16bc9cc4a5273d79d7267a7a7

SHA1
805c3a496ed5e5d1f3fd478bad2a9d8d19c84340

SHA256
b68e60c7228576de3d1647f550000e3e10f58bb1eb1d60d148ff7cff79da0cda

SHA512
2db743e4b3f17a12c5509afe2f43f13186496ccd3a9619ea01a6730d8ca6de2a2079b427ed5bc8f05efadbb29d89a06f6c3a8739425f7b92ff1a22956c70ad15

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQMosIss.bat

Filesize
4B

MD5
e879d9849b6960200c1c3957678b61c8

SHA1
14cfb687938b85ff3a76d3463419be3ce7466d1e

SHA256
a1d0eea9923f0d564a31ec3ae415f881ce81143436305c3b551edbc38b5e84ca

SHA512
234de657ac3756493fcd072c8724a3107ec411f3d0f31ad3bf293e6b3dd1b5c32e87daa3c663720070e1c360fc217f2c518fb515dccd9ce0ecae95b8ba6f4a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMkg.exe

Filesize
177KB

MD5
e42a544b4d9f386f02c6b7147a9ed352

SHA1
0b534c6e6a9e411392099b68de0856686cf56661

SHA256
4c880b3593d712d0426ff567a9084b05cb815372ade1ed1014c0ce4d01a22ccd

SHA512
2040ec840927aa891f942cd225a9857ad19f2c2513cb3c9eab48299632927caee97fb6e681af2411102e6af3c2fe2ffcd7addf124ba361e40abe0d35c61653bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQAIwsEA.bat

Filesize
4B

MD5
8797a56a67f5cb400cd07148fcfb92a6

SHA1
14e20395ff1c0a12910db45fd891788c33525995

SHA256
1de59e71dda8bbe474bf1e6cc405dbd9d732c9fe7e9b8c0d41e999ec608a0cb2

SHA512
fc74822ffb92f53e643aa885929c3e92625560a307b94e6f9ba49d942eee2496bb753a5686c330e1002e35f240bb312f8e2d90c6a8d6025d533749c86fc7d163

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYcw.exe

Filesize
599KB

MD5
61f5f41a29d04b602c6008a4102e85ef

SHA1
ab351f640e1297f0dceca3a5844528e731034414

SHA256
f023116ab3e7edcbe2f1b4c0897df677d6a880ece3510d6dfcbad7f25983a0ea

SHA512
9833c2542037f7db8fdb7f4f4fa5a303a68d1cac4d00807169cecb5e58367327f1cd6bd889881fb226947365e2d733a7b59a2d7fb0efcffee563cb24a8b26cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYgo.exe

Filesize
186KB

MD5
ebc651baf0351441a543d05ba8f145b8

SHA1
b4bb99c0f29a955b2f9aa616c03357cf4b21b691

SHA256
33bd1237214d7fbdbda441169bf63dfbec65b07ced8e9b37eb603a692a07c894

SHA512
a78d3f8986740d521719c6ddada3c36f91ad7f6a3b411ae93ffddacfe655bb40694d3ecf85020b9b851013c4c397f7b1f7777009b72a803098de4cf6d00fde74

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggoMkgok.bat

Filesize
4B

MD5
3da332980b3e4e36dac913e480a24772

SHA1
dbb12de58e9591ad27b25fb3d68cd7d8c081667d

SHA256
d6dae61baa424e1e55c06a65c0159ab2865d65605f803bdaee5aee685928acdc

SHA512
d75bc1e613345895b7caee945a1fe68b89e31b5f7a2fc4d0529dc81bd9349deb2912bc8a15052875449e86bf3a379dae8ef83ef7ea41552bc43d671c24825faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gscC.exe

Filesize
173KB

MD5
e8b39faa173a60545745fc4727cad8d4

SHA1
5a0ee679a38e6b57779830c46ebaa9cd62934f66

SHA256
09b97c6379283d1733d9a07e029d86fe949475397694b3f371d62a35b2ba6f0a

SHA512
2a54863d00a672f07ea8d4ef5f359fbfa24d568f261b414fc850fab51a707fa85eab90f822f058e22e4cfdd0b7d5a74db2c3e7c3d108d8e1faccb21fd6576530

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwwU.exe

Filesize
192KB

MD5
e52dd0ee880dfaaaaa7535e78ce828d7

SHA1
610c615df455e2a955466691360ab4fbeba2883b

SHA256
2f734b934261120958c1a536fe42afb8a60a78e82049a2a81abc85cd1f82b85f

SHA512
2f498181b0c2e7822e3294287b43a78e53b36ef40d08b3ea19e3a08a9651c10333b5298c225938ceb46c4500dcb215982c5e0b3e565e9877de8ea811c5b7789e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUgccswM.bat

Filesize
4B

MD5
f81eceb2a259ac9a79121ee0a2ad1657

SHA1
b4cd9a0f1d984b68965112e06bc54d5999480bb8

SHA256
4e994bfaad4b0352dd05bdb06c8a3acfe6e9c2569c6d4c5f9cd467746ec59da5

SHA512
b2a45e8a95117088a6e62599c1f024eb61a07db6a33dcea18541e66ad6c705b402b0b7c838e6bab041202100a88aa9265330c4038588966988d1b3072d6244e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\heIwoUUw.bat

Filesize
4B

MD5
ef8a725daed872f4b82cff854f1ca68e

SHA1
48c0d35ce4d62bc7f5e40387a6c16d2af105851e

SHA256
654aef5f17f38e9bd633efe432f78dbcd9f0e4c0be8090fa08b6fc35e6f37e04

SHA512
3738a12c25ae4437d9d72144abb8044f96f5505b6a115fd255e18747b6ba350b801258af6f590a08e4ea920e61a900a15366d18fa3aa205e4bc768f4f0f5aec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmUIQUwg.bat

Filesize
4B

MD5
f2d87014ee68506037ec48ec2d7c7861

SHA1
1856fdfb29307f94b0e9489508848840b7e24fcd

SHA256
1e27b235027972714e9b38cc25143eca1cc7859c3e4746692297670718d69817

SHA512
a39d8849ceda8c2a01db06b5b85770912a79d3df8917e9068433ce737cb622328d537284c501b99e710b3ea13cce8ecd505adddd0523e794a27e7d7e16387a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqAswMws.bat

Filesize
4B

MD5
3dd7017a389e1177a13fa136b5ec2497

SHA1
cc757fad031082aeb4b806538487ef907f09baa6

SHA256
a9fe23ecba8479c5c40a92268a9b510120589413fae91210c2762b3e50ccd8d5

SHA512
b4e0a5d610f33939098e3e94c8bfb18d100126858d6cdf868755606f5bdbb0028ea6d9c381551c84276bbda845cea5769186f9f09e0c27a6e8d3c1392903bde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEsa.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYwC.exe

Filesize
197KB

MD5
94be1aab7fc1ebc73ad0c7352eee7e54

SHA1
afa51e263e786ea2b9017025a67bc8bc5f98cb54

SHA256
f3c253e1208b16bf0dcfcbdb7d1e0a8a53f096ab90a6fca280315f19096b36ca

SHA512
211cc2846149610e89fbe33a6a2d36c33d1b15ad5cdc9e9746a6f823e680ef95e12f3effaf831fb225db7fc93a121d39a5a3f8649833749d483689d2425c0c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\icAwUAUQ.bat

Filesize
4B

MD5
6d95c456e3b05bc22368d106d30cd116

SHA1
8f2fb6ad015337caa6d6c30752e993650145c5a5

SHA256
d6cc264901f59efeb8b7f0aa48c6c93745cf83803fdedc10f90908631a8c4503

SHA512
8cc4edfe6417a6b729176b9dc18c2842ffd9606db1b9e26f94d6139e8d6d7ce02f6548561bc6626eeefb0e5639c760c6be629062a684fe8600607a7e27adb2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioMe.exe

Filesize
174KB

MD5
11ed63e7e14e6cba9cdb04dba9a033cc

SHA1
7a0c19fcd0167ec683010c9bd6a2f5bed8d5c8ea

SHA256
3e1d5507345bbdd9d1d32a95f01ef02120ca20a19c059bd3340b84c38a97139d

SHA512
6bc92cfcf3e45e4882cd93ffaa8c268ab5161291b3f86393bce9707682816dbffc7cb016ccb4cc05017108a492a906b9b2dc2d3b8f02baadb98b8af91f4acfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioke.exe

Filesize
714KB

MD5
86788c80eb16c6ce3b6c1b9bb09fe302

SHA1
1bc08a7047fa4d0db66f61f98de6b4d86409631f

SHA256
dc2de0360ed6680fb35d0e7e8d26e99acbab85838689fdcd833d6c089600dc5b

SHA512
2e2fa72b3cf5016b2b1bdfe1db2819f1b308305077f16865485ae7e6c511f751eb2ca7fd5979913ec61cb4a6a3cf1eba98b7dff16bfc6777f2691efbb0387ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyEsgAIo.bat

Filesize
4B

MD5
64261da39dd6c8ad4edc194c26777b1f

SHA1
89f53b1bc7975fae5a6ac2db3a5faae0aa91235f

SHA256
eb7a1c3be9d71ab3a1c6ed9824f05de7e38d35612ecbda4458f8914facdf8115

SHA512
cd916f01371ee66805f7a6f72fe849b30f9690c1719a3ace8b2bbcc87b62fe5e6d1d69100809a9921533ec3aa2cd5ad4124b5ee01d760c3896256939f5d374df

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYIYEEEM.bat

Filesize
4B

MD5
b68f44773bf43da78faa30e68cc5fcdc

SHA1
f933da7ea42a5bcdee2e0ec40d9a6816c95b315a

SHA256
44476eed275d39ee798434dd30bee25898ce63e3029d64bb7d56d974218b4fc1

SHA512
7f96ea6956509803192e51cb14128d79e4488417c5856afbbb32fa82a06867690275583be239345673a586bec9c070ce99603939170f6e21244c232ebfb40a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIsS.exe

Filesize
188KB

MD5
95597deb24d2d5700fb969e305531979

SHA1
edaae07a3cc010f72697bd4c5fdb9012f37566b8

SHA256
82407388ad940d4541de75d7504ce323718eea926aa38d124cbf9542f1ce2470

SHA512
0f1d4e648f00bf1d5a98b5438e978029ee3a61aed33f00178d8c6602df29e2d63fd363725c57552faff8b290eb50a97d7b263a482093de1d602302ae0ae3a20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMUY.exe

Filesize
181KB

MD5
0aa03bc9010d5173f9bb423b3df43496

SHA1
ff393fe6ab425838c5e4157b9f0fd10358e4e53a

SHA256
9131a1541d847b93a480922075be30aecf71adc270b55930ae2f7f0b023d10c7

SHA512
fcd2d01c9e06bc7cfa142cbb3045ea9402699f4e98d65441333029d92a6973d006101d24a34be5238be74b3f9cc3f6b94fce1b85f03ff4eb009dd7efa6c7264e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYQk.exe

Filesize
185KB

MD5
dabcf47422d060a9cea77d15514b6160

SHA1
5ae9ad653e5df62dbac12008e142751b50b38ebb

SHA256
94a808c1cadd3e0f517d5a90766010fa437f1160f054d583219b56974f979f1f

SHA512
571c6f2b3073837bd403eaf13b2be0265f2c42bea3760a8fe8e67878174de008a783f4714d78fd7f41d7463772bd4bbcccdcf1163a2f0194e23076148ec1f1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgci.exe

Filesize
694KB

MD5
9a2e845e41a54a117bd0c89026b06042

SHA1
9b8aa29880b0726dabde61332fcbed44e2e40660

SHA256
bbe0e0398f7b422652446a246d22d8794e55d05dde354a810fd4b43bb1415e2d

SHA512
efd6a4ae4d47d07711617aefd53bfce64ad1a00054751a1f60f0a120dadff5c45325814694b1faf1f6d899aa841a3eca3997ee6371452f44563400b86e6a156c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgkg.exe

Filesize
902KB

MD5
85f2cc90475d68544671c166195727f0

SHA1
d12a46adc409f70c3d99313b6db783a21c68baa8

SHA256
c9767ea857f1a08fcad3494904448905b7326cd5ff1851cd843207fe4eb841b5

SHA512
05583dc58d8b5e694e951a40ed85c23540339454af960fff50652ccb862731966b1291cb29601d62e20d9b841d94e7e21453bc9f04d21ddb638bf6527d3a64e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwIM.exe

Filesize
187KB

MD5
64423205654b903f8a901e4be23733e0

SHA1
d55a85acdb42d75d004fdfd59dda811a6806b787

SHA256
63a6897017a1694a0cd580825e9187bf6dfbbb1004823c02613b73acf98238bb

SHA512
8d02f687d2f83b4db0127a7c980cd06ecb5c9250b5ca283590ddef8f1f233feec1a06f1f0b848132e6cdc2d0e73ec22a0cd5913c4226a6c076e37381a7d115d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lOwoIsUQ.bat

Filesize
4B

MD5
179c811c75aa8ae917179ed3a5df8a03

SHA1
183971f4a081c533de14a7be0fb2cbd126acf2df

SHA256
1ba3d881bdaf9574310900a1aeb7ccbbd3e0930a78313ad4b014d8bf9502ecdb

SHA512
0ae32cee022c0848dc186ea59495409e50fbe1567b45b826db8991ef9a5fed12dada0888e57f631abd17dd2e2ba2390667b5e1256186e6750bb373a09f123f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAMO.exe

Filesize
180KB

MD5
1d2ec0963e8414f459823fabb84fec99

SHA1
1315cc86d6370d5b5c6d5757339e2bd9585bdb26

SHA256
65c14bfa6402bb71239ec67ecbee75fe40460a785ffd17b501706ef251606792

SHA512
607490a9695d121685bfcd043840a948f3bf723c29ea3411102d03f8c03e8f9c9596ddc160f136f7434b66fb8efdadcbb7cd030a47d04d7e49ade5bbac34fd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMYE.exe

Filesize
173KB

MD5
119907a2a441ca08d7441887d42ae0b6

SHA1
9aa50fa0a61e1359efb6ecc533b4e5a6d36c7a81

SHA256
e5e279144456f2d5dcf231afe845b5f6b14ef772ba50e6e0f03ab5e0c1a06433

SHA512
c07adbe317058426cbd5cd834be66a1711ab419f29a6cabba4e9c51363c55846efe962021fbd57a53099f5a6e248d5031fd46f49797641f7168b056b4b21fdd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUAe.exe

Filesize
580KB

MD5
37e441185ccd56a739a26098fa90ad11

SHA1
af736016f02720da97fadcd80debff198181f745

SHA256
de08bb509c4d42ec36b3049ab8e4922f077b3e1ab6d45e25900be7e4da514c2f

SHA512
3832acc02bb1923f76080f1eefbe4aa493135abbcbac6029995748bcc20af3365d910b7f42f5925b932982718ded82c44cbd6740507e7491457e9311b3c9b7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwki.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEsEUgIU.bat

Filesize
4B

MD5
7bd1217c674354eec05f0c5f372c7dea

SHA1
934b733dfbfb63348e98a3671ac97c143f8be295

SHA256
287954f2691ae7b547826df6e1779aafa3b2932aca82de1056dee1157fc4e2be

SHA512
64ab46a56aaa33ca3fc0c6d04825fda58ee9aa5127f9163a712ff0b851d9a1f8bc8fb3019bdbdf2116018b50a48cfac328f32d6a134b3fc899ff5653589b283e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGowoosc.bat

Filesize
4B

MD5
980615f66319f506822143e329120120

SHA1
d0aaead65f95098b4d338fb99f9d42536d3860b4

SHA256
5198d42a03ab25067dbbf57ed6079e9e5b7c7ba501d7fba2091a7d617990e750

SHA512
8af4f4cf807e83f9f423469d957870dc1cb13378f954b9b67c2d0e9f987c1c011ecca252436c801f2bed0547857cb562d2b6d0917a1883ff7a1ac0bad554553b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nOsIMAYg.bat

Filesize
4B

MD5
0148759d1d6be7e1b04e97f950a550b7

SHA1
bce897f7825cf1cf496529c7ba4d6fbd89ab231d

SHA256
3a5829351f4e2a4f78b99f7e6fe522ab48b359168ab88b6e463599722c5fac24

SHA512
5295a7881ed1983c47ae1186762d35d7758e59e444602646b4ceecb6766db9866707134f845abbb6bb04528663382165b3e4117d41819d579f655c179d3f7157

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEAcwMEg.bat

Filesize
4B

MD5
452158dbcad2b4694da1cc1755052b2d

SHA1
f11d72d98a60a85b5067f9af8b99f11c37b8689b

SHA256
07f77f6a451f3d009b1d4a676717a4faaa08341e85e8cbf1a77f1e038f1ff5de

SHA512
090a0956cf05971c6616d3f4279f8be6af11c7c8e7f90d8acfba06c6830021d4b860b82dc2bc86cee18279b3367ce15e62df0507c70d3165fd1a29eacb7a85f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogIS.exe

Filesize
1004KB

MD5
ec178b0a5bfc69730b085ca6c77d49ec

SHA1
30c64ab8aa0ca9b8a294f8aa56ce983d6c38aa28

SHA256
832f850ba2875c56ddfca8d73cb4a99ce00422248bf2b33bb3be75d6dce9ebb8

SHA512
a03505eb9b7587b8c735879117c98b1db0be17dad9051e38f78522b2dc3d21eda60530552a3a0f023f80b3316ac817bcd3cc618d1f35cd5f04c2b992c006f550

Download Submit
C:\Users\Admin\AppData\Local\Temp\okIM.exe

Filesize
181KB

MD5
c70312ab5d73e2414d445a0baab02d67

SHA1
50133a6f5f00819243e749dbb42fc816daa6e277

SHA256
774bfddb12067742686b8025c541abbab44e895ffc602f4ecb70f30d625a0297

SHA512
6f940a22102d5e3086e8dff7329dcca5ba89420eec81043c570adf230d9666784b10d1a883a125969c082da3d367af7406e8b414083fff27ac5e81e9f0ad9f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\oskM.exe

Filesize
184KB

MD5
1ab9765923d5f1ccb7c82089495b5294

SHA1
101e07839dd80516b9e322da0ca08832a22cd8ec

SHA256
8d1a8411371dbd627e32b0d4d640f95c0b2bd8e37bde7cb1a0a9a27a0d86d8ff

SHA512
e3ae0ba7654111bb3a857b8d75a1ebd9284ba65038543c2d278eeec5795c964bd59dea81e35f9375e43beaf9ec27f7fb783824d152bc3449e88bd7b3c4a995f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\owsW.exe

Filesize
198KB

MD5
8cd70c7f32c47cb1b812340291ef8edb

SHA1
5bbad159ecfbc613f8d2befd3cf4653c99556269

SHA256
47167d33e64ef81120c8943e5c6ae1cbed99fee5be9f29f206ecf9ce81ac0ada

SHA512
d5e3cbc182ab204fbc2434de778924cdafed1ed78a7e7e634889df777085b0969a6a560d20ae189cad39a458a7a5fe57be8ca37c824c9d136f8a639b3efd7053

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAIAsMgU.bat

Filesize
4B

MD5
e9419fdf36289c6212a73446661e07e1

SHA1
7c0990cb6dba5372d208ccf1df98e26c9cf95367

SHA256
4cbbc7b6d3f8136b127db6011915467d5470ea5f2eed7e550cd455a5db6ab3e1

SHA512
4c2295f715b18f47fa4b3dedf619dda21f98f456f2208263e38762f1e5823a56c55a96f7e004479dbf9fc0c9055cea878bb572b9cdbc2d9d0321c1a0a523e5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQEwsQME.bat

Filesize
4B

MD5
cf73cc6d195282a3994f0409d6764896

SHA1
15cdd46e616a8f848c63026ab3396cb5151fa63f

SHA256
6a0932be2759a90575fe878d7411e3fc6106717eb9c468b7e40dc0e2e986b56f

SHA512
728f473bad7fc3a8f193b4a41dd490d902a68c43771ce0bd1b65627b58150aee01f95521d45ead5588f518db4a442edba779009c6da5aeeba72f1b09081532bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQUUEIoI.bat

Filesize
4B

MD5
7270967572d05df314694d0adffb2d71

SHA1
322671d9c9b9092db328c8d85394917b3c3f3290

SHA256
2fa94e1b44e72fadc06a95e66be5afee7e7250a43ec6099b852c30b073fcda34

SHA512
31e57fa75d9af9c70d9c05d1746b8361a8b75d06b15e302cbb5df847227e00653a915de5b28c1d856c53395fbcb1f089c4b99950287c8410a5d412e7ef7ca509

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkIEMIgg.bat

Filesize
4B

MD5
6386112fac988e073be0f8adbcdb2df7

SHA1
849ff29ecf70ca2ff871ba3cbe7807a014c96366

SHA256
475ad01acef4e968871365fab8c60df9cafb0dc4bced4466fcee403f519c4a86

SHA512
763195ad587210443eb5d2c588e9b45b329aebd2eb76286ae7ebf9d9fab0acf65ea193313851f47a7371d70d892e55a25ccb09abfb61cb446dd31b7c81fb2d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAgS.exe

Filesize
189KB

MD5
64f1673b2c9aa3cb532db44c27985556

SHA1
142ce3117eb1adbd2932b1fc0d2b6bc40c4bd615

SHA256
6b475251ee9b00498b1a0c77a9117502a79109104223b34f9a59c5cbf68eddd9

SHA512
52f176c46ca258a237c7995f2ca41f1f9fdd1f134fa04c1eb1ba92e52a5e7d98aa8b7681d229edccdc5d846855cfcc8fe2e3b38506a9501313f0c784cfc1cb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEgYgUkk.bat

Filesize
4B

MD5
9d09cb4719e2f6912f457500e2c9251c

SHA1
dfe7c4294d37804a09965cd38e9c2af18430db59

SHA256
4a8fc45725eca204b4d45921a0e0d216eb243af4df45029b28d64198ace20bc5

SHA512
c6d4f8d5a4ec37d7907b09d0ba44e053d5d5f4b889807b5e63ae1e9be61b3ea86d62d43dd243331df079281cedb90419739aae5d73120bdd19055fefe7358cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOswosoY.bat

Filesize
4B

MD5
0e98e8eda2714802af9bd914c52e2f75

SHA1
34c0199585f291ebb7c68bcce77d81f202645838

SHA256
882ae9ee8ea4bed2de437e4fe0301ead704ea38da8a6045fb32f73367732cc9c

SHA512
7f9408daa53410474fe3cf6072ea2c925230b6c2763944c35e7d843a6467b4ebad8bc81bd2f006bc80676c98ea2ccc6f9f90033d18acb115029a98c7fdc36e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYkQ.exe

Filesize
192KB

MD5
1480e537026dc239d0609c68bc16c2a6

SHA1
7468208cb93527a4e922c56fd86c1046d2185581

SHA256
04df590790dd3d8d58d32a246eff5cd6df0f7f34fa6c1387a4c016e138398d6b

SHA512
cd2e0aef84cc3e531397fffea9d1b4754dee94650bdb3cd558e96e8cce548df9445060d3ba394e32d4df870eebb76a493d276f3446b8396e7bf37f89a21defe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgks.exe

Filesize
173KB

MD5
c9033ef1e96f8526ca476aec6b554706

SHA1
25ae4977a55f51bdddd8575a166092c8bfef045c

SHA256
21c03dba5acd75afd600ed4e2484a331c507b1d2943dc30878ae3f10e86e9cbd

SHA512
fe7589e62727f5e945cfe8303a01914a062cc0f840479360e250591be581a2adfb02223847b66f3d803ab061361896fb9f32e02ae23a48d7a7a2c462d6d64b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\quoMAMUM.bat

Filesize
4B

MD5
d19e93be40a82aa5010a0882fc3607ad

SHA1
28a05224ea48fddddf134ad118d9eb4418439841

SHA256
a26a39a6a2152f7d0d10da5569fd68c2224b6645425757071ebf29bb8dc030aa

SHA512
14fe25b3065ebb8562705a4911f9e532401dc17a3428de3473505c1f65a1b360859785bba15a8340ffc4b04c9800ccb748f1ef34fa1e109a9d8001731ef90a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwIAsoIs.bat

Filesize
4B

MD5
32dff8565980055678a7dbbacb9e28d1

SHA1
a47f74da5a228b29cd54430a575e29eac7cacbb1

SHA256
58b2efdfe27868ec5c17e6742f0d2325af4d3d2417a7327aaf4bbf139ea68dca

SHA512
845e75cd8d7cbd7d357016a1d0533073aa949bcbd76d50290f24ff00de045ebf2bfc6d131d3319cf67f59dcba3ed812f31980aa7503bcae2a2a71603ea4c7951

Download Submit
C:\Users\Admin\AppData\Local\Temp\rGcQEkQk.bat

Filesize
4B

MD5
43c3f122325a53df33e6189de6870b6c

SHA1
9db5e604be73b1c2df1848e5dff02ea45becbee6

SHA256
39382daf664383e9b19b4a7f9475c8da1bac007e6093abfd62d16db33fa2c52e

SHA512
e868805724e551a434c3b535ccac97d1410c42963137fbfb990f3aeebbff1fdffbf5d22d48f5b9e172e82078cd04afb584469be8984c26d0ee359cc25051b128

Download Submit
C:\Users\Admin\AppData\Local\Temp\rSwoQkcw.bat

Filesize
4B

MD5
57503fd26a99aa9e1e5848e2067fad2e

SHA1
83ca9c3fec787dc000725360435f8cf65fb90d02

SHA256
f291bb95ca9b819048a51f62a012337744ec92baa7356d4f3905513abcf6451d

SHA512
a411f9298ff1142922b4bbff987b29435e0671b079f10cc44279fe17f5d662202c68b7cec1c1d646530069127c494e46acbf8268c6b09b2138a5d21de8b34f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYYwQYco.bat

Filesize
4B

MD5
205489f397625fc673b25f8d81ec3c1b

SHA1
0f46c4635bc977b1e784c5282e2bac1da5671737

SHA256
95399398b8515beabac94c52503c058530614b776a722fe50c43993438f33d75

SHA512
90a10a697f589dd6717f96617e2ea6891d64df8db00ffcdd6f661886d30121cd4bdac49a745f808c0e18d7618657bb28b4783961fb3f75841283c42901dffc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rukQokgk.bat

Filesize
4B

MD5
596c9dd754d56d062dd05e1c84c654d6

SHA1
721a7e25fe974f0ce29481c230885b80ac7aa0f3

SHA256
99fa2914054a73fc3040b9b64fee2fa4c74476c79f6008668264b234a49e37e7

SHA512
d09bb4f120648ba70e684ff398c7192be17e8047a9fdba2f8c96b314d3a456e1701bb734bf700dfd8be7c5d873b366f9cc6f78e504ce6cfaf743ab1b9854c3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEUC.exe

Filesize
174KB

MD5
e5b92fabd392fd449d8d855f5fec00db

SHA1
d7c359bdc80a15968699739cbe16197dc38d0fc3

SHA256
8e7309af19213828bd0e35c53f0fe8e9a74279a0f52b4da931c33bb780ce1725

SHA512
d9fa0ff585e05e18293ea168c92161c44abd7ae88b55c63de50832879853311bd6a1078940cd22a97143850b08ce85879d670ae25c6c029cbd97b0c1650e09a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEwm.exe

Filesize
265KB

MD5
985d992961a8e1582945383c50d4af96

SHA1
7961cf9f00087fb96199da1cff4f61bed8f87a7c

SHA256
e3d81698629565048b90588dfc61df426b94f06d2cf18d3c4ba77cfccf4d50be

SHA512
bff56b43f1b4714c67d8ff69197a5c4d222b84ded8a13ff7963ac298e0f2e3f0a8b617bbdc2abca3db484a4e50ba734f8472affc40e9f73f4fef164c3d612911

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIAQYcoI.bat

Filesize
4B

MD5
d07083f5526aaffb0d783cec1f8e739e

SHA1
aeafacc05e413c036f3416e543f6bd94ab4f7491

SHA256
d83e88ebf4cba1907c4b5c1cd36a87ea2fd301455f2a51cb0de8c986202a7df7

SHA512
59c48411c09cfd2ccf9d1b9dbfc176d2b44c0ed036001f4d00f04dc1ed7c9670a8ed58bcf827a06061ae281234a6bfb0730e12aacd217a468989cb599fac3eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIsc.exe

Filesize
186KB

MD5
c1a0332246277462e276bb337f582370

SHA1
2efae632dc46691a2a4f58eb220ac5bc278fc43c

SHA256
3d4ff14045f406d6dc4a3d062dbeb64ed27f580ab5fb7844f0b782919d1ac23e

SHA512
fe60debb14ad06176f1a4b53895f19521284b7d10e45a00d90a8a555c2e670ea7b016de01cbcd58ff69544f5df31cc15c89ccb6a8a624175747613d4b6d80d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUIM.exe

Filesize
193KB

MD5
873127d37609876ec2bef7e9b293ee93

SHA1
d99ca09425808468e9a3673c125962422c4a9b34

SHA256
f1c94fd0fd5fa1ff46f09033c7648ef1fafc1189a1a4be73ab76e491de1dbfd6

SHA512
16eeec2848bf6ab7898e5ddba45f9ec4020a94d825e505d60422acf291770e8d10393c5156fec9c0b57ad9fb11a3c6817ff817544ad0b11e86935a362efffd45

Download Submit
C:\Users\Admin\AppData\Local\Temp\skkQgMIU.bat

Filesize
4B

MD5
e938f54d5d0440e1b27467f226a78b4f

SHA1
8b245bd45739a622e870ba8fd667a89e05e13d30

SHA256
056d9e7b820985826d992d562577a2f51218c410da1afc01fda4d0489ae1bab2

SHA512
a82ec38049381e6974ed983ccb307ba22d9fbc60aa4c3f7fc836186d7bcdb954ab7fab53eac288c77eac292b9a5ae9a433ec1555d3c73bdb32874cc31e7cf0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssco.exe

Filesize
898KB

MD5
116c9dc7299c469e297d0fc03e1e5d22

SHA1
6943b142c91927e0fed246e8c0c2ceb67db218d2

SHA256
34ee9fa5ca73a0811a7152acd943158096941a7a6d6949e17aea6faadb929d9d

SHA512
cd7ee9406a620e2d9c7b03132275c3a3fc9c40eb302643277baab1c57d45dbda79d16c7737628f545083831e6fb37165fa63f74e14bf1457a0b9bd64a8d78473

Download Submit
C:\Users\Admin\AppData\Local\Temp\swou.exe

Filesize
255KB

MD5
91aaf74f797c0b2c9765663e7b361822

SHA1
f987bb4b41a6319451d5cb2bbbb403c41cdff026

SHA256
2cb8682f9df9f4da3ce9323b0214b14fe8b6d1fa26db335076bbdcbfcb3fbd1e

SHA512
4bc52228a25553c552ca333fa3b8ba7a5a522f151724db8f6bab47818723879cecd25c42dbd63465a6afc1de241772e75c6fb7cf3f3a5d16475543f3f318d235

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWcsowUg.bat

Filesize
4B

MD5
e4c114b0db4d9fe574663be1bb26eac4

SHA1
49b8d779d5255dcf6fe9b360f03ae0edf91cc1c8

SHA256
fe11fc39bcc612d018024d594a8ef9be316d59e91a67da26678bbc3155674033

SHA512
5078ae987882eb80ac6f12637193383840e3707b31b794124125d8dfe5da8b65f418dcfb201b9a17b014904ecdd60963fb4113ff164e5d5d7e3fbb86a7f72be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tusUYkgk.bat

Filesize
4B

MD5
f317b1da37ed05580b25742e7ed16f3c

SHA1
aa3938133f306191a39f136c8296298b8e203d8f

SHA256
e403719d4bf2aad00ff92b0985fc3c5dd46e83d7565d93ebd6a87070aeadc3a5

SHA512
7e551822a68a926067472ed22f2cd60633af2c75eba2f513b6b97af013e3fade7dc568f1e3f306910e59258dbc655b4c77e3e757eaadfb21a284cb5afad5feb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMIC.exe

Filesize
180KB

MD5
074cdd44b7b6a5560be809aef65bb7c5

SHA1
a23802977fb3c7556aaf6552357f74d853c410f2

SHA256
29af0580c89274c65e8ce99baa5d8bf2170b7f42cd85f43d8b57287e6915b9b5

SHA512
719333b3a2a8f5c7b878a380aa6780624399faebb2ca6bd000da45bd238945af59e1b235b31e1b152ee7235ce42b75ce52124c65cbc7c0c5b1e8195fdf569475

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMQC.exe

Filesize
175KB

MD5
7cb94860f9e61a0fc53a0d9238e746e8

SHA1
2b5f439d391520efa5a9541c681582a50ed81c91

SHA256
7671fe2e2a6447ffe08df4b6ad84e4443d66dd457a02d61b976b87a77a15c163

SHA512
a3ccf27db2e4401e0562b9d500a6195ac03ae241a3c412fd8e418600c73ad2b16f8ef8bf014111a08d92e72edfeb2601358054319ce70c9b628e01439b32675f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugkMswIs.bat

Filesize
4B

MD5
f364525f3d74b45ea8118de37e69e61a

SHA1
cd02dadc3b0e4eff82a4501302db36c1c49c2885

SHA256
58ff9521d0bbc0b54431577b7b690fc26a76874ff526e8210c7292fd1b22afd9

SHA512
0c7e1fbc4e2297a86afc475229dff2511dcf6b90bfd655ef099cce013cc159a4e3cdbd1cbd5eaa2a6776669e2572c4ae716513226a41bfdbfd1c8071745e7398

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugoi.exe

Filesize
730KB

MD5
507d1c2fba70d34edae09ebc2bcfbe3f

SHA1
6f7e52576aa9ffe0386bcec71ecb1f0fe2b651c5

SHA256
588e6e60ea9dd8594d56c3bd92f921de0536a32a99447088bec713e17ab5afca

SHA512
8f0dbff14978116f83acb1f2e0bd253548ed2dde6fbdc7cd91194ea25fca83ed18383077555c26d52b5bd0601cedb3a0e0e43eb6db8ecbb40f771b6607266203

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoQe.exe

Filesize
191KB

MD5
4ef953e5218795b2547ea5d63b2980e4

SHA1
de92df363edc9eb8c8ebfd323fe3d414b77eac23

SHA256
5277f41fab2a1ab1ce154499a599b4dc39ce32596cc8c8386b09e1a4ea0a634f

SHA512
d0ad42f08155c78b76cd4ccccf0af221025d02b304ea97c5a1e5656d2469b60e15475c948e56ed7165abf3bb1eaf5f746be459770383f9afc185119c86997b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoQgswEY.bat

Filesize
4B

MD5
2791f7ba17ef6e94383225317a650b56

SHA1
6578af5e10e885a7271aa6efee1a7dc8c8d3cf66

SHA256
24a17022071e1148245081de2a7f8780715757a5237062d9f5c2b9277b56c60f

SHA512
0c1970ff70e0feb9eba4282df64a0257fd7782ed6566995d8e4f2264197b76d60567f2c5f5757b106b92fe65e2073a4afe0427fc63499b820b9b9106462b03e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGwokUoQ.bat

Filesize
4B

MD5
8a573f161106bef312f2848d848d3b46

SHA1
3f73b143f46ba87574cc94f686744e14e07b9b86

SHA256
e34a426e217fde03cd02600608ded3e1498ae9d506512af40c2f650b976245cf

SHA512
e76bcfe38c7b4c42980869f2f48433a1c7ef6507c36f5c62ef779d2edafeb9fa530465e7d1ed0d2a3521f3ca675db7d7d57011732244660b2595af722b60a9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaUMgEMc.bat

Filesize
4B

MD5
bfd1f4e842ace1095b1ecedb2d3acb43

SHA1
b90486d307871443c5e6ae50df6b836e4895e63f

SHA256
a017605bc42caf18ec251179631a115a81ad8265ab269b4ce1c999b87926d0aa

SHA512
53b4fc047a89c5959a2642b1c01bc54f70b2552b99a692c5255b24869660248fd2322720c155aee007776ec060bf442506909508bdbc2741b99348730ac6a2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vycIQcIA.bat

Filesize
4B

MD5
9cb1b3f241deb3386a6a11975e7607fe

SHA1
c82c20dcb1c69f2e56ba3a260fbcf99a0a14a04f

SHA256
9c952b4abca97963d25c319fefe20269a850e113b4771b6953207df795c68e3a

SHA512
3ca0e511416bd94ffa15ac8435b7c99c60d59604ca2aaa4cd507e28a8797404f299d4755669ff08fb11fab127c3c30190ea4766e78d132f73f8ba40a0a332d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAAe.exe

Filesize
254KB

MD5
c4e23b9f16a9de0ed719a6eee88b89f5

SHA1
da5145a1d1f8647059a88eee669cc1b1ae53a2c1

SHA256
0019f3989d62d0114928658010b50b55c0e5a3451fc5bd15424d0d512da56e15

SHA512
cc1723031e3570c3462fd824b60d22359c12de966cb6c880d65d5314fb3176912e337d02d69856e965485a36c9f579399174e750899f8c9ee6dd78eb2e1e3bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAcg.exe

Filesize
1.3MB

MD5
0bbe4bf383544858a5ec3d2a4f4ab02d

SHA1
6d2af8ad6a43cbd95baf7831a3c48413211ed0f0

SHA256
8847b0cc18edcc4c28f068a379c3bebb368fad50654de0ad5e06560461a8d9a9

SHA512
931c326a1aab5e5b78a97146d09139c5c556a9c2547aad288031d866dbc0552e347ba17e8790c514e4d581b5fe440b6efdbc3c87a3a3c44ef8f146e85744b36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAky.exe

Filesize
188KB

MD5
eb847a5640b96a041702bb60cb677797

SHA1
adf39dbb47f0cf9fef4ad95a2117d71c925c239b

SHA256
3dcaab4cd73e0c595ab678e0f9ba896dd4ab7b1fa4ccb09752959c2ca9d7a417

SHA512
6923668ccf20ecc61768096ecdb6159d378867692d0659bf8d942a68dbc33457f9e789a86b09903a66a02e37c061fd4293819584c62b5235a9e252c67ea158e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMocEQcA.bat

Filesize
4B

MD5
2baebb3d818cb5327059897e2d3835a1

SHA1
181f9f6cf34bcb2eec6ff085c13eabf000a0f0b0

SHA256
631ae719b787fe6eca5c4f38b67b3f64bef842d256b160cfce004d88c16fd030

SHA512
45097801a6c9fd0ce28736c0ac267751464dba5756f0dccd3f40983ce0dcf26a1f655b70ef54f60423125ab7af6a960d79c6f58ab96b8fffb076442aba8493f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQYA.ico

Filesize
4KB

MD5
0e6408f4ba9fb33f0506d55e083428c7

SHA1
48f17bb29dcd3b6855bf37e946ffad862ee39053

SHA256
fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67

SHA512
e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkkw.exe

Filesize
177KB

MD5
c1a8d4b6d160a145a0897b54f337d9ca

SHA1
2dfc9955a281b9a2eca094fc33f78571c619b701

SHA256
ea6daf98788677fc02ab2e0deb3849705b1a189e79cc0a9a85349e5bb7682dc6

SHA512
18d45a5f0addd1c88e450187313a93cc0fbeaeddb81b003bac292cb29b98140f877f3edbfcf549b4b4d32f2a5a6b16f566dc14608ad822e289db89f1f7db6d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\woAg.exe

Filesize
194KB

MD5
cac9f92eed1fdf40cf5cfc50127a210b

SHA1
c5241d85a2698225a12f47e07b71d093268fa0e6

SHA256
392f9c6ab58d6154bcdfb51f8e2069dc3717c16733c909761cdc17eba5f3e180

SHA512
ba9262fa59258f42bec34d7f5fbef77428c5a06670345859b8364991a8ab38d473b8ee46f5ae9d9e54c4c0d7cd91f2dbde4225eff8172915b19ecc2cdf19152c

Download Submit
C:\Users\Admin\AppData\Local\Temp\woUgYwIA.bat

Filesize
4B

MD5
81383ac9cea9ee56095c5327117c70ff

SHA1
4b6e4593f2728a81f64230b3afda20cf17e5c495

SHA256
d71f62de072f8d1a7fdbd26883277eba150fa97c3dc3a4cfd87c81b9e016d798

SHA512
e314f9b8374008a50d5411ab8ba8f1ee8c3c840c9538c49d1be9435010dac8c91e427206b6cae1343a7af5f27f904c6533004ff0665eb7c80f2fe0a2ec9c7ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsQEAQQM.bat

Filesize
4B

MD5
a460384115038b61fb142f31fae31203

SHA1
0e2c7bf6c25cb3e7ea0b9897efc9db7c64f7a867

SHA256
7ea0aa9596930f2e2f3c24a297c34d24f4824a7c2b8f8343a15e28d187a2e571

SHA512
cd88a4a9f8b1dd6d9c9779414885784201aa238dc65925dd5f26e60a9dcc910a8c292960276e611c1419ddac7c8299950fd2939f030cc48e1838b18034b5293c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMMcggwE.bat

Filesize
4B

MD5
e3d326521e5914a59c121dffe79d0b17

SHA1
37ffa1d12e65746e50bb8ae3d78ff3331ef10b79

SHA256
431e1699a679264347542e5905ef0a8b3adad3e1931363231dfd52b1a54fdc24

SHA512
01ccb52d212f9f58f3fd254484660f188813d44b0c942a3335229703398f1cbc01286875e4ed7b87eb905a1ea4e3379d167220d839440821e29bcc03eb347502

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIwA.exe

Filesize
133KB

MD5
20477d8b87a1b6d8c0429014b57f0653

SHA1
50f26cf3fb764ea1e86fc99a0402f0b8fe2a6895

SHA256
37d84a98d8f4f406d541a487a3930b0907165b001cd411af543213796129204b

SHA512
068bddfe0502d0d1ba4b09e360bcc358a9c2f940f8c468d44c77960d8498477c6ffb5ffc0b4434ad5273573b26525f94aae6906a5f50fbb8033181173241b8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIwA.exe

Filesize
176KB

MD5
3e23e3fb8e112d0129299ed93e23b9d5

SHA1
4fa1172197c285b3920651f925e6790aed09aad3

SHA256
d11ce646fdc63aa0c00cc5fe3d50ceb27498b9eaf36ad52dcc0e28a2c334b33a

SHA512
2de78e654a77ab54a116a227f53e57f8e53a7090c9939538fdd5456e5c3ac9d48d21c6ac7d6b22976473c2301d1f01aa72eb819d81f943161444d3cf81c0d2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUUgEUEs.bat

Filesize
4B

MD5
9d287b9b4e4aead86c65317ab31da556

SHA1
e950ffb0c997dae127725fd5b492dbe4bead1e9b

SHA256
2c3abc4e7ef457b8a73a0ab6b6b2790aca0e38afbb61e6abfb68c6fb01e5d705

SHA512
8edc2003901c32587bba4b8844f235507a3af79af855e8b36387795c77dae822208e4aba4e6ebea48882aaab609d7569a3338032b809534dbfb3ac1efacb4cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUkQsYAs.bat

Filesize
4B

MD5
55fb7e57cf9bd635e32e933dce3d9d23

SHA1
aacb49a45a8dadf12c5cece3b0a69033e97059cb

SHA256
fb3c0076a6da6725acc62a80b32bd88cea4985c772043d4b29a80bb49020c30d

SHA512
c241990c7b6d33feaaa2b3d68e4a4594bcbbb80f06de52c3749f5c1a39567f159a07d42b31c359a034c55f49b1e1962a08618e761c418ee221b97efd0efa8b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYwI.exe

Filesize
172KB

MD5
af5d35ffbfe9308ba09d825b751f174c

SHA1
83aa1639cbe550b4559d8779421ba23c09931f6e

SHA256
af98437659d2ad47c863ba78b39728773f6d48eeb89807ec184d70bb2baf81a7

SHA512
9e2f8e0a5b8fbac04a311eafe4f6ac848e7ec92f83733c0a78924abc1daf970ad0c10fe35ecfc201fb9eec9f31f923f2bf0cc4480db3fd1a2e07aa53433d7e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycIEUYoU.bat

Filesize
4B

MD5
19a3af3f9355ec7b3817f37eef46f68b

SHA1
04c1eddb19a861d63e874469cf9c2f370823f1a8

SHA256
f18cef00286c0163224e037236259b239c9380690aef21e9e47b3e3714ed33bb

SHA512
7e000afbcd21985ef7913e98a3910e1de8560d6941452f49c30f1d26cd3be970875a64ccf1422c17905631f1054f14d2a4f4aa01c23ea85dcee8d2495917f977

Download Submit
C:\Users\Admin\AppData\Local\Temp\yowcAAYY.bat

Filesize
4B

MD5
9d975b26b529a430db0ce648a7a276db

SHA1
ac11fd6f04ccb48f93825afe2a2087d8f29c9dd4

SHA256
8a8ee4f0dd9a4959f1349982aba4c3c8c5a06d879d45f8aee973ab85ce1d7e6f

SHA512
14244f35a054d507860822262f405926cf80f5fd9cd5d6e3963b2708b19bcec901f0aa1c6bac44118af9c9174e5ec5a8229f20d8f83633936683c8a576a6992b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysAkIUck.bat

Filesize
4B

MD5
f7126f3a9bb36bd940662b3ac8ceb2e8

SHA1
091587053bab00f1e9d70cbd158d14e63bad58ba

SHA256
b4334f7bdd11efc74828abfffe1a7adc606bc7a109964178b5cb55e48bd3d859

SHA512
e73ea4a9087056d258a8f8a163c14c7eb9f3bbecbc1bc69a5b869654930b74e1f2169895baa1cfcea0456b2cb545fda3dc539bd143f8c303be01f702a78105ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\yskw.exe

Filesize
172KB

MD5
0aa9171c8398d19a64db1a54a3462c31

SHA1
7c3683633a679bd1a35c6d0bba6bbe9dee56324c

SHA256
d0ec6fcda7910cf50e512fc6a85d493e83ba2afe90a3d4d184a74f34f8cf6030

SHA512
3bde18ca7ea03f2f41277782964dfc6e51d1ea9438de92a20f09f7661ffc91f1ed4846fd756b10dd2e03e2480f853426db820c60d01b38f602ff704a742ecbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywwAIsYY.bat

Filesize
4B

MD5
5b1ae7bd890c6a05acdc2f5e18c45aa9

SHA1
24c23ca3e653bdf150816650ce9887bee1054205

SHA256
46d2dd6d711d07ee40dd6896525c8511555f4be7d2c9a9050398b3758bd9d309

SHA512
bc6560a8f842d9102a683ce2a0c4ca41df4849009c27871d80f2f25456d002987d01eb8499fa2c396b0afa6bf3ffdd2405eb5b6e0300fb7ecb73f838386b2485

Download Submit
C:\Users\Admin\AppData\Local\Temp\zSwksAss.bat

Filesize
4B

MD5
a3fe9ef404afdd75f8bc185c0b813226

SHA1
f42424b313758630b274c0fbb683ec338b3dd0b0

SHA256
258435f674ce5ae847d2b3aef82b1f05cd99dcc809539c94b6a213fb044b8bbc

SHA512
84a847fe331d714b43890961e1d9de482884ac25be508b40c3b55e6417f51a20fc104df17c86e21cf5e178c1c23e17c72c0ac7d196ef42c50d7a18c32f566364

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqAAgooA.bat

Filesize
4B

MD5
29f45a23e878b511e25fb739e9186fab

SHA1
6c2561f29f7ee7e3f14bd0e3afba25fa73f4d8cd

SHA256
efa4a120b37b918f542610c563625d80a391d47d82a0d121b0f3fde72726f8cf

SHA512
33c450244617758fc203be35e6418273820c2e54c4ee0ca70aac7ec2df92c020d987a3657c2021c068d00e7e408f91588f89ed0342f7b24a1474c57ebb43c331

Download Submit
C:\Users\Admin\Downloads\ConnectSave.bmp.exe

Filesize
903KB

MD5
050b4916adfd3554e7271dc91e56d687

SHA1
b432cbee6025bf013403a54b22152c8542fefe20

SHA256
16a10930ba38d6bf62930bce19372105c48be469acbeda0ba1836e7a42eb2d53

SHA512
0a08b2191ac32049d65efe41282f8eef477e7f52aad7d465af2b8d81f88d74522285a658557e30bb7827764d7a7a0bba140b111fea783f5f83a8195ac3d39ff4

Download Submit
C:\Users\Admin\f.inf

Filesize
304B

MD5
7c335aecbac9d35143ffe69f0ff2e279

SHA1
051b8820f435b70f89c6c1bd808ffd3b96645171

SHA256
11edea1a01a98269f138bf15fe15ab443a50474ab16b1fd504fd9f4ad319762f

SHA512
601878ac3c67f89ae692ebdc3ae2a301238cc98bbac136dc78ef34424670a808e5c0588ec6e4eaf6c115ba093cc6b265863720204c01c3656eb53342bbb53a9a

Download Submit
\Users\Admin\ZoYIwkIY\QkQkIMAM.exe

Filesize
146KB

MD5
6e64fb47f54716134e0524b199d9b849

SHA1
b81bd52bf79f491a62c2297c80835b888013766d

SHA256
3cca7c73db2e89b8cba479eadbf2e11e75cac7a484631c06b1cb95ea82163ffc

SHA512
527ab979d96b6aede637257417b3e65776660b0e3f983ca951774acf73c81d6512079677b796e7332ce466481eec95215ca3fd257ff888ac84f89e8905dcb17f

Download Submit
memory/288-382-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/288-383-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/352-546-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/392-874-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/596-508-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/624-518-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/860-147-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/860-564-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/876-826-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/876-694-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/876-138-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/896-424-0x0000000000260000-0x0000000000286000-memory.dmp

Filesize
152KB

Download
memory/1064-443-0x0000000000130000-0x0000000000156000-memory.dmp

Filesize
152KB

Download
memory/1064-704-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1112-116-0x00000000001F0000-0x0000000000216000-memory.dmp

Filesize
152KB

Download
memory/1296-732-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1460-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1460-652-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1464-769-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1468-836-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/1476-369-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1508-807-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1608-537-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/1620-30-0x0000000000320000-0x0000000000343000-memory.dmp

Filesize
140KB

Download
memory/1620-31-0x0000000000320000-0x0000000000343000-memory.dmp

Filesize
140KB

Download
memory/1620-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1620-43-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1620-12-0x0000000000320000-0x0000000000346000-memory.dmp

Filesize
152KB

Download
memory/1620-11-0x0000000000320000-0x0000000000346000-memory.dmp

Filesize
152KB

Download
memory/1744-845-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1764-624-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1764-596-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1780-280-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1788-723-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1796-797-0x0000000000260000-0x0000000000286000-memory.dmp

Filesize
152KB

Download
memory/1796-798-0x0000000000260000-0x0000000000286000-memory.dmp

Filesize
152KB

Download
memory/1796-302-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1832-433-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1856-751-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1916-817-0x0000000000160000-0x0000000000186000-memory.dmp

Filesize
152KB

Download
memory/1932-316-0x0000000000180000-0x00000000001A6000-memory.dmp

Filesize
152KB

Download
memory/2040-490-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2100-615-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/2104-393-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2116-227-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2120-787-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2120-88-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2120-125-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2120-642-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2132-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2132-47-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2164-742-0x00000000002E0000-0x0000000000306000-memory.dmp

Filesize
152KB

Download
memory/2236-527-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2280-384-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2280-414-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2288-170-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2312-348-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2348-595-0x0000000000150000-0x0000000000176000-memory.dmp

Filesize
152KB

Download
memory/2348-593-0x0000000000150000-0x0000000000176000-memory.dmp

Filesize
152KB

Download
memory/2348-883-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2360-864-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2360-574-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2388-662-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2396-271-0x0000000000320000-0x0000000000346000-memory.dmp

Filesize
152KB

Download
memory/2424-605-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2428-86-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2428-87-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2432-249-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/2500-236-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2528-471-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-51-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/2572-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-52-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/2572-34-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2576-214-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2580-33-0x0000000000170000-0x0000000000196000-memory.dmp

Filesize
152KB

Download
memory/2588-339-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2588-338-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2620-183-0x0000000000170000-0x0000000000196000-memory.dmp

Filesize
152KB

Download
memory/2652-583-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2656-161-0x0000000000180000-0x00000000001A6000-memory.dmp

Filesize
152KB

Download
memory/2656-160-0x0000000000180000-0x00000000001A6000-memory.dmp

Filesize
152KB

Download
memory/2676-192-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2772-205-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/2776-713-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2792-462-0x0000000000130000-0x0000000000156000-memory.dmp

Filesize
152KB

Download
memory/2808-325-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2824-855-0x0000000000390000-0x00000000003B6000-memory.dmp

Filesize
152KB

Download
memory/2828-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2828-594-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2860-452-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2868-653-0x00000000001B0000-0x00000000001D6000-memory.dmp

Filesize
152KB

Download
memory/2908-258-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2920-481-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2936-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2936-102-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download