cafbd0fa597ec2d3a5380bed64c1248e6515337d1c296540c67b9b79c303df0c

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240913aff947a392882d6abeaa90330f647cd8virlock.exe
Size

192KB
MD5

aff947a392882d6abeaa90330f647cd8
SHA1

f13f3cc8392466822894409344866064830203fd
SHA256

cafbd0fa597ec2d3a5380bed64c1248e6515337d1c296540c67b9b79c303df0c
SHA512

23eb4e922ca480654f60127d781f606320e99abbade517f161670f881a959d522198683fc08b26ba7316c2cfd371189474eed86363e91df487a2ca7d227026c5
SSDEEP

3072:xXtCcXcL97sQy5OKXyaF2WoykWJTm0AWWg84eGhRpRSd:xXMyYuT5OKiaFjowSF4bTSd

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (57) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation	fewcwEMo.exe

Executes dropped EXE 2 IoCs

pid	Process
2668	fewcwEMo.exe
2548	BesEMgow.exe

Loads dropped DLL 20 IoCs

pid	Process
1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fewcwEMo.exe = "C:\\Users\\Admin\\aigsIUkA\\fewcwEMo.exe"	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BesEMgow.exe = "C:\\ProgramData\\CIoQYMoo\\BesEMgow.exe"	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fewcwEMo.exe = "C:\\Users\\Admin\\aigsIUkA\\fewcwEMo.exe"	fewcwEMo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BesEMgow.exe = "C:\\ProgramData\\CIoQYMoo\\BesEMgow.exe"	BesEMgow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GykUgwEM.exe = "C:\\Users\\Admin\\MwYwMYgU\\GykUgwEM.exe"	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZEgMUogk.exe = "C:\\ProgramData\\zUosEUso\\ZEgMUogk.exe"	20240913aff947a392882d6abeaa90330f647cd8virlock.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	fewcwEMo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3060	2708	WerFault.exe	237
2384	2724	WerFault.exe	236

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
580	reg.exe
2740	reg.exe
2824	reg.exe
1736	reg.exe
2704	reg.exe
3004	reg.exe
1332	reg.exe
1268	reg.exe
2688	reg.exe
2528	reg.exe
1000	reg.exe
2240	reg.exe
2692	reg.exe
1384	reg.exe
2400	reg.exe
2676	reg.exe
2840	reg.exe
2500	reg.exe
2088	reg.exe
924	reg.exe
2564	reg.exe
3068	reg.exe
2988	reg.exe
1304	reg.exe
1720	reg.exe
3004	reg.exe
1692	reg.exe
1952	reg.exe
2352	reg.exe
2124	reg.exe
1084	reg.exe
1856	reg.exe
1144	reg.exe
2424	reg.exe
2164	reg.exe
2936	reg.exe
2428	reg.exe
2824	reg.exe
2756	reg.exe
924	reg.exe
2124	reg.exe
1788	reg.exe
2572	reg.exe
1056	reg.exe
1092	reg.exe
2936	reg.exe
2024	reg.exe
2876	reg.exe
1508	reg.exe
1816	reg.exe
2716	reg.exe
888	reg.exe
1276	reg.exe
1776	reg.exe
2700	reg.exe
1928	reg.exe
2996	reg.exe
1992	reg.exe
3044	reg.exe
1788	reg.exe
1304	reg.exe
1692	reg.exe
2644	reg.exe
2484	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2180	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2180	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2004	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2004	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2812	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2812	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2196	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2196	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1584	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1584	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2884	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2884	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1644	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1644	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2680	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2680	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
640	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
640	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
3060	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
3060	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
700	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
700	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2636	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2636	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
760	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
760	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2024	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2024	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2020	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2020	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2524	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2524	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
672	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
672	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
836	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
836	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1940	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1940	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
3028	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
3028	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
996	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
996	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2352	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2352	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2856	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2856	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2468	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2468	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2820	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2820	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1748	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1748	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2892	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2892	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2416	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
2416	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1644	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
1644	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
676	20240913aff947a392882d6abeaa90330f647cd8virlock.exe
676	20240913aff947a392882d6abeaa90330f647cd8virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2668	fewcwEMo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe
2668	fewcwEMo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2668	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	30
PID 1788 wrote to memory of 2668	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	30
PID 1788 wrote to memory of 2668	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	30
PID 1788 wrote to memory of 2668	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	30
PID 1788 wrote to memory of 2548	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	31
PID 1788 wrote to memory of 2548	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	31
PID 1788 wrote to memory of 2548	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	31
PID 1788 wrote to memory of 2548	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	31
PID 1788 wrote to memory of 2472	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	32
PID 1788 wrote to memory of 2472	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	32
PID 1788 wrote to memory of 2472	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	32
PID 1788 wrote to memory of 2472	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	32
PID 2472 wrote to memory of 2740	2472	cmd.exe	34
PID 2472 wrote to memory of 2740	2472	cmd.exe	34
PID 2472 wrote to memory of 2740	2472	cmd.exe	34
PID 2472 wrote to memory of 2740	2472	cmd.exe	34
PID 1788 wrote to memory of 2840	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	35
PID 1788 wrote to memory of 2840	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	35
PID 1788 wrote to memory of 2840	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	35
PID 1788 wrote to memory of 2840	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	35
PID 1788 wrote to memory of 2844	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	36
PID 1788 wrote to memory of 2844	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	36
PID 1788 wrote to memory of 2844	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	36
PID 1788 wrote to memory of 2844	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	36
PID 1788 wrote to memory of 2884	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	37
PID 1788 wrote to memory of 2884	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	37
PID 1788 wrote to memory of 2884	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	37
PID 1788 wrote to memory of 2884	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	37
PID 1788 wrote to memory of 2912	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	39
PID 1788 wrote to memory of 2912	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	39
PID 1788 wrote to memory of 2912	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	39
PID 1788 wrote to memory of 2912	1788	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	39
PID 2912 wrote to memory of 2932	2912	cmd.exe	43
PID 2912 wrote to memory of 2932	2912	cmd.exe	43
PID 2912 wrote to memory of 2932	2912	cmd.exe	43
PID 2912 wrote to memory of 2932	2912	cmd.exe	43
PID 2740 wrote to memory of 1716	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	44
PID 2740 wrote to memory of 1716	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	44
PID 2740 wrote to memory of 1716	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	44
PID 2740 wrote to memory of 1716	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	44
PID 1716 wrote to memory of 2180	1716	cmd.exe	46
PID 1716 wrote to memory of 2180	1716	cmd.exe	46
PID 1716 wrote to memory of 2180	1716	cmd.exe	46
PID 1716 wrote to memory of 2180	1716	cmd.exe	46
PID 2740 wrote to memory of 2400	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	47
PID 2740 wrote to memory of 2400	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	47
PID 2740 wrote to memory of 2400	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	47
PID 2740 wrote to memory of 2400	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	47
PID 2740 wrote to memory of 672	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	48
PID 2740 wrote to memory of 672	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	48
PID 2740 wrote to memory of 672	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	48
PID 2740 wrote to memory of 672	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	48
PID 2740 wrote to memory of 1472	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	49
PID 2740 wrote to memory of 1472	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	49
PID 2740 wrote to memory of 1472	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	49
PID 2740 wrote to memory of 1472	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	49
PID 2740 wrote to memory of 1920	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	51
PID 2740 wrote to memory of 1920	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	51
PID 2740 wrote to memory of 1920	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	51
PID 2740 wrote to memory of 1920	2740	20240913aff947a392882d6abeaa90330f647cd8virlock.exe	51
PID 1920 wrote to memory of 1620	1920	cmd.exe	55
PID 1920 wrote to memory of 1620	1920	cmd.exe	55
PID 1920 wrote to memory of 1620	1920	cmd.exe	55
PID 1920 wrote to memory of 1620	1920	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
"C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\aigsIUkA\fewcwEMo.exe
  "C:\Users\Admin\aigsIUkA\fewcwEMo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2668
- C:\ProgramData\CIoQYMoo\BesEMgow.exe
  "C:\ProgramData\CIoQYMoo\BesEMgow.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
    C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        6⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        8⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        10⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        12⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        14⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        16⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        18⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        20⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        22⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        24⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        26⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        28⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        30⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        32⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        34⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        35⤵
        Adds Run key to start application
        
        PID:3000
        
        C:\Users\Admin\MwYwMYgU\GykUgwEM.exe
        
        "C:\Users\Admin\MwYwMYgU\GykUgwEM.exe"
        36⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 36
        37⤵
        Program crash
        
        PID:2384
        
        C:\ProgramData\zUosEUso\ZEgMUogk.exe
        
        "C:\ProgramData\zUosEUso\ZEgMUogk.exe"
        36⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 36
        37⤵
        Program crash
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        36⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        38⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        40⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        42⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        44⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        46⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        47⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        48⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        50⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        52⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        54⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        56⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        58⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        60⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        62⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        64⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        65⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        66⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        67⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        68⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        69⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        71⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        72⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        73⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        74⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        75⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        76⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        77⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        78⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        79⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        80⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        81⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        82⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        83⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        84⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        85⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        86⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        87⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        88⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        89⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        91⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        93⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        95⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        96⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        97⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        98⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        99⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        100⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        101⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        102⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        103⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        104⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        105⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        106⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        107⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        108⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        109⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        110⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        111⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        112⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        113⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        114⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        115⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        116⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        117⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        118⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        119⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        120⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        121⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        122⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        123⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        124⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        125⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        126⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        127⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        128⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        129⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        130⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        131⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        132⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        133⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        134⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        135⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        136⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        137⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        138⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        139⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        140⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        141⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        142⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        143⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        144⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        145⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        146⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        147⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        148⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        149⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        150⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        151⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        152⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        153⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        154⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        155⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        156⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        157⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        158⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        159⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        160⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        161⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        162⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        165⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        166⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        167⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        168⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        169⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        170⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        171⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        173⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        174⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        175⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        176⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        177⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        178⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        179⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        180⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        181⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        182⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        183⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        184⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        185⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        186⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        187⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        188⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        189⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        190⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        192⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        193⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        194⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        195⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        196⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        197⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        198⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        199⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        200⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        202⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        203⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        204⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        205⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        206⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        207⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        208⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        209⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        210⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        211⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        212⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        213⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        214⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        215⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        216⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        217⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        218⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        219⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        220⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        221⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        222⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        223⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        224⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        225⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        226⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        228⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        229⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        230⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        231⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        232⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        233⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        234⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        235⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        236⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        237⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        238⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        239⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        240⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        241⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        242⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        243⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        244⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        245⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        246⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        247⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        248⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        249⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        250⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        251⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock"
        252⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock
        253⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NakAEkQY.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        252⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqccMscM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        250⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eCskckss.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        248⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSIEEIYM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        246⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AwMckcAY.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        244⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rSUUocAU.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        242⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\facAowwo.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        240⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\niIEgkYc.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        238⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FkscgcYw.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        236⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aGIsIMAM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        Modifies registry key
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yewkUwgM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        232⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\egYMIwAk.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        230⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mSYAQYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        228⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        Modifies registry key
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAAUYMIU.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        226⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOAkcwQU.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        224⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rycgYcUY.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        222⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgIQUcco.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        220⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LukgAUQk.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        218⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\auwYAkgE.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        216⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcMcQoII.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        214⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SuAcsYQk.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        212⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MugggQoU.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        210⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgcUMMIM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        208⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        Modifies registry key
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwAkwcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUssokUg.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        204⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies registry key
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        Modifies registry key
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OcwgwsEE.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        202⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yogkYwIo.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        200⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYAIUooE.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        198⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KQwkkswA.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        196⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pmIAQgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        194⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lYYYAIwM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        192⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FSMIEwYs.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        190⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgIMUwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        188⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        Modifies registry key
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wwUkMAUA.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        186⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GCIMkYAI.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        184⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEAYIAcI.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        182⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ciEsAcgk.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        180⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zoEEoUAg.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        178⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSYooowU.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        176⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUsIgUwI.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        174⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zwEsgEMs.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        172⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies registry key
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKkcsAAk.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        170⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GikkwwQk.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        168⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sEQgskAs.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        166⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qoIwAAIU.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        164⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\toIAEIUM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        162⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZIsQYQYk.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        160⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zWMckkYU.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        158⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCwUEUIE.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        156⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fqwYYkwM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        154⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ouMwQAog.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        152⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CCQwcMUc.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        150⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKwgMkEM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\muMocEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        146⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\huMAMAoA.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        144⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqMEAMIw.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        142⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vUgUwMgE.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        140⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NiIAEUUw.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        138⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUEAksoc.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OsgQIcQM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        134⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OiQcoUYE.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        132⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OSAsIIMc.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        130⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAIYkYAg.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        128⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CcIIEssw.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        126⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ncIsMIcc.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        124⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TuogQQUY.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        122⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\peQogMIA.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        120⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZIAgsAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        118⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuQskgIg.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        116⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSAUIYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        114⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\myYMwEwM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        112⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAUAUoUU.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        110⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQckIwAY.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        108⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZiwcoQEg.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        106⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NYcoYcEI.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        104⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tyQsAAoI.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        102⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FEIEokkQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        100⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSkwcosU.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        98⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GmYcQoEU.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        96⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YOAMwwsc.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        94⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWUcIgsk.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        92⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SsoIMYMo.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        90⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQEQUIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        88⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zeIMsAkk.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        86⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies registry key
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZScYYsYA.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        84⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hOQwooQw.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        82⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKsQsAkw.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        80⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UOgQUgkA.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wcMsYQco.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        76⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqYgIMEE.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        74⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QekMoUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        72⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YUQgwEco.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        70⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zCoUoQks.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        68⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xEcksAkE.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        66⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lggUkQQY.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        64⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FqcwoEIM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        62⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NgUsYYYE.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMQIUYIc.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OoIwgsIc.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        56⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAUEcwwo.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        54⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWQAAUEc.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        52⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vgwoYAIg.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        50⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCQksQwo.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        48⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TCwccAwE.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        46⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hqMAcQko.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        44⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CmwgYMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        42⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sYgwsAko.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        40⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QeUMssgI.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        38⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWoEMEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        36⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\noEYssAY.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        34⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUIkYUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        32⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcsoYwss.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EykAQMoA.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        28⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KQQgAYsg.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        26⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GiIQsYQA.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        24⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MSEYUcMM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        22⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKowkoME.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        20⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyYIgYkY.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        18⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYYoIUwM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        16⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgAQUIUs.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        14⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwMUAAQM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        12⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kKEIggAM.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IQsEIYkU.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1624
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1900
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:632
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2024
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UeYQMQAE.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:916
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:2400
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:672
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\agsckQcI.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2844
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DagMIgYY.bat" "C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CIoQYMoo\BesEMgow.exe

Filesize
197KB

MD5
5f457b6d10c45187f2007dd7c3598d4b

SHA1
433c6626df9456e85f8fc6f8cee89c30c149f114

SHA256
6e038d675ee5c7d0102dcc9beb5d98d9926dc206b4a1271f040a13d6d5c65897

SHA512
15e808363c8b920031bac1dc429e56f19f03b00778a2f171c40b63227370ed44b8f63ff7d7b1245e036c498f97fe9fc5d77bd4fe2b1507588e5e4e459eb7edec

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

Filesize
239KB

MD5
e50189cc8019dc2a292b79667da97e30

SHA1
fc6592a13288d1ae17819d528164a9479706d0af

SHA256
ff4df17503bf03f2304fe2e8de93ee51c4c4848998abfb83a21c28ac93ea4405

SHA512
a789e2ed0c4fd6afa2af74ed2c4fbbb8aff342b66c66992373f5973b157409ae244e26bc71723b46470d7d97a994e5236e038d533e06c103d6807be2e0f71c4d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
239KB

MD5
87bdc02a4fd1dbc28721537acf4f5882

SHA1
31597ab168c99b9800f2896a6eff680e60555bb8

SHA256
7015ef10f5c8757e0d8ed555e9092a0e44b9c6de78775258542917e4a40eb7bf

SHA512
7feacee263a4b95c7394d0c72f9279fc75f8c0daa44d6e394583453164bc04f3e4b9240e9b3250bfd472356d74ccf250a809e5f814a5152e1aa7855cba31985a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

Filesize
248KB

MD5
d3339b678099bace506c183861db76ac

SHA1
be4673b112b7f19c721712ccea5f2083238e8568

SHA256
ef590590b6e7956db8bfba7e2eafe146ae49102c2812eb0ce13f5f8fbc670b49

SHA512
e8af33663aff7c2c99fdfef3ea80358d9c6612b5cb59094d728646a106061c4bdfe40de4c9b941842fd17aa836d816b9855a1c5503b77b806ec3a8b79a51e27f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

Filesize
235KB

MD5
057c8d346959302d3c7a0cd155fb0aba

SHA1
2ef1630a9266eed11557b22b8e5f91e429a75195

SHA256
6b9ce452aae94bd01aaa1798256e69c3ad968e1153c7147b9decfd6fa66c7ce6

SHA512
68513ffff90dc1b2c407563e88d064a738f9d67bf142e3638382107ed0d354f07e91daaceaa1ea36caecd1e82f4b90f4fb5fc76e88af5abf50b598c916423482

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
249KB

MD5
841264a4ef14ef939220402d701323bd

SHA1
78dd5a51688408c106acc4634cae6ec7272e6387

SHA256
21d6be8d59ddfc84395a10379eb7c1f20d9d0cd7e9bcecd29e3735cf96701de3

SHA512
7c0d4dac65b44cb244bbb9b9a6a14bf3c5261e01372ad6ea2a20e6fdfbf8788828f30ab362c7650e5459600bb1f8b37d59a9e3acc17535ed783eae93f9ca16d3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
245KB

MD5
70d44f35a38848c059975589cb166686

SHA1
3d0439e0fe3f9ae18c6da3b5928ba83dba306d13

SHA256
0e52653bdc1097c068393b09df1679a3c3afbfec93beda38abff609717fcce46

SHA512
a7dd4edf8d88dfd9da4ec182f9cf39b9b680d4234a09d9b29348ead57beafa3e39451b1b7c551887c70a98b478cedc710b5de03b7e93e92056c50cb945dd537f

Download Submit
C:\Users\Admin\AppData\Local\Temp\20240913aff947a392882d6abeaa90330f647cd8virlock

Filesize
5KB

MD5
73ccf806485184a87c1090e6cd909716

SHA1
9601211df70ec1d7a6173724a47a4680d9c36fd3

SHA256
25e012961d23f300ed7312a995f87945e2ea3be632519cddd23f9c75018ec203

SHA512
2d91d240afe3d457a758c6adb07207fc5437f8d415f2c50bb79ba79e283fd40975baf32119bcfd8b0c8c9e499836fda3ec4f07da727f0bab3413549c74ded62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEEU.exe

Filesize
230KB

MD5
21851bb933f4d44d5bce3724e1e87717

SHA1
e0adbda00b043991cb584b421c0a56ae3a6f552f

SHA256
774e12f4dd0aa15e6561dbf37792230e5e2e7509b22cdb6904d094d0dbc84cdf

SHA512
8fea1c8ffbbe1742af39ae9ed7963139f3997b4d01e3b4a804aa91ef242c9ffe724254ff8427b1fc1abe6cfc44935b061a88847a5aa13e7a41d7e725c38c4bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMMY.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMQC.exe

Filesize
222KB

MD5
937d755bb1307c53c4277d7fc3a14f1a

SHA1
d19d1ae64ba086add65ee5200e9331f3d9847419

SHA256
2fd305d6470424ab9c3755c20049a68ba3f3e33af9be2a7b6668aa19ff5f0a86

SHA512
60fa0a211a9c35a403c73f05dcf07e5e55d83b93fcf56478952a30f1e0f9b7ab7495cd0f1068a90249ec870c0342f7cedc78e08bd57755563b3e3d5e6e296cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Acoi.exe

Filesize
229KB

MD5
02332746ae9f890d78513cc7a62bbba1

SHA1
cabbea5b20aa6ae567b058657b3745ee2c94ce34

SHA256
568a79c543a1291abb75a21177f4e60ac65bcf66078c020fd72f57aca70ed638

SHA512
9a4d60fa04b1b2b97fb38f1895e90e11988e5beec57d8053e39ca86a34da9b53cb39d36b754c9df6755beacb1d2c115977a9be9a9b700ba6b52d0fff830f99d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Akkg.exe

Filesize
198KB

MD5
279dfa7ac9a1006c981d8cdb5e5b7a09

SHA1
821e18b254709c0b63a542e7beac5086a9725d5f

SHA256
b077be749dd6e69dabc88e663a6b377b27b09a9c79ea3fcc8ca5de20432bfe68

SHA512
138a7bbebb1b58fcdcd935967550864f0bb2319bc2f92ce0e9dfca1fbfa53e31fac8f914beab7f2da36befdcb2ca840916b097bcd52171911f101a55d951113e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BosUUsIk.bat

Filesize
4B

MD5
9c3a295e3bbd72473656bbfd4584c0cf

SHA1
14783b9e5f97759b03476165c58ca2c716b9d8f8

SHA256
532c43544e31ce3a847a6d385c31110740d1eef69352a41bdb2e83cbcab538bd

SHA512
666cb16c51d69ebcf5aef36ff88238e447f019ad48bda8532f42dc8bef77ba5f3db81da2ce67276fc004b0eca4ab938dc1c249b0b0638b9b3e41c8fa9c72c1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuEoMwEM.bat

Filesize
4B

MD5
7fced6327f014b2c595f9c137eb74972

SHA1
0917defeb11b81715016788dd02ee9e20c61b6df

SHA256
dc10124211c5865e1af564a728b6662d533af06df3dadbbce8ca946623ca9872

SHA512
0ddf74662f1deaf5ef3e5f07111ab7036e87d0c3323dc6b30a6bfb2a4fce9eee734501d6cb2a6634e720fb1a344494203333164755a46bd3ad662555195a36d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByAUkUcc.bat

Filesize
4B

MD5
707778d532fde7491aede8ba4ec76ecb

SHA1
37f1dcd241e68bece1fd977236e5727825b4ec1c

SHA256
11672dba0c113c7dc6a6cebee0c6669367b29ed89c3198098c9cd3f96a40f200

SHA512
d87c8a8aed683668a5c1a8cbc26ccb6a178e7398e4405ba916ea3de5a5727879a5ef7935190fb1eb1d2b2ea5c793e22b9a886aaac3cef4582573d05212bbbff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAUIUEEA.bat

Filesize
4B

MD5
f8bc62375d53019963971cc5fe30b375

SHA1
dec3cf7f103e1571520ebdf774ba8a7b1fce4ea6

SHA256
2accf9a4cf0bd22e19dcfe5842160e94bfdd392a669728f8fd4d7d5a8634afb8

SHA512
610529648bb24cb30b7a0c7bbb0eccb72f612dfe4068aa0417562468412468e4a015e37d647f902d8708d23e36880961acbe64e5265fdd4b7588c2ff6d5f6747

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAsQksME.bat

Filesize
4B

MD5
f39d0e228774bc52217f821795b0bbc4

SHA1
ee568f3fea9d1a50cd0d0c45f9a1b36792a884ad

SHA256
d4b30038b0d2d37634d221bcd18bd10225281495fe2d46a14e9a82f55080d6a5

SHA512
7a217360470a5be9fd8ad4819dda796ec59be977edc5aad0a5adc8d6bd402bdfe7a106021e620692e9f58eecea6804b0997c6dcadb3aca2e2b344f7ae09f453b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCQEMksU.bat

Filesize
4B

MD5
dda24247f36ea06f72202daffa24a25b

SHA1
28675d1a9cd77dc878cea86895485d605b0b15a7

SHA256
f4e9ae833984050c5fc6977565db5cd73481cbd52589476b762357e2c81fdf72

SHA512
bfdafe954dd8572e5afd15b5c18f4e917e75e30cfadacda05138d288ca8080de5480983b7b0d3f0940b15fbf4f0ac37b114f849484afbb05a913147c9e938ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEYe.exe

Filesize
232KB

MD5
4f07e360af8a7baf5b16c0cdf55c4e11

SHA1
b8d99634596286f21d204034b91003232d35ff08

SHA256
453dc41d3d996a10a29dca92d22bb4fa979b4fe6171f5561246eec7f0f8262f7

SHA512
a870fd3f2143b04e57a979ecc372a1299f2836db88b529f0bc07a385efb4474c79598c38872834550386319011b6e40ae2cf213539160acebcecaeae14481b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIAY.exe

Filesize
240KB

MD5
6d63c4f36a2129d6c345835a938719fe

SHA1
8ca337e7e696f207a92f386c6cc58852f6f27641

SHA256
d10bbdd7911105f54ca4f98acb1d5ba1d1b1b2058ab43a05e859038b3c98139e

SHA512
1e0d152085cbdf1428986aad332144feda8a454ba41282a40d755f3d0ad44e7b00cf3749239076375e326c97444d6f55dc12c4b79868931f0190434316cb3031

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIYY.exe

Filesize
203KB

MD5
bf24ff5e1a5652de6400d9d723c641eb

SHA1
63856a4fec8122c51de881e33f4f13b305ed1f0a

SHA256
5598b3db284596bb2635d34f8fc1fd0bf024c3ae8073701be46f6b667f37b4cd

SHA512
8f90a0770bf180830886e36d7611b6e08c21c198f47d25f3f5a434699a825cff1a623e633d1eae25fd50cdba0a35b5e803f6773d22ac8f6c995cb55606ffd7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQMMgscU.bat

Filesize
4B

MD5
9715a834b9a005efe367990ce6008976

SHA1
8a80c075bcdc141422c0449afa68b693b0fb8376

SHA256
b1cd4eda05e4bc85a883fc2741c22599e792dfa84a4121ce348ce790049133fe

SHA512
500e91b724dcd57776841f822161db1909a3021ee29f053605c9657f5eac397a3ca8f7654b8fe0c5b0ba2ab35f54e37f01c9966a20ec8e069edf07978df1e353

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWcUgEQs.bat

Filesize
4B

MD5
304b9cada6e1b5b95457ae29bc19d05d

SHA1
4b7dd41d691438facff8438bf3bc258bd2974318

SHA256
83ff955db5ef9de9f71418b7653a9ee49bed8e4f928de0b7ae0b462011b432c7

SHA512
1df02afd6de91c3b76c47c57cf64cd075539b55bf8e388abc186765b442ecb486a177a1d180b9c9fca3f4a1ee63cb2bff0fdc4f312c247679d0d6f71ad350ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYkw.exe

Filesize
241KB

MD5
e07f47154ed9a57c38e3e6003b8a52d1

SHA1
2a62e5271e3206072641ce0266ac57683ce0a830

SHA256
6933e6f862a997e3d7212a89cc7e6779c40b2c6dfd4cc2f5d0705c87a8e33fe8

SHA512
85f997db46f591273eebb84a2148b1c373cac3b10c593dbedf4a55665a1003ce1c1cf66f7b4db75fa340f1d901da79b4a8eb3122409052abfad5bf5368d65321

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYoM.exe

Filesize
246KB

MD5
7bf5a1919c315be36eb2a31fc954f275

SHA1
60e0b18fb55dea1ef8acc25c970573b56c2d8f8a

SHA256
21324489f3a7d65aaf6d3f9758972bc8d4d775b6f7bad9b3aa42d9f0e66c35a3

SHA512
09774375b1ae5eba9069d2bb7b828a5e6ec8cd44c96e38c65040f72614b6991e9463232b8e904cb0295ebd6c3ef2fa6819350f936d6780c6b37bba7032b87fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoYgUMII.bat

Filesize
4B

MD5
f184bccb51ce8bf78b84c7520b626db2

SHA1
72f7219aa40b501006ea9e59c5b9a9603a2fd5f1

SHA256
ac355023e8c3c58872631649c854daa4a73e83475e02c26a8cd8b6214cadcf56

SHA512
b18b58a5bb7b799bfa7213b249f323ec895ead9cfbb9266b4f7f20b396af1ad7182c8e2b3734ee9f22e358094466a8fbdc91760f23fdb3ec40aeed27de507e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DWMgkscY.bat

Filesize
4B

MD5
fb0ed1732c9b54713ffa3557cd39fbcd

SHA1
4987d0ae63369cf5fdd5a62834f876e9a2d69602

SHA256
432c697bd44ba2432bc051f9b7302d679ef491393918f3f8cccd59320a4e3ffe

SHA512
096c74e2d7183c3417d955b8a0213f8319f24bd8fef231870eaa7b7e3c7d175048d2261524e0688f86920235f7d4d7acbc51a4d7a63437973b50e3c95b774dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\DacYYUsc.bat

Filesize
4B

MD5
5baba44de07787c09800479f472a0fb9

SHA1
30020e1313875d97e600dc4be8f0d9d15f537e96

SHA256
28413141bcda521b43e2b327a65c497b149b083ab8c3df51b335f1ffcc5bbc56

SHA512
d2c9a6961fc4cc4e248f5683346514339f05b833e313aa6223f7b9af6d4ea59936eb5c21e42a0b8e9d290083718b83a66d0152df951875a9df751df084b6bf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DagMIgYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAEK.exe

Filesize
305KB

MD5
27f9598b27bb413cc9b0f79553806f7f

SHA1
403fce73406767b816d1400ce15e3f0758c7febc

SHA256
30f4d53c00952cf0ad78144ae648b29be861a796a985e255c059d0fccb7b65ac

SHA512
20e352c5cf871a954744671a4a2d126f81d0896b1b66ba07ccfe08fd8e93842f413c02d07a10ab992af7fff0ea5f7157d039f8cdf73106a784a6c9ac86ee3601

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAYu.exe

Filesize
234KB

MD5
df4a49b644455b944fc11099b4b4edb3

SHA1
405543a7acebccb619a141ee5f395dd8e8a342c9

SHA256
4ee3d7ff69eb95ecffda3c92675fe9d52e2adad1f3bcbe04d06384524e2d10ad

SHA512
5526e9590ed963e2a3db83d78c112aef01c7f202cb739bf7a9bb44a935e52fd8e5bf8c4ca30bad39b5ec9fe95e42f14500f8ceb0b02b19ea16c6356268402a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIsu.exe

Filesize
187KB

MD5
82e2e4d686b7e69ee7f7eba4fe5f951d

SHA1
c48650b8a74369ce0cff2adefb5975f999fbe4ba

SHA256
d2cab7edb8d48a337b999cdc5493b3f13015f3e62b719365513c96f0ac9dfd50

SHA512
a1baeb7cbe59738d4eae749e9b953fc6fd9ae5b5d058c5e01f772518939806f5217641ec48043c919cf85cd8326ebfc96c60b62690e92e01323ff69fec425cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQQo.exe

Filesize
320KB

MD5
880a71b3a8cafc02fcda6961e5ff72e9

SHA1
29f9ebe1d04676470f28d13aac644c37b77471ac

SHA256
fb4eb8188d8a0e5cd89ff9df0f9f4c4919de1d404e090736bb87ac4bb0407195

SHA512
f89619fb29902415fb5866f52b612bad74f2b43c7c4d784ab5863e1f951f6a0e97e8ffc2e41c7182b97c92d5251f77857b79e0710621db71702ee1e9278b261e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasIkoww.bat

Filesize
4B

MD5
99885eb23de70d8243bc36b8da7f0260

SHA1
65207a4d1dbae85c610fa2721ff7f46baf028a41

SHA256
abbf2837ef60975ef3264354cc8ea62f6bf468d26f4a1effbf05c8217c7f1842

SHA512
3fa515685a6898c66e071232d1f9ece9867f26bbff101f43793052018a6871c2799f95254f4cc42125352e9200e844135fdb308c8f8a1431aa635819f8dcb4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgAQsoEM.bat

Filesize
4B

MD5
f488deea0cc1cf1d9c3114b8784df04f

SHA1
f3cad137e90dc92590ccddd6b11ae3ad79285966

SHA256
7ee1ee0eb24d05b5432f0a61672edeeb9cae7b70cd975e71e2dcc98ce185204b

SHA512
1067ac185dbacd8cf5cad51c967e7c127e006c4cec206ded952194dc868d9b202d297af8097a309a5b740c0f9420dc923226a4654e0a2c2322ed69511e9192b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekge.exe

Filesize
235KB

MD5
6f9dcef112d1c8e1cd500760efcd8bc1

SHA1
cfe40c035282d956069b713195235aeac2e260f5

SHA256
de6460dcc307c3ef5f3fb641280eeb4c3fb8e0036660c406af877bb37b39a51d

SHA512
18ff6bd2d50abdf59e5ef5059732032d76b907069c747aa16454065d3accd26e9d4762fa757c23695c9e9015c54b67e1fb39089c47bca37f81632cdef2f9ce6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoUE.exe

Filesize
228KB

MD5
b46d5acb73e5013cb7e080b619790402

SHA1
e72f1c3c5775f452fc93f7c5aca931223cd772f6

SHA256
d47cb63b3bdc9a1a1b73da1acf51f1d7ca6431288288f53652fbe88affdc9506

SHA512
94f76e33d8724debf373da60823c24f26139c02273688e9e8b3561f55a41d00d6bc7cf50da3eff19faf50582aeb0917ccea03b2eeafde7f8a453b7dec2a1edd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Escm.exe

Filesize
239KB

MD5
0cf369aba68388dc8437190b65f0d19b

SHA1
a750e6bedbe21d3fe0a9d576e4d4d9908ed97850

SHA256
92cb7953ea8e6f78afc26444ffce947ea355537af7833f68e66ed7d6779df386

SHA512
4848ba989ed8fcb50fd23d6c9d825a096f34126a3ec740caa50292ae057d0fcbfc02ff202e8fa3f204d4444ed773b0e3c94f27297ff75310e86844bfbf50f160

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eskq.exe

Filesize
188KB

MD5
967c52999a06828c5b80ad1205655fd9

SHA1
72ec04ef6ba971542afaf1f740d4dffada67929b

SHA256
fa04801356040ff980d33fd4f0ee957ff5451dcba84c5468b08fb30b6fb1a337

SHA512
221be23e1655b4fc5c02c6651eacd7712403c049e80721fd4019dfd250746be08db4775ee5b8ce61d01c223ce3fa15fe90a89f56898b684b107a8b6dcae1a007

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwoI.exe

Filesize
241KB

MD5
5484ab8cbcab17697f7cffdf33cded98

SHA1
ccb38280552c1de3e143bc3914d4591a8d3820ec

SHA256
3833abab0d4f758eb9e3c8957c19e638ec11e82006f466bd3e698e788f8d4579

SHA512
874da0bc6cd5f9d8663aa008a2d59edab0622c7c1dd2412c37a158fc2501980a8972ce8cfece25a5d53bb4f995448b060919452dd61d4477c38fea4b710c7b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\EyYIUccg.bat

Filesize
4B

MD5
c00aef2c6879ee924dc7c98241db9075

SHA1
8eef98cee051ca532e187a6b90472b94315e9265

SHA256
36a8f73cb843626012af0e3410ee363bc780279e89027b66893d238c4ce55bfc

SHA512
70067bb130d47ca9f90b9419508c71090397fe65b47196c9e2d3e0bbac6866e380f06690cb68ae70a17fc5dec3de87c854b99ee55f72b628b34c04ad3edc51bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIAU.exe

Filesize
239KB

MD5
256a40bec22e4aceb6631f5997ed6169

SHA1
2c2aeabdd9c6e3f4f18a21cf6d3ef1fbe5ff98a2

SHA256
a3ce15a08628f0afce1519bfc388087f06b1225cb918df181b08aa9d4ff0bfb8

SHA512
43911dde24136096b38e2ef4ff2b389be03b783d4cbcce1179d1deb5edfad0df8c88afef03092bb7d77704241a6dfc9ce627230b0f5132ededa00d48a8447c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUEswwAc.bat

Filesize
4B

MD5
f09d58e2a3db3f4cdd9049397a057bc7

SHA1
9292fb31a6fa5bb42d9505ab94e7e1447f74e0a0

SHA256
598e4176c2f35a5b315c9630c170bc9c2d4c80a7fdb0878b4367d8615da55ed3

SHA512
c68281ab95e145b5db6c56c6a68444d1891be895fc7c85a57e1e09ce18ea0f9171f584389bbd85b79be4c287806f3050143b4b9b1ee366715f6ca0771e449f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUsw.exe

Filesize
240KB

MD5
e2c9782a1795dca20520735406ff5498

SHA1
0ec4c2425f0b25ad529d3099830652db36beb0a2

SHA256
acb2b0f3e96986f7f190ceea95468a9c7accb0cf8bb2828ca9f5861f203e33ff

SHA512
d974502ed04b0674e24b73af81b5da0bab7df9b545b82c05fd4230f9f77a3ff3a75193f50eaa83edc4abc7f2dadedd00e2a080c8ce808ab5e4e2de093c51e420

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYgW.exe

Filesize
228KB

MD5
15156395175448d84e04259cdfe3987c

SHA1
555696d8758aa4929a20c2f0d329581d0b3d6e0f

SHA256
45323591e5b5156ddb92d813e24ceeebc81907697f3eaef843e2b0a950c6599a

SHA512
6846462942d6823d960898590bb68213cadcd0ecb974063a50aa6282bdd5bf3601178a45f5cc00cdf84cf15d301c6b36b864a71ad461863659065ace43a156be

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcccMYEo.bat

Filesize
4B

MD5
0b67a97f468e781a65856151b002eb32

SHA1
28fe8a038dff68eb2851bc5d170974377c2dc4cc

SHA256
05c512bc1fbf60e2e90b5b184dfd54a7ce34ced4f870761a2f3ab6680d8cbff2

SHA512
c7d2c97efd489f6a76ee3dcde233e327a4738ecf6138b78fe3d6f584b8d6e8188f1b2b5e92c771703a735d5652b462d1ecaded1fe2344cbc3ab400e55f110c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkQO.exe

Filesize
239KB

MD5
ac8ad07867cd6cbd9c74a8f46e5b59ff

SHA1
432d4daf45e8abb6e5ebcf4e8a81ff1fffebf7a2

SHA256
4910c3ab97e68cdb3f8f918965bacd32ec8a015490ab4e472eecd66858aa1928

SHA512
71271e8aec69f519823f39d56be139a1fd784e4876ce28bff271c2fe9ddf432dd20b027e24b85f1c2cbbd3a53efe18b9fd67c09bd6ac1c36a85192429493651d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GqMssIQc.bat

Filesize
4B

MD5
1413496a2d5714bf7c77ef085c09c92f

SHA1
95135f6d1ef0191c1fe50f6303a8a60d0ba6bba8

SHA256
a7577ddad0f17b327692e4243121a93578550ffc1fa0eb7c95132b180e7ebe81

SHA512
f71543f3652b5f2fcb7a7cc1bd09a07b0dd31b19da9f62ab81365c269db07fb80faba3f449c745815f17e138789e98b3d7427466b862e99f1522034805af9d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\GyAMQsco.bat

Filesize
4B

MD5
f6bdc1a59b9d6f9a2fdb273f5d369920

SHA1
b2ee3400b0499a4a17486cec647e8c377e1e3cc2

SHA256
caa285f15a023b420e40fd22e0dbb4be2b62236f9524d21edc5a35d45db379a8

SHA512
0ab4e2167d8f264a460dcb593212890de3b9fdbacc09eb478588803301daf22ecf3c7982a4f31a2a328933018def78006cfa78140cc6df5f47ce4abcc9801ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAEEgkUM.bat

Filesize
4B

MD5
4e3a47af8bd4cafa96631e0828553e35

SHA1
e1d596fbeddd22f2369c95e4ea773fa24c07abbc

SHA256
39753a916607e2d32d55362020c371378bda20f8dcc2a23749950333fbb3c171

SHA512
d072b83a7999632036f3de1098a3682b5a7df84bc8b17a0f34f6ce769ba6fe53b62411afc8309a66290cda66d48a9b44b56fc88f8fad4583d12a18f0bee4bbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCcsYwss.bat

Filesize
4B

MD5
2e2851d3bfad9d4fa098ee6246bb83f3

SHA1
75d0bf76d932886ab423ff32e43249d784fca20b

SHA256
8fef49a739847d2fdc57fb0a9baf80f25cd1bc5747d59cb3218c7816566da0d6

SHA512
cd3262d53cf818cd60ceef5fdc3ada7004d61e73f5a080a83e2cac5cc3f366bfc4d4c8f79562bfac3188457b8de37ebe4ac69ef55a78d20bdf882e30af4670a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HoMgMMME.bat

Filesize
4B

MD5
2ff0ba91df05d4974f9ee291c563debd

SHA1
6067d48d1ff71f2f56e3a9d74a09c5d7322298e1

SHA256
100649466e8bbc347cd497d5895f838681ecc4688c550e650b1726eb680ced74

SHA512
f9fd7ab2bc893e037c80c44be72e73fd097bce1eb2fdcc085243934204da101dca92c4c8b63157bdd2b8d3de47220beb929fa7a092b6ff42eb7519f6c9d84eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyggocEk.bat

Filesize
4B

MD5
eedc57b9b2b195756fa4f93de7543ee9

SHA1
58ce0766693d4b5b772188423f0b0364cd806bf8

SHA256
17aaa3ff5f1763aa4313d022bf508a19d5a90a79e1920cbacab07a644202e03e

SHA512
14b1c0d977fc81d9ff1c31f5c0668566283d1f60cdaa00ae2efe6cacf4dda420d7ca9448f973ef03caec87dd8970f7b2c47408ce4646ee35cd0e942e044b2277

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAwS.exe

Filesize
247KB

MD5
71c29a02302cbb29b97895c8a3c98398

SHA1
95733eecb443192fc477ed1d656e688f9600e9dc

SHA256
ad6434118626f177ae9ef39b13ad85020dfde1f97a178622ec87531aebeb94f0

SHA512
862f09863f2b683a8031ab8e842f95049a73e10927f2462f34729c6544fea7a0d87f1824859d2b05e2c441d0b00766885d9d9a7d965bca91f0bbf30f4742a234

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEIE.exe

Filesize
208KB

MD5
b1f68c3a901fd2e1e4f98d02e1aae56d

SHA1
f969d28a446c8aa65e9f5cc4d7060c13db97f274

SHA256
396dc413c97ff359792ee9b07c1c2d443235edad2b35780b4f4eec9fb35d9a71

SHA512
407c0bdc6f4f61e7ea8cde47a566c4d53b3872dfe03db98413242e758549c91e9f70a87ccbc71da105f2e1bfdf490de1dcf5aba24a46ddbc0a2d9fb80151cfb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IKIQkgcQ.bat

Filesize
4B

MD5
9b99f46ea3087e573afe3c9b8e25899f

SHA1
0d1f0e01c5d0b9d2cde1368d620a0fff003e1a18

SHA256
f016a68e5061fea77dc68eebe1adb46fd603b8dbc1605981f553fe97b019908b

SHA512
62fb600e1690c1fe320a798130173ab20e3e1ceee2dafbd1cc837cb66d980f70ff822ca96f75072e766366c27f547a591fb7606ae920d7153550140efbc7efe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMoQgswU.bat

Filesize
4B

MD5
c409d5054ae54600fcc3b140cea00f9b

SHA1
d26c83fc3cd583d3ba70c136d01407f6b29febaa

SHA256
e2e4c72f0c8d0a34fcffaecb3cccca19730358a399fb7f4749907c7b98953038

SHA512
beef27c3549de7f97b10946dd00c8d80411d4d572745a342a23980e076314bd1433a78d6c58899d159ab2d3ec33f197550319faa11bad29c0120da42bad5917b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYUo.exe

Filesize
244KB

MD5
129028b9c7c09c4acb1baca2bfe9f4b5

SHA1
c86441f4ebb0aed75e469d50c9703fd015575524

SHA256
8e2f3eb6dbe1844f7aba7a52b1deacb40033f91e79993d744fd76da6c704988b

SHA512
2831d9ee103ca781df5291541c0eaedd51df2f28c1dfeb4eda1e7b54cc970acf485486aa4ef825993392c3b001ed32571c6b548f0a3da646d5951fdca4b4ca4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsIAoMwg.bat

Filesize
4B

MD5
fd470860bd3649e947811a4a57d51f8b

SHA1
a995acfbad1f1423a01962a1ed2662a3d7f548e1

SHA256
c1214917ca7e74e8147666dcad052bab0e1a8e9b82672cf2aeeffc9f04e043b3

SHA512
ab82ec78a1b622ddcf27b6a2c4288473b0228f890f5e224ae8ef64e6d7c58ecc2c3edb1044062ce88574ddc1d5a5c82e333cc406cf6bf84d7b768e6a9cffbb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwMe.exe

Filesize
4.8MB

MD5
60cb4aa8c02adb6970a25bff519df70a

SHA1
0bf82e12a4397edb78e77d98673a7c0754e01249

SHA256
b9356fda4e5d36b96cf9575132ca4e2c87fe117da2249a1babe272c07a5d694a

SHA512
7c70a704e4fbc5742f70ef6bb1e539638ccd72545c667b74e52b4a52be421922928d65706894c75924a57ca88550b7ba9a4eb0a5953cda5ccb774acdaa8fa8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwMy.exe

Filesize
249KB

MD5
fea4de16781e25e33f6137902386b3b5

SHA1
e6496d98339e5274819c8cbc10481b80fb72bdb7

SHA256
720843681636b19bc314ab274058bda35c54f020086fa2b44e514c3740eac3d6

SHA512
44f2ff8377a3e230639086a657c3cd918214c0987cdfe5e41506ca55f925890b136550679435f9a237575fc34a93674ec0f05267886929288d69f74393e1a1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JSUgwcok.bat

Filesize
4B

MD5
522fb14b389154a75db0ab288ae26200

SHA1
f71fd883ed2666a5d9838e8487dae9c613b95a07

SHA256
f70d186c74dd42c0d4f8899128aacf0131390358d0fa6c109a94f9c117d9e27c

SHA512
11545a80f217338fc28fc62319e6b74ecf8d78f8ef8cf8b4e2e2f6d3d619baad4bffd93b0bf25a19848f10e6373efeb69ef1c772d55694264cff28b2aeee5c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAEcAAIw.bat

Filesize
4B

MD5
10c7c2dd810aa74e0ccb4a307de0b056

SHA1
80cc6f448211a42e887fca0a52aecb942f7e8086

SHA256
08e633eda414c9e50ad56ae8a4259a6fd998b30d93a3806870bd7b5c433d3371

SHA512
f534438caa4e0fe9201d3faa731af90630aca1b9d71e42020dffcb01d1dcc2c14c89f8b3417a19fa045211941c9f91048283e20285c1a3d2f32bb2ace0375648

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoAo.exe

Filesize
197KB

MD5
ec03934575a72fe98d8e392c770a1581

SHA1
bbf68bbc16402a51cd6cbb26c9bb2300d7d5e779

SHA256
e5f061de9874a8d09fe9211e6ce9083373b78e842c2d9929d5953871229b704c

SHA512
9bdd948b2810a476f244255935c860f850087de9c7e5c3f81de7cef0bd0f6a4938ec44364ab05ce1cf3b601e2a16d39190248a97eb75a9818681feed83a35478

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoIy.exe

Filesize
251KB

MD5
e9498b3cf167c28e340e6bd3b2004519

SHA1
0aa2b88e1b793033f49f955a176bc850d9c3c410

SHA256
83efb0a32c50007878d390f4a9aec589d84a840bacca7855e6de258ac78b3e81

SHA512
f749baec9bd607b41e8ea08aca8451d72ecc8e90ac0d7adf3cd34ca4769336da029b947e3ba0a62084082d90acbd6a4ee7c9a01b5626a552b992be4be62cbaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsEO.exe

Filesize
652KB

MD5
a214567e6c88c51729cc819ce7dcb38a

SHA1
b8f9a15b7c4837a5e316a09ad7bf53b91eeb3de5

SHA256
5199ccdc8262aec49e6738b4a89afbd593c6a32bd60ff39e16a704f1078a06cb

SHA512
b75913a26ec64f0d65502e392aec9c068372283441c1d4871b8af18503b1129e4c9f5ed2a99ff79d985988b3101bb3004b2f812ef844a233a383c89e6d50b32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwUo.exe

Filesize
231KB

MD5
bb204c94862a479270bcb1beb98bd922

SHA1
5f824951e841c1d18fd964456cb2208ccbf49dc9

SHA256
288d4201e544d9f6215ec149b9bd69f8e2a79990fc0c942bcf8c48ebcd0491f5

SHA512
e850fa414da8aecfa39e46d7eb676523287d5d0eea1ef6950c5a24ef9dad711a39d17f28040675da1cb963d5c1da86a1831c78a34b679e465c409a48bfe7ef4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LCYMcIQk.bat

Filesize
4B

MD5
20f94b50364ddc3640fea9862ac075bc

SHA1
7c6c7b999839e1aa6c1aa9034ea0266bbd4d50f2

SHA256
e911159b42edcbb1866d1785ba0ad85964d7e4303e4ca6c7a5e185f798999395

SHA512
9ea7984fb0b1d796fad50dd30e28fdef24e1cca0bc0f6e17f378fc813c64b15d00392a1b73f2f14d4cadc0e42ad64132a8c1a9b23af9b596567cf86009f024f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAAc.exe

Filesize
230KB

MD5
e8b92e4cf81099193535c1d75f4634c9

SHA1
354c3f14447d38c6b395361c28123b5bde9511be

SHA256
fbc85d7ab0695eab7e21a82c302315a33a28b364dc8cc3cd5342cc9eadbd5d19

SHA512
962ec9a658db3a0ba2cf7651f9757c2b1200ae4801b468e0dc92376e3d28123ec64750e253b5bd644114448b34dccfb56cec0dff3e38872df095c25bd2cfdbe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEkk.exe

Filesize
229KB

MD5
a0248a9f685e8c4d00b1eeaa64ff2c40

SHA1
553fc7adee5b61ebe238c07176f40080dcd17d86

SHA256
f99608c8dd4c33ed09d02bc132487c732ecda9c43852404361f66fe38d75e951

SHA512
bd9151e5d5722138761a9fa5abdf9447469d3296118555095593c78faf87ef80c7afe3da38022f2b71c0813c836ad9b4cc7e6f656c81e1d2893ce7e3878b997a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIwU.exe

Filesize
241KB

MD5
df567a7ce846436c08dc846940109d17

SHA1
2cd8511736bf31f0b63c36f858f2062cb7a28265

SHA256
586049ceb06b1734a035e437e877d2f72fec5df8f2418b42ee5d30cfa25d46cb

SHA512
799299396db171b02e114e37cec776e103cf3cade2f67e7ca95b251d87c422be27d6f87001723c9c2ade5bedaac0bb5e4be24a8f94193f1a658432ff9d140bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\MckS.exe

Filesize
310KB

MD5
d137562bb50221e098639d708be4e118

SHA1
a1b63f1ed4bf503744eea22ebafc0a35dd6dc932

SHA256
8aa1beead73068e13f0591e9ad673d90d6cbcdbf4fae73c2d646488d5d6c1169

SHA512
9d8b115d36e6e9dc90c612a978c9dc84949c139651516d467069da6a846d3b8dffe316dda7fb319b3f60907477cc304ec583d66306b55eb78ee6d3844503034a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MmgooMAQ.bat

Filesize
4B

MD5
1f87bd769fe2df2f5118ce20ca0a7815

SHA1
4e59a0bd10e70afe05e7fb7537f72ed649cc4e62

SHA256
473a31e1c1fa385e8b74c3130b6e1b2dbe1152fc47180613456e2916c16c9c15

SHA512
a408b19a34491ad5d75a996d2e6d60af9b5eed3da7325191e62bb575a0bc14ce7d41ab43596909a539ec17e5db4a1ca01833451f59d87ede32046fa3a5426883

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsEO.exe

Filesize
627KB

MD5
30d6d4e63307a44055d0e63d7cb94812

SHA1
666acfa76d775d5ee13372ca7c19663b12a95f78

SHA256
7e47ef9f15b8d8c852601d4cb590cac54fb069de5b7692e377f37ea6cf38b5e5

SHA512
5de91aa5348c4b2699a114ea6d0970441cc858f1196bcb96f1eb3cee7918ec22859bf5868cdbc50dc4f75a6cc8d3d4227ac5c37e22d25acdb332cf45e621f983

Download Submit
C:\Users\Admin\AppData\Local\Temp\MscG.exe

Filesize
233KB

MD5
cff4be9fb78b1655bb1dd9797e501f06

SHA1
22634080665eeffe59d38bc475efa8921194aca2

SHA256
fc4053c9888ebc6a56eb379d310d9c2463d1eed82355a09f3d404787cd414ed8

SHA512
2d1cbce36e381a4d736c384921f0047182a1d75dcc2e381f705feecd4a9fc1ff11d70b28175bedff0ef37e507aca1cb70e818ef1110a86012c24896fdf9e2506

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwQs.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\NawIYUUQ.bat

Filesize
4B

MD5
ec3ea8b61d82053c143334ebef00b201

SHA1
3f88d72dc373b742956ed194a2c3f8eed3df253f

SHA256
e2d1dc3b566bff501b0d522223799c09c169b697558ca1f056af64c0ddf1fb1e

SHA512
12b9426b8b004db1e6f1422404bbcacc6bf9b7d1167c21f2e764b511040b6a139d2d221a813ceb8711089ac086c0b7746fc2820704f9fbce93e3af3903fcd1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAoC.exe

Filesize
231KB

MD5
58ab9821d21fc061ffa3b92b1e89ce2d

SHA1
9b755612027afb21dd93ce19efa55478b073441a

SHA256
7d1384ea6530868013229fbd265fff51609c04bed82bc0906b1e70a349c2c5b1

SHA512
5e3a9446518c8ae854743e5e1d50c09f3b8cb1c26ce0f3e1049521c7f431a1a3115d2dfaec7a6b5209ed4f8a4ea1f2ec6addcdb78fba9bbae5d7463b97d7e850

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIgE.exe

Filesize
615KB

MD5
63d50eec8969bb24a89998e6dd20466c

SHA1
ddb8f1605357e0376040b8b5783ff2429b742f92

SHA256
e7e231f456f54724bd7ef70beb48ccb3f065aada0fc6dae204db0e478b617817

SHA512
79e66adbe0567d908cf919a00648227e173dc8c91c23be238b9485995e4f590d2dc1de872c2b2e7d2828c04f3a6d99c0c59f4c9eba60b4aca5f2dc51b7de96a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMAg.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMMw.exe

Filesize
231KB

MD5
4eecc551a14a16584f144169639103ca

SHA1
d284843a9c6eacc2c0421ebd1e746be98ff706ec

SHA256
baa03bb2e92bc5542990e3e06fe9e6c5a6ca9adece75dead5c0fb0e0a34def6b

SHA512
bc820fc2d87312b4766e1c838e6ec54ccfc62f6a3417e783e550227e3f13cb60e36c91e565bba5293d195af1c3dc6fc675d7617e5e8939c0e8da3f50ad4161e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUcW.exe

Filesize
195KB

MD5
61e85ee4dbbe1cf3831652d63fc2c81e

SHA1
b82ee024b2a4bdee5f52a532d823f8ea7521a7d4

SHA256
1801dd3181bfe10c3c4bf12c24f10c198c56795d31c56cdfa11fdbf3669fa17b

SHA512
d662efc8c1932d1e03d424f267eb89090bb96740a3fef65c6225a54574bd9d2fb4dc5a7478bb16ed37c3601e4701ae78305c181d035f795479937ed8a96d1c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYMy.exe

Filesize
942KB

MD5
82788c6c2bb11f60557a671e11eb369b

SHA1
76454d87d93938d72c1c4812e0921ef61345d4ab

SHA256
61a1b0cdeb5cc9552fe5b9815631066ccd1d994eaa6c863eccc44dcdbbcd29ac

SHA512
02d3f0730d37ee2d7a413ee35614bb557108895f0d9e82007b02564a2407d3040e3b8390ad8a7ad7148551811912ac0f102bdfb83c8db1126f504ff8f104ff0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ocgg.exe

Filesize
1.4MB

MD5
b3b2a54e952fc89926108fe2090e859c

SHA1
0bbff10d35284c8e1ba14b82e8141182ae86b53d

SHA256
339f5a0f3a110c4eaa1b9981436f3b6cca305e34531d2cee5d2030adbb19ef4b

SHA512
dfb1d05f328283e55229b696235218c48dd7a6c9ee645801501e0be09613ca475f118ed6f75f31c39b4c00c7ef8068aac0f781fb44f99e8a91a7c90d23766215

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkEC.exe

Filesize
238KB

MD5
ad2253477d0031f21b1dd1fab5d4bf66

SHA1
7324ade46c0a35e22323c09d60be3ef945c1d933

SHA256
a960c94cbbf633289007634e516aaec11d42e110001450f23efbdd77a38abfcf

SHA512
fd67703c70fd1b5aea3cf6cb28b5208a2a595677c6e8a33f847f082520946751914c74d7f8f32c0997b46612230491739a401054bd22dd9b80d0ccbbc5a6a248

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAEsQwwo.bat

Filesize
4B

MD5
130588b6d98ae9e49ac665b42e6589a2

SHA1
831a3b7b33e18e6960bacf6a24b17cdeea33f5ed

SHA256
693e14377d2f87e9ac14822777267763d69acba53d63b2cf4bacc4dd644ba9cc

SHA512
911fee202c83584364ba58fcbba2d380dc71a2cf31d165f8cf0e5a29a0a06a30b141e1b8c8c942ea991ed2b42ee0fafe4971ad962466cd180dad0b191982aa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEkokogk.bat

Filesize
4B

MD5
deb8093577b6ffee9a262f7a86d808a4

SHA1
d5007478ac1fa764858249c993b8e780b650ff18

SHA256
3fdaedd0ea8a86f8723c0cc83a567e39067c872c28a1e50d731c7ea5763ee0fb

SHA512
ff7e7975af4511480bf38949fc5a459255f58e46bfd721747e0572e08a70320d35d2d420c2bfa244a5a09d55a11ddfca375fef022793491bf2908312fd1898af

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIoK.exe

Filesize
244KB

MD5
099c1ec957231e8fe7f97add529c043f

SHA1
e9a3800bb64e9c0e6add07ceea525f47ee950108

SHA256
718fc4270a446f7a43c6d0b20c0a9ae8361005a5e8ea778ac5daab39363df5eb

SHA512
02fb4c80f1fd5f913b8125b0a97fa41bfc497ddcf147f09baf67de91cf0bfba7a38b09105ceec2a353257debe4a702a24c419745632844ab6818bc75db1eea69

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUQm.exe

Filesize
1.0MB

MD5
96481342840a7ab45dc57dfe40f56573

SHA1
333dc31b56382bed18b77b10ab0310417cef5a66

SHA256
2eddceabd47a09f9404f08397f67f5497823aceb1e61c4596bbc5bae6bd59ad1

SHA512
d6b66fb30cd3b553278661519a182704550327076d5aa94b64f3d2def90519bf47dfeb343f4c6ca44c44f835671d79b7ae835d33fb2d89af3e7af81fd5d3123a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYMi.exe

Filesize
196KB

MD5
1d51e86375a544684a93e9870519873a

SHA1
25a359d544d7147ebdfca59ab8199c6a167e85d8

SHA256
8fafb90571f770cee5b8a371e2d186ab2e6744675ffe3bc716177616ad7763ce

SHA512
50b61967312307226ba9c5af8874f8fe672caf3bff517bd3242e3e461c26815fbc530bbc38fab9e45c08192681eada1ba92098bacbc051418366dffd8034b817

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgYw.exe

Filesize
250KB

MD5
13d0cdaa6af930bfea360dc4b6738a90

SHA1
1b3463547a02ac24671908ae1d38564963b5e399

SHA256
277c473631d26fd8b1473456a717ededba835000476beb49559a47ba66403094

SHA512
ea0c20375d35209e7f4054f33750c0c42037e69e63a06177f4efba385584e81eecd5fa588a72ffbb931422073405abcfe7d19a7363a5a3c3cc1fb95a306ffcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkkwkMkM.bat

Filesize
4B

MD5
637b704bddcde7b67c9f291654311296

SHA1
201216104bac425725db1b61e658f7767992ffee

SHA256
d1cedcfa2ba5ea81123f92919fd01534b0c341e880eea6d53f0c102178c6f386

SHA512
f7edbd213b18800add2bad9d7e19c9ac628852765129f58c0545d2a68dafc78d83218544e441c878edd7e59613398d03c07c30edb24187b3e05b0bf3dd012602

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qksq.exe

Filesize
185KB

MD5
3019e5e6fec7b2062a2427abed5b7fce

SHA1
a6f6aa9a2e679c8435a7d208e8eed7eb3def159f

SHA256
d04132b0cb99b9ca9ed1d2068c4cd292daf813cbe1823c8788fb3c7e4bc2ffa0

SHA512
c980589ee0dc463bb905ecd91149fdc01bb670633941bb7eab9b713779b735b1a0cda108f6d851c7b6b009eb687bd4fa3d94a2bb25abde84ae2608af6b3456f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsEW.exe

Filesize
637KB

MD5
c9375e6eae892117eaa6b641a8f4acf1

SHA1
f013ea60e6145266e477cb781d4dccc50db03c18

SHA256
c4b44f6fde4a0cd162d8b8b8eb71c9ccc59f5f2a44c19e654819cc1bac6bd6aa

SHA512
ef30d9c9db61fea08efd8da75e9525947f5cc1f8a1a774afcb1ce3759627ee711036b4af1e1791689e766010494b49be5db58525526075ac7719c2bd21f7df29

Download Submit
C:\Users\Admin\AppData\Local\Temp\QssQ.exe

Filesize
218KB

MD5
d1f4591e61a83b4de75ab5b537c08d55

SHA1
bbac751ffe7f79dad600750680c55451bc537068

SHA256
f189beee980a1a016ef2267ceccf80a0b100af9a2e7621e328890922159f06dc

SHA512
5cb85680fe3bd5c0e1564b969a83cb29051e741da57835acf039b0de5d543bab55c9b8936a1ae38fb3beba9492920f603799652d7e48b1fd12ff3e84cf5369f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAgEMQsM.bat

Filesize
4B

MD5
269afbe4df7cb7530a115aa56422059e

SHA1
37a02eb54fe9b5e834455eac5e4ebb88d622fcc3

SHA256
c0639edbc008f874633455479598584f7220279860dc5cc4f5d735bdfd282606

SHA512
3d3b87b800008e93a37e321aa54c00eae13aa75c3dabab07d7253d8f4b67cbafb71de9cc3fcfbc5bce00f21b582ca8c48132c0d488f7649be0798c3e7a1d9fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RWMcIsoE.bat

Filesize
4B

MD5
4a0856c11db8d23e000c44b940320ec5

SHA1
95b78cd67d49b905f2485071399a62675eb62382

SHA256
9202e24c8ea1e14de05245eb166f1a88d8081ec43d880ed5649b4f2c63b32c1a

SHA512
dbe98bb7a76f53f15e68e020379c0a60b86754a6d1cd9be24a58fc60be416036e31d0e57b770d3b17acbfde8d9d1f820acf18f9a2925b1da3bbde42bc40a14d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyEYYgQE.bat

Filesize
4B

MD5
84ed0e66089ff665e79331007b53c0c4

SHA1
08bc9e94ae98b6bf8e3fd3d2e187b4d48a078666

SHA256
fbaa09f2840efbc50bb71867b705aa655f3dabead3123293eda7cbe5dbbb0cf5

SHA512
20f497814aaea0036d580becd6a03296628ffb91fdfa861a1646815a0e4f2a5d68f894022b917a4bbf780c3e1451793dd3ecb7e4ad6955bca964870b220c3ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIowgIkM.bat

Filesize
4B

MD5
cb5d9287e896c35a1e11532ecaf6f05e

SHA1
72c188be894fff0f96099fa33c462e1a49a6c06b

SHA256
03707394999cfe15e9ccd716ff2d58b726d6bf88b16cf87e4e0acb6425ccba6f

SHA512
7bd79293e4e550aa801340da638eda28fd268b4d3c68816effee937c7acd7965cc033a88eb5b2b470502b1c18377f2b4fc7b8aa44a55a03c8a0ae5c8a0c5b734

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUEwsEcc.bat

Filesize
4B

MD5
74727d319d1074982ce7ee915432ddef

SHA1
46808b9e397a775730293d87fb5d750b893244d1

SHA256
8e2d6ccb9c876c351ac6b7dd260a6cf90f455605315b0522356ea07d09ee28af

SHA512
5434b36593ac6e8ac1359ae391575d893d6fb3ae1e8844ef3744facf3c8af8f2a06e4fab1236629638a8d7d6de1ac6d129838d13ba6a04335da89fae9ebd9f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SiMsskgc.bat

Filesize
4B

MD5
8656f75e5b55af694a0697f83f844830

SHA1
faec8adca10e0552c62f80853850c7cabcf8a034

SHA256
9ab31f4a8e956ab1121a8da36caef5f62f79c0988795fe8deb173b1eaf05d474

SHA512
7bd13a573c77c885ecc5accd8a6a8e8786b6840c8b4c24e80d09427909577ee81f268d8274e2eb45b36423729639afe89a78d7b98cda9c1d89671594c3df3b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsQwkUgs.bat

Filesize
4B

MD5
d96909705c1471c7c0bcde0ffb0fddfa

SHA1
70d7ad3de16efb7e938a0ed4c41c423a4c8ae717

SHA256
62b021c0be599a17bf2cd36a28879e2b5612e621bf616ef7278fd23123691871

SHA512
f0fa0f057b24d8aeaff1e168fc234587e779cd191c2db19454d1eb5721569b946259d23b6af97414fb56719a3a95a0783c021d9cfc70eef7ec47c850b8422760

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQEAkgMU.bat

Filesize
4B

MD5
036378e0dc52d84901f23c2be294732b

SHA1
577dfb318b8bcbb0e807afba39e6078ed50c8ca1

SHA256
32aeca09d0ef0d444ebb7e077aa258b2ec0fce6ee43ec68fb68791608d689fbf

SHA512
73661564dd5905bdb733d0ec8f54b70ceab5c9e1a3cd80831a9c8b98bd936e9ad3b547ebd6123bda0f467cc4d9e72e24c81a47023d570318d505ec9d3dd2b7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TysEYQAE.bat

Filesize
4B

MD5
5ad27bd1128cfbeb9f29632d4dce4e6a

SHA1
57d5339e1458c2280bd685e0c45b6bc81fbcfe29

SHA256
c7039a2f14f678b87b53b80d04b352470afa4d88c2fd1a504a5d73c51f37e5fe

SHA512
92f31f84c4823d94e152a4102280b19b50987eec2f4879cc9346cc1085c8135c80d1561961c8ea0ca39cdf384e52cb19208153651baac6935e37cf279ab745de

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAkS.exe

Filesize
248KB

MD5
67c68289dde94b268e8cb4aebca00a34

SHA1
07b38a5239fa86aa77ac4aca45217bd3bcf685bb

SHA256
7971afc661ed6f3fd9f3925c97bd931ea2e49f9d7b0c0a4963e0af7644141404

SHA512
9cf82be8a9661ceaeb06e35af3dc11a1a58d8fdf535ee59e9807f4d0a61cb2a5b59cee20396ee769e93b4e3e8ca20b621754f537d3522588d149d75a705e58ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIgq.exe

Filesize
236KB

MD5
9a6f6d2d42d4a18028fdf8c7138c8b89

SHA1
5b81ccaa165a2eb584564bbb8d43a10ad541678e

SHA256
db11ff3fcbb383a939f64e3fd436789d84560f91d47855603d352b3fbe3058ed

SHA512
0e3b874a8445a2ba0352687220c7fc81aa1a0f52aab50225d50fd3e0b3d21d11a0fe7f65779d1f3fbd0e1311bff970e272e57490af40e26c37896af32f76e8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIwK.exe

Filesize
242KB

MD5
e3656c503e5cd73a3450762300d3802e

SHA1
f7ed31ae9ffe09b5b3f35b5f301e055b4bdff7d1

SHA256
2325feb65e628c81a3687f175348c832a101a0cc928778e8fe9a00f383a2eca1

SHA512
05b8c0cbec6776a8ac435d7db1791185127da943394a206db58fa58a3da60fd861216116fa150a5491883b76759cec14a4f55bdd18239991a63fe19b3a68f88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMwMYEUU.bat

Filesize
4B

MD5
786e2ffaa98e82d9af9af4eac443abf8

SHA1
396fc7cb761a8e64df8a688ce0faa18b8a74afb7

SHA256
039da8f1355ca33ec129c81987a8afd8242934083512a25c4c204a42c57496d0

SHA512
2e9c8cdcf588e10bbfe6d5a342a00da86184e849efce438cdfdc7d14b2b135e3d5e14108dc9d3231a36e0397d636ca8850f29a125d11f5d82b678eea8956eb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQIa.exe

Filesize
195KB

MD5
0fa220b2e54445782930caca19218be4

SHA1
1a51b3eb9775db1f5d5e68b8317d76936bd831ac

SHA256
2a42ad0f76120f786b1e333d96a66ba3bf4cbc4149f74ec6de7cef46a3c05ddd

SHA512
88a5b703339c247a8d2e097686aa9ad80d02c5c27dbb2e091acc7b8b675b3a45102c162d9e1446416294ce54eb083022ea0450644bf80b0a4bd66f89bd4e36b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAUsMokc.bat

Filesize
4B

MD5
04aabbe2a2fc77d300affa6fe5c7bb4b

SHA1
c9048e3f431a58582f175a9cde22c5e75faea908

SHA256
089684697ce7b4dafe73b6d482850ce417486b755554191be2715a4224a6ce7f

SHA512
da0b536d9e7478526902ddc462ad3fa34ea0d1d246a70d1c8b4878173b4103519adb265415a3fe1e229c2cf3d806009daa376f469379e263e052af43369e72b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQUIQYgc.bat

Filesize
4B

MD5
4e60d7e3694c300b25673c5b39f1c0b8

SHA1
925abad02c2ae457176d5306ed1a6ff102965be5

SHA256
9569ed06bcd5d728939b1bcdf50c82f7d9fde515bd9e89ead915d852afaff594

SHA512
e7379c4b50fa012bf0e448e6eba6cd72514f4405f21eb474dc4941770d1b991bc7418b87f297eb7bd238d879619f94ab7a5e2edae52f8208cfa6b53f978f7741

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSgswgkg.bat

Filesize
4B

MD5
1ca753d72d1b3caecac45be65d61fb5a

SHA1
916aa0c481c64f770d839bd75bb7daf7d7542552

SHA256
c33240c8e1b7149fe6684cb22dac1dad19ace7f3f713230f292dba10b0894776

SHA512
b29f8c4bd500875005b25762b68f10c145b0c1d0d4c8342ce388383ce4bb42e3152f6245ced04a0bbf4067301ca5bd0986f2aae4fadcf7b5c3f37a274637966b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VyUMsUgk.bat

Filesize
4B

MD5
287f3b0d0ae4c0cd536c3da97fa038ae

SHA1
88394a3b71a8b510bba208f713e6b97bc23a283b

SHA256
a224d8b31ff69f38fc357e35301fff4d0b65bdb0d7cfc7391c10bd126fd61805

SHA512
4a14c79283f71fda850beeb8b3a01258138479644ca8d9403360c7ea91c1a16b8d37704bc157829d0852ced3c36abfea7a968a838ea989247b61c99b181c6db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEEC.exe

Filesize
191KB

MD5
6159587e12d53104f3be1602f67fad33

SHA1
331285a92edc17508ec3fa8cf07529a4511571d6

SHA256
a2977b577426eddb8497cc5ca6342150c29332d27ad1dca737a2a344614459ae

SHA512
74c3cead9fa505dc4240c32424338751daa537f00bc042ac355397f234f3ef97439e6f08f5a87d8662ac464e110213fe861963a316800b2e1203ffa907b590da

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMsE.exe

Filesize
184KB

MD5
9d21585fb18844ff96658f4e0f8b691c

SHA1
8edafa85c3a0ab7382f8890d20de19d45095238d

SHA256
71f496decf0c7328dbddfb6bbce58039d7c93ec32458918d0aeb1787ae2e5709

SHA512
a9227d8daac778f69e9a71008b51708c6e5069f2a5a8b7b9c4f1bf7945c760a356a25e14349f27b696717d4f254e24bd2254cb1c03ff5b4898dfedc23d1cbb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQAS.exe

Filesize
228KB

MD5
340a79d6fec8a92d3e6e23228f2a5dea

SHA1
557607059740a4c56c8f3c37ae1c0a4f8788aced

SHA256
06182922eab0b727be3a546c64ca41449f6cc29b0de929da9b129bc046f1812e

SHA512
4c112cb761f945eaeb2c0747106201231be8e232a0a06de075b073601f07000b656bf34c26efa2c686c59614c89ec6c3dcae4965c0d67129670f208c5c963d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQAs.exe

Filesize
203KB

MD5
7251b71fb7974bb917a808a2ebde76cb

SHA1
0026e0cee437b02506235e869344330fde7b1f8d

SHA256
8b787ee06542796fdc2be93783632bd653ec937a17231b2f160f44a5ebe9bf97

SHA512
b5180d55aa6cd53a68a8c0225b6bdaa71795ed99653d325fc9fdf1a936013288b80f6a47ff1faadeb72622547c27d28fccf411fafd261540ee385873ccab444e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUIAMMYs.bat

Filesize
4B

MD5
076b18559120d73e90f1713c585fcffd

SHA1
09cadf7548039861e18034359bcd63c0017c2c8d

SHA256
ff9534641148c3c6fd781af1e14a82dc86a9d03f9800655e62fdb269b252b970

SHA512
d176c6c477f2b092a028ef8efbc37a34f750608cb25f153b06ebbced3fbfb67cf0e96f96f644e77d814f81c90817148a0c85b57d2cff0d49af57fd3cbda73500

Download Submit
C:\Users\Admin\AppData\Local\Temp\WackggIQ.bat

Filesize
4B

MD5
ee18cdb2f31d5ed9deafe42e21c787f4

SHA1
07314634dac2ade2181732550d6bd24fa3cc6043

SHA256
6d06f656ebecb5303fa2b2eeadf6a2f1bfe40f5f9f828f2d77f7c983873e4a79

SHA512
b5e8dd851824824bfcd1ffc6d445160e80377bad482f1355c138cbccf3b0117724316335fe952192dfadeffcd7f20ea562e90e9dac6c0bc113c77ca71643a4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wckw.exe

Filesize
245KB

MD5
7c57d2b53b8dcafdefc8b09128c50c7f

SHA1
7093b7dfe871fc47728acbef2f63324bcf4bd154

SHA256
27c6bc8828b41eb2580d450a4805ec473521e0dc3f8e41b99aa76bc6ea15cdcf

SHA512
b24c74b143383a1b41708eb04ad2f9e276def76a710df9bf1413d26014d8d93dde81df5ae8358db57e0233a686332676c71efc2d8f127eef4d338fc56f62c7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoMu.exe

Filesize
773KB

MD5
b864bc6c053cd3b9df5f625f3b172aa9

SHA1
555a0c744bb4e17a88eae4627d8d408e7b51c9cc

SHA256
0ab0bfc1bb1b6337038dfecaf55d6349c21ea2ef7b3c90ede4b1c779461f07bb

SHA512
5e9f00844e5f6147015b56b99249a4d0445835220ad82e15a103c3f35a8d4a5557ab68ddd2c50709a084bd103a0fe58fd62cec2c18cff99e7d01585aa64f6872

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGsYYcAk.bat

Filesize
4B

MD5
ca67e4efcb82bf33d2d6637cf3fb8e08

SHA1
2d165a802c4693e07c7512e19ef08ef9a154a339

SHA256
5d6f1d7ed052a7a46823dcc0dec8983fdea2dbf48569d6c90233aaff779e9885

SHA512
4dde1fec7f6f61376b9b1265fcd893fafc76ecd0762a945c20a42eacd6cbfba712507cd218356d2ed02e8ab434dec66296b071a71005c0953cdaabc5a702d9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQwe.exe

Filesize
232KB

MD5
10892c6dc987b2875947a3320df3a0db

SHA1
a322765288db9215b29f7832d30c9f61f1134025

SHA256
e648ca16bb3d3c942486f28445791ef7df3dc3f8624b40834e2dec0e9b542313

SHA512
4935a74ecca89a2dd96816398bb9f7640819a85d2182f625bd0f99cc98d6be8b69e9f9bcfecb2f61f42bdec28b43b084e6df1ca4670f6cf6b1ba7ad267f98c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYgw.exe

Filesize
658KB

MD5
c9c5761c3e2ad9ce2543ddc330891ab2

SHA1
5a85028d015d3c33530709441df32b70209b2d0b

SHA256
1e09e80dec146c4daa75405bb00179162d6bca2c114277162d0c81ce2338a9ee

SHA512
29ac59d801764193f6ba8b02a84b261f2863b0ae00c9b952b6f0e19d14f940ae05e9bb1e6b407b7bb97bc5edb0dc1ac884de02575db97365a914fedc05e6c235

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcAQ.exe

Filesize
814KB

MD5
bc9a225572b9a2ced4faf69533c6e92a

SHA1
8389adca0564b9d67fbc777df4a47700b294e621

SHA256
5e61371192b8519e8c8048af79d75c0730492cb87b6102e9f08945dbc8b54785

SHA512
f99501885c63daa08ad3ada55531a3222d88803f132809c79b81acee08ef21ee8998eb37df7cd56dec560b5720864eef7a7be274286cc8f644e1ca05d04445f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YisEsMYc.bat

Filesize
4B

MD5
1b0cb6f0d1a764e5e414bb8a9f3d83e4

SHA1
cb1e453974bb64db60022c83c97b9a6108a7689d

SHA256
a186e04067d574b6b3b54e0134819121c39f88e686d06a9bd6eea706b727b3a8

SHA512
84ef132ad5df91a309d165a363a29f4b848c0fe06c1eb55d46dcc8cf0342f59e70382151323972f4f47cbf25a5ac39ac56b7ef3c4dc483e38f42cb9957a13c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoEMQYsM.bat

Filesize
4B

MD5
c9974ef7d476cde17e3fe1648064af5d

SHA1
4dfe24923eaee30fa5936747207017005ffef1f5

SHA256
06528dd5c7d39b722c936ac1589d39ce25547d8342de6f4e4cdece9fd342c7c6

SHA512
61b8d5fbb95aee132e5e84ef5677482ce2e3496989982966a3c70a595a30c56da931e0acce06b9b29ea1d973ece9677b0b19f6c0a44a7d7329b8254e7f314a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsEU.exe

Filesize
973KB

MD5
84e0b520a24050d6237fd2c9872dca18

SHA1
9c51dcb78cc601649aa471fa73354c9419804817

SHA256
6fadbe728017582b25f0b1630e9936fbff90ac394b244f21de3703efe2eb9001

SHA512
8413be90065571e74a4ab0a8590e64d1c9d2e06b0c942f91021797f7363687e4bc22f8f5fc37df13b9c99b63ecda835f5bc53765588c741cf4d7dab1fa1ed3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuoQEssU.bat

Filesize
4B

MD5
3b0b398a7d820de3953466c7404335b6

SHA1
544b6f613ee30378ecba425084a67fd65c4c246d

SHA256
781bae601eb84cde5a9772eecea4308645ac3f12e27f84fa54886d589ea5a0a9

SHA512
ac4addf49e0c3aa7d3c15f420d6dfca1f3ed516d6e9d2a7638841668e98c4ac0b03d10e24b061ae90035179237dc35ea0738122b03ace296b991529058803612

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwQYAEIg.bat

Filesize
4B

MD5
07562e217e3e327ce4187b429e9305fb

SHA1
c97c2db434b199b4a5bb5b5f799302770f2fdf0c

SHA256
298d15be0a3d921ca00bd2dd5f3e9e4c8f4428cfb8ad843b472e51e4014a5cd1

SHA512
4cbf554f2039b3f9e67a72d0bcb6e36d60aaad1ecaf15286c984e93a6c2b71a81ec44fec962101af12d3eed257a9e8bf6c34e5f6320f0541a27919d6a2428636

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZKsQEksA.bat

Filesize
4B

MD5
bbdf7e69b3015473b049f834394c31fb

SHA1
f000dc0f5ab18897b139d78f4b002aa3fda68d98

SHA256
e91db1e8e2ea12c292c6ed3cbc4d9d339bc74d7d28ef9b6dcc200c3c657ca90a

SHA512
28b86f47693347b298839f3d54a5609388dee09cb08da3916f0e0bf7767947b2dd633a81af877f0dadd477d97e2401b4e27e4f454335a5f4a1ac305c47dac2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZoockAgU.bat

Filesize
4B

MD5
1ec267090650fe91228cfa2bede9836a

SHA1
86127903ea8f7abb924658ba01b3fe2bb191a4b1

SHA256
79f573a4fbb69f2861ba8d827f923adc776a88cc5aad11485b8967a0ecb3baba

SHA512
aaabb021030f16d8aa3466b40eb3aa062dacddbbe3d314fdf27c4e2f58fe0bcceee7ef797b8d6bc24d5bedc43c79117aaee1eb70b0f1809c93efb1e458bc873e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQEc.exe

Filesize
804KB

MD5
cc8fd54294dfa1fc44dc9c738b75f438

SHA1
dae19352330db99aff2e42524fbe81d47d31fc28

SHA256
acc9a840fdacde91c623af7da8972ce7dbfec2a098dbda350ba4cdf0f1395eed

SHA512
1e851b868502ad1fd4692168a7d8dc2042241fba7fbaa93856dae20d4536f3a854a6845c7fafde131ef1ae2df6eda4c67c9a78ea13074dd7f4c471dc10bbe93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUkG.exe

Filesize
229KB

MD5
799b395d3aca68b23c0b5677a417a983

SHA1
2272f2111dc32020ef21d40cc298557f4b35f5c1

SHA256
3ca5392a4ac61ee02949f9d3150c554d7dc6d1fa5e5692f7915b8716562ac908

SHA512
37bb8bb751f2d3e2aef2077c872d13c9e7d8957e291d4a4125b40e6cd70e7507868568008cd47907dd64372652f3e178b90fd9a49571001e763e68cb8190e579

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYEE.exe

Filesize
244KB

MD5
e0eec70fc6f933287a9bb616391f1ff3

SHA1
da264210d881b3fb1ef4b553271058bb326799b1

SHA256
494c6f06aace77c0cbc6662d56826c36221e32593089cc4e3e35c8a0c7306d8a

SHA512
8dd7564692f3d7f2d1cc7da548dfc0b1166c473c6fee5be87af4ced19057a3f6f8d888cccfff0c54ba488b1c7e3a6c52e60c7f27144c6cc9223dea63087e31c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\acIe.exe

Filesize
239KB

MD5
d0e9f66e9e50493c7b2a8d84142775fc

SHA1
db6c977afd50bebad79068950aca894cf1a5a920

SHA256
bc34d69726c02e8993a5bae95647acc39cc200e20d32b9fa654b3172f61f61ed

SHA512
cca63330327a38bfc122e242c8ea02bfdf320dc40d24639e0d926514ad6567b4a752e5142c27196944d4a63c8b4fe21ca67004709d79d0dd7cbca911844cd955

Download Submit
C:\Users\Admin\AppData\Local\Temp\acwsMYAU.bat

Filesize
4B

MD5
dd7fa77f779151a2123f598e8c136321

SHA1
d764c03dafc482aa984f256d73b276f4b1e9cb8b

SHA256
6bdc692fffae3a1829a1f2f67703a854c5c8bb090f9d91d8c0c83a296dcd9197

SHA512
7e78e8fe73aeeb45ed8d36331df2ab9fdcfb21d0cbc62b6b92431f6c70285f7157c0a471b4600ae8ff1079bedb486bbfb5077957aa0c2fd9f23184a518911dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayoIUMkg.bat

Filesize
4B

MD5
35ca25d57d991f3a1b473b6173261712

SHA1
731109f3b29fc49487145070b5950be630ac354b

SHA256
9d0a8f8982255c97e83acf38a67af55ad9d191ddc94bb41e90cab17cf71c7552

SHA512
3397d6afb1abb7dbf424fd7d03970b8c494f964469f3c462af78c30874c40d397be442241b9c2e5597c5896e0f65262ca5fbdda5d1e931f9ffe9178060637451

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEUMgsck.bat

Filesize
4B

MD5
93e4e9094c5a617381562526d6d5b5ea

SHA1
b43c24fdbf1dc4ef680668a79a37656691e5e374

SHA256
f8ed71e49986b6cb4ca73065f670842db7de1522c9d80adb22a0dcded0b84eb7

SHA512
2ed4159e59c06f0726e6cdc07f5406cd0ab68c3bf7ebea4a2234a5eb8897bfe8ad323151211fba0b52016b37f1bc7258b6ecdfef5c549d94c9777fdc27abccdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmUMsAkQ.bat

Filesize
4B

MD5
4c63bbec19ed0413384127635eecb873

SHA1
fe95043fe085fbaf97f72ea9302cfaa9b58a2ea3

SHA256
47c740066192b78bc9a195626892fb42bc776ab74a9a5d911d06d910b2de4cf9

SHA512
bee9590eafdc96fee582e2fc525454432238de9d063c71b3c1f01ccee4098622ae346ab531d0899bd21bf38077f83a0cdeff1e4182b3408588cb4cbf7e495eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqcUMMYQ.bat

Filesize
4B

MD5
17be945853c95ac58acc2f652ba9e54f

SHA1
a4c010b1808a73c97dba7471b1313b5f3d96c56c

SHA256
78e883528ac79151cce030ad01bfe6e5b43ed8ae867398be4cefef08aa4151bd

SHA512
5936e0e37440667b5a08771831381fc2fbaa82eb99ea52e45f34a81afafe527b85a0bfc3fc3eed0595099661ab96036fe50b2dd43845cf5426c9a6c34d5b58ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwUggQUQ.bat

Filesize
4B

MD5
3abc1e09b00c004ecae70ffce93bc2e0

SHA1
ab23c9e475fef1fc93d110e2561b52c0e05537b0

SHA256
0f94f3dac36ebedaf816698e884c60c0066bb173c8684141d78699628ccf5e71

SHA512
1ea238866fa40b76d0c447ff99e9001d8bf160d803dbd2a55d5934cbe3822030dc8e17b53d17483591f71d92d52bf6f83457efe3578cadeff15af1c02c352b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEYo.exe

Filesize
239KB

MD5
a8561f4d2ee16f3484f5388d3d843958

SHA1
f9c262e5945731d19d56d9af50462276dbef1e0d

SHA256
6672489e6a321abe4af1a1a9f379439d85986d96cdebbaf9c8d9b694a9256fd2

SHA512
39a5a9da75c5466cfe420c6b1f025f878fa10d921fa3d9666c231da0bad477f61fa82f368a7f22949b352bbc40e2793c49fb3f361283dcf1d626e06a50bc71bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQAe.exe

Filesize
241KB

MD5
9d44a709bb98ed114bacfd3714ad8e9a

SHA1
e396190baea3e631b9c377b5d946320a9a838bac

SHA256
77afebcf242e4e63dc6c6f4d3644ad716e35b6b54675ee69be38440d1d005c9f

SHA512
fbef510a2e2dbc0594ac0b5aef8de7b3e2a119d8053358000cbdb5b4b93d256f1cc5824c59a769d6f832bd62ffb7b381fed83fac9b3901ed612b1298d2c03404

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQQe.exe

Filesize
1.2MB

MD5
63aaed03493b47b13cdfe4c7a69bf329

SHA1
6485757b69eea465863a8c8fe1bf7e31cfdcbe7f

SHA256
ecd5a9516d81aa6a801db2c00faad57eb6f856a645e87db8ad68088af20206cc

SHA512
bea0f86dde46397a27ac7af7893d6c2e3045b26e77000f1903d531ab53c1d93f68a4ebd6761a04c45bd552dd93dd68a7a7b8cc35e5aeb6cfa03e365fbe0f0c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUEa.exe

Filesize
231KB

MD5
0c5295698b820b5ce83ce64e9e3cb889

SHA1
e9230cf746be76f7386985ed1475ba157c661980

SHA256
99e0805a80e698b52126ff013ac8a0d8fcae865a94fb00da8e540fa916f6d7b0

SHA512
5fe296a99388cf8765a52a9fdbfd95d3b6436fd630363ba24ab860ee397a9370b6d898339317f701bb8ef2fa07c4a1caff44b72f51fe3e7a91ed4801c388f806

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYQu.exe

Filesize
549KB

MD5
0dc9ebae2e3dacdfcf3b29c2f7e6227b

SHA1
438f3e6b7d09515e721570bf356a85c15a7ff17c

SHA256
f8adbda188efc781b438833e9d396c381e64846c50f7540d4359da9781ade3f7

SHA512
b28e6589b78653db3d3c83ee4f47a52645798dbf7e7a9435e22b40f3d756cd28e52a1f23c414e03d8a95dcf78ce54e23790fca5febd17ce45213202b1c93b3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYYA.exe

Filesize
185KB

MD5
9ee0e475f3f0e8a42811eaacef568d06

SHA1
7a27dc42f64c038edb5730768fe8795079e49bf1

SHA256
59bbbcee72fba66bd01776ad1de6eeafc16308b773f2061409868350d70979d6

SHA512
80253883fe5d71816bc86953bdd2eae0a22ad72f686adba49462410ad7df42522dd726c5358464b9bf8e90cbce968bedb72bc3487ee677532e10f9983573d6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\coAm.exe

Filesize
227KB

MD5
a145421c30f9b1b4f95cc3ca9e2958ee

SHA1
b543ad0449ae1814116f459ab649182258621fb6

SHA256
d11194bdea3434e60b194ccb920a31fe2b6ddbe20c21a8e0ac9bf9c318c4d751

SHA512
496ff6cdfeda77c445d2cdcba7049e6936cdeb4ee4dd562a0c650e802f39509b5b94e08de34a5b5344182f1fb4f393f0ac8b722d85ce80efbdd001e60ff85042

Download Submit
C:\Users\Admin\AppData\Local\Temp\csgO.exe

Filesize
230KB

MD5
57f481621a9689c8ef77a787f24b59f0

SHA1
5426c1ac43891874341975a9e5e7cc548333f5e4

SHA256
5d449e0babb5bc952cb679488fcfe6eff9ad42ee0023022422a2b9a01dedc0d7

SHA512
d3c50da8510fff59bc2237f14a56a288ac4f140ff869e8fdf5de2c38360a6d174f090e1441fd35d0138ab55487a5f8cf952c7a7e3646d18e30b3a99a42091fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYgwMsck.bat

Filesize
4B

MD5
781469eae77456d40090dc5b3a21ed18

SHA1
7ff8c4f0c9e03e83a451c0ffabf601e2b8da096f

SHA256
c47602bb89de6fed5faa47fe82534fe68850a19507427923b2296e4153c9972c

SHA512
fff369e5725485ca46cbf6796c65171a7208844709086a4105c23e8f69359cd299c2f298d43721ae488ec472ceaa741c463aabf606a23b359d5dedebfb0ea34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\duQYIkwo.bat

Filesize
4B

MD5
b1dd8a13020251dc776ad83033d3008f

SHA1
3ed7155406a70803bb52f223a39ee0def4769dc6

SHA256
e185e9d2842bc1c4d98f881cb4d2ef493bbe2640ed60054052ddec1894a33aa0

SHA512
17f3787407c289a9a84776b38e1095488dc8648a901be37edf70a2befe24eca7f2476edaa5212272fd05dc77779f2aae8a0284d384bf879365147d5a0c1a63f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAQu.exe

Filesize
248KB

MD5
81c37fea26a83e7f9cedf69e96eb0184

SHA1
b0356c20fdd57fa3b08b5fc834581b9dc1890889

SHA256
eb5cbf1bf356a6d5e3d9db9e6356ceba356f8aafb97cdd0bb5b96cbe73d6e8e3

SHA512
1a94111a1408fa5946ed4847923077a3f3dcb8eb24d931f5486263295319c0166fa10a29044722aae8c1a1345f8c2550d82b75fb43977756a85784a6adc4765d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIAK.exe

Filesize
197KB

MD5
8051ea992d68296e4de77960aa0bc8a6

SHA1
5d407b033a242547d1175573f498b21606d7ff21

SHA256
4674c76eb334ce2a393eef5e3671b72c9ddd91367328dba20d856892b6454d31

SHA512
3d3b5c77dfa3050f1bb2c9462296523cffd78b3b043c24409d8c5fb7444404cc46adaf76ed18e2e2e744d7f5f17db6d41bedbae2ef487ed4f3799eafdec80d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMIK.exe

Filesize
1.0MB

MD5
3b1473fef816a10880533177dcc33e33

SHA1
97652a128109b9f980775ae953f757cec5e6cfdb

SHA256
b00b6e97e30f2adbe3f1dd8db99bab14adbb48b4f68e9e5c8fac1aad334c6ee6

SHA512
2bd5b95dfd453e33b428de2bb492b8836708d25aad3297cfc18077410c5d78ac9c72d19c59b373548639aad0989b26f4cbfcb4f90bcbb86a9590ee804a1a2d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQYM.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQgI.exe

Filesize
326KB

MD5
369503e7c7f585a8d8017f0a09dc74e8

SHA1
ffeaf9dd1ba5ae3f845e15ccac239b75a35e96d6

SHA256
e7f71f5a7280923546cf1e7c7fa1562e4df63d766792de19b61ec9e1b2707f32

SHA512
e01f879ca234b9c8d58cd9d8258941c5b6799bab7b56ae63766a108067fb22065b834bd1046e911a1c0fe65b8f53127b8090d5279664a4613f7e3ba8f403459e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUIk.exe

Filesize
227KB

MD5
0c6075650f129705360cdc36ffefc3ea

SHA1
7683fb7653d3c2a05a401c0e581e3a9ab53ace14

SHA256
cbb6b52e204b4c75c8d50bec17abffc5f4638a93076991c6cae086665d71606f

SHA512
9d6d024ddcbc3e935cee1e352f97073a7abdb226a7b2cf86b50461dc1e6aad7bec4b737781abe16874f517c9b3f4204f02b0bfb7952bb3cb43b817f26b788dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\eWgYEccE.bat

Filesize
4B

MD5
008e60e248c79fd84b816bf38d3309de

SHA1
21d382bf9603556bf572ed73b0c9b271df6aaa87

SHA256
489b192bc0a40bc6c2e80c2ea103f209c2e1b7e20d151425e68e8b89884c9c45

SHA512
121d3b4edbea0b1d151ba162229bd42096846d88e2ce0e901d01e3b9b304d0c52f371a4e8ceba973b04c387bcee17555212f8ea9e48b4979339527c7d9996083

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaUwwoYw.bat

Filesize
4B

MD5
90c3e583b2484e47ade0e6da7f16241c

SHA1
afecaef9ac25cc9dd962bb91430ecac154f79aa5

SHA256
ab1e69bd5f19cec0fb1e96e78bbd385eddcf85350c00277d937bc1191f953bfe

SHA512
99dbf07c5c63f63f64d253e9f32f9fc1a1058f2ebc3a2b6c110813a9893782c3fec2a0d5bcd1b10e711ff327a79205f0be0cf4f81fc0d6ab23d37f819dab5ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eccI.exe

Filesize
229KB

MD5
3c5c7155d5d90a1f197f171a717f886d

SHA1
aab830ef5f0cab6cbdecce8a9af1316370bf789f

SHA256
11be330b826e21a839a8b35265e79bf8a28884f00467076a025362d86319a81b

SHA512
c425d654737b2ac322172e4b807b067c50a514642d733c033521c69c8f67142a0406af7f807c96c6f3e89940b527cb2c374f00027f2f9b0d44a3588bc47c6b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecgu.exe

Filesize
230KB

MD5
0bf65a2c580535454a273779f54aa752

SHA1
28dee5d34457ed8425ab799fe3268889200a388a

SHA256
c088c18577bc33b94d1ca9c1fbf029293ac3ea8a9513d554c5fe94ff26e0abcc

SHA512
19a72a16cb7177ec31b017613828330d1ea68d32e2a6dc45f972b88c48f0b2abf9b961f139fc620e62c17b6e63ba9c18f98f4e5c107a4644bf54d069f7833cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekcIUMEw.bat

Filesize
4B

MD5
bceddafc1d06d545c8e44f7f81ba6feb

SHA1
ea9464bdef1b5500b79fb90da36776bed5c1c92c

SHA256
677d094616d45bb2e144e450ed2e87d66e5a959d2095beddf18a97f0fa81b208

SHA512
3e23a2c2e1d74f1964664244ba4dd9c82b369eff609ceb4945b9e55f00af06c76db37813372900e0fee8eb8dac5cea7518213659c797701f3c6a3459a9f9d0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eowI.exe

Filesize
253KB

MD5
c84e15c83aa35ce2d448d10074ac994e

SHA1
f824f393c245edaa25115b7a6ccdc93f57cc25b3

SHA256
5e2e897a217be00fe7354e86159945ec461b589b5849752bf09e6fc97f0a9ec3

SHA512
6f6eb109433df64ed30fac8c12dd6a4268a217cc125c5fc68aa84a8fd071b325937e83bbe652e0bab72600eb792d05e69602f4794be5d0f6ecfd5fba4b0db2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIwQcwgQ.bat

Filesize
4B

MD5
1c5aa9fb792760e87e383ccda4dd7b4e

SHA1
21c822a71ad76a4823be9ff4202fb57728397489

SHA256
44f2d8220593d24e97a90f63e27cdc01c5e42ee3361135b9c2899613eec96967

SHA512
4310068a821d1ba639aee5fbca215c0da366d7084dc5fc0a9563e3368c85afd24bef09add0fc62b5e690e06433dc7cf199656e3eaa2d2e5ad71a015fcedfa51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOgIkcUc.bat

Filesize
4B

MD5
583a0e90d5b1401a977d753ea3712b46

SHA1
fdc975bf40c326cee8abd2cfddee8f6f285b6fb3

SHA256
2173560d878152e9fc3f63d2789bbb12502b62a1c73e83b016eeea261a1bbb76

SHA512
55e3e698f18a9c850a4bc84882710c5ef88e11310fc6d04480bf4a39214f0a5e1e3c9880c3ebd6b15aa93099c798e5221f4523349100cfe637e1920510b1e45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\faMQocgk.bat

Filesize
4B

MD5
140d9c47be2d533522e35fc1bd04f848

SHA1
aac7f75db5c162e00ac64699b709afc58bf33c81

SHA256
1bb7d250b5fcfa7f42904d7db2c5f85f408687b9efde0c0dbef5c10284682c2e

SHA512
08911dda69538f192d8515d2356dab039ff683a992fe4fe39e0ebff056fc16420ce2e4cd0ec7ffb0185da080ae860c7f40f5053ed40b1ca705fb407011bff90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgcQsYsY.bat

Filesize
4B

MD5
8c2b8663a63aeec451341591d0321c68

SHA1
f2d51d5803f1d4cdd3b777e9b66f2fd29c0727c9

SHA256
5e6ab11bedecb718a1dc9ebe775f44b245b2cc638e8575436cbe46c4adf0fcf2

SHA512
87daed7f9decf142cc24e48decec635d25de7f5474bed0702f6c3d8e4d03ba91a623e74b3156c2eed7f1502212ef250840188607d50f65144b4db90147a6321a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsAggYAU.bat

Filesize
4B

MD5
d0aa62ab81659e98d81f4d0138b35d3f

SHA1
2a71abc6d14719ab9e972986642eff17bb49b0db

SHA256
d43e7a68e73730ab2e29d0fe3b0d93d58ab0e172cb3b0f1a3fd8ccb4ee99a8e3

SHA512
abd230d84327529bdfb2927ff651f7689bd6d46dc4f6a2a5ab1addcca37c88ead4140e89d3f08934b698fa9833b88db0a393d3f53efd8749f00546e2d4e26a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIsIUQoc.bat

Filesize
4B

MD5
b3897261ed20d0bbf1db65c63ae35b37

SHA1
32c81d34084a56896a4ecfd17253134f05566e77

SHA256
6aaae07c2b4df2fee665ea30b0e4195b4f11088c41bf095a728e86f21c46b281

SHA512
57869935f83fb445faed032d8f1cd39c3b5fdc3bfc7af5489ef08085dbaf1058d326d6427ca15b023948cb192407ecd220df7ca45912edb79f95efe972e76dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMcggIcE.bat

Filesize
4B

MD5
b424d9d68565171e5c09df353c561708

SHA1
703f0291c60432177e16b46d18cd59c62b896ba4

SHA256
df5a24a787325e069db25f9f3d6c4f283c67e8428b54c15c2a816ad34b5de43c

SHA512
9132485b51fd5448771d2b4914628a55320c4b0a57caeb092cb00ad32d4969f59de2e57146459a2b74875c9764022b42b58c0074bb39b49dfa026b4ea1651453

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQgk.exe

Filesize
245KB

MD5
5bfece6bc10b27fc2749f383b88586d4

SHA1
63089dfda81055d420159c8318af4df03f3d4e2a

SHA256
82ec418cc41416125b2e95405343b8052c56d0dc1aeeae3e378c89d66481f7e9

SHA512
502b3ea8ef04ad649953be80acd61233660bb0fb4c20db9093532d02d20c5f20509fd635c1c258b756f4387b08fbd6b2fdf02784f8702e8d859b9a2e318c0b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQgm.exe

Filesize
227KB

MD5
86be834e56745508f569d6067ae17b95

SHA1
110c71497b6585572b69a6fc8ba0f6b58fd59407

SHA256
d765ab59b7cf098f5a31f003144ad875c3b698a52db3f1a33498cae052310c19

SHA512
6dde685dd02fa92e28c9333e7c08695b65dde20a52036738dd25cfc0514f2173e15a1c74e99469816332b9a603074edf0d79876a7fcebdc9fdf62e9494fb20e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSUckgoc.bat

Filesize
4B

MD5
26fe490d5e9fa293d7651b43dd708f66

SHA1
f567a0f5dff53a5edae620b0e3c839c308479177

SHA256
4bedc790146ea9b0e4b6f5ab0345904369402f4e7b914aa7a5077a4c9ff92bcc

SHA512
d635086bad8c51b95aa16a2a78552a8ea3640fca77c733fe128ad447aa6ff5e406a8849d063cdf5c2b991bf2c09bd58204324d8cd9836a714d57cf76621e708f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUoi.exe

Filesize
413KB

MD5
05bb482d6e0c8d2beef687c0d2a1d25d

SHA1
f307e9a6ed5fbddbc71c7a7311e66b2b85cf0226

SHA256
7c89da9e809c1e5f432127fa6b850c63017cf4972937848dbcbc12e2e1ce6adb

SHA512
28a02a60e74d3a976c4ca546249f2b5c741d92dea390881d1647e002595e59d72ae595e106ecd3c6a8ef47708b88c312038bc02deec94b4ee5d7b7f8f53ca5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggEs.exe

Filesize
645KB

MD5
d8831abd8f206a7ff2f41fcb96a34f3a

SHA1
6a94d83a16410958330e01c0252828f6511892d4

SHA256
90535366130bba101ee19fd9c9436ab6d9716d4c8926c3ec33ca5d04d0b77459

SHA512
37dd0f6fa4d7ca690fa5247864d8d696913ef29db4070ad37e1243fd57df8075f0fb851942385859b146193f38cdac10542f1b7b32a201d34f0bec97528055f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggMy.exe

Filesize
898KB

MD5
d2c557327dcde2e7a66d4eef7a3f85c8

SHA1
5d177c14df4e0739b0538b51f699d59e2de0e3d3

SHA256
f8431131e4fe9ac20c85ced89dfe6a4d29c804c106f3d1bfe005c7a5eb798020

SHA512
1d0f95564c72f921abf274fdeb999f99f5393c8a3abffefeb9570e8329b742dc92f75d60d53d902c3491592dca96d9d5e46f93d1d5a6536b2c3aa5bc50a0a9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAEsUckA.bat

Filesize
4B

MD5
4736608a9f6e6af86af9efdbdfe12ff2

SHA1
639d01c48ee6235e83166d53151ee3f5c41306de

SHA256
1e8110e95e5292eaf4325816327cb23b7e8ec0c9806686a36d9d6f00ab2e92de

SHA512
0a587f8903424032148fb91ca57439d627409c4be9aa3ac33f1f1190652a051710e7c266b33a83452ac3595f6c63f5bdafff9f8e428dc5c12dbeceaa451ca4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAIwYIMI.bat

Filesize
4B

MD5
5a89a73037dcaf60120c7847c985bb01

SHA1
8ed1d67707600ed853d8800348f35d28c199fb4b

SHA256
6939d58c6c46474238415ff14a891a51df263a4214004782990c5a0c950453a6

SHA512
3806304ddae2f437407f0dfcd4d9835b843ecffdd94e3e4b79a1f8ab31029164a7d23ccc0f914288480ff6560952db28c4c99cd88631b4ae9c09f9a5b5962e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEAW.exe

Filesize
956KB

MD5
641af040a01c81c9a9fc2bfb1e517628

SHA1
e77f2c783b9dd5761bab85699199ae7da49f5611

SHA256
af826bc4df86d4beabedc0f80c10a6e2beeb89d7f2d0ca27dee81a5ef6236aa0

SHA512
4c6f4713283f44e54dcadb2033c492ec8f1286f4770d35f39a362d9b1c687ef38dc1054369da0f465520c25b1546bc5cb655fc7e709dd89c337283334ba3f190

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIMa.exe

Filesize
244KB

MD5
cae2d6cb9fb9937b0e7489066fefe4ad

SHA1
561a4e0495876d7dde722a05f35d25d7e73c7539

SHA256
744bdc60b492dfc3148aabf817141e8b0b01fa4d9ec48ebabed3ca79039fdb3d

SHA512
986cfaa784ae63551d16c96f67cca9988d40bfbf74b81e19deca782e8b568939f21ff9e71a3ad210036af84c1d61312df95a25b258bd3276efac8636e78ec72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIkIkYkE.bat

Filesize
4B

MD5
7d616fb0ec05530003622192c778836b

SHA1
36e3bd7fcc17ad61959c5cdd741a417623a1cebf

SHA256
9b911cff82bea277151fd87e5bee3ae126049844e9017f74eef5c58f65ee285f

SHA512
fa55b200d0f93b0562a10a3019395aceaf61908e7a4a88e4d8c3af8b4359bf73e43e70700898eb44e1beafb4e6857b5578c74564877e6059a7f190e17e64a0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQQC.exe

Filesize
229KB

MD5
961191f2d690adc13aeba851158d139d

SHA1
dbc2dd9c8f2c9f6e1df894d52786e0e9923de37d

SHA256
dd394cd4caddc34747806258f54f2255f491f3f3ca51e4fc95bf6a086119d401

SHA512
4de4847304f8f41fb95d1b003af5a9a4673defd2b42d479ccad05a65a894e7f144cc9178ebd0c84a12e3fc381d138972f4370770c2af9268556777f9df492bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUcS.exe

Filesize
230KB

MD5
4c0b4954538a20534b1293bb00c00b8e

SHA1
f9ea00952ffc53d29b69651bc827ad169472561b

SHA256
264a6428d2006cbff97afb09e5f02cfa7728d3f38bbff866d848082e77556dae

SHA512
4818ffa39d8bf8ac17c9de4e1e5a0cef35e8db8284a1d258af28d529f6be86a8b7521690a168ce5e7566e53486a3d206b8e71a06693e8cfc3be98db270934ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUki.exe

Filesize
410KB

MD5
ca460fb0a4e36d315da09adbd46025a5

SHA1
5d1410bbda01a8f95591b36652bf22abbd892fc0

SHA256
9960e4357b3045dfb8185d0438f98b28c53d4be3a3f3ea69a4e88f9df3071f50

SHA512
b5e7e97b7acfc6ff9475eb52707c6a7539a7c1ddcbd58e8d4d3b952060ba5adb5e04cf135c8a4b32ec450520ad3f1a8ce107f314e69ffeafb405691da8f7888d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYYM.exe

Filesize
250KB

MD5
8cd950fc8c57cb571ff6e2e85a9b2efb

SHA1
4be349df35b7f38a276922eb99542d3b1ce17076

SHA256
77c2f4f8697d36ebb20c86841283d0f363a79967541f9cee96d86729f55390aa

SHA512
7e66fdf9beb22692e26920339ce2c787d73ab82df7f27ac552518dd4c9f0a1096fa6a9e29176bdf56c22d3f08fc03e3a80534ec81c5dd310137d51f2bc4bf989

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieMkcUUg.bat

Filesize
4B

MD5
b43bcdb078e41ea41e6e098454689fb8

SHA1
64a5be4f943816b1b8261c30fa45ea797f4b5ab3

SHA256
77e2436f395aac4aad2883497a07be1ca038a1d3533d190ddff9fe3edb573e4b

SHA512
2d8b50fd246c55465a620ad63f4b22c6886ff810990bec60a0d31019a9c5ec4f4b4715175c71d594ad395ad993f0426952b779d636fd48eaf7f987256dae4bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieUUsQYQ.bat

Filesize
4B

MD5
97564a87a815cdbe9e73ff9778516f42

SHA1
a83966522d646a47f98d5fa3efcf9a7040dc34c2

SHA256
10426602c05d470ccf47ddd0303d17857109670585b74eb6e131b9d322aa7654

SHA512
90ee01eb4563c4791227c10f8cef0ca7bc5706473091fa47430d57d4a0f3bc818bd0c82f82198b3267c5d058f63c4e20d4bcd061f5eb4dc004e7fdc0bb67cb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iosq.exe

Filesize
607KB

MD5
836a0bf5c3defde40f8b38fb0085d9ef

SHA1
ebafb358aef2d45c70f73079ba595e20fa6bfe52

SHA256
4ed619e9665c6fc94dbf51a65495418f0e540befc29ccbf197f644daaf3960c1

SHA512
26719ae845fc1ee8503592d2c9aa1065ecfc1b8217773309fdbe74b93913b413ba71a55b0770a4a576b903d96dabdbc6f36235390246ff583a758d394a64414a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwIk.exe

Filesize
410KB

MD5
c2639613ed63d88e3864b82060277fba

SHA1
8860b5ae5b8125b0fa6b64bb4b8d794f26226853

SHA256
afd7494be2f13322064edfd42d8bb8fe7170c2a939f8332fd68795ba8588da78

SHA512
17799ea11038c154a0643f4da8c19315255407bdcbbe3a57bc06ff8d26d29eeeaab38852e2189a28271c376464b0cec9e370b81f804d8a8e2590e290570e4185

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwwk.exe

Filesize
227KB

MD5
4de4e5e11f09840a3999d88a2587232c

SHA1
029c5cfd06abb34614cb75950ff6f2ef484caee3

SHA256
85712acf2b3da0b26d8a246e7f14a1fbde370c3ffb2b7670020022b88143d850

SHA512
f65cf1e5a53ebd2dc544d584023758f5b5cbc95165a4fddaec2cdf2100c3bae4b5b37542d60d961e1d95e8c325473a210a5f561e0fbea3535ec3f38f8817ae97

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMYccwYo.bat

Filesize
4B

MD5
1b0ea748d0963d6e9fca3ba77f533af3

SHA1
9c713dbe355680de889f89f7e5d8f27798dc7d87

SHA256
0391ca44701c09b9ce4df9a5209da36997e2846ee2b8a1d8704b6cd612938a21

SHA512
c444bf69918268218ea263c804b8ed01f64a7a7737a4e8d77ef94854d7c36981e7b75e1c96106074ecff0f07ba64f49bc50be36cc5cf404cf3198d0a919d6ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcIEsMAI.bat

Filesize
4B

MD5
25cc3df10bff6b96e92ff30652f59401

SHA1
4a59f9d55f3d9b69e8b4694649e0aa05fe5bca0f

SHA256
550eb47aa69b4e60a8f8c074cace23ddc876d684e5c26e4a57ccfbfadcfa020f

SHA512
70a4b1cda58eeea4fe734de40c47065dbaceafe43e718082d9b76724374bd6018238d7791a4bedad21b7cb9985a7eaebbebad9ee97899bde1518e7fafec708e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAMk.exe

Filesize
226KB

MD5
bcb95396f622f5c2be7203a74413a244

SHA1
4c69f4d873947536b1911422f5fbd9f0bdc85a2c

SHA256
866cddb2404a27751c483b889949f0f265b393499d21a14e813215192a5bdef2

SHA512
3c58d563f76f81b912d92144bb792b695fa1a187ee1e84e9915e580d5af9fa53eafd34dac0ba29f41f52c70880814fe163077d7105e5a32a73daa94bddea45ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEce.exe

Filesize
227KB

MD5
78d34bc80fc70e9c85f97647c9f09da1

SHA1
f96816aa3c48b9bc6449f9b7e7654146c5b43209

SHA256
4de2207aba80d4cfe0ca4d8cbcf3228cb9738def4907cd1090e7ab673e381626

SHA512
37b119ec39ff64616817f4cf48b4c5065174a24058ffce53e1e9f25b0a6bb2192a6df0e0c4d0da6bd6a755bd90c018600a8c76d218b8a82f1e98964b5160e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEso.exe

Filesize
205KB

MD5
57f2f1ae8d4c7e1bed7af94145b93781

SHA1
502341aafa4d0f8559068f4994c490f82366a373

SHA256
18248b126feac0767bdd1703039f85f5a4bcd2b5b71fdfd35c56cdada2e727ed

SHA512
45c9dc22b3899db937afec957384028df65636dcd2c39fa4b74e0b37eab317f6873796f0cd99b31239307c55442376b0013bf49b7221a3572e1255eff38821c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMgu.exe

Filesize
241KB

MD5
8c38326206d3c4b9beecb7c101fdfd4e

SHA1
47341a29e34ee6550f68dcd25e65bfee3b2d3134

SHA256
27d8c6bcc32b98aa584e64f3dd2cc9d7e110e43949024759d91b8ee6709692eb

SHA512
95dcc8e1e08bd371db8d1e9d80ba811a7502bcfb89db3a033f0fe53e9c15c3ecbfb00595827ed3ecc04acd81f0f0c5d130fde6bbb9b25f059e0c2ae9f0b55687

Download Submit
C:\Users\Admin\AppData\Local\Temp\kScwEoYs.bat

Filesize
4B

MD5
20e4429c0c8421e83ac2358b1a868a95

SHA1
3b72893ab9cc354ede7fd8a2faa4b5d2e0218d46

SHA256
96de8f126724488ecf6f87a25c0f11eac28810f4a3f5cb8438091ea18c5b1ada

SHA512
c4751d7d3b6a9cd8023e5f6dbdbb673cecdb42b42bc1e8bbbf2e29f8e0f3ae042e5480f355e42b12915f5b4215f9fbe3b3d6a94b7f6b2269e7ac803d4748e2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kSgkAEow.bat

Filesize
4B

MD5
acccd8b5b0c2ef48a673320994d7a011

SHA1
4bb96df58b1804e732403568e1f4fb83a105fdd0

SHA256
b450827c15baf329bc7cc2a2f42e18fe406bffbf646a888828f330ba456c75b9

SHA512
2dd4c61bba403499e372cd1c3d2cb788786e71a9414e924b014efbfdb420d43a55e4756909b06e8e0656659148a6370c1249b26f7b060c8ee74381fcf8baa0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYMg.exe

Filesize
228KB

MD5
5bf31e772a70ccf7085cb6870d682abe

SHA1
0e43ce45a86173982f9a5f39b9952c2d3468db00

SHA256
a3ec46d047374e7efc42f5d6782a80ea22852140efbcdd9216ba0bfaac7b0e52

SHA512
c8833445bafd3e52585b8f8d644a52e3e6aebc6374d112cf9cbef56326239bad174175da6e5135e8bca296de17a94d74ae39831b898217774dfb85de6f6205b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYAEIsUo.bat

Filesize
4B

MD5
f7f754ddc06613d38961c931ab0e2d48

SHA1
0df64e3b5835b4ea1ef9aa999c23e23614c2450a

SHA256
af67507a20f4ce64185e83280b112194b6ee7abd9de43bdd694efda8948f3b75

SHA512
cb079f5b6a6ed3964bf9f189554bfc0cdcda3069bd18c75be369961905bbf2e7a596005abcf0db33bec2c1b501670831843717364a6c73c78f16e57b30997cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\laUIkkgk.bat

Filesize
4B

MD5
a6fbed455726b15c90cb96ad5e9cc3e4

SHA1
f2f570380a5172c36b2edc6da936f60e469a1e05

SHA256
011c5599f17a4e9ac564500d88ad663f893f7df55b1bf09bea4010f2967e72df

SHA512
bfab0455c0cd5ff560b544885278271e66ca9d49597c8e28e722f63a2f280248b5dad833b92d5a398bee5bfbbccf1a703d97d1c1cf0a0e08e13bddcc63097755

Download Submit
C:\Users\Admin\AppData\Local\Temp\luIwEYoY.bat

Filesize
4B

MD5
9c65b726c4b09abca266d9e391059f66

SHA1
e1410725657722f5451e8ec1bc0c6f39450eb2be

SHA256
77ad992187f9d25d0246f0b5e2d72de10b65895a4be1dac2ba7e7191144ad7bd

SHA512
9a7e6751f420fa4dc8981cc0f0718026860501f1a1f6e7bdafeaa0582b775c87479b3e50c346d2a6fce2e190550e88de9ff1aac5c856c3ab0ae0f31e96840b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAQQ.exe

Filesize
189KB

MD5
83d23dce765b45b2601b13285d3ed974

SHA1
a92ab455157bdf83ca83e0fdf4207e39f457094e

SHA256
b80b6b3e6960c1899dd03ade312347e646e96c8b5515f839ca7511721bde9fbc

SHA512
45fef97fcae28c9134545bcc01f00b268ae0cfabf02a5d502de42f6db6a40e8c8444a8bd5b3051f0702df2a2e09cc9c0216416cee2c1f4d6a91a8fe8cce99089

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEkm.exe

Filesize
198KB

MD5
646c2a15eb614e7ed39f10966804a1c2

SHA1
646d4acdc11a4d4106d82331bf657210c03bfcc5

SHA256
d39cdd910b7925fbf176675323e0a4ade060a96dfb74ef0bfa2f788b0f006886

SHA512
28524c69c1ef4345d489e270f0135004dfeeedf6b8e2adffa7bfc33021d2fa5e9724682e9796b45e211a75ebcb4e0de1c438fe0bb397ba3ef6074a609c370a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKEckwMg.bat

Filesize
4B

MD5
22c8a20d5200656ea8677b3e38e489e5

SHA1
54556c124c10752d6d37f6b297451559a00148ea

SHA256
9dc7264c7b02fa760dba3f3778e3d2353e0c4b2074b3516c46972cacdbfe4eb3

SHA512
0588aa3ccbb2ca09a43e1e3a1ba63bfecd44cc2b3ac4de9cb834e7107ea5714ec9411783228071ce3f126fc63a68366c4e9111ae1f87648169b09387bb2cc991

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSsQsUMM.bat

Filesize
4B

MD5
02d5647041ed1ef0662a67f34dcc6dc4

SHA1
264dd31f97484a41efaf627f00c9aafab1d0d979

SHA256
f5296395f13d42e4dc50c52787b951d5ddd2de080bd737aeb00c1d14793ed319

SHA512
d829b997bbda0c3ce7af148b15f707e972347af28541e35e81c7565ce7d53cb52335f7dc3d0f4c016b1f8f12bc668b0ba6c0e8140ca7ffac2419fa3cedd3610f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSsYIYwM.bat

Filesize
4B

MD5
40434ae70a42fad842e9885596219adb

SHA1
942f1c934b93dd475f119ed893edf2a8f45ab0a1

SHA256
bfc5bda96caa1f6db158836396b405c42e87707e8807e8a22fb356b287c3b24c

SHA512
50df97fe2adf7f561b47036068492a6f8d5ec0494687721f3ef7a57a17d2d0a39cb15c5dd87d2ee12046f9cbf164fd40990ac9e3017880e266dbdd9328d6ba67

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYkE.exe

Filesize
206KB

MD5
47f20dd2ebd746355133657dc2435c5f

SHA1
6051466524898959955aa45102bd1ee153feec93

SHA256
0f8ff56caf24946a7c4fb90beec5f1fa1dfd89d0984dc56fddd0d6ec58b91bdb

SHA512
47f0a345e84fdb84391461eafb13d0804bbbbe0cd574fd2c3365270731e422125e4b72ff0845211cbfbfdb08b88da08ba1dafc4e455b6b5c25f90dda4459975c

Download Submit
C:\Users\Admin\AppData\Local\Temp\maooQAgs.bat

Filesize
4B

MD5
25f61d455448d1aee97ffe3fdab2c0f5

SHA1
b45c6541a53918180164f1ff03c9995b69456b9b

SHA256
a0e08eefd029f17337c3c9b48eaa479cbdb9581fa054e920a9772a868a131f32

SHA512
b5b81fece9a10d3fccad8d2c1cb84cde52fa798f28fbd3b56e6d122c102f33c55b0d87bf2bc7f5dbb413a5c4fecdd7a952970dfcf4d2b7606b1139b43bd4d7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcIIQgUc.bat

Filesize
4B

MD5
d9c45a2d5f8533ff7836db6a28254c6a

SHA1
e01d2ce0633be36d931fc13beff02cd905505993

SHA256
be57975a179b5c9a64ef84836446b3fe80fb13081a0c5547b451f25cc9b94e6a

SHA512
f38bd31cda852258e6ee1b84ff731c4384cc22152dde3502a003fe3f4595e1716ec4ae1d0429bb4f9a46d2e7e6bb45c58bda4e29d9e4f111e04086ec41b6149c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgsC.exe

Filesize
206KB

MD5
e740632dce8b47f8aa03d31b4b92724e

SHA1
1a0382e5d8dee344515b5138722b703d5d5a86e2

SHA256
0078de7aa6963d3c7cd1b8343293465bd5c230272bdb95333e63eb237172744f

SHA512
118763ed1f98d9efae4182ef5e6bf7686eb7544e4a2a004c7b46cd68c2b6e2090765c4c5e6baa21aa73215e3c0924ea1b8668ad55cea0e9b54a0a03456c945bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\moIq.exe

Filesize
208KB

MD5
85cffee38a9ec6f299fca4d3fb26efcd

SHA1
7fb32581b64d22093be9202cadae0fdb43e37599

SHA256
db9e1dc6e4ab8e0a5afa1f07a22c76d98240aea7722723932f36c51f4ecf3ece

SHA512
519ee1e5169fa09b65f18dc2563d79b024dd04318e2ce16cae2d171915f6ad429e3293d0e07b98bb2cf57bfa371a16b6ad1fd3c2e10efd8c5495a9707bb9deaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\moYa.exe

Filesize
235KB

MD5
ead754af1a6c919e152c02bffbc1da4c

SHA1
4d6f0b06ddc9bebe7dc0c987773671fadc1639c2

SHA256
58bb179f1895cb8faec2f1e0a7981a5a0f75e5e3909171674bb2f83f96882cb8

SHA512
813a612f8b012b02df64b527ffe5729cb974e108a569538a26102b683ad86bf8f5cda4b05afbc8fc71b1ad07834a037d85f2575ed03597d4bf62d529a2eaaae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\msEq.exe

Filesize
247KB

MD5
063ee1ede1d37fe4e5e2a306ad70e63f

SHA1
0bf0a33a6310b64fca1b24fdbb0582485465955f

SHA256
47ac063ad2f24ec17b1200c85e47590f60c3d311a2353d5b8994bb2928846192

SHA512
b7296eb41cf2f299094ab94de7a9aafd56c659345c2922a90115ac382998b4da1b8abb68031f2bd40338f4d64c734633a7ac20c41a79d989240cd1953ae3256c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssi.exe

Filesize
245KB

MD5
7949e5423aec089c833ace34ea817af1

SHA1
f282e342ded6e05a6497acc620a658338947d661

SHA256
338647174c7e2fd78bd6d3c214b090b330a11d9652e7d8066b422d90c55bfc93

SHA512
12e5c5aac6d52f2fb48af798d230adaa4ac8da358aff38700527f6eb89b11d6e7ae0c42d6dece160d81cb30c375f627ac7fc7df004c68e9376657784057cf05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwso.exe

Filesize
197KB

MD5
5dcbc951ed4ac0ccc9a6d7f8affe89ba

SHA1
bd320a7ea199bb58678a8084b8572b041886f5cf

SHA256
fea07ac5443e60b26d968da8afca48ea2f9fe42ab1b7082b8b6cea7853446a75

SHA512
f23fda45bd6b220d062dfe7700be9ee692a2adcb55796a186efa9b2db5a8490b2a1a8897ad90819669f465d67faee8437e35e61b53473bb21dd0c246588340f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKEscEQE.bat

Filesize
4B

MD5
bed22ec89ef484e92d65ad3c6ddda15e

SHA1
04b1f0d25d16e5b22ba4a87481a6e5fe3878140e

SHA256
31f3af9d3ce5cb1c4c800f60b8ff9d9084825173296b40556e6e60ce04b13cff

SHA512
7b9b15979f96e31493417a5aab92dac7c9a26560ef1d00fcd4fc232858ce3baec7b285b3f467a3f6a0a3f8ae70ade1d822de2e6c817d312c5a04cd92c88d6734

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKssQYUE.bat

Filesize
4B

MD5
7e49cdef3a8f444446aeb6a2fbb72ab1

SHA1
27bad0af9557afceddca2c826a1a551ef06ee892

SHA256
2989a41cf5c83b28d13d0f930434da6e8fdb99f35388c19f29108f50e73bb218

SHA512
e6363b80e9d5f76092fb67ab45d02f41a6412e2085ef68f195447a7c42acecd9ca383248df9bd3da17f6025f2bdb78e486890dd054434a7cc9841e7a0b276360

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmIsYUAk.bat

Filesize
4B

MD5
e1c0b84e507b5ae5e7b227a16cd2b58b

SHA1
2b6fa8ed2ec3b4b58a96b9119c91e150f3a9b303

SHA256
9f9d6b790f67e639da6449bde07b2e0d37d518c3a69eb459037745873306c019

SHA512
9e90ded249461e83a0c3c7636f864cbb25560a25a185993a189ea6ec917897a686e642d103e116b906b47044e0264d8d28d2d26c443bf255382df96c81f2642d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nosEQYwg.bat

Filesize
4B

MD5
5eb954e1a3ed8b966b771a1b76179d12

SHA1
1334cc6d8139c4983e857c02fc453b675d09eb68

SHA256
a3e7dc57d2e925d38b430995682543e40b152d47a411e0e69984acf5e3c75514

SHA512
22bd423d6d4ce283d5bfb18ec755cd1fbdcf4454e5b1ae993968cd4e3ee88e147c126b00f71929eaa7b8fa87b4b5c5ddaf29f5c2714d2b900a4be05963dcb6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscEgEwc.bat

Filesize
4B

MD5
10951e4840dd35b26c25240e2c8bb772

SHA1
0d2d187bac2b7729f8cd477d8a08cba234ea7757

SHA256
16666c3a5f7c79bbc9df387e60f153f28004bde009d2a6be5df3196758e63e07

SHA512
3f9657fda3c6f6981b97e9e987df66143a3cc82e6327999c8f9bed6e8c932615e1fe01438354ba51250231cfea2f80fddd8f502a96794a0eae3589343f6e4ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMAkEwkQ.bat

Filesize
4B

MD5
ef68bbb7e36c2638f9edcec885877619

SHA1
e77e8521cadc011fd6f4716a10d79b107fd554c0

SHA256
8d6f3527c2329dd8b4f39efbe4b379bd57b18899429fd4d3b27f0bbcaae51852

SHA512
766513a026e8c3da47c361547d2e4136e9b56062e39a9f00d46bdcd46d2d173a7287dc01b32ec0ec760170b4e155ba92127c0eebbbd96f98c3606a0719f27300

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMkEEkIg.bat

Filesize
4B

MD5
8b687e4908b4cfea3ae9aa5385ba6910

SHA1
1722a9b50f5b8099d2e1ff64ce01884d9edf0a61

SHA256
cb412ba0aa00fa83a1b76357f0e93c26f1c76628a9189935af886bb29958c0ca

SHA512
9b7775dab3ff5468921599deb04cafc0abef4be8b24b4e9331d7ba0ff0bd761416feb15dd3b98709c656e64a8fc08e6a1c920be73fabf6f7605ee60f46823a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMow.exe

Filesize
189KB

MD5
29a686e19139de0cd60d8a390c93e703

SHA1
15846a9ff671d8ad72c6e8896dcf7e53f9ae8c1f

SHA256
781896af152e5e28aa71d2fb0149f82e3e027d74c47c3bf1a17832a5fe31f93b

SHA512
29c8871ab73d86754c24287b05c8d1ed9bf7bbda47c691b91ce5165fe57221a9d660e7a24595c070c6d0a277763f73a1bc974cea2b1057bd355dd88a02a398f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQMm.exe

Filesize
240KB

MD5
e2695c3b2a6bfce16798dc8e3dc5ecf4

SHA1
3fda3c962a452d7e133b09bde0bae6a7d59f8888

SHA256
fb171fef3aa5542d27eb344bf2ad6eb1e5437219f45730cde59c02b44793173a

SHA512
212240699bbf29b2d52e5c33f29e55816b88f39316dc06d2b75110d9e5bc88fc1e9801218ad56494c5dd4a748e545a309e927f837d5ff01391fa87c49ac5d85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\occk.exe

Filesize
561KB

MD5
fee298955146da79d978efefffd8d52a

SHA1
34edf8c592b7e8894a1e087551961353ecf40a11

SHA256
be715424a2ae3dc55da52926847cada6740f241a02ce90cf2e8079209b978be0

SHA512
8d4b3c7d8541b971c41f8a1b581fe4dbb2fd36f9813782d761327812012bb21c3240d64c2af90de39d0be6c36db543e4dd3cc38b629d4b7d22707ca30b6480bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCMoEAAs.bat

Filesize
4B

MD5
1fe9aab1a980cdceba85e9ff89699c72

SHA1
6fc8ce70f4bab434b84b2904db7e825c2d7f4cd4

SHA256
eca4e6f7ca38aeec61fa4a4b252c520834c35155850998b1b5165123cbf1f243

SHA512
5027b911207999c672d50ea05afac2820d9789fe020c35db1763fabdb19e10bdf63a559795b48b51daed6a728bc9607668f5da0c5f5cc02c9bdca03c71b624a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pKQwMcwk.bat

Filesize
4B

MD5
94fa12fd1839f2ff66e35c42e4b82b4f

SHA1
27442066942cd0a079c95940df63a37312e3d762

SHA256
508868996c8562c4e20832132b0503a00d9ff0dc6ebf43c574575006632c506f

SHA512
9689d76fbd5c651c7f570dde6adc4c76a4184279a5229319d4571dd8db155a11e65dfd9c64e579c3a75dcd5b8043e138d870a5ad5cee1c0bad5c022e7975cc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQAMYoso.bat

Filesize
4B

MD5
4a5a89343b265fb93a2dc5fa57d2de7c

SHA1
fa737ceb2717640328df9b42556b51c14f3cd393

SHA256
f8296db7824c044a5b44d7ed9dd567f24f19c1afda085637ffd8338597f47551

SHA512
979c6d9a9be165f74ae6f4fc5800e2e5278fdda6e610f3c289aeb6ddc85aacc9b837f2af9b03d7ea87775941df8b4e6024a367f9fb8dfb0b4a287c2291a1c02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pisQIooU.bat

Filesize
4B

MD5
bf21123a9bb35f9f145b3fccc5ee57fb

SHA1
a1726cb473b82bef0e55a4f54255798c456cec0a

SHA256
1b53fb70b332334550475710162d4da5a694292aad455bff42aa47b9c7e7b5df

SHA512
298c5e9da5d2059b0c7ea13ce5219145dcb61fbfbe34746440db5e6d14c10aabf6982ca4454e715b7061816833655b3d35349ea37f7e25c7be8cb41a2b54435e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEMm.exe

Filesize
235KB

MD5
f4eed82c4af3710035d843b10c121377

SHA1
0cc0d3c8db769b289432ea97dbb07a4cc4dff959

SHA256
fdc451da8280f0cfb77ac64a55fc94898558d37d5beee52bd2f10130fd28e42f

SHA512
ecc339ffe1007a937ad2f62f1d61cb27aa253026c21f0e68718a2490368970f591ca91dad93e0567394663d606bad2bf255de9c7e36bed253570d55bf84b5e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEks.exe

Filesize
251KB

MD5
ec54063e8bf4ed0abb3ef3fa7b40d910

SHA1
e6c1e0710e93232a743a16257b01d9e1780d6007

SHA256
174dc403d45afe53ef11451d04e0bea0ba1119149307b6c9926fff18ce3e51bd

SHA512
9b4ee2ecd58103d1f87cb037152552d77ca4a70747fdf837548e204fd24e7f77ff9856678ea3ad459f2e2fad62bd50f3965ed6202ef87a5055caf6f9545c2f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIQA.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIkW.exe

Filesize
8.2MB

MD5
07b5e4c2b0eca93a6146a58dce1fed68

SHA1
f2508503a474e40d14c2057ce5b3f3988cc7741c

SHA256
460c1125cc51812493fa8dde3103b400dca07d076af3436d5deec9acd93d3743

SHA512
2b2497ef87d9fa8cd4214ddf370ae2f2b79f33fe7c855b5dd0b4c32ac2bff1065b14b1234bfe02e57fe3978cb0ddcd35bbfe8fa96767eae31052f0317339ee19

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmMgcUsQ.bat

Filesize
4B

MD5
aea53b9b78a53be4cf3973ef041c64c6

SHA1
269614cb791bc92e82c023998269ba82cd3dd115

SHA256
db9f79d5a95ed9aa4dc93a221c0d013f091dfb035a188b9ef09cabba574344df

SHA512
3be9423946105eb33ab7d5faa268a63fbbf8ab08ef53c247a953d1c7999d5d60816270f09ae6ed13e429a3d65597b3e20ae0dff19a78fae8aac2f4771e026f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqAoYkQM.bat

Filesize
4B

MD5
f2e4fdac8ae77526e81a1c079fa47bd1

SHA1
352ce326707f03508677b0528d57bbcbc1488c8c

SHA256
61eca830bb4e0db4106811f352d066898b49995b0c63702b4ad14b572912a7f3

SHA512
db0cc7f185d62bb6081534556ad0c92866f008bf81ce35ea70661d1746d1f5ca30d9e7ecebdd5afc46f629a6a5c1945c12afe44b1c0aac97e71e65d458915e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\raAoUoQo.bat

Filesize
4B

MD5
0401a13403d14201bfe3b87426b7d745

SHA1
118318003dba12ba6e2da254395abe750fa70b66

SHA256
2bc4d95db07e8daf9c7c46c678d901d277f4a386a32a665e7eb4e01e75a8881b

SHA512
06759c7929769e1941719d538a728a05ebb6bf723012da4123e28b8921acc69ac12b8112df571b91ef7677ce94f4dc2723dab67af7fa4ebe3d65364c7bfa414c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rckcMEMo.bat

Filesize
4B

MD5
a118ed700c4550f721b583698ffa94e6

SHA1
94a1e8dae863df67577eafde9170b89b27e6c0e0

SHA256
1d506e05c48266dcf59a61c248ee11e1de7ca002e7f0b0a5f68f4ca88f9511b4

SHA512
7fb8f57d7aeb2a85e19a9be0afab60cfab45cde4137b6069b702782bbbe509a32c9e755458d76705ec07fd89e5c6355913878e2d7193a0cd8fad68bc33b2c445

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruIQQwQA.bat

Filesize
4B

MD5
d6f011b2ba325219b14127ee9d3fd432

SHA1
495051ae8609560fc9606bf619c82e8dc1737741

SHA256
b5902d4e6418189e391143cf6b46b88601e35f10baff415304348df34bebd590

SHA512
06817925165b37e83569dd239bc8b7a5fae969b53fd089182850455fd615a40829fbabf40d0ec750feae9e2639d1f7f41776ea0e98ba694ab29cdd51e83edca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruYkwYAU.bat

Filesize
4B

MD5
ed45b55be0a63bb8b2d4bfccd737c907

SHA1
383c53f544b77e5e5e93adec4e8decf31b0da3e8

SHA256
aa2acdb0c6a35377b3e370c6575ef7a9cfdc5d85f061f44aaecf11859754a8cb

SHA512
207db9084c5a3d31d71dcabf636aaccaafc03771c339b6726a37f5bafa196279d85b33ba16c9505dc7aae963aeabd4a9e5531edda929e71ade7b2dc7e89cb81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAgA.exe

Filesize
230KB

MD5
85d02bd6365b63553fb44efbd9872295

SHA1
f91c1f045814c19cae16520ed4a724a3f397e06e

SHA256
111146377db0d0d6366d5b3937bbd08f18c842d9610cee38933b717678d57808

SHA512
5592df9d9cdefb62347aae962a0f4559a6a985f72f19afdfc2a6f87646a7e0a978ec8df3d5111fd00497504db5570b37897a92a4a8012afb0fbbc6b43b9607d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUge.exe

Filesize
349KB

MD5
8f7d5f019c8590fc23f97148f96a2813

SHA1
73aab8e3bc62e1f9066fa3c1e61f603d834340b9

SHA256
5fc2d4133ff0d5d3ab11dcb1e558d8a8150926f84ce4a538d035c629a9a306af

SHA512
06fc513648fff2cfdb4504add117ae281a8314db124c0d23d767b953e05deb3ef34e4338e08ef11e63727ec53c720aaf4d388dbecd92f4407093394fc7269cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWQMogko.bat

Filesize
4B

MD5
666350677f7bcc6c3d26610e8b00a7d8

SHA1
4a71508a517bd70decbcb8b819258f4d7eaa0ce7

SHA256
824d21f37a4b70be8eecc5dad962f8e7fdbea0028198c5302ed06177603c35ad

SHA512
355f4843d63308b81894eab5b69eedf2a3197bb83f6b52c04a39e7c4b494d9f3db18639677493d41b473ae25d5d5dc3070b6a016db90153561d77b38cfc35208

Download Submit
C:\Users\Admin\AppData\Local\Temp\scwW.exe

Filesize
232KB

MD5
d651f516f31df795c142593d04e84b0e

SHA1
f7ad443e0c788e9e611dc00722bb1a6ea83d5079

SHA256
54f32b4bd7f9399233ea2149f0287c8c69e7f192bc435a5fbb0eb89b8f970add

SHA512
5ac69e7c9b9af0a036e07e5cb0b330104f4163f5261a0bdf75113c08f1e2ee8613232821b43ab06a8933f9c6f4c69b80c22b2bc756755c8155aff05a7da3a0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgAm.exe

Filesize
199KB

MD5
9b8d6ca4cc6c53d34e70ea28b9e2fc68

SHA1
33a54fb3295a42e21051bb29755767856bfae354

SHA256
d44369cc8c84962f356167679915cb0ee1f6fec8abf5b510114a4c8eaec92442

SHA512
8938b02b033377dd0eecad075e5e888fc43c7b87c5e21524e3557ff771ccfe6c2cf5e4a3b0ff22e9f65dc3995b77b683627786cf138914f4d47f0f16fc528042

Download Submit
C:\Users\Admin\AppData\Local\Temp\soMI.exe

Filesize
821KB

MD5
86e2953ad2174b3d14144b244dc92540

SHA1
f3738f5f8e05d25975c20b25c71102d230721028

SHA256
64fcc0fd79e28e0374e3bd53288c7dd41dbaef510058843292de3948440cedc7

SHA512
7e16bfcd5d8401f50c38c853b68776cad8297e3029273f487245d8f3af77525c788a6d6a42d0d2305382c24ba65fc9b51dbe1145eda48e80c63ba7be96cce957

Download Submit
C:\Users\Admin\AppData\Local\Temp\sokE.exe

Filesize
248KB

MD5
5acbe1b56198b11ea27e9d8c443069d8

SHA1
1fd27126387ad3806cdc20ea252b27e18d363334

SHA256
d98fbcfe484e4f6ba35eea81313db1ad72618addcdfeb61e08a1f8cb9a74e10e

SHA512
30a52e33d03753024ba1335b5c4d058f06e9b74dbd17b9d28631ceebd2f94b895c9edaf9bcb6e6ce2d382b5d106f21c7474443f7cd8a7aebb7055a3e581cb1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYEYUUQM.bat

Filesize
4B

MD5
faac7d38e8f30d9e3003bdcb4283eb63

SHA1
0fff0924ccdb57bf5c53ac6313ed0d73e5f06e71

SHA256
91d22126182db624cb0fff521a3318798dd8e42475fc5b0c8d92fccb3611031e

SHA512
d2fb81e8ecae3884a91e1df49d64808fc11f45da66cdcb6af5aa0d3459d23eab053f6dba13ad70062d3bc2241a1742c8c1284e254b56f8304f56b5a0f393d8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuIkIsIQ.bat

Filesize
4B

MD5
b9e12f4fb1e28d408d0909db22493665

SHA1
73bf26184e41afec6d74d0ecd7dc010bad4bdf3c

SHA256
b70f893c33a80d6e1d9622833f9e94607553b588ac876a9a1baae6ba9b33a55e

SHA512
543161ce639a6dfca508277a13ba58cb79d4bba2d592e05c56729068f1bd7773fd5bc67a87847f194822dd0ed5a8cc74a2853c03baed7d3c6dd5127e90f5ee35

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEQEssEY.bat

Filesize
4B

MD5
5816db3651faea44a0a4a59295f34cad

SHA1
cc5d080c046c913ac3be4de9d405b32b08716a31

SHA256
cdca1c1d3119cf2abb8e42594cb6f9fe15366552c634ed1f8df99ec48b9b3080

SHA512
9f45c11e22e7f8e169dbb41629f36cfeca61938ff23ef0dadce1e883d7fc7674c1f14af0800b635bbd3b45ca9cff4a26291a83bc75ca12356e66b7b140012158

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIgg.exe

Filesize
205KB

MD5
3597c0322e81a21d95bcf67902839e0a

SHA1
548ca71f6f8553b7999ae8fbde2203c4f057268e

SHA256
7399a62e67847cd476fe1233d046810122dbffe43fe703a23c749cc52f899548

SHA512
5f6e35d355e3f2c7c86dc4075a9008a6a2e75dd56054e41a046b608147f20e5fca47ee6f8fc682452b7d1de02a64b6dd5405da1d3503356bf0ee0352cdc702d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMIo.exe

Filesize
4.1MB

MD5
a0122914fea0faba0fdcb600e3d8ef60

SHA1
1a6d624932f52b0ed2e9ff3b63954d77eeb0f5b7

SHA256
250c63a306fbf9886ec29a574a92d5b5624ef77cbd9260f24ddc06b4694857f3

SHA512
42bf184c9b0d10373438795f7f1d204c3d811d41e8201d9729fc2d9e7f0cb59daf6290ac81fc88f82c47d81c819ce97f446e55793b05a047213b3de408f3ff61

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwcIAgY.bat

Filesize
4B

MD5
a24791ca546340df839a865d957a0b0c

SHA1
0f6154da4607d27e44aba47d35765c90ce5c4bd1

SHA256
9ef18472ff90bddb353d5b11762a1db4477f10753cde6098c8981b1ba6ac4553

SHA512
cd69dcf3edd9b316731ee2654390d319065ae82364569f1f9d8825505fc655656841546316ce6915777385e00c0fe336f39833033a325abc393d291288e88bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiYIMgQs.bat

Filesize
4B

MD5
61f1a45c2bdbb38f082bcdf7a8900bb9

SHA1
ba907a8640f2e140e0bfafa13ea9a01e55d6628f

SHA256
44e46977d3c777976ab2ad8ce8e12e9995d080d389cc9c02c65123d2e89a4ede

SHA512
3714e126a82b5ed5744925e15ad48d93c3f421af1c3a2f5833f850d73cc007f61bcaa4460483676c65bd41e3d92b72932637517352dc4b3920c1fa43f64502e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwogkUQg.bat

Filesize
4B

MD5
16968eb3b1197d902bb64d43d630a34b

SHA1
1e8c87278061e20409b91cf0629bdfd69d51ff74

SHA256
534c25e2c6ec9df30c8468619ae451378c30e427cb22aa29072c0568c9e015aa

SHA512
102a9f9cf9301868a7d09dabed71d09ec0423202647ffc0a6761ece2b841816a83e2586c070cef1cbec28504aeb773e83dfe61079b4eb1ad9478137ac234f6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIAogIIA.bat

Filesize
4B

MD5
e3a81722f3d9be94bb5f2661c52021a2

SHA1
20c2509f9ad7a49f1f07e85bbd9e43d61178cf83

SHA256
2c155f11f3fbe8865614357dd9ba0d68a5baf9517d9f61e61821bdafdca810a8

SHA512
e091b9d3d384aa482f56da6d0764892ba7246b4f85fa4f625ebce5d703d5e2246b361b08b05de63cd50f440130474dda119459bacf593af6551e12484f810568

Download Submit
C:\Users\Admin\AppData\Local\Temp\vWsMYcQQ.bat

Filesize
4B

MD5
4386a223bc5fcab7e261bcb2a1c7900b

SHA1
ecb492231de5c7d6b67a69fa9e2f4093165da82c

SHA256
7e072309244167cd9489188ee8cf3f0e644c412d73822eb576707008b31c7672

SHA512
454f81a9650f8f2cc53d7bf8059e6d2e8c4392d6d3960f0cd72aa6dece19bfa09de7dc0f3d837da9d1e053f925bb9bce7b99fd6caf752a36ff39f6903bd55deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\voQoQwYw.bat

Filesize
4B

MD5
87b1f0c4e01e7484bb2e2552502ee954

SHA1
bb8af59fd0db060b3461fca7ecc871d4d036fbb4

SHA256
ce2b2a646dfd6a0979c28d1c51e5a2a261b62aeccc4ffcb98abd19b9d53d9a74

SHA512
67422968826966ea495847422ab5f299c5deadaf6ca65942363afeaecbb5686009ba28b21f7db0bbbbee59014afdc7b48d0c9eaa5f94e3e7a9573cdac408dcf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAcS.exe

Filesize
226KB

MD5
aefd73564bc5358f51761bdcfab5f1e7

SHA1
82e3840f2b861378b9957d9dbf916650c5014ed0

SHA256
efaa7261d26861428d8070d47e641fda45c542d698f851a58ab66bbbdcc822eb

SHA512
f84aff90a8145ab34dcbe325f89de6ee649670d80f63f3e329d90b83d7ec25145f64dc63395d6003a995bf4c682d6d759da5f8b4b7ebb728f9cfe9f5120f4618

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEMIcwgg.bat

Filesize
4B

MD5
fdca4086937032d9a97e52b2e6dd14d0

SHA1
8b59f6cd1a8d7e31cff81c5f80defd9d566bd6bd

SHA256
aa73c86488d833c073dc7dec60d40d47b6d05ce0168393cec057155abcab45f9

SHA512
d01a5940ba6f1a59390a83e59dfc936867d2b038791c3de0fa22b188f59ef767ce58e8887c44d1441beed345f485859c93f02e6b67212d5a718598a3a16c113e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wGwEUkwM.bat

Filesize
4B

MD5
5358d8d3ed98baf1ac1ef6152dd09bd4

SHA1
39fdbaf296ac4b44618e9c8ebc2ac101855f5e4c

SHA256
8d01d92ec39b5403471d01ba0e1823b666b9b8d6e1344d0932804bde2421cf16

SHA512
1a856b3063244baf965c5d3e809de4305a002f8606e555836459e56a3d5cb6da8f78cc9b3b7dc06b3bc4a906f02443b49ce3b1ad1dada7cfe984fa87ded7d7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQIA.exe

Filesize
234KB

MD5
850712922b3cdfb3cd9c5ca9054a5c92

SHA1
99eb4ffe808dd726f1d3e340b119172afd8e25a8

SHA256
3c4162ef8fc05b40b69a72cac5bd3fa8c4af9a47d89ce8464bf423fa33812323

SHA512
d15c0447fe0d36122708f0ce3ec80bae773cc7af2f650ea0d882aa4d4bed4c7f560b49e1e666fe2f31cbb99c349a9509e0388034bc9b1bb8b6c52789d7762fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUkc.exe

Filesize
537KB

MD5
351b191b7839f5a5ae446f7237a2b9fa

SHA1
54068ae6b95212a3f6bb6d5bde553b1f9a1f9e6c

SHA256
ecb0f6e32e6a752fed512ce6ddfecaa456399000bf36e2357e7d18081258d451

SHA512
875d6b02f7446667ef041f24bda655fc278e248e1c29e08d1eb666afee8945e54973aa032fadab1a409e8393a30fdd6c1834518ec2cd613a27087cad48bb8204

Download Submit
C:\Users\Admin\AppData\Local\Temp\wswW.exe

Filesize
188KB

MD5
03c731be2982c74d976b412db99f8336

SHA1
603ac46afd32db71f80f43f5187df8438f18cb63

SHA256
7fb97285b757d5b4a1eaa9c1700532b01323431957da834870c41d4a70ab106e

SHA512
2b16d6df7507220458f8e86d701a76fbbcc497c394070428ed5e0f950692edfad123c16ad115e39ff6f5ec8aa3196a3402e30be52f52f5b8f105b3e100b84c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWMYwQgg.bat

Filesize
4B

MD5
65854e7821792acb5cf3fd86b98d8d8a

SHA1
c21a2893d53bdfff23f606a40d917247002ae3cb

SHA256
954ceef91ce9178dc06dae8d54827f4efe0602166eec9cf4d4c5c64676f8856b

SHA512
13c7ec4f1ab6b0f11bb0069f9abcadaa6ee0ffe5a6bd0af13ce1f291707795b5f51af4eb2d2d514c3da2ff4a659aad2e392446e47700bc10dea160968c7efd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkwooQwU.bat

Filesize
4B

MD5
92f87b6af2961ef7bda8f2a2d5fecd40

SHA1
6cf5952e561c10a76adb03165f5f78069155bb56

SHA256
33f2126f32108a38e870743a6ff0158981bea1a91e6e759e8a04f0da6405888b

SHA512
de771acc53f601f76fa4feddcd8a63daccbf1b770f0e68fbe72a9ade66012e64b73daf67858f8ee3fd58573b8cb831ef5aab01a389bf9fe6cb7cef506cbd4536

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAIk.exe

Filesize
953KB

MD5
efbecfaaafd51a82617292cbde938b85

SHA1
d276c2a65a50530eca9bf648994839372a0d8903

SHA256
e0c4f80953310682f0ec5689e6cd23ddb2e87384181b63086b013f4620d343b1

SHA512
d18ac4e017e6634fb910b5e45bf6fa3cb7448aeb5860a84c1cd920bc29d1dc29eebe73eda0b4a7c48cf692eb9ce7aeb79e0f8454899795b2a268d7bce52f9263

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMQA.exe

Filesize
460KB

MD5
932372fe0729e62a57d190851070b301

SHA1
2f2dceb63f6f323f1296fda453e78dbd1eadf5dd

SHA256
307f3d96ff89d0d53d393dcd5fa253a41e4841919c46f23f4ce39d96bbf902cc

SHA512
beef5e883b01252433ce0fd7bf53e3b9b137ba0a6a1a9f1e5108a254a4d9ac71c84497cc72c5a096950ebaf0fa40729280f704e3d3ed657d25a37c0ba15fa786

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMQC.exe

Filesize
239KB

MD5
bcdfe6349e65af7ba00f8ad02f804314

SHA1
6478652f1b28d9604db8d12575418d88916e8c1d

SHA256
d863e6221cf8e8d3e7ce105ca765a196fe5a94ad176155e886a3d30e474ea49d

SHA512
3de6f031aed9ee60edfa74abaafca8c442037b6cc79b90dbdb54a8f60a5bcba1c4de47961be0c394713ec1e1d407230aba3e3d0beb0e77fefc59f57d56447738

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMkM.exe

Filesize
427KB

MD5
8ad1105c6fb2ad5bd9d44b35f877fdd4

SHA1
43e5a2fc166a74a24a59478558b7510c7696e8e1

SHA256
373a1875d4a4acd905d7c93503d54c5322320817d55abdfc48738517ff358da8

SHA512
b2997b2942c76a8c64895393366aaa0e343ee29b274ca3abc18ec24486347b09abf25d1d26d8befb7343e8a74dad9763f59b337cf2b1244e10ab93d82b1c1b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQYU.exe

Filesize
445KB

MD5
d8bec654f626d446511206323bb7e1fb

SHA1
cfceb40f8b4b6b54c703af3f62900076df720cc5

SHA256
0c739d031dafd8ac75fc1a3c6a00075cc12936e90797175604a432e5115b7382

SHA512
ef2cbeeee25ae29bafb74821728f7ee2bec2cbd6939d200dd5f78b7a142f4ab4ce2492148e0f53b54eb8543fb39a61fb64932d7bffd387f6af10d2acd1263a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQsc.exe

Filesize
231KB

MD5
95d0bf3a4f47b8803ba8327c0abfb27f

SHA1
5def9528d456944ba8f480fb5f1d2b539365c142

SHA256
9a21b91b5abc3fd6b1d9441dd222bf3e0801cf58342c3708ee12018c5f3dc5d7

SHA512
d0493f80d5bf2301a4d59151a641a870d9e12978012a3306f8e21458c333087d5d1769ed94b9f0da50652404d47c4c158202f6f575ad8c6d58d3127cbfa878c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycIM.exe

Filesize
527KB

MD5
ea9207d65d0a33e17525774cca3f265f

SHA1
385f12b3dcecfbef342e8897cd96a607d9186f79

SHA256
30fdca6ec25bca4eb208f59627813d646fc3fd3d7ce0e7e7206b151ec130274d

SHA512
752b91d0deac4165dcf59b7284ced4e528623c934f4369cb0a670921bb51de5cc85c85fb0cc07a35df42e9545790a3299788521c5db5f500a966f941037c47cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygcQ.exe

Filesize
745KB

MD5
ce3eff505d67083346bcafb93d9c9655

SHA1
4ac12f80712ec73913addfbdd7e36a5ad56428c8

SHA256
7fdb999a250c42a37063175549494634b477a2b2a900b327cbcbd78a00df08ef

SHA512
3f4fe0e6ca2f2c1af282dbebd8c6f827ddc7d0459861950bf4329ce7e5891d4678de8e5918237945eaf04966a84b6f4515662b45d10e706d9792e26a850344b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yokE.exe

Filesize
198KB

MD5
fe461281a911edcc50a004f6354ae5d2

SHA1
6534bd0c95c322fec14d251569a80946ac0ce086

SHA256
fec2ba5faa49f3e7854602f7d25ba20cde1542a927f2a745ce57ad9b4cc94ba9

SHA512
0f98d38be45e51d86ca9cab03bb92f7c7f54de0ed696b430b4e775800c1585528470f034569bed49da01530493f653980432a2084f0768db029aa69e00772de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmYQAAUQ.bat

Filesize
4B

MD5
0ee1d7239658bc193bb17027da7ff14d

SHA1
7fd252c7e147e9fa7fdb2c761bffbdb1c9742e4f

SHA256
6a36d1c27afd9633979d72c835fb9981ef78ad7803eeeb152ae0a69ade64fe19

SHA512
d1f2391d553dec179fcf2bed31d82cad4fa5ebef3d3299dbf9329c241f4d703b504bcd61a33db4bd71c538cb7ceda82fbda4d2c9fcfac730ee575699ad8dd3b2

Download Submit
C:\Users\Admin\aigsIUkA\fewcwEMo.exe

Filesize
189KB

MD5
6bb807ad6ae1b50264031087198a7448

SHA1
e19be0098ab4de4d91be3cfddda86b8a631a02b5

SHA256
ef9f9c6852422c01ab1c48775afe21e57145bcf0f3255834e15a024f3defeab0

SHA512
b8bcd7b4268669f6e7830965ac57c008cf206bc26bc806bbf0eeb624a5649def14e17b6f6c4ba82b4b1a82d5e13c9873c0fc97c48e0c8add4dfb2a4d7a66aa48

Download Submit
memory/316-258-0x00000000004F0000-0x0000000000522000-memory.dmp

Filesize
200KB

Download
memory/408-393-0x0000000000130000-0x0000000000162000-memory.dmp

Filesize
200KB

Download
memory/408-392-0x0000000000130000-0x0000000000162000-memory.dmp

Filesize
200KB

Download
memory/640-268-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/640-752-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/672-460-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/676-732-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/700-312-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/760-357-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/828-100-0x0000000000360000-0x0000000000392000-memory.dmp

Filesize
200KB

Download
memory/836-482-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/872-123-0x0000000000520000-0x0000000000552000-memory.dmp

Filesize
200KB

Download
memory/892-473-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/996-541-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1032-430-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1092-573-0x00000000001F0000-0x0000000000222000-memory.dmp

Filesize
200KB

Download
memory/1556-865-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1584-179-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1584-149-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1588-723-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/1628-801-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1628-831-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1644-713-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1644-222-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1704-864-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/1704-863-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/1716-57-0x0000000000360000-0x0000000000392000-memory.dmp

Filesize
200KB

Download
memory/1748-638-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1752-370-0x0000000002290000-0x00000000022C2000-memory.dmp

Filesize
200KB

Download
memory/1788-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1788-27-0x00000000004A0000-0x00000000004D1000-memory.dmp

Filesize
196KB

Download
memory/1788-29-0x00000000004A0000-0x00000000004D3000-memory.dmp

Filesize
204KB

Download
memory/1788-12-0x00000000004A0000-0x00000000004D1000-memory.dmp

Filesize
196KB

Download
memory/1788-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1812-771-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1848-704-0x00000000001E0000-0x0000000000212000-memory.dmp

Filesize
200KB

Download
memory/1848-703-0x00000000001E0000-0x0000000000212000-memory.dmp

Filesize
200KB

Download
memory/1900-853-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1900-822-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1928-610-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/1940-502-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2004-110-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2016-843-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2020-402-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2024-379-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-87-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2196-124-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2196-158-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2196-531-0x0000000000150000-0x0000000000182000-memory.dmp

Filesize
200KB

Download
memory/2272-791-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2276-844-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2300-412-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/2352-148-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2352-532-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2352-559-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2380-281-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2416-675-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2416-693-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2468-600-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2472-34-0x0000000000170000-0x00000000001A2000-memory.dmp

Filesize
200KB

Download
memory/2472-33-0x0000000000170000-0x00000000001A2000-memory.dmp

Filesize
200KB

Download
memory/2524-810-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2524-439-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2524-782-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2528-512-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2548-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-821-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2564-820-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2616-781-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2620-673-0x0000000000550000-0x0000000000582000-memory.dmp

Filesize
200KB

Download
memory/2620-674-0x0000000000550000-0x0000000000582000-memory.dmp

Filesize
200KB

Download
memory/2636-336-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2644-213-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2668-28-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-571-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2680-245-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2708-409-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2744-326-0x0000000000140000-0x0000000000172000-memory.dmp

Filesize
200KB

Download
memory/2812-101-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2812-133-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2820-619-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2856-582-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2884-200-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2892-629-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2892-672-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3000-407-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/3000-410-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/3000-4475-0x0000000077880000-0x000000007799F000-memory.dmp

Filesize
1.1MB

Download
memory/3000-4476-0x0000000077780000-0x000000007787A000-memory.dmp

Filesize
1000KB

Download
memory/3000-2335-0x0000000077880000-0x000000007799F000-memory.dmp

Filesize
1.1MB

Download
memory/3000-408-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/3000-2336-0x0000000077780000-0x000000007787A000-memory.dmp

Filesize
1000KB

Download
memory/3000-418-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3028-521-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3036-303-0x00000000001F0000-0x0000000000222000-memory.dmp

Filesize
200KB

Download
memory/3060-259-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3060-290-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3064-742-0x0000000000470000-0x00000000004A2000-memory.dmp

Filesize
200KB

Download