dad6ab102599c5cb76607a39bc989acdb3f0caad236d54965845e1f52ba64227

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Size

204KB
MD5

3b885ddc27f542ab37b2396c624636bf
SHA1

3c572136ba01a9adf1645e0ec29503be85a4fabd
SHA256

dad6ab102599c5cb76607a39bc989acdb3f0caad236d54965845e1f52ba64227
SHA512

a5c1a367099769def5aaad14efb353616386bd85aca6dac684c33d3abbc29ace0cdc4914307a2464f3028c90a95e07d316235542470fb5eff345111b1bb6b5e2
SSDEEP

6144:PBCbU10CHdesprzuj8Vw7fNiu19xDkxdWrdc4cysWfp0ttPsYVoIBcNrLt/dzZ2X:T0Yrzumw7fNi09xDkxdWrdc4cspMPZA+

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (60) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	BMwoUEsc.exe

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2156	cKowcAQc.exe
2444	BMwoUEsc.exe

Loads dropped DLL 20 IoCs

pid	Process
2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\GmUAwUEk.exe = "C:\\Users\\Admin\\wyEccUUs\\GmUAwUEk.exe"	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tKsQkgIg.exe = "C:\\ProgramData\\niMIAkwI\\tKsQkgIg.exe"	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\cKowcAQc.exe = "C:\\Users\\Admin\\EWcAkggE\\cKowcAQc.exe"	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BMwoUEsc.exe = "C:\\ProgramData\\SwcQUokc\\BMwoUEsc.exe"	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BMwoUEsc.exe = "C:\\ProgramData\\SwcQUokc\\BMwoUEsc.exe"	BMwoUEsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\cKowcAQc.exe = "C:\\Users\\Admin\\EWcAkggE\\cKowcAQc.exe"	cKowcAQc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2832	1928	WerFault.exe	1401
2004	3032	WerFault.exe	1402

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2344	reg.exe
1260	reg.exe
1300	reg.exe
1624	reg.exe
2360	reg.exe
2952	reg.exe
2100	reg.exe
1964	reg.exe
2640	reg.exe
1808	reg.exe
3012	reg.exe
1884	reg.exe
2064	reg.exe
2224	reg.exe
1776	reg.exe
532	reg.exe
796	reg.exe
3056	reg.exe
1880	reg.exe
1884	reg.exe
2080	reg.exe
2964	reg.exe
2344	reg.exe
2600	reg.exe
112	reg.exe
1552	reg.exe
2004	reg.exe
2420	reg.exe
792	reg.exe
2388	reg.exe
1932	reg.exe
1796	reg.exe
776	reg.exe
532	reg.exe
1496	reg.exe
2792	reg.exe
2584	reg.exe
2688	reg.exe
2920	reg.exe
568	reg.exe
2340	reg.exe
1132	reg.exe
1040	reg.exe
2772	reg.exe
1756	reg.exe
1948	reg.exe
1152	reg.exe
3028	reg.exe
960	reg.exe
1976	reg.exe
2900	reg.exe
2532	reg.exe
2596	reg.exe
2664	reg.exe
2920	reg.exe
1792	reg.exe
2704	reg.exe
2596	reg.exe
1596	reg.exe
1132	reg.exe
2028	reg.exe
2532	reg.exe
1300	reg.exe
2648	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2296	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2296	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
300	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
300	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
3012	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
3012	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
1544	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
1544	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2128	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2128	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2316	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2316	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
1300	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
1300	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2656	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2656	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
992	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
992	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2388	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2388	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
1496	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
1496	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
3044	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
3044	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
760	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
760	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2496	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2496	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
1020	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
1020	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2240	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2240	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2788	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2788	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
568	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
568	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
1504	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
1504	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
772	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
772	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2228	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2228	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
776	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
776	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2828	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2828	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
1552	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
1552	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2232	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2232	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2288	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2288	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2092	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2092	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2196	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2196	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2284	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2284	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2328	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
2328	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2444	BMwoUEsc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe
2444	BMwoUEsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2156	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	30
PID 2364 wrote to memory of 2156	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	30
PID 2364 wrote to memory of 2156	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	30
PID 2364 wrote to memory of 2156	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	30
PID 2364 wrote to memory of 2444	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	31
PID 2364 wrote to memory of 2444	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	31
PID 2364 wrote to memory of 2444	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	31
PID 2364 wrote to memory of 2444	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	31
PID 2364 wrote to memory of 1876	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	32
PID 2364 wrote to memory of 1876	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	32
PID 2364 wrote to memory of 1876	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	32
PID 2364 wrote to memory of 1876	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	32
PID 2364 wrote to memory of 2688	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	33
PID 2364 wrote to memory of 2688	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	33
PID 2364 wrote to memory of 2688	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	33
PID 2364 wrote to memory of 2688	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	33
PID 2364 wrote to memory of 1628	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	34
PID 2364 wrote to memory of 1628	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	34
PID 2364 wrote to memory of 1628	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	34
PID 2364 wrote to memory of 1628	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	34
PID 2364 wrote to memory of 2316	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	35
PID 2364 wrote to memory of 2316	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	35
PID 2364 wrote to memory of 2316	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	35
PID 2364 wrote to memory of 2316	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	35
PID 2364 wrote to memory of 2744	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	36
PID 2364 wrote to memory of 2744	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	36
PID 2364 wrote to memory of 2744	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	36
PID 2364 wrote to memory of 2744	2364	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	36
PID 1876 wrote to memory of 2604	1876	cmd.exe	42
PID 1876 wrote to memory of 2604	1876	cmd.exe	42
PID 1876 wrote to memory of 2604	1876	cmd.exe	42
PID 1876 wrote to memory of 2604	1876	cmd.exe	42
PID 2744 wrote to memory of 2712	2744	cmd.exe	43
PID 2744 wrote to memory of 2712	2744	cmd.exe	43
PID 2744 wrote to memory of 2712	2744	cmd.exe	43
PID 2744 wrote to memory of 2712	2744	cmd.exe	43
PID 2604 wrote to memory of 3040	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	44
PID 2604 wrote to memory of 3040	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	44
PID 2604 wrote to memory of 3040	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	44
PID 2604 wrote to memory of 3040	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	44
PID 3040 wrote to memory of 2296	3040	cmd.exe	46
PID 3040 wrote to memory of 2296	3040	cmd.exe	46
PID 3040 wrote to memory of 2296	3040	cmd.exe	46
PID 3040 wrote to memory of 2296	3040	cmd.exe	46
PID 2604 wrote to memory of 1988	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	47
PID 2604 wrote to memory of 1988	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	47
PID 2604 wrote to memory of 1988	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	47
PID 2604 wrote to memory of 1988	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	47
PID 2604 wrote to memory of 1808	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	48
PID 2604 wrote to memory of 1808	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	48
PID 2604 wrote to memory of 1808	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	48
PID 2604 wrote to memory of 1808	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	48
PID 2604 wrote to memory of 1680	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	50
PID 2604 wrote to memory of 1680	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	50
PID 2604 wrote to memory of 1680	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	50
PID 2604 wrote to memory of 1680	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	50
PID 2604 wrote to memory of 1760	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	51
PID 2604 wrote to memory of 1760	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	51
PID 2604 wrote to memory of 1760	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	51
PID 2604 wrote to memory of 1760	2604	2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe	51
PID 1760 wrote to memory of 1728	1760	cmd.exe	55
PID 1760 wrote to memory of 1728	1760	cmd.exe	55
PID 1760 wrote to memory of 1728	1760	cmd.exe	55
PID 1760 wrote to memory of 1728	1760	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\EWcAkggE\cKowcAQc.exe
  "C:\Users\Admin\EWcAkggE\cKowcAQc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2156
- C:\ProgramData\SwcQUokc\BMwoUEsc.exe
  "C:\ProgramData\SwcQUokc\BMwoUEsc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        6⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        8⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        10⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        14⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        16⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        18⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        20⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        22⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        24⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        28⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        29⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        30⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        32⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        34⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        36⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        38⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        40⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        42⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        44⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        48⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        50⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        52⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        54⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        56⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        58⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        60⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        62⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        64⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        65⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        66⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        67⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        68⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        69⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        70⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        71⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        72⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        73⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        74⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        75⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        76⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        77⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        78⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        79⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        80⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        81⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        82⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        84⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        85⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        86⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        87⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        88⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        89⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        90⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        91⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        92⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        93⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        94⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        95⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        96⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        97⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        98⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        99⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        100⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        101⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        102⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        103⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        104⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        105⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        106⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        107⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        108⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        109⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        110⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        111⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        112⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        113⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        114⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        115⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        116⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        117⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        118⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        120⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        121⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        122⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        123⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        124⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        125⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        126⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        127⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        128⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        129⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        130⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        131⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        132⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        133⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        134⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        135⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        136⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        138⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        139⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        140⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        141⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        142⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        143⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        144⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        145⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        146⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        147⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        148⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        149⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        150⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        151⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        152⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        153⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        154⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        155⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        156⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        157⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        158⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        159⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        160⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        161⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        162⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        164⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        165⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        166⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        167⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        168⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        169⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        170⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        171⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        172⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        174⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        175⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        176⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        177⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        178⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        179⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        180⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        181⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        182⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        184⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        185⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        186⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        187⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        188⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        189⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        190⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        191⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        192⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        193⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        194⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        195⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        196⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        197⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        198⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        199⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        200⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        201⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        202⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        203⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        204⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        205⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        206⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        208⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        209⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        210⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        211⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        212⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        213⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        214⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        215⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        216⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        217⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        218⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        219⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        220⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        221⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        222⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        223⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        224⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        225⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        226⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        227⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        228⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        229⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\wyEccUUs\GmUAwUEk.exe
        
        "C:\Users\Admin\wyEccUUs\GmUAwUEk.exe"
        230⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 36
        231⤵
        Program crash
        
        PID:2832
        
        C:\ProgramData\niMIAkwI\tKsQkgIg.exe
        
        "C:\ProgramData\niMIAkwI\tKsQkgIg.exe"
        230⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 36
        231⤵
        Program crash
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        230⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        231⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        232⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        233⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        234⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        235⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        236⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        238⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        239⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        240⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        241⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        242⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        243⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        244⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        245⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        246⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        247⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        248⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        250⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        251⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        252⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        253⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        254⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        255⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock"
        256⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock
        257⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWsMAAAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        256⤵
        Deletes itself
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMcEkoEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        254⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rAwMAUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        252⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YiQgogkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        250⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSooQEoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        248⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SeIsocwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        246⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies registry key
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\esYssEcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        244⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LyoscsMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        242⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgEEwYMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        240⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCEAsUEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        238⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BYoUIkEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        236⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQYgggIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        234⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iMAsYgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        232⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cSYUoMkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        230⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EYAEkoUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        228⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wskUYwsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        226⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcAIYckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        224⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWsUgYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        222⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmAcEosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgEkgMws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        218⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iQUookAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        216⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEwswAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        214⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        Modifies registry key
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGgIwgEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        212⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OycgMUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        210⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\racgsUkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        208⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fKEsckgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HksIUsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        204⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGoUcMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        202⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OSgQsIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        200⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CWUUEgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        198⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        Modifies registry key
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\miswYgEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        196⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aOAwIksI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        194⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCcEwAkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        192⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqUYMsAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        190⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMwgYsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        188⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgUAAQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        186⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KegAocAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        184⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqAYAIEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        182⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iMgkMUso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        180⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKoUYwcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        178⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEYUIEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        176⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGowkAIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        174⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\beAgggoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        172⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMwkwcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies registry key
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMMYskUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        168⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QWggwAoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        166⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QGYYQcYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSIQcMoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        162⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yqAUMwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        160⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jKYAIAEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        158⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies registry key
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XSQYwkQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQcoMsEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        154⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HuwEcIss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        152⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EocMUYQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        150⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KkgYUgIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        148⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oUwUgIcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        146⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIgosAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        144⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOQYEYYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        142⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ncIEQoEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        140⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XOwEMwQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        138⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HaMsAgAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        136⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CKEgIEAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        134⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\osUEgAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        132⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GccUkwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        130⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CkAAIQQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GqQgIMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        126⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xaocQkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        124⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rGYMAYIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        122⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rOgkwwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        120⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwgcEoss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        118⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PuEEIQUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        116⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiAoEEAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        114⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wQIAwAkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        112⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kEsoIAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ImEQEIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        108⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tAUsIsIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        106⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hoEgMQAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        104⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rOAkkkwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        102⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGAcgQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        100⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KyoQYoYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        98⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmswYEsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        96⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OUQYgoIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        94⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuwUgEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        92⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZmowgkEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        90⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pkoIQook.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        88⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYYYkMkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        86⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies registry key
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rgIUEwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WIoYUcQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        82⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qyEEkkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        80⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WmQUsogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        78⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKQUMcgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        76⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQcMIQUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        74⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XYwMcQcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PUEYsoMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        70⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkkIQgEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        68⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAkMUgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        66⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aSooggMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        64⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUYYgcgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        62⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sGoMMQQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        60⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NMwgwEIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        58⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xIkAwwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        56⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JWcMkggc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        54⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ViAMUoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        52⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gqkoMsIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        50⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OUUUkgko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        48⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAUooEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        46⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIMsQocA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        44⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WeIgMUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        42⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pYIwEMYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        40⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zOIIgcoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        38⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lcAggUks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        36⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fAUogcoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        34⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYQQYUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        32⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tyUIsgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WosYccEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        28⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yYAsUsUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        26⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GIQIMwoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        24⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOgogwkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        22⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAQoMQsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        20⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSkEsMYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        18⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xiEQscUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        16⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGUgoEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        14⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WawYEswA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        12⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\skcAgoYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        10⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cAYgkgso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        8⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:792
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1288
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2032
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:112
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CicgsUEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
        6⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcYgYosc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1728
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2688
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1628
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwcEQAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2025182755-17038512391701384393-17171752991040032673-13936506277330063291561331292"
1⤵
PID:1152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19077237341444991824-69037588-1807213618199583686012530355491010932621294609622"
1⤵
PID:1032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1581266029-1940741934-213836717620184556711480599898937418025-1160201670-196195891"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "495448590-748451854-509970867937659330-1489322620-109293977320473831301587498033"
1⤵
PID:1816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2294161031735246436-16255960122143971341-3706275925083035515085657752097192771"
1⤵
PID:2940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1875712501739704663-8869649068577997-211533521178843292330247433764598050"
1⤵
PID:2092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "336215889445745813-2029505876114115958125579071932411264310208502261076307947"
1⤵
PID:1228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-781614786-1384823697651715809365622656-1695840481482261588-1319358371-1004627249"
1⤵
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-46702834320332630771124749031173573859114571772601365959265-2670137591292263702"
1⤵
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9388743624796036941451596686-930466658105372701922366865-1322432810206734344"
1⤵
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1594277050803806311-1844830808-438140718-452330316-4762838572047173931-1470759609"
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-72154907120399507261274662218734750992-174579721-620470575-1917759427-1965494672"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1447467651835402083-760135888-12781977041463281419498735311-670835684-888755031"
1⤵
PID:2312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-897212719629510884-10820345051987418515653739048-1785027535703486419-1072558633"
1⤵
PID:2496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18775625701042758072-989327611-15274322631679255381852226646-493450036-2042960976"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16201812911292614829-6478029441706136388-15376706711319346678896989708390444393"
1⤵
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-142482867-1477118199-475598945156855807-14537008535328445731285013476-176096160"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1432699112-5004631621648082073-1991483189-1451630163-191067047414262595041256462401"
1⤵
PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1399149911479204418-460742016457782801417441500-1434713329-1887494266-1729276969"
1⤵
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "630651388-1214029114-16728472051260862968165785757310124244761787442143833637718"
1⤵
PID:912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1466502139-15446137212140558983255618910-778169593-943799078-1185096958-108279202"
1⤵
PID:2892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1747262284-1064547525-1439353614204204852820625321841687156851-920243495-1093446564"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1333495305-173985551-1288219365-1341847608-1880654910-81166512667407517717377733"
1⤵
PID:1216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1487201655-8782681411625871606-1191357966806504773176400221379799153-1463459888"
1⤵
PID:1956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3224341871802934172999235412-1622185228-14311429631730621805-216332221-1127759553"
1⤵
PID:2080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "80527082-512037819-788024066-36002050915257378611174494209583745924301356474"
1⤵
PID:2380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1616639576149994666015572234-12544897241419740981-95390026919750842511808507073"
1⤵
PID:2580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20017172528497853335861885539856266911101972092-641053738-8936084491681096577"
1⤵
PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "366388288-21079538241816512522-800105404-17590593461313578814-17978986891634346570"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1002938605-1315424216-256485912-57531267719826044281126127336-3068024711912117382"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-443332697746281513627708331-5838749501074961486-101852793864477512906338299"
1⤵
PID:1868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-213411565-371870387-11901984101034605400712893507-1560773958-1179637132323641142"
1⤵
PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "263492232-265087669571950703-1633979959-1249606933-4087236792117403369-2040903686"
1⤵
PID:1776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1844140367875138009-88767973314242286541237045323605048709-653265462-946507043"
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3495572142131777257899241451614345975204061995-968835387-5086377671693806714"
1⤵
PID:696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2138991655171360764663601522970382663-3746342131652602443-441645415-1632605634"
1⤵
PID:1880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-952785857-12780404242096714792123972005853378-121836654112563555382121435469"
1⤵
PID:1836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1000779793-6497853321590054704-395484817-849355664-199765397-11297856621820709798"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "497164035-1510563003-1330616899116782600512561532706273310291680628416-774736385"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21139794879493203541473615205-47028615129313394728685519-33909652841350470"
1⤵
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "699819479-1649632176-97628853-638284121-2030161867-1136550557693054378878517082"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15838395789767377711366580120640741891-1286510423-445958600-1347466943-2019803850"
1⤵
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "338860429-246916974-1819075236-259597166915779951-1432981587-1768933132318391740"
1⤵
PID:1040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-305557793-453506061-8798499-1905341351557883031-1060183939-2065148175-508114604"
1⤵
PID:2920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9292909741404667020-139182488-19830570727568883-2141781684-135890007-1268037826"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3415059911419470445-416808922193734090-224241387281205697-11477286401414159746"
1⤵
PID:108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14670725642040607251291275281855493515-1392015446-1629966552-220340412-618810517"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-496016913614753407-1952356471620268687426157685-585970201548333554-586816554"
1⤵
PID:2892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-127270855211061201851451214287209838591-4422725481413826602-2136556666-562642624"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1501247995-547669773-1662704248753791972-366679126-200149615217720140171620626110"
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1757219182-176047130065659572-255145799-205472340631233496-1038905274-1747085927"
1⤵
PID:308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "472813329144391415119255680662061516135-625781302103898095-14946886681977067435"
1⤵
PID:2612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7098458811002820236-1275971993676495663111503844167831748313468998971067768030"
1⤵
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7523742611973700353593618454-443995430-17743034301166846331-1122041747164369213"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-637680062-520306844485519968-94446704-1049351234-1987217901199916449-140036726"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1070814109-11152602701881600036-187796002287531221766389800241121760-729618204"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "152925080916993993902021645867-18067580292015641131-15664249221006154946245212440"
1⤵
PID:2184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "83057301316290262692141321341871596191-1186971574-51047742-821159462164951640"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "988408640267091011-2128609660-569833035347274237581056416646062851438251109"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14493519512094949304222100269-314805308-1761877310-126346696-663961140-2080983132"
1⤵
PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3816810702246710022052131425-584087887302910113-506476146-944480530512088908"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1514483614-1513072417-6454031701102170474-457825931946744993616946400225467753"
1⤵
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-596563601-727330337-53589591215786585462075458621-103023453-1548138436610147683"
1⤵
PID:1080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1384068686-11605315115088159-986299769-1769685730704456060-1127971626241951831"
1⤵
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
212KB

MD5
4b8870ebd8b0ec7d9c9253bd7980d899

SHA1
68efe97477588b0aad500ceeb007c6c5ab70af81

SHA256
b267c544b2cb535515186e494bcb8d66823c7725f1c9d3682fc3ba2ae2887f8a

SHA512
d407e2f20cc49e48c1e444c871a3f122a3bd1a0961ebcf3f95c2b97af9c186b4b9d882756c7e3ed0e7154502e932e78be982751ad83163a51ded4bac125ce99d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
237KB

MD5
b02e991eb0767d3918fa82a2e64d0b3c

SHA1
04b151a4ba97d0a253cad0afe2945f4a3da64298

SHA256
db8fd93b4303b258b33b75430b4aae8972a38c28b89a00d9445c419dce24aa5d

SHA512
2a8bb6f04f240de63fdb48b475682313e764f385c91a532d3bc0e92b9117a016974b1c779a12338c083f3f2eb6fb1f34ea4a0e34adc17eeb46191e1d6a30afa2

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
245KB

MD5
6f1d86483ce3c8eb1df3162e304c39d0

SHA1
5995fd443de3c744e5f4c5b2bdbdd9b224dfa561

SHA256
690c6b6d6fd4f0521fc348da9606a47f2e70a5843480703c2eb78525cce440e7

SHA512
503634857605eac9ef8cc1f1515e7261a9f33c7279aee187f1984589828c609a5b1681afbab84db08335b54d2c882b300dcde97180edbccd11fb8f98e957e0d4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

Filesize
246KB

MD5
1e0d9876002265aed127a502eb6ae841

SHA1
51907263ffe2b49e1a47782fe5c31e8d42741efd

SHA256
9f2c7fd659d0971d740c80f4bd113dae16ed5b9ce5ede8845ccb56299a6aaeb9

SHA512
bb75d3709b163b1aca82366ac823242342a3356ce1561c998fcc62639de6d7050251524c3e3337b35a42099bb74c628b79788f451f8c70ac0da56d6a30f6a2e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

Filesize
196KB

MD5
7407ab6274e47566ceb332896ebc91e9

SHA1
77bc88b0274b7784ad3ebbe9f46068e1e8add79b

SHA256
35c1457d65ccd21a483a5c1168bdd5c28d6d9fb227b28e1e3803f0d030684fa6

SHA512
6c1f01da47c01993a506bc835d4bdde92e9aa759c0c3405609e26eae2f07dfae594118361c256f0bc399d58dd1dc24a478c607129218d6a06e805f98f49580b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b885ddc27f542ab37b2396c624636bf_virlock

Filesize
3KB

MD5
f914e6e58fabc9e45dce8645ff188bde

SHA1
e16ba069be4ac338fbfb731d5dca60685300ffdb

SHA256
51d110882b29e686326a7f942b829e9d1df5c0deb804b59f4e62bab84cdac26b

SHA512
2f3924f255c453ee32bdbced2ca690ef6ed2ef1b09dfb4922bc8db48071c174d7217916109c63ff1a38b09714b5d5f3557dd6aae8edc99e775bf3fefa7d046b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAMy.exe

Filesize
417KB

MD5
15fa8e2821c2f6fbf9117d52469afea8

SHA1
c9ac097159a1557ffbb74e2e51650a549d9da534

SHA256
52f9c381159fa2562ace20469ab8c9aabea3de43d6e9695bc2af4fb8bd23dda4

SHA512
7594524523b00be6540628c419a3523f693443267179713f545a5798a9eff1f7cf3f23dcad073c435023c90aaecc3db1b8d83214d1e9843f84eae89d7bdb48e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACsgsYkc.bat

Filesize
4B

MD5
ddd9dac6c3367638c369a9add14dbcff

SHA1
3e26b35981e1fef67a5fa6ad51c5e05c0be4eb4d

SHA256
8d409cb1809b6534c14655895383673bc9887fb347f80616be12ba89cdac96e6

SHA512
7ce1d597f4b313191f37933ccdad7d248e8dfc460765ec41c6df08b0de395a29b8ad7cb08624918cad82ce8410b05a6e8e20b9dd6484df55a5ccb03f52d46715

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMkU.exe

Filesize
190KB

MD5
1ec087f75da5e09049d6fa7b1f63a92d

SHA1
274323bf5878103a052b459b053e54c43f0dd8f4

SHA256
6e0444cfe32416eb5cf4ff611fb95f7a884ff03b4acd64269a80761730046d6a

SHA512
d81d23b9441e80ae1bdee351416305ba339eccd002fadd0d7e9dacfecbc05f55c164029ec06607ecae19b5bdb6aaa69772cf1b199cad3855f78fb1e6c5be0727

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUYo.exe

Filesize
228KB

MD5
ba037b53aef97c238b208105698e31f1

SHA1
56bd2b9b7a118b00cce99c872967adcff7b9ba75

SHA256
0091bc0f685a1b9b7639e25acda799de722eac8098d72ef7cdcf945aefd8ff61

SHA512
9b0ca4263b60718ec57afd29d91c1f2be1692b953aabcbff45c633915d73226833f46dc6022f891c08ce7d3bf751c0d5ca0051c7a6c76c13769d4c4f1dcc9543

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYAU.exe

Filesize
198KB

MD5
9f29b69db561522f4acd69fcfa3f59ce

SHA1
62feeb8dc4aa1cb3e3aa300c55170168a8926371

SHA256
1f53312705c758113aa5a648cd0f1e6e9f01b8cbed06a686a17bfd234848dec7

SHA512
624775550979d29eb480527463a7a23bb84e51709a697693359edb3e12ed4586ff688e37de9815383949a0f2a909d5dc9f28d9b2cd8375ab6fec08be37ab2c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYkq.exe

Filesize
793KB

MD5
8eec975548a9811743e45e949cf5bd32

SHA1
385849d1880c8adcc46bbf1d62f702351dc0ce59

SHA256
e42beadcc81dd7ca482284718b758496f2c9726bd6b99f29465d13886af1d65c

SHA512
18365e651c7b400bf580574bbaa67539f48422fa4261c8af89aeb999567563f2c977cbd227637dacb998d074234c82918cc84ecfe3f071bba2f9306cf38ae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYky.exe

Filesize
243KB

MD5
e135a264d3c75d40154df883894c2854

SHA1
25015fc96799fd73575571dfd6e3f0a81626252a

SHA256
57d4b380e000ad61ff0b4e5f083c556db7afa50f7182c3554f072ef64f37d1d0

SHA512
831ee683d8f8f157a12f4d31bc4beb28ecffaca4d88e64d1c010f13de8ae487abd9a65c6922e0ad93eb83de71187510c73ef129fc888a92ade2003b9fcd7b3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AagsUsAI.bat

Filesize
4B

MD5
2bd4b782f0c439cabed677cfc8c70d46

SHA1
d77683954a5384ad0b34bbaa3e97010fc9abf841

SHA256
e48aeca071f94487b27c740052da5d65863af1de17e803bec1a0384cc1ea723b

SHA512
f83849ba4b387d95bc3f144c6ed23928c6206d8d233ee3887ccb002e2f5623b4f7a940251947ade9e9833f78047e99a4c7cd3d19bce400d3723d0e46b6041351

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkEc.exe

Filesize
200KB

MD5
109f619017636dde2d8680f3301c052d

SHA1
5c5365ce2b5b7655e8b307deaf33c1c16b9dc030

SHA256
7071db8137ffda930b6bcea26962f7dcad82bafd844305bb582cbbb90b05a673

SHA512
da65faa8e80eab621b4e9f957faee0a0aeb8273bc13e90b63e84b4548f7e1cefa29157139786d58c9a6f4ca19abf035e5a4c98d4c0ca62ef6d53d7fce37bcc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkUo.exe

Filesize
235KB

MD5
247e29ff987816cd6f87310dda14db71

SHA1
82f09505aca51748538671ceeb855e942448a779

SHA256
92689d950ec83878af6d9b0cb5b09025c41c8d25c28f103256cf13fd76b6c8ee

SHA512
cf51d6e6c18578a447ba9c457a45a372d73067ea6088ffaccb0542d9412ac380b6b49724aa5db661d0c82d2acaa32782c08441bc6501ffa1ee4d14f364f0cce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsUK.exe

Filesize
249KB

MD5
80eee1982de8ec6df1bb9da525446b77

SHA1
2931b60e742d697d01421945207d2c07cbe71924

SHA256
83a14a34240797056c0dacf6f775836a53db09b4a69715996f4899b9d29c96c5

SHA512
fd81fd681efe866462922b7c0684268d4db0d3645408a62014b0d530dbdf27f0b55c147f9b8da25e03e0086101c606373cc387227f5cf527e8b6f4ddc9255bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsYe.exe

Filesize
308KB

MD5
82243f1d8c7a6d3c4ed6daef6955ac6b

SHA1
ac5b8d3934d73411dad85de99f5f2136f6079f23

SHA256
049b1f200e219eda9d8bdaf3f8017a987c8f7076f8170db1adb3c34207eb745e

SHA512
f3f24c32464189148e4cabfb6c3334b0aa6169c35ad3798a292f2a08e463e76c04d682e07bef500ecb1dc8d640aef5cbf3e349e13437cf3d9006a9040f3fd5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwIK.exe

Filesize
369KB

MD5
d9950fc83a243892e45ac978cf367068

SHA1
887543bd2a563ff50c91371a69397227a9710ffe

SHA256
ff6b10397b0ca34d4afb384a58aaf9152304c850e3118da15cf92caf5265de97

SHA512
d23f98b40326558f8979035222fc871b440dbc4b0ba9b7e72ab9aff231d22b8f105947130cbe9c7e082cd9b3582c3c51cdb3a293cc4cf9c6a42f7a86865ba736

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwIO.exe

Filesize
197KB

MD5
ff9ac90389bb4ceeae0731e7904cf37e

SHA1
a255cbd869470d231cc6c32ac8f5659da40c2f40

SHA256
6267dee3d6be7827c56c56849fcce93649cda8cf1f37cfb3a0bf9ed80780f053

SHA512
d5a74cf71764460bbc8ba06b3dbdfed70597c7bdc3433f1a1346f145fd11b8fccd9e42c0874074e6444e361afb896d8ca010bf76afa1306801c5e490a12dc951

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwQG.exe

Filesize
234KB

MD5
941eda69ca2fcb4f546d4a7483c2222a

SHA1
435d717b3645aeb039dbaa768e9381f2a0bf5d6a

SHA256
9a9c3c16e2f83b26a8d11898e281ab9fe5d27bff23c45bbd592dd7c37d3c9232

SHA512
d030462c9077317b21aaf1a6e36f1cbc4d85ccc56013444f30930e8a66055d967560dc890fd051ea50638a5d9b5ed7154bd693a55981243a7c6a4c4d3d4c1b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\AyYEQYQU.bat

Filesize
4B

MD5
d5b2d04aa1cc8347ffaad2944cb9da09

SHA1
5316f95b47a5a6c803ba02f8d4799fb09308d7ce

SHA256
ddeaea81cd4f42c0d40ff063b1c0dbe8317b6fd95a7537d06c17c7dc70c2477e

SHA512
2232622c14da371aa9ff3c247b2a031a18f396f6248fa9116ff9de91ee274521f06f9e45969d42863baa2e318c5a5a584350bbbdd7e8ef564f3b4ee8ffede905

Download Submit
C:\Users\Admin\AppData\Local\Temp\AysQYcEQ.bat

Filesize
4B

MD5
7469b4bef96ff97f1272e431585465a1

SHA1
3cf69c6eb10a233b55525ff6d405df9c7c755a9e

SHA256
5a4bef0a5ac27e041ca8587ce54b8fe3ce7962d47b3cb8e9b9ce4e9dd1304dc7

SHA512
28455a2809544832c1c05ab701965947e406fc12aa8250947561e63f7dcef7e745d085bedffdf88751bd9a273b1171e707e9ae2c23e950bb30dc7735dfe92c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\BossEgYs.bat

Filesize
4B

MD5
5859831e2b3db23528c710b1451e13fc

SHA1
b7e26906240094900e95bfd854b3d92a80814c29

SHA256
6a6ac8386005b00f2af86a300f1ae811527b9d979db505e11ae7c5b85fa679c3

SHA512
09a1d01b5b120d321de9529369640316ddb120870df1ec03b3f2c6dd39c1ff6ecf8de5e56eb32d79c9d06240eaf5de027f6e7b9df2e2e1a4cb38dd548460b757

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQkk.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYUW.exe

Filesize
228KB

MD5
c29b836a4893c1e969a758c832e4fba8

SHA1
770ba1e0beec8d1af969040855c6a0d845d0769e

SHA256
a30d2e9f0c01cd874862a72c02806a52152d86a794f27a6b4577437c39341a03

SHA512
42e22d43f25d6ed8f6ac5cbcba6bcc75a120b52e56b41f2761277ac1c5d06e303bda4e46421d0fd111a9787d171dfd5b867e620f908499deaa2df748aa479441

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cgcq.exe

Filesize
460KB

MD5
55e793593e7b39550157094139eec86a

SHA1
2b4db7636441abb420aa2a23bfff4bbe9b30c1c0

SHA256
3b81dc40789dc1a903eb64da5b6b0495ba362ab63e44b596c449eccd8e963e6a

SHA512
95c1dec655ce89082233c59ad4e1a9215039d687fef1362784eaf703acd6aa3eadf483e8b0e176a9b0f63b4e43811552f501a57b3f830acc628722e63e2e0648

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cgkw.exe

Filesize
944KB

MD5
3f75bd4e5b5164c5aef55887a76ac236

SHA1
7caa0d714fd355d58fc42bbc81a4c3689c8869be

SHA256
0a46d943d62cc1a21af72c496dfc31e3fc135c82c12c7be7e600bd6c6f577878

SHA512
b0811d514ca6e93cd5d0fd8219aecc6587e6087d098d6eebf3da8c565ea5c6ee8eb474b35f341def753b460c5e96e09ff5125d5d46f8df70a6d55908782b612b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsAK.exe

Filesize
568KB

MD5
e5f1545dd52852fc301ce0322d162029

SHA1
3d01b02c89847f0920e90ff4e11e07ee7d094aa1

SHA256
58fb56b6e80ba99af561041559e01c48153cb4d2d9b1cd71448a013f716ccc91

SHA512
11687a6908756ab608c15ad2bbc9b1725affca0136243e38e0f183e398b11166e0eab3c77e93a64fafe7901fd5a07c20e339c2336f4fca9f85c51be5d168d959

Download Submit
C:\Users\Admin\AppData\Local\Temp\CywAkgAI.bat

Filesize
4B

MD5
a958733e1321bb248fb1feb709f6e0f0

SHA1
0f29e0cf7697a19cf25bb66c2337270235617577

SHA256
3353d6d532b4a83e407f4098f079535c054b0fa8178e0b2936e793ecfd91ad62

SHA512
66603454232a097edb2bee9c1f9d8a1720866019349b198a3a37eb79a485655dd964d4e681662d9dde64a97d586e139a3e7cfa63a29bb6a22df0f41485842e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMQIUUME.bat

Filesize
4B

MD5
21a38eb87d49b9ef967d79571b0f382f

SHA1
127d95da7346e480d161a8816d76a73a8c6a0a16

SHA256
96aaa060596a8a9e040a6ed2b209f7efbe2c02fbfc1be913053563aba16ea263

SHA512
c89c4b63e1daf39bc3f435d8426fa66a701ec5598b00d4c42ce977ada01807cb2b18d1346de00747434ecdd3d8ebe8ff44510a52a491ddd2e9db7c417d1d72d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSgcsEYs.bat

Filesize
4B

MD5
b79cc461916fc888ad00eba9148e6699

SHA1
c582789d86a30d725e3cbbfc18668dfc24c4d722

SHA256
8a93d0b18be0bb4a5cdaf28e64ae6cb4ca79238b012f49b78bc633a2115b260f

SHA512
99e0243be39754212efe9eb0f68eec759f15d596345eae8eccedb03a299a126291683a4151fd0310e32e6859965086c7314a5c594f3dd680dfd042b90af5ab92

Download Submit
C:\Users\Admin\AppData\Local\Temp\DWkkYgEM.bat

Filesize
4B

MD5
a8ac303c2534e338b68980c84ed699c2

SHA1
faa9686fd809a160517ac599122621fd292d0244

SHA256
693607369aa4d5733d9ee342bbf2f599b5916116845049dbf69d69ecf66652f2

SHA512
9d29a4683864eea77ca5822d9b8c80e99d1a083e05cefa882a42169fc145c3749000a14a81cae35b2c54fa93b2054c56b9870fe8270860c4c8f6fab4a5d48e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DuUMkQIY.bat

Filesize
4B

MD5
02df4417b4797f3a19fb7f1fdaa0812f

SHA1
a5f6ae0b28878992f8069febb298974551403a6a

SHA256
814dc51498d2da7a2be902f8e61885a4673e3111e8c631133310fbec8ac23c07

SHA512
f3dd58f36a83179259d9513e3fbb966f529749b03326034a2a8ee702a1dd5ed4d9b41aac2483100a2095a7000ef6397ebcb6fe75aa5865ab3e7c57526d036889

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAQu.exe

Filesize
413KB

MD5
c8b24d4c3bbb9ab891d50f54a1171ceb

SHA1
7c994e8b737c1b2cef1035840b687a82008b96d8

SHA256
843fffa91f77712c1e4b647577d85aa97c272185d07729b1e568da9dd62b10b4

SHA512
d769419222a29df14ce8e5699943d2e3e690699d63781dc0bcd1361d70a67b68ad7374a65ed8189e03ae5f163404268941a965dac9d6031bb6263afef6ececc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EKgAMoso.bat

Filesize
4B

MD5
ba608d8ce49dbd1cb27e40b0eb222e53

SHA1
473e7fb488f34186fa5e0090db3d2ed114962a3d

SHA256
150921b797b095ffe9336fddf2e9c5fa76d1bb95800725f932b3c47d533c2227

SHA512
315f1079fae516414aaa0aecf9a4d4f1c5396186d9cc31a4e660ad9eee2ef2384009b76644a8b6faa6cc130ce679519d658613ebf52da0c28482f01cdb80a8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EKgcgUwc.bat

Filesize
4B

MD5
620acd915a5769097eca759c4f9c2aec

SHA1
dc84f73756320d75b888c63df069d4097f3c012d

SHA256
cef33ff51d31d3e6aa88ea25aec2f37c682c9109ecb698c5a57ac22dea90ebd6

SHA512
d5ccc29318002dab72229f255856427b0e0b540c39c469713b5c6032c52a3dfe3a3135facd5a58b51a1b66ece0ebdbc19741786147021e142fd0c32aa26ada8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMcosMYM.bat

Filesize
4B

MD5
589a4041267d399a2a549f6a1f73e47c

SHA1
95863f9a96ef0b1743b87bc2f4a7c045d92861ed

SHA256
a363287f7504a3a9adc3719fc87866a3adaef8fa4c19884d7ce8dd84bdfba002

SHA512
deffc2dfcca63fa814cd0253391794a2c5fb70d97547c6111fd88ca9e0474d5e59edb322717045f7778d1ed2563dc2a3054a95281cba299f1c58d633473db4ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUQW.exe

Filesize
244KB

MD5
32794f5d956042af73aad59adc3a8a57

SHA1
1aa1101e170aede3818458f65859819db8afcf64

SHA256
2dbd7d909f3932b4d263d8b487e041a234fe2fdb56a9f2f7b8c2b562fea141e1

SHA512
3d4626cf066fb93ff27e0cd3a04b4031bc7f4e92ea3551f7a27469523f210216ce987aaf65d52541b2c132deecad2118066cd6a135cd8f73e1420812992c92b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYgU.exe

Filesize
462KB

MD5
19ea9beeb35beca1cae8312ce84825c8

SHA1
ca673d97c5da6604559302e88c9597ce431a7780

SHA256
2f79de25e8a9505e689336ed0c2e1dc38c07d671cd7702b9a7fc7f7a106ba253

SHA512
439eb9856ceb6f385d63ae653536371de56bbd555b949f44ac913f1d36fe7b08173b22eda0502688ee606e4cffcbc2207737157cb312754dfa36e7dd2ebd4f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgoG.exe

Filesize
236KB

MD5
30bf9fe890ac8e257e17b6ca627ef9fa

SHA1
032cf1419e6ef707421d76389df1aa8aa6042aa2

SHA256
30feab06ff6719793049fd7a670890a15395fd13107a96aebc9f71aeee23148c

SHA512
253034e6159797a39ad1a22ebe42eeeac8a689040836163d9a31d22f329f1fe87c465268cecdd0e8fd3a624e9ddd1586cc660f7e9958358dad1d0c356a5ee6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgYMkQYM.bat

Filesize
4B

MD5
6f31efb0e2f6221a8503314cc727b00e

SHA1
37e50925343aa8ce51edf769f4edbace933baed6

SHA256
6956013f2874b0531c0bb0f4cfc9b084d488b0108cbfa516e7e7b850c1bb8c46

SHA512
cb08e6186e065e221d5579e5a524bbe47387050872a9fd2a0a4b0ac3eba6d467b394f6fdc56a112ac41af2a781a8fbdfc3a8cfb425717c448537239e53044e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAsG.exe

Filesize
233KB

MD5
c5b4d000b59a1404834792a46332342e

SHA1
2a9c5d377dce36959bd2d96cd993a53cb236d2d4

SHA256
f3da67de3449d933d23dd772adad167b63727f036d77255011fc731caecc0f2f

SHA512
e83a1269b07d54f01652d5eb4dca8f2a348a1663045750b196de6273461de046dcf0976605410b97a2f731fc1565be3081465026a30c8a24ad3626fbe4e4b827

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIAEkMMY.bat

Filesize
4B

MD5
745a94cf8911da7a50b1501adbabd94d

SHA1
c91ffec51bc932af4286056430643c97c99ffcae

SHA256
a0165c8c760e95aeb77479e8f7387e90594d19c54c5082f2b737910f2d9d15d7

SHA512
baff2cb5e0975ea3ba4526f2da4ecdcf503fbfa6bebd2f43f6be37f1be8253c495bdb8ae48f387db82fd6bce08046cce3dffc23ee4175258a3fa4a2cac3e147b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMcA.exe

Filesize
461KB

MD5
4944f3645a661a152d2ae939f801627d

SHA1
8506b5a8d59b939803274f2b160497e112336ced

SHA256
70f6148505ca35b45941be428f88e2c8ddecdde1cd80f4ba28caaaeacf0fe573

SHA512
87fda5a72135b4caa66971c5d354f365fb88f77d5f137e96df26e05dcf952ccf5a2e8cd67e41159b1a2aa193eb2eac38d668d8a41d2f736775f1728ea012fff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GecowkAQ.bat

Filesize
4B

MD5
84251c05d4ed729c306ee6598ab0ca4f

SHA1
f3f756ffabb45b858cfb018f6d91d15ce6f34171

SHA256
3eae902d742920f185c4f69da47def21ca783675c1c3314848c691c996a67512

SHA512
d2f6e4871f9e6df0be298bb46c46cb5deff2985e0b528ae060389155cd3a0e65aa2654e228067350e617350213d0ed6a797c2e8808f91b0409fd64068afe343d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggos.exe

Filesize
831KB

MD5
5e8c386d11dd591237f5854ab04eeed2

SHA1
30c8f683e74179abced0b28a37feee9240e2299d

SHA256
9e09b7ba570ffa0e5496ea39fe0f4758728d3ad0ea7af7bc867d24716763d992

SHA512
63d279882371735c155c63db5334690bd5853fa32de19205879b9af960011d1eee06363698de9c9c9436ebc7e399b7ee601fb21903c03f3b547327898cb1a991

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkQk.exe

Filesize
237KB

MD5
54c3f3ad7ba03b0480ced3d0556d490a

SHA1
d3b7738698538be5f4ae5cb00f6c1dae0263f13d

SHA256
9f0979feaeaf4a4825099bc955d67147aa06bd36debb01012a30ddb35ccff56a

SHA512
645fa76c7354320dd657283627d91858db36d461e798e070788c4313dd6a3da71a38a88b69461dd76788ae9a274bed6c620b46d616437107d5c0ed05ec56444e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsYk.exe

Filesize
232KB

MD5
d7b2b05451afe05287b6c191f789a850

SHA1
517248cb751723e42eb0ad06fae0fabcdcc540a2

SHA256
81d921747f78cc031c40c4172e76ce2671be8603d773693079c65730d5d91549

SHA512
668dc0295f4230a75b06b4777371c0ff05b83801e4b822b3f441aba6fedf1d708abaeff192f92a21c068487b877c30a5606d64ba0558baa71331befd7cfa5f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAsIgskg.bat

Filesize
4B

MD5
0ee53089f18e67ea17bc230474bb49da

SHA1
ef4b1d29f4558c245ea0fdbb86332cf7d252aeba

SHA256
58044c43aba866ba354e293e9a74d76531bdc095a157002334a015115dde91f7

SHA512
bfd0b47fce08d62b82a249f84e4c021e9236c3ce39a01cca85500e8561c69f2617488d4829dcedfc9c654ca224514a6468c6250d00dab782a6aa1529f62028bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HasMYYQI.bat

Filesize
4B

MD5
24ba08bc385dc8d36c872adfd8b5993d

SHA1
1fd475fdce4f113acfe3e650e9251190cb80268c

SHA256
c8a0aced2f0186e61e87d19922ae1eb3bdc62cb311c66094f010b1cb3d802030

SHA512
bd8c8b19943ec02ee46b844c326af9f322a20142bef0387cf04be6e563525ac4e2fef4eb59b3ac6a72a05c686fd205997da7117dbf78462d4b259c487a0f117c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiYcoQMo.bat

Filesize
4B

MD5
2dac36d809102ada909600653d34f62d

SHA1
e5f8e02a5b1076a16cd345e03178fc6a103763c8

SHA256
04a17ea2425526f19cf0a6121fd0ee47cd072daef9f6fb9ce6d52a0f5cb1f5f7

SHA512
95a801eddd1a1207b4f8f302e42b84b6b5b8cdc83f2127657dafbf0c493c090689a2cd4757bb00c177948f34aed657ce536d8962da6eb169e66fca5025b08e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAYq.exe

Filesize
647KB

MD5
931128ab44271448ccd7b42265e84839

SHA1
48abbe6f5a962951a5fc9b5794dd0d95926b38d2

SHA256
9a89055cfa1a9809461a51841dc4fc95226c4f0ca32656872ca3631140ba7a37

SHA512
8d1dfc02ada1b3ac5ca92bfc918d94d82765fd4ee548d38300d9e40af93ea0b8d5762b5c9cf80c7038f114c23f3e76a4825d9b2696fc97a4fd8722bab4174a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICwgMAUU.bat

Filesize
4B

MD5
e012d05ee8ff2eab4c123b730ef7195a

SHA1
54e507672647e25d154f43528957ca1848c47e7c

SHA256
8e279fa18c3567754c106c6c10d37412ba93cae97f0b459d096f26c983e217ff

SHA512
6cbffc04db0859480d55d838fb82fcbf29dff6373ef0a624ad82c98998430a01a29e5723d7bd89ac5b097119a38a2616661e519c5640a64bebe8705f902d3508

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEsMgcgk.bat

Filesize
4B

MD5
278f8d5d136940f6896839bd1e01c276

SHA1
0cf12805db135cea5bb9da7f5cdbfb176fefefcb

SHA256
779ca306a3c8b6e19948d32f73d89e86c1d068040f93f9cf711d446e9bc6d926

SHA512
e675c31ed851f9779efcb40c410f90ed3a6e15aa16fee3955103845211cf2a1f69657f0c5ebd059617e04726a7177efd4e1158f0a8a1d6562396ac47d3dca7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMUI.exe

Filesize
246KB

MD5
039b0806bab45b48b9e05ef3abf4a68f

SHA1
42845d38395beae5b63fc6fcbbdd55b2c4a93584

SHA256
330fd02af80859d9c7e0aa6f7f1854a5cbea67578964d33ec349ccd2dc9c73e1

SHA512
3942c90f87757274747991a26dabdded204638ef57a4c70eedc5f9364e83d7b76fdb4822c5312b26068a0fda75888e4106adc1797099b24ed2df69ead298e75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWEckAQc.bat

Filesize
4B

MD5
496515fc9d424414b21c2183cf961401

SHA1
b5cf05825c483f656e3d7db23e0b9142b8f4131d

SHA256
7ef67f0b7f370a2c4c0bb162dfcdb21b7851bc0927348cef9e27506d000e2bc3

SHA512
51724e84694afafbb1893924132a2760a9f22b1df05c6521d1befccdd4aa3a85f06d846fdd49e7df06e7061b52063bf78086ff3d5b74b75ffdb5fc534ec1fc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYkccMos.bat

Filesize
4B

MD5
5c9806711b9bb1f10c09ab44b52ad75b

SHA1
28411b47773dc52598bb084605187fc37c5e507f

SHA256
7004616aec4ffbc27b940b0d67bcedc331becc44397355cad4aaecb02116bdf8

SHA512
b90a03849d64d85c5c730c0ca31996ed99861c142753523daeced3e26f818f01bf5cfdf81d9bb05e2ae2e93dda040a1e487db408cfa4a66e06a799414a3ce9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgoQYgkw.bat

Filesize
4B

MD5
c6a2af2f8c00fd39071007bc7b23addc

SHA1
795897c9504797c08f3bffe42e225417ccb859b0

SHA256
79f2338920e9aabc69e2113f22af1c25915017370a6f80eb875b2e285544bdce

SHA512
feef12d7be51a50000beaa4e9834b8059e2283fafa43bec5e600d60bea8948397c6684e7206e21c3da0148015cef41af11479e156c6f2a95a73d8c6b8a3fe69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JSsUkoow.bat

Filesize
4B

MD5
acf75b76f48cf8868260939a7dd8c312

SHA1
a13bdac74f1703ae54e95146744f4d4fddd4539b

SHA256
b09c8b446f9550c51525c7d5a946b80192492f65c7e1f6696e41672865fc3439

SHA512
2715cef7ac756ff338908924ccd06eaa5ff57dc9efa2c28d603aaa635807890ffaaf26b1ef1e1525b4e72a5e540a21516f6fbdcd6a2be6b8bef92616d2c91de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAwo.exe

Filesize
343KB

MD5
ae5a8f17f2bce19f8a1e057ade49cb46

SHA1
b4df7166ae72e052836c2ecaae9bbe954f59c4d2

SHA256
73a291c4ff85bd1a41a2fb5b24113e12286309ab6dc61e63a5711e69cca78299

SHA512
48be4e7d9fad09c92ee1e201c2820ae2ebe90e78ed77fbf2cc8d929ec2cc62bc9662f819058e050cdf0324b216efe8e7e5775a7417bd0e1c96922f4162ae167c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEwM.exe

Filesize
181KB

MD5
e8f00fce3425619935e29a954b08d4f9

SHA1
806f2465db04609674fe77e4da0edd3cc3c104b3

SHA256
0d31ca3cabc7875b734cb117956479c046d1e120a06830ac50dcf91913070676

SHA512
f195d34c6ec91949786fb74330a6c67a83bdedca4144d82e4aabee798c53126d0383b9d45e375ddafa4004632dc1fc61bf46b4ccbb29895cbd6b9f4fd193b08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIQQ.exe

Filesize
471KB

MD5
201dcd772598a520fa500dc88ffb8c14

SHA1
6f9de027f61fd0446b7e99cfe0cbda38c4073b81

SHA256
7ea86e72ff112ffc54ffe8e986dc03a9648aa2bd00e835422e5cf812a4fd0cbf

SHA512
11ac6b076614bb3c4d47bfbf1d4dfd3c8db4647ab783f9f1f3eed9622b32a22d1dbf552ceda12d2db83e61a8f6d4ff34659150797858fdbd2e4ccebd7d0b0eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQoY.exe

Filesize
324KB

MD5
75e84521653e65d5833b37546d3b8fdb

SHA1
cda9c80d72bf171ebafd0ea04f910ff9ae25c362

SHA256
b0fecdd9024c94e952dbcb3f22dfda2da0ff3e070339f70581b12b9e57bcf4ac

SHA512
d67ff2170d1743bf71cc4299955cb3a4b9f0b13e618a098b178445eb4342e22410f110557721768bae252ccb84ad90498cfce8449a9c78786ca1ac5ad2b411c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYUw.exe

Filesize
229KB

MD5
a01021cb80c3df767e779950a74d6949

SHA1
2bb455a399bda0bb384542dc29cf0b1714c00088

SHA256
c7a59965c16a49be0e0ba5077ba7ee943cea79bba41dec07e9163c1aaca79976

SHA512
07079686ece2b35ff76791b52aebe30c4bf40450c07ce1a72b21b8837b593098a3a8fe061451cabd35d4507ab316296c5bd6f0d7f7a583fa2104992953553811

Download Submit
C:\Users\Admin\AppData\Local\Temp\KioQQUMs.bat

Filesize
4B

MD5
d4e94b2bfb9e4ab2a42493c7e88d2ec2

SHA1
45b6e62a1c6ea734e400af8c3552a233156cc912

SHA256
4e134507e9a4a47c6803c18433379136b45e26d81dc81e1306aa31b2d1980abd

SHA512
c21b4e33e4faceafae370edf4d48b8ab788554e94da35d7ea2fe40c25627763e0da5dc25af6ae7363c3d9e242eb6f88d461d5b28deee44ed1b72d19cd1ba0a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsIu.exe

Filesize
242KB

MD5
4c887179f6130bb732a1cbc840fd7991

SHA1
a58d0a57408d8cf69cd239c789662dd9ccac1027

SHA256
522d2de83016a4a6e27bd163e0be54a6121569b7557b9c812be22f1f00b16638

SHA512
c698ee8a0f907dc6b67a515065cabf6d3116f26272bac4885edffff390518958ea9547b7ac1a2d2b4bdd396ac1b911d0447cb2177f947ae18cbf1ab71cd3353a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KuskMQQU.bat

Filesize
4B

MD5
2fe966d3a95ef0f5c2fbd8bac5f73d26

SHA1
e357b740618d42a4883cced873867aee64b4d6fa

SHA256
2b72ae319151c0427012ecab46b51407e6a58182ed2ef96a82c0c515a6ff37cf

SHA512
f5ac55ad1ae3823352ffbce08eb96ce5a4df9a40c2006eace90db85944b5bbf9ae01b1ece6c92c8c9195ff6b63c308cbc37ec40934fbc8f885c00205d2730cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwwu.exe

Filesize
362KB

MD5
c34147340663fa71a51dd8f77244f69a

SHA1
66d9fe4cbe6f7f33fb2a16dd12073f183ffa1575

SHA256
6b9120384db2daa36f375e526928f944efcd39675c6ae3416d5c24d719c2e46c

SHA512
09d669af9964ba93988e541541226d68a67215103b7ad1c140c99accffd68135185c0a088d27b84e03faee9101472c2d928209397d6e8357006dab7eef9c6896

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEIQEcUw.bat

Filesize
4B

MD5
0d051245eaf4fd99ed3c6185a2c535c2

SHA1
3b3a83c02cf4f9cb4a530e5bf23a162a076d1db9

SHA256
aa2fb919ee0f6f7407ce59f63d294907f7a92224285e9d8938cc070e6acb7114

SHA512
4d2ca7c6b866af62457e287448987bc79848fe4cd2b81bb5c539e499711a15124c20e67fc9632845f5439704a7ae9334d3b15bd024994809fea8fbeb90fc7c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\LeUAkkEM.bat

Filesize
4B

MD5
f54ca5cc511f4403360e6e1d4cc4a86f

SHA1
d43be6c0721d8dd9d59ab721ecc74a60174b6801

SHA256
54937bb34f954de877cbf5d7ab0afe7664702a907734965c41de6d83f7f179ed

SHA512
2d8326e62c4d1ac50debbf0feae16528eb7545d716c79e17b71fd8f9aca690be439e278f865343f435670e09c7c0f76d4fb0aa6668210ea96941f0e357986504

Download Submit
C:\Users\Admin\AppData\Local\Temp\LmkMcwYY.bat

Filesize
4B

MD5
3238fbfe17ac75215dc1010fb88f7578

SHA1
ba3db1cc8842d9b5cbe268a88df45eac78906afe

SHA256
8ac121efbab35f64593c8b347ca4b9c5448cf112fd41254a180ae82bf9e39379

SHA512
1bc975c4f4dad6a4b0ea91dc246535383866159ee1d2d8d33f5209dc66cd34361e2e5940c092c6214ec76e1d2c8763f0e24cab4cc3a5ac717b141c0561e13da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LusAsgAM.bat

Filesize
4B

MD5
230fe641d5e892207c34cb9bfb919fde

SHA1
9bcd7a23a1ca879553033ee344d520edcd8169b4

SHA256
cf1f40ded4842bb9d4d25ff73bbd8dff6cb735490fca5430f0ce8dd705439d81

SHA512
08828fd656b7650a34484b2af2fd7be809d3e067cd64d2019ea77259519f130c32a375267e099ad6de5d5248fdd523e2b432884076522452d790a37f32b070c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEIw.exe

Filesize
230KB

MD5
03f051609bff61407fb41fb58e281c17

SHA1
dc40524684da6a63190f72746b55c9da4a38f0af

SHA256
2b9812d62875b08d463aa5aafb27f51a1bdd990da9e4221c604d6c4c035cef9e

SHA512
7af3710d66a265678cb929a7063491d9c4aa2b03bed3a62774d092c9a47c04fa44b8b6d87fb8f17bb13bd29180d355fe053b325266f1fa3bb77c660cb8b1ccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEkC.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIAy.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYYu.exe

Filesize
227KB

MD5
cbba04f32a43a7909b9bc33a823dce3d

SHA1
babcaa3803537c185d19b462a9c08425417b4c25

SHA256
797834f5a5ad326c937aabf73b039de399a33f12ec6bfd6f7d4cab6a3f3b996a

SHA512
427da2c25eeb65d76ccb2b1d8a61032102b8d7da257e71b96ce3cce5ee5fbf62760e64c18a21e06fe83004af78b134afc6668a67cb47473e4468123b3cff7100

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkAI.exe

Filesize
228KB

MD5
e9c136e42d29e615b3ba8f07ba86e285

SHA1
e03cc81bb584b3f7debc113ec6f2259603adc082

SHA256
9fcc285048cd5c6696c8e484a461c98c8da63ffcc175bbc0c3970bf2a5369dc6

SHA512
bbedafc09403816540e72e11777cdcca9f1e4dd5130c53abc944ed3267e20f40ae5d7cce61c2e3035a7a11a7dd86331f425aabe5baa7f2b0bffb91929596fb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mokk.exe

Filesize
223KB

MD5
b82a4334d7970e44aab0782451ba249d

SHA1
fdb45e93b3f4b0d924387b72be13b6fc267e1845

SHA256
5db3f150b92f8a2561a21c5714c857a097e7484bc44c765e9231632a2f64c973

SHA512
1e44b1d5d9f5031021d3887adb1211658933b8927ff195ba3a8dbfaa6d5d8e89297c34c42d9297dbcd0a0e92b7c4169925becf4866b5825fd9195d887482d7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoosIMII.bat

Filesize
4B

MD5
34e34331d3c1d3a3e3e565c2f0a05986

SHA1
e8082364a48588a991ec833c68c8281af571ec59

SHA256
aa5938302e66c4a155cb3342bff87b6087894c7e127691706e683fe79c8cc160

SHA512
7f2793c86207cac15218d536f7f999e07a883d886d88adfcae81907de79b366881ec179b7ea32010417fd4bc852504f72108f7c5af2dcaa3117968c491e9f965

Download Submit
C:\Users\Admin\AppData\Local\Temp\MowU.exe

Filesize
252KB

MD5
c6a558311456093c2e075d3296dba415

SHA1
37c3b63177e0d77fbf9c6299dea0b8eeb208b273

SHA256
a0db98a3cdc7c0e666d66a7ecbe72ec61bfbafd894ea62c5e6cd278d624a7b10

SHA512
6e4bd5112dca37ff7bf394ff25a0de1806595625be50f823f41aae04906fb339aa7d1c8d96221db79cf0729b443b134ce65c5797ff511c336ead5cb3dd104ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsgK.exe

Filesize
233KB

MD5
d5747534f518cf70fbc75fcacb93d569

SHA1
95dd34d6d2d8cda08ea5c9a02031bec4a2906423

SHA256
680e7314ea813dfd071580981de2253d43ba36df4d94b488d664a6dfb747c3c6

SHA512
ba21b3247e31ebb0744ec77e3e6e588ec888d20538d3e45a43fa4851bb98936aba2b8d7366cae891a9e5693026e9d3d797908fb407a5668996cf116adaa6083c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwQe.exe

Filesize
228KB

MD5
536f0eec0cd5ba43e3344c9bd7844422

SHA1
c1d1149ca9a07e9cb127053e53502a7ba7904e44

SHA256
e7d112b25a200db0fd304e6e15e11948543c956b1a9fbbb52927d70ea7812c5f

SHA512
4e060eebe728393395293f26dec97fc276c47d9cf028dc50155914fcc85e4a2e00ef49b7826627a9ec47d6f6e7df37e15cfe331a552edbc48b1f17757272e9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NGIwIgYk.bat

Filesize
4B

MD5
aac03865c8200dbffa1b03ca8ba65b7b

SHA1
38c2694898f8f525ddf9f3d81c3fbd22727baecb

SHA256
4c386dbb6c922d61d24806e5a467c792a70b59a2a139ef1b3b3a25a4f6f33fd8

SHA512
3f017c5d9afa03efe2a804755ec85feaf80ca2c526f8bfb17519d9048b09de1186b1cfcf424a89239440c3375b4b069ea6cf03e7c02a05f958f2b94f2e14233b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NosMcgss.bat

Filesize
4B

MD5
623fc94a2d43881325ea26891adb83b2

SHA1
1c3eb05d9dc5e508b79a651c99db3740f5fbb280

SHA256
b4f8cc676952ce2c9ba739ff63d16988b37f960a63ce49fd5e367551ba4b9d4d

SHA512
046e7defbcc4706ecb9f9217b30bf9deac8eede44889c5b6f97bb7ed54840a873d29cfc9d4cfbb62557a8556f182936bde944220ce81b57cdbe5133387afdacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NyUUgwkE.bat

Filesize
4B

MD5
5b4b79d208dcb8e8f0319e6bbf39b21a

SHA1
901a26ef74e2b562673ec421739c7276d4d17180

SHA256
e6d986c5c5c76445d8d80f2f17e39331cefb9d1278dc3ed06b7ae31fd1a9f76f

SHA512
d90e23446ee9362dfd7b2130cc22860ac61eecf724a6b4a3209327a2bf1d951f0c5656083a46669220f7d025a53103fbc38ace8d5ce8f6e0721f12a7d727212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAEM.exe

Filesize
227KB

MD5
0b3e859ffda0a2fa8011fbfb2149a7ec

SHA1
c0b7912cf62810ca92c0ff6756fac1d4e8b6d8c1

SHA256
fd425b506b96a9a097e02f7bae8238b2ea03be0191eb4930a4a527b5b257656c

SHA512
7b18a4ec1830ce3bd2ce4ed172ec5d4c8239997fcd0e5d52267dae59e210390626e19f0de79d4bb8dea547847462aa77224ec17a3aae54c8de46b0aeeca9f5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAQkkksM.bat

Filesize
4B

MD5
1c79bc4350fbbf6c18bcdd8c41842fca

SHA1
19ae23b6fcca686eb5cefba084fde8f226493e81

SHA256
daae06258f54216787882fa116b5ef729394ff8b75dc9cccf7608122c918b91d

SHA512
b89e4621be6b50dad8986cc208040e79aaf8859ba1b1471ea8b820b9b2a85bb79c1dab836d0dc8bfba95e6893c981571f227f773abb34fc738d7c8f7ecef2ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIUA.exe

Filesize
246KB

MD5
afbf4471ded56b450b49b8b1657b6504

SHA1
fb506a62d152debee39f49876995936ab6cb030f

SHA256
1810a3ad66b46cf7f0f3369d8d55d4e72b234752c0528c850db8190da8134acb

SHA512
8534cd2946e0b36bef31eb72139bde520168c9f760eddbe3f440e5cc1cd67b26030fd0f8eaba72d7b7ef3c8ba63dad9cb4acb28509a760125ed57ca08d5a52ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMoE.exe

Filesize
202KB

MD5
653a1c3b2821dfe4d18dd40460df1578

SHA1
471a496354e35aaac62397c5ae37ca509b8d4467

SHA256
7de4a2274a1388317ef5784f2d6ef464f9377fd73141ae4c88d3e87c5f717b78

SHA512
871178a277dee3597af83a4065e73f38a8ec1c639316d3381bd27505d8dffc1970eff557e582e3c6f637cc34db418a3b3ee933e84b4bf1ac9c63086c0734707d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUMIkkkY.bat

Filesize
4B

MD5
e6dd6a54fcd55b92ceed0b20bf04adc9

SHA1
9f33a89c621b6855904ebfecfa3f691119374a53

SHA256
2feb768d4517a48fa87b07f94f2968333bc0ecb5d790381a14c217ca123e4741

SHA512
15a2dfa4f91b2045ae1da6df8daee2fb38398920949b6759bd6f7a565666b2f13e8b53b2416b60e15eb79046023fb33dfd0a774c720c1635612bd623c7938636

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYMk.exe

Filesize
207KB

MD5
56a1180bbb9a5f720df98568c138faae

SHA1
c6ea992efda010e1ef4ea77bc74599bfd61701b0

SHA256
768ffeee2ca82973249c107f0fa974a852b67d15642292ea18a0a8ce218b5f2c

SHA512
27c48d950f6b160a89cf97e7d1a6d1e37032d22f610ee1ead0ac19f8d26185d5c85c7681b19df27ec616bae4e2b672f87a73f7b2cc88032d0074c1ba77079dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcQskgMg.bat

Filesize
4B

MD5
f688f5e9bf8bb5595b04472d15b9d781

SHA1
a50598e44db84651ca21ef2fe8946d8d8f7854f4

SHA256
3d5b2fbe792fbc752d4e80efad60667958a9e68ba726115959215591a3b1a0b2

SHA512
17b5c0ef157fe19c83e10c5d227e608393ff54ca5770397159213ff557850ab1904bb6ce56f07d7cb46469a7a0d0f973d9f86c99fcf602ba8ec248d103f36e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwwA.exe

Filesize
246KB

MD5
0a139b0a5a5c6157a2716bcd07afe6ac

SHA1
d6713db09e3af91ac371dcb1a3ad3b2d74ba6095

SHA256
eb2133ad590f2b6480abb348cb571f1927223a11fec9869036977b5dc41912fe

SHA512
35cf849b62f89dce11a6b0ac507e8d4b46e0215e651a4333f2b61a66d56ddb6415725db15975ec7d36f78115d741ea70aefb5836974a283a4377d2737acdd839

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUMQUoAw.bat

Filesize
4B

MD5
c0f0f4d33bac847fe10c054c4b8f1cfb

SHA1
84d9aaecf1bf29ee8a93bd4f1e83540b8112f63b

SHA256
ffd52afc9d0fbc743b13b0d5519ab3ea7a46a1b7b19242a7ad1a81af568fbec7

SHA512
a42a7016bf71df26ff926cb21976009ec8865cff0bbd83f50c57cbd8c8d6c3967f853967b32deaf0bcd32c2fde715ae4d71a9ab66360ac910a76399dea3a430b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgAMokUY.bat

Filesize
4B

MD5
f13d65ae720990131335993712c670d9

SHA1
05eb3385c505efa881f52b6d3b508e7abf14ee54

SHA256
95c1243fbf7d98664be3259440419e1bc3dc429df93becf518e85cf770e35bf9

SHA512
7ec4084615a40162841a87078de952c7745348b1168d25d29871fad0342ad8fcd518f9d11825740d525be83f1ae5882a43c76d2f72115afe954a7fb0f65d6212

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgkQIMUg.bat

Filesize
4B

MD5
29f4d6aff1d950e69130ac604d50c1bb

SHA1
39cf615f277f2a2e1f0ff10286a13252ed063684

SHA256
0fe094d1f29b809d1cf242b358889bcc844227896071022c569b526e6683a262

SHA512
f518a4d8707671f12a0cbbab01d44fe1cbd4c86a8695b0397b74753d369ff3149ed0fcf240ea1df0ecb07a0c7455fd4e4f5f2e40d8a83c5be04d07000dc1b414

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwcEQAIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAss.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUIU.exe

Filesize
232KB

MD5
3f24776b1b679100b818ec532191dc08

SHA1
ff3f730536c406b9e63d6b65bb03dbbb96878725

SHA256
634711ed64c028193003c19df7697a6cf1e99a9c8b3d991bf122ccfccc60f1b9

SHA512
7b91255b42aeee3f8ab7973eb56a2f8832f34353eb34fbf2a50d52d09ec10c290d33e3ba3ca140ab1b755b9c3d40843802e43a68b45896eb2ab1f78e4dbd316e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYEc.exe

Filesize
767KB

MD5
f62dcced553c4aea7eb9c15d2f2f7762

SHA1
26d5472534e50c6b141be62094782fd4ed6a8817

SHA256
38e4efa0c20ef35c6f88d02f6750fe00a2f41a9c4074ae3fad37b7e3f227e50c

SHA512
33bdd945a60575581256e1bfb369e96d761af4128e6a67d0b2d6b2325f19b230ffa079bbc63a0737c45eac31b95ad69f0cd127d417deabd086748eaab5c45e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgMi.exe

Filesize
248KB

MD5
73a1d0ab377c692fa0510e9e2cfd0a68

SHA1
7437ba7fcac3fb3dcd3d69c80e78bf3337242743

SHA256
e56bbe41180e8be3c6815b139a6552f5daa593adddf7dbf5d6c088ce9a5c902f

SHA512
bfa59aa53fe78f3a7cc51b04468eca83523a5e7b454197b8dda93297b23a119a05177268ddffb3896fd2fc5c5e19b48fa55fdf6b95a315226cf8fbb0575357d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QiUowcEc.bat

Filesize
4B

MD5
87620a68960c3dd1db21cdc2aa20d9d6

SHA1
597a03744b568ff9716fd3e18b5f6d9c7515f225

SHA256
27b852feebbc7c2a116ba57ab8652edb08bec5e8250dac14a427ea83abc86f86

SHA512
a6038b2d6aff1cc07b6c1c5271d542cfcdc5e2b7558c4bf781f7c5a723f29265a6c2e000c02eb9384c349c81ff52e006ff3d604a54552b86e6012e33711bbd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqUAQcAw.bat

Filesize
4B

MD5
cb3af92ea4c2fac53d7d240b7d3ca465

SHA1
a5987295c54f7238e6d850032d4a7f9a75c1ed65

SHA256
136933c2ede4c0b73f1d5305d8593af82e6042ed9ba4939f1ab3b5aaed2c6b16

SHA512
2fc37fe4a5a601ea0d953ee791f702662c10f8d3df22ce5ac7586d0866b942fa7a4da96626daa96a4557f9ca552fa1fc240976d815049ae3dc949c7d9ea2ff97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQIIAQwA.bat

Filesize
4B

MD5
8a5f087a5f3a8e15421fb36ee24bb6d7

SHA1
2c5994734d840921110ab3967e41a10eb5ae1006

SHA256
466024911772001d63609aae7f997e1838e055513dbf5943c583d2c3cd9098a6

SHA512
6392a2048d8217b1c468ff6bd3066f0e7a417614e2b32cebf08fb18f68dd172c58896cb284ba810fb85f290ec87e2dbd464b1a49631ce60a9dc0391abf121a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIgI.exe

Filesize
961KB

MD5
f632761c6761186d397b0d7c42088208

SHA1
0251addcd7f6e5811b2bb64369659f2ee9d05c24

SHA256
99af4bae2d18b8d58a036c2d9440dd8ce6551c4ec011846e8b8a11b9df0c275b

SHA512
20e2c39bb60c85bd0f159e6cc71777ef1612574ba944a55ba9d061b186b83a69fc1da416379787d345a30f67270a4f44f7affa9df6863d536ead0d407201151f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIsUscYk.bat

Filesize
4B

MD5
91d8a45f55f1e9bb016c1c84edda3deb

SHA1
5566836ee9c8728ec5c2adf44278e18d8d516f48

SHA256
4c89cdf9f135c4489e51d80194a4a013e0efbaf83607d1de9f7eb007a7a92aaf

SHA512
a65f7762e085e46a14979db4e5780213a6d116d73afa2731ec06f286add200cd481ffa6947fb95e62c471b9be73ff5d6a2c2ef0b845e6a299f78aa41deac2208

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgUI.exe

Filesize
238KB

MD5
7b656d0d24a4a3e120b0a43a858c4d71

SHA1
2513fa5975ad139fe97d9dd83733f8053b0394e6

SHA256
1c084b91bd7d5f53e6c7cac369ab36a152109cade46268619b6ad903f9890f9e

SHA512
384de65b7cddbd23b757b8075ea1b04befab66627c46fb75e5bc3b6757450fac5f7f628f9c360a53ddd99145aede9bf94b54b69b5b4cd14ead7da62fed3e0710

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkgEwIco.bat

Filesize
4B

MD5
0f130e92c631c3f54156ef25a896323c

SHA1
4655d4438147263466ad7be873972c8cc451b215

SHA256
2ffe969cae6dd8bb76f37b61c1fe9213f2557cb7f93669e769ef8d794e421b7b

SHA512
0d98e7c50b883f4bd49773bc12ee85c7d95f9241c5da1670fea31355ac0aa8460c75acb4e9a93b5f566a529da8b4fcb8256ab6ff9190e900f8f4b39460f8ab97

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsAI.exe

Filesize
245KB

MD5
cea511c1f8c564163f8711db4902486b

SHA1
61715c0272bcfcd2aa0031dcb8e3ae78afd39aa4

SHA256
f2839550d7165d55218a23eecbddb3553fade7859e038c165d7a290493b63948

SHA512
feb9eef1a80199dfade54aa55001f84ff0dc8e94122fd7855e8e37bf7cff7709f7c3f9f1a4039b5dc40667c859ece6ebbd38be383b133eeec633492676d88794

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSQIsgIU.bat

Filesize
4B

MD5
57cb96e0cc0b1766c23d8cc1ef5f28fd

SHA1
7bdc5316a24f80eeb36f313626647bf29670f4cb

SHA256
51e3c613968d858975e4c4248a6243494dc0cef0e44bc60571b96a3651ab217c

SHA512
f928c592bdfac6eb26f2358ce4cb96c145ebd8e6cf9f45a7f4b8be0d4ccfd4bb351cc0c03d32a085ba18bb75e9ad5986026db7ca2fcb19a20335f75cb308ccb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToYwgMos.bat

Filesize
4B

MD5
1acad6d52bca70da070b6bb68c6444c8

SHA1
600b4a782962bb637cfc3a63ec1ba21a00f2333e

SHA256
89d60ab722de988fee3f9440170f42e5c73226b7c099107103cea9036214c40a

SHA512
04dc10f478d6b55cff82241fb4beab2120f98c6c8e905b15d09047182e58b9605f167fb56dc1856eb640f11981d56f2abe62c94fca2a496223273e34ae822810

Download Submit
C:\Users\Admin\AppData\Local\Temp\TyoEocAQ.bat

Filesize
4B

MD5
14f3bfd005fd8489cb109f21e530a5ff

SHA1
41b1a63c29f022e8b8013fe7e4892e0efb2e36ab

SHA256
9eb526380d7f703008bf8fbf856b2055783be40d125f8346e25b3f939d294470

SHA512
ca0c8f2d07314ec1c9d05eef66e2bab71dcd73a864c2e427883b3e2ceca1b877460b1a9ba17f3a4e574143f7538bdd72ed9e927e663993f2a793b3a85bb80bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAoUIQIw.bat

Filesize
4B

MD5
156539d28dcc10239f7d9590f620eb69

SHA1
e954928c7ba12357dbb184c47559a7407408b963

SHA256
68485dd14f833700b878677041d1f78d8884a72821b72b08a12c15d6dee1c1ba

SHA512
4c4316c9790805d9881a2f4bbcae30de539912171e8d71ac9a59430123ea33bbc0ff4cc094050d400dfb14bf7564c96121e050649b97b813333ed9d82e8c6ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEYi.exe

Filesize
4.1MB

MD5
2e1736c3209e8e9bf0f16cd7a88097a1

SHA1
0a1892a58a5ca29d2e465017216883b27610cb21

SHA256
a5a441b8d42ac25f936ae712d673d35a96412e334be37d5cfd8b5b1c17095a9e

SHA512
0949b7dd95897ab85cb0364f14ea04310549503ae6033b196d01cb9b6e61fc8fac52e3795035a4687eea9a5bf2b6f0d2398a5befef78e1681c8eb5826dfaa47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIsMoYUM.bat

Filesize
4B

MD5
63a20608cfde60a039abb119f710b162

SHA1
901c735b31f7f51128aa5c89606c8dbd50cfdecf

SHA256
3fd48901fd2cecaf5ec081d0f47e7db24b09aca639f3489f83d6d1da702dad60

SHA512
5ed018a1c0a2cd0c26373835c273e37059b91670d8e349e78ba8ef70dbfb3a6feceb3dd0695e89f7b53659ebd36c5392b5593b4ed56a461d36afca7612d6ee5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQoa.exe

Filesize
244KB

MD5
44f638f15f295a618079058f864922ee

SHA1
d44c47ec1592158f99b6f8a568826f5cc5b8f1ad

SHA256
5042c818e19252e48e3bdfc88fbbf167b8e41ddfbd1d9bfec72dff72aa3f2c19

SHA512
24db9f73d74d993db759d9a846b65d2c60a2d14a16bbb9a8f670267b063d71591bfa0a1d5fadbcfc1fd8c4ab4ae98748aee19787f25df42845f3332500291bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYIs.exe

Filesize
243KB

MD5
e1a065ed7afbf610ae236aefc7a8499f

SHA1
57eb093038f58720823af7aeb4dde3f0262eac7e

SHA256
4ef498fc57578e2b5a138ca98f3803ef3513b656593f1edbce106ed45ce9d863

SHA512
202fc03ba8899b13b87f3a277615a451f3ab6da895157ec73f4f1cfea0ec65b4613b227be52c8daef7399e3f24cb863c1623432e36f00e5aa5c1808e2458d1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkME.exe

Filesize
228KB

MD5
4f72926b82765a1df946617d41218ad5

SHA1
9c264c1cf4dfc91ee55845eab1d8a601e0778cac

SHA256
1c4957ea52055dd3466c82f9093e66053646beedc789f97fdb53b4841e6b68b5

SHA512
f876e81ec9d2cf719db001630f7752e3a0eb998d5c0c110fc9a5c6937ad0e91258702b4bd301ac15ec9ec9824aac8a1b797af7cac5f26165484f3e4fb219b058

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoQgQUsQ.bat

Filesize
4B

MD5
f170f3208c5d0865531833497cc60d3b

SHA1
8be1664d7c25bc3dcb8098a2d5b0e161de5d8f1b

SHA256
108b1dc11604237f88e79108e22eb3dbacd0d4169043435b45ca9cfe04cbe201

SHA512
e131502f892033909282db416fdbc2855ba796fb118a6b23182c91c1cb75ab236d77b009ad0b026fe970c88fa73a50315f3f3536c851e79ace9f9f25c99b30b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAUU.exe

Filesize
639KB

MD5
881d7e8df2bb85561e0caf789eb78ee7

SHA1
1d2371b165aca1ecb464ecd118f15f787bfd490f

SHA256
a3e8924e8a4bc2e622e83413418515020c958ffa4a85b8b37b72e52a0e7515b5

SHA512
4a3fe652f95ac9d8bc32c28033f80c81c55066111aed7eb3086a96184b69fbf6ddb00eeda35faaef7b1b0400d87073666b9ca7416c667ba78150d797f8185639

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAcG.exe

Filesize
236KB

MD5
babd4c2071e15a07bf5ee3c019fe3539

SHA1
4b9ed6838b925ef0a7c36443fcea3bb31e13aad3

SHA256
ca0e6e1249f5a68242ed9be31e7b1d4a052dc2608d418321ef8cadc4a94d2c54

SHA512
0746344a4d6e65baec9e37e4443e804e1c391548390181708b203a52654aef13582ae280d123aaff8390d01509359542dac0ff4465c2667d98583ea3af8bfe5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAsu.exe

Filesize
374KB

MD5
ed923a98dce34924e5bfaa35fed6d989

SHA1
7dfcd049cabcebdf0fc6b6b896fa6f5f70ab1321

SHA256
df819496efec2518d5d250bc8f57270bbe44b86f8ad01885e174edee4950f6b1

SHA512
ea2d062a315734fc8bbd0471155bacac22e892d7aac6528a1b17de5e17872ccb53d7deedc204e0caf8dbb57bcbbbac6b953ce3434fa4f8c7e99d9b12048e68c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIAksUgg.bat

Filesize
4B

MD5
94df280991c6c5b08243d34a96467fa6

SHA1
d82947cdd7efab43d6083f2e449727e2ea4e2674

SHA256
df159f49f0eb474e5c1d0440e31f121297293eceefb7cd01dc733dedca75cbbd

SHA512
9687be753668e953a5fd525bb69185923316360d47a2f96aef028d17fa5cb6192819c148c53027d1e2be8b6f1712044f59811bb237ffdc0c4a95c1b50054b9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUUc.exe

Filesize
233KB

MD5
3b8a22cb36d9219e1612d6a6f397d9a6

SHA1
dd4daf122a92cd7863e9cd366ab46a7c8d575de5

SHA256
c79545765b61983f114082a70723299216cf5f5c1a44c3dbb3462053569dc888

SHA512
69ee5084d62c5b97325cb546311d40cc2adca1010113ae49cdb5db242b1222460b5e2e7b602413c6d51ad3cc9c1aaa827595dfee372cdc590912654146fa4ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsYS.exe

Filesize
201KB

MD5
9a5a4a957deef307c9b0d4109fec830b

SHA1
f69c8cf1e2db4981a6f61cde7b2538d6e1980b22

SHA256
8fb7c134a91bd1ad5b23ca6d3ee33196380b65bfecf3deae6feb846cce787fc2

SHA512
9ad9191949e082ba860708fed22650e3d1231743a844a0c3493e43c511073289c22e857f9655f76708cf99e3e34b1f58e1bb2edc7cd902c4b7ef187485da3ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WskO.exe

Filesize
243KB

MD5
68ec095d3175c0f025d59a377a26baed

SHA1
491b48525fa4b8061272cb2ee45ec8b1ee1c5c31

SHA256
6aca2603310897daf15b5101edfb3c0690f97c76856b9d321a5256bc0695a715

SHA512
facfd4bccde41d975de2742d3b76b9c0b39310cc50cad92bb5bbc11c6005bb98671ca72b826a4232979aa60d6165e7b1b192c2834e4ff65f457104e9ac7a318b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WusEgwQM.bat

Filesize
4B

MD5
b684ccfdacdfafdeeeb2f9fe9f40e7f0

SHA1
6c654d4c6fb9fba0e328233db452f562a2bef1b4

SHA256
6335b0b40137e61295458b4e9e5f3707eb8ebdb13ef746cefb443a59dae8455a

SHA512
45be22f42fbca7d1fa5a29028114de7863c2a85cbd0be559dc28efb2ab9ee82adab7d445d14ce9def12202a2b73a62972b9aba9c4ea83f5793ed026caf97a4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwsM.exe

Filesize
230KB

MD5
511a2e50ea8e1122592af8c25018feef

SHA1
b63b7dacf91efdc3453010d165f3d2a73bcbbd40

SHA256
734935211d8b053a20672becdbcf82df8db0991784d411ae800e7a4b387493d0

SHA512
45f2d5fc161f26fd524bece18e21026a11dc7be4a1af33e24af0b11d6b868e84b8381587801bafb84067cd862e2078b79ca3c1f497149827895bd5ea5968d635

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGgsMUkY.bat

Filesize
4B

MD5
0eee15c38bd5500064209408745731f3

SHA1
52038a2876bc0023139dfce7172fa1f918adb111

SHA256
c5b912ee017a6a7e76572a729eb76f9619eee9b61010e1540bb44e3514da99b5

SHA512
f54546fcda96c8d4b0c79731b593d38f45d678a5d9db463e41e2a6e985c0e6e39ac752987ab2d9667d67a11e0379c9f6601ae450fbed84107ec69d88309a26b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcsQoQsM.bat

Filesize
4B

MD5
3aaafc54e98e41b7c3383e903b70d69c

SHA1
8a8ec381fa0dd76540c5e44d57de01f49d975561

SHA256
8c3b51c2232e8cb03b57f95b121942af62c4230e2ba980a19c66909877cd57e3

SHA512
33d73b0144de3e1614c9ec60e5d1d6bdd6e56bd2e7ad5c6b3f3f8c2381ad9834a5c5de9ca54a69c0250111ff46d2f3d7ad4f9d5998b36a50cdbce786779119aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XoccoMkU.bat

Filesize
4B

MD5
61a15dcae726f1270c6484b626ab4081

SHA1
1f5dfed2fb70776f51de70979ccab8fdfae6e925

SHA256
37110d3e9f71014800f162c295c518edd5eac28f39716f2ddb59734d7862cc52

SHA512
7489b35092442faa51c239eca42ee9704739c1691dc7f153c9a38df522b940624957e243efd520d9a7fca08771dc2e7a621fa232939b9b0a189bc701e6d21b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIQy.exe

Filesize
485KB

MD5
8d61c155981a2ef39f14bb6b7a74fc1d

SHA1
c9a10a4ff48e414cac83765a480e83e9a277c2f3

SHA256
8a2d5c96689a177de46b1be17d4beece29810ad6f5c430a6305a9735f9de7bc1

SHA512
624e948f1a44a4154cdfa70de1698b90ee24dd1c0274959c04a938810c202b30575ff743c3fbdcafe2a0dd403f23ac8924912f4d2897e1203a60b24ae931ed9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YOosEUcM.bat

Filesize
4B

MD5
c83b6720b4c0634066515e1d44326250

SHA1
69d16e69d628673963209fe7371bf7e9e2901c74

SHA256
7cc6af5870f0935b3a9dc79e0f61d198fbe9e600dc33ea6f05206e928fd8e2a0

SHA512
d823a10c1b4c91875a42d2a250c31cb8f3d8e0d1abc7712be6f233b1fba64a3d28298c6d77bf49ca3f6684343dea5d9815983dd28b6c8b0f3f06914f0cdb4de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YacQkUkY.bat

Filesize
4B

MD5
321f609e0bc0a38f4b6d9a52fbfb6b26

SHA1
1dd0edaf891aded6ece6ba78a3dad37a81446fa1

SHA256
89d7fcb6412c905eddffbfde63dc2af633baff192fa5ae4a8c2400a210dc1e2d

SHA512
84d1fa0beb7dabbab1c8d69a5506fb3e9fc7dcd08606a95b0ff88a06599a4f1dfe038dcfdcca6f529ddd403af0b87be58290fafa45147d17011a87cfdd477cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YukcsgYE.bat

Filesize
4B

MD5
f71af561edce9e53b22c513a2ff64229

SHA1
c8e2b50ac01aaeb39a7862238df77cfb17aa1f8a

SHA256
ff8f9eb497cd9f11cd584c9887a785dbcb07b3b8f9047f703781f9de8434a7b8

SHA512
bb40af62697d3fbd6f94f8a60cef301cc09aeb3b3419ea268919acd613bebb0142299b40d4ddfbb094a517ce2071dc304a7b90327720520a2abbb0eefc53e372

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywgy.exe

Filesize
226KB

MD5
0eeb4bc81e78b4c487469afc39d15b27

SHA1
db57e54720f1a07e1be39bf11d3a9d4a3810faa0

SHA256
b66202e1d96319a5d91bc6df4e225968fe81df4f8337fbf50f4f34287da2c51c

SHA512
f18b8de366ce4fb92920aa2659c5e6a29317aca2c7965df6018d4baabb1aed191de37f13431efb602455f1305a12cf59b60bd05f67351396992d82f03d613b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywsw.exe

Filesize
245KB

MD5
154644aa9110cbbcd07fabcbdab943fa

SHA1
99b027391e4b613a0b6b6f2f30613c7ef39f6e09

SHA256
36ff6748c1d5414b5874f06e72a71865dedb46581ba739a8b22f33453f1f2b0d

SHA512
3fc6772f79c8017b47ed72e8ea74748c2437d7b246ed5d27b850ebbb4b661175401950ce93577620e0d12bec9a01fd19de20793359c7e7f347d86d85f805f6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZGgkkYgg.bat

Filesize
4B

MD5
a87597c99e375ecba2114e26102d97ad

SHA1
26364fe1e6542049a2598ac4c67272c91858c59a

SHA256
e274c1b91638a4d1b82c53449334d6dac249f291d862de959f36774f571edd36

SHA512
ddf9781504836a10a41263d84dd83677584dbed65b32bbf3016229c3e4169ed2a89054171add4fcb427a7c5191573bbd578e1aafbff6a6a2997e0aa3d0816d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZSwgMcMA.bat

Filesize
4B

MD5
62b358ea4de60904e5c4077cdcff2ea6

SHA1
72f05d35d7ee80c15d74b64bffa209de6ff12f88

SHA256
6d504a01b97aa6c1916501174f0ca4b08866269f0b2b2efd2e50c19cd9c7d981

SHA512
b0318c34585368fdd314525e944b44182dcd925a5729acf7f0cb40211b91e66b6f3e59fdadf5632997acd3c3ca680a6e9a60baf01450f8ea4b4345fc69c33b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgQUsMwg.bat

Filesize
4B

MD5
ed452cda1eb7d9ccea4904f3dc0f9d64

SHA1
0648fa9c08503a3ff3c216d8a7d15912312f1e9d

SHA256
959fc2369f57a7afd7549af0aace2372f11dfd92daa1e793c163d9be19cb59dd

SHA512
52c2dcb01dcca652e63ec2c60742a220885bdcf960dc35ed657fc8b3bc899c06ecd09dd60561c630a7515ffdc33d8c149ac7c12fe1b51781317bb777cd045aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAEm.exe

Filesize
222KB

MD5
bbc3581e3b2518cd2a14355c5cfa5bd1

SHA1
0f905736264989e9abe06ccef207f33cd7e0a0df

SHA256
35873c1fc7f9e5fa6422dda41ca98aff816c9cca152710bd601ddb8af8cbd4f4

SHA512
72e2bd9932c2ed3ecae7a639e7dda292782938356b3abdfebc7f4c811fa4424101c30a0ca69c26eeb47b59e0b7e3a333a9c367b8f899001620a0f97ab2ffab26

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAIQ.exe

Filesize
243KB

MD5
017259ce7e76a0d27a36eb2d26644562

SHA1
c055b8ab0d0d47726a0ece5acca380b698f81ce1

SHA256
f8da2872524907ac939a28f3910b74cd9568644e8606091f6fc0abf81a3108ca

SHA512
dc5d4fcb4d7ac343fdc8cb0489fcd3b60e201d101db0b01e844c2c8059033e60a69efebb74813fba9f88565aeb4a2cb080cc866bbc463981ba6f7ac8a541eb00

Download Submit
C:\Users\Admin\AppData\Local\Temp\aCMsokYA.bat

Filesize
4B

MD5
97855767007a262150e1fc36b09105bc

SHA1
7f0732802aae2f7a102fdbe8799e4bebe2508d7c

SHA256
11f5ecbe343b12edefb813a7af93743254c98221426911cdec4d5f0fe87cec7a

SHA512
dcfef1169b6d121c74228ca8d75c25f1135dcf4e02259c583610a5e95062643ee4b01bd6c20d76959973f5e41bb9c9c7670edebe9e599d2ab29fdbc46ccbf5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEMc.exe

Filesize
310KB

MD5
18645c923474188681ef702b2ae243f2

SHA1
bec4e29e5708c93b5224214b591794f761b4d0b2

SHA256
a3fd7347e4852282c0d224d470cd9649e55771d6fb5b6380a4bd0b2f821f66af

SHA512
fd7df166574f8f341a525addceccd09f7434f104f09e21e870fc189aeb34612a480d335080297cde4bdddd0897736c8a7237ea13559937f610a515633ae6c264

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEUG.exe

Filesize
180KB

MD5
ee149babb62f768d9fe4e9d9c9b15446

SHA1
b2aa436eaa92d28fea64aa6d50fdfef04b134c2e

SHA256
75dff339837acbfda1183442abbeca7087d4f238cb1c1ef65bd013b528b1a7fd

SHA512
58bf48a998e097595445236ad50b8c4e2759466aab3320ba62bc252aed60298bc5333d819e4a2f3855a93851752af89bff576e3c0eaa5ff947ab213b4b4017b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEUy.exe

Filesize
185KB

MD5
cf2b0433ae34644ddd56d7a4ed6ce49d

SHA1
09cd3eaade7fc94dc14fbaf17f0e00160ce77438

SHA256
eb7ae417bc40c93de3ca1d5242d5e144184400ee6d17196e5aec1cd72f46b1a0

SHA512
7cf562b04a1bc34497c22939e8921336a66e60cf328ae1ac3436e6a39d521701c1f3741c007057e215e40be08848511623338bac1166f72dd1432b6558ca6863

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIAi.exe

Filesize
229KB

MD5
feca5eac6db8305544c99fb0b44500f2

SHA1
89a66c0af4f115bea0ba9e77a5b998299f552697

SHA256
9e6e93d08f4b7f1ab79e21604ac524f6bff2883f09fd56bf19f4158c7971b69b

SHA512
3ed8263a5438e95221576fa3855797d393a7d0bcff50834c350ba97290bf55470338aa2739f2f56158583cc5ae213f01f4383dce38bcea706629a899cde895ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIoC.exe

Filesize
237KB

MD5
41f132a4c75f4f77400948ef4b98e672

SHA1
04271980b998c9286fd3c290d2f7913c7b0123be

SHA256
5113bd7e037d3fae6c580865e7467a6990391ab060b60253b87a67f89e146d79

SHA512
c3f5739b5a44a28fa43c520902558030b39f72063155c8073962e8f232d55939d3a8bc2deb1d2b0d8ce2b97bdd95a6e220d45a7ccdf70729b2808ac875927b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMYMUwcA.bat

Filesize
4B

MD5
539070cca292df15ca304a37f099ab76

SHA1
fc058effad38cb8947c881f81e9993e569a63a76

SHA256
ea6c25cd0ed1b5fa77602624f8462cbb7eeeed67d41a59b94fb817537baa6572

SHA512
238d690f64ebbe115510d47fac3936b49c7fac78f9a8d48e05d38abd314aaadba718393356b85ec5545ce190148cf06172edab472733906ba3d7afe1e5f7ba80

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoEE.exe

Filesize
365KB

MD5
4dabb12906ac09805059a8751a74b560

SHA1
cd3d28ee0d1ec70dafb221f4894f43cb5bd59399

SHA256
77bb59e665f328e40ff3e2aa8f50160865950579c46682b65ff60878f9c1c47f

SHA512
744f3a89fb19b88c05271a861e45bdd7d2773c0e21d5bbddc23ff4840b760aab305c12b4d98421fd41d084ccfe30f3f95107d72b5dd09ddd42e6c4bf4a63efb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoYAwgUg.bat

Filesize
4B

MD5
02980011cfe756ea87931ed1a1a0b0dc

SHA1
2b7d05ec8f2533e7dd58e4b43996750cecdb114c

SHA256
089865143ade9e219400336985bc303e23b3dadef8924bec4fa9b624747323a2

SHA512
df1d7b4d60afd1988d780c9e6c226700eaabc86d7dbf34c3ff2210a9c1903c77b089f2e166360761bf3cb9cab1dfee0b0f6e1f3826199812724924efb34b0f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoYk.exe

Filesize
237KB

MD5
b4998acdbcd2a07f80a6cf8c4dc47686

SHA1
8b2c10f39028129160e36684e1a96d803d533adb

SHA256
925759e8a8f0d96fb520d988300e9aecfad2cea967fc07df575dd5987d0f831c

SHA512
58cffd6e9fbe4144e054b83fd85a544777d44ede76ca388b9ffe2b7c061c4c641ac90203414e889117048fb4ef9a13d5ef290fbf16735123ac552eb41c9a20d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aowE.exe

Filesize
207KB

MD5
4fa876fc8bdf710a65cb5f78b0ce4c33

SHA1
0095ff7eed802dde2f19825a2929701aa24d4d50

SHA256
71271f7d2c7816615d523f9bcf4ddba2a4c1d1bdfb262677083f4b2e1144c457

SHA512
607f27b1c5affc3476b9004fde4f4556079cd7ab26c4857bcbd0ae3386bb5e3c57b570ef58f06f9d845a4cf312ac512c0d60c2338cd1b74cd98f8f217d27c1bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\awYU.exe

Filesize
204KB

MD5
10de1003ee8f8c1a03075e49286c3395

SHA1
b1c68cac10a4d7082f6c6ed422ebe9c9785cc5ac

SHA256
3a4a3e322f06d0b7f8bded8526c8b85692aafcd58bca9b2ada441507a2500bbe

SHA512
a856c3e18aeea12529c529789bbe01eb28db9f7a0945d2755313a0721b8fa3ac45cfa770cf9cfe7e729b4ba2a15fc0d9cc073a9794b10cb33e15ed2534adb507

Download Submit
C:\Users\Admin\AppData\Local\Temp\awkMcAAE.bat

Filesize
4B

MD5
b0fca05292a7ac0e44018349ec4a5a8f

SHA1
5514e76d963b05faf5e0e61ac8a6c98fba7e78fe

SHA256
65a66848a64af62065357786927d9a5de77bf2a7b02906e65ae1360a74781299

SHA512
9bdd7b8a7fa91d3789ae0154c81203cfd5f2a5e640a03c5a593d526e0d9441c619478f3b78c4cb5148d86438438a9261213f466fdcf57d096407ff45205d88c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGswocoA.bat

Filesize
4B

MD5
23ed59ef4c8a65e86f4f2ec1ab70c153

SHA1
a252b983d9b649b4b40d069d817d88aae99af96d

SHA256
b5f84c143e8c2ec68b638b280c37205642b0c0e6fade386b1a2c1855738f4c4d

SHA512
1f72cc84832b7113ecdf1c1caf46062e3ef8dacc09b8e39db52309bc54e9f1e904f27f67f8e338c6f9f2e9d29e7963612f3470418e7c3750eeb81b42ec320163

Download Submit
C:\Users\Admin\AppData\Local\Temp\bSsoAMUU.bat

Filesize
4B

MD5
487186cf9489b391ef53af8f7d6cd0f5

SHA1
8d14bcb63bac989d2bac100d890002103163bba3

SHA256
42ffca0bbb974976e9c6cece3035e82711b85517fdc668b4148c147b824603d7

SHA512
8e011fc82f8aa530c48581b52ec16b4ab2b3e670dda790cf084b58b326c749e3e9db592002d31eb484414fccf9d1affe07625adecb8f8440395e990e574e1d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\buUYsUss.bat

Filesize
4B

MD5
a05b1e9be69675dabddef1a2f4c9924a

SHA1
0e308276e152a8f7bbd4309fb402714d17361e71

SHA256
7c45ecb7503edb5476c313f934539a616d999bbb7a8f25d61dd964a9f30926d8

SHA512
49a309f534a7fd338a04038344e59ef67de1304863e5996717acdf2b3b9ab81f9971e61660afe981c5e395863310e3ad60de213792aaec9d56a60481db4e26f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAUS.exe

Filesize
187KB

MD5
f3dd9a66004a7ad27474d27014f85910

SHA1
9232dd4b3fa551ec1e342e8dce7ef6b4bb19555b

SHA256
3519a2e96f4b01054c05bd498d10d6a8ea384846950e72a8376b1447283b6d56

SHA512
b341425b018db8f925ff19b2c2f9f60001a2c8c80ad2248901b2f40aca6749e9f63ce507fa68611032cc24dcc6edada296cac03ae4e2a8c53e55cc519a6d4127

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAcw.exe

Filesize
229KB

MD5
d4e8c15f0522be134b39ba0fd0c5ae5a

SHA1
a69b6ab3783f9a860bc26621f46e729c49b0045e

SHA256
3bcbdad7e1a0b18e124e4aba605693a96d421b4aa344c8c4176487c8e4c12d05

SHA512
38b9dfc160494eb1d9f25e4c0f5a686b8f1e4c3d450b41fac41e33f67200919bac7f5911f1e0e0d89ceacbefb4ab0233fb24fece04a211bae7d298695f3f3ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIoK.exe

Filesize
334KB

MD5
d9b112c4572b1fccd6b19eb22dbb1cab

SHA1
3995f943a62471beaac995e826728c18f70b551b

SHA256
00b4ce4981add09054fdc9f6962669f56da1006c1572ffce411a993b8725d692

SHA512
4071dd6a0d1f418690ca267806a7cd66a10bb89ec592ee1e8b9b4a299eda414c0bedba661589a78f751df80e9b87a0e7f80137c63456cce44b617402e563eca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUIC.exe

Filesize
232KB

MD5
8fe5e4533ee57ad5a75823c623594f08

SHA1
13e326d4fb559551935502b82f1385d46f0a4bfb

SHA256
05802a58227cc0329e0474c40f4dca4a99fc77f765e23d18a34daf852a833d8b

SHA512
e7a31b9a390a713ecf892f97255e3a3d9403f5b48053fab48ee9d1428620dd961c2f153f154a443c80dbfc14ec942a5fff873916888f054f921c869b98650b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUUMEwgc.bat

Filesize
4B

MD5
6cd9fea01409c503d3f816df46d505a4

SHA1
1ed06ba834ccd85bbae6dbe25b8ac59c22d0595c

SHA256
84ecd0b180d05031a951df9ad2e8305eb04bd05fac7e00aaeab27de3962e2bb1

SHA512
2e1c19510b1238173ea52cb2f06862b98f3874a843b9b2245d1cf93005f7edfb4401808d1859ad43b70461b1dbd9fa39ef7a32e7a4b12a2e11d8956b3767d7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceccsQUI.bat

Filesize
4B

MD5
54094871bfef4f4d470ec37be5ce3ca5

SHA1
cbf1abb075c7b21d8d806ffdac5b02caee3e95c5

SHA256
b4a5314351ed9ab6f2923c9094e072a59d4ec6c597e9129284385d7551ecfc87

SHA512
4c744dc0d78f7809271ae5b05434418a98590e8ec3866b448cdbae96e74fb27f25c7f058e707294b9310ff484d59d424832680d509400e2340ff9cd92e8d5a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\coEm.exe

Filesize
242KB

MD5
fb6ff6222b06f098bb7611dacea28ee3

SHA1
ebc7972c3063386eda0301b75242a7c8faaac063

SHA256
0c44ee9fc5a0e03d858d43669d9113055ced1b017d945393361b1ed143c4519e

SHA512
5db366225a56c313d6e657be2fa96563022a517cc84deb13ac56c7e99b93318d55bc96ba1a2ceb8335d4995f630bce4855c2d773bc958d489723fcb1eedc48c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csos.exe

Filesize
241KB

MD5
cb25c54669e46fcf0ea0eb158ff10aaf

SHA1
ac1304e0fc738753b7bc434b5d905fdf15d12585

SHA256
9523dcfac5d3efb0e50ed42674e02f7ffd1b21d6e15017dff374172b9cbc894e

SHA512
1766afc7b9c523488b3c1e402ecbd8e8541fede768136ae81064eca80bed6f11f50c4f58e37a6f03ff4ea05a45f4a2793b08b1344a0b599b9a3a851fc1c55c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMYsgAgg.bat

Filesize
4B

MD5
551d729d40646b3af039621b212eff72

SHA1
e99774dc436be14e46046406e5acc3cddfea81d6

SHA256
29445152aac0e2561a33959571052b12b5fe2f7b017d00d74109ca782fd88664

SHA512
fd5fe25a29cbe3abefea61a7c31921a9f3c6bc94d8725587026009ccd7bd91bfb946a81fe624c12480de32268ddac2f8158365c014496c66b1762f9127d8057e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcMkMgMs.bat

Filesize
4B

MD5
96746e082a7c6ffe05761241be82541c

SHA1
6bd1b17a302ff68ecb5264f4cc743026044b99e6

SHA256
d30e3461a1c4049328c8592e6413f32c7357efee9e5d3db9d632c9e3869177c7

SHA512
d206a275a86fba7076cb578ae06479708643c52495f891b08c82956deb4d9bc65b6f5cd22155c8f4807540d651d0a3c54dd7d04b6953925c572c62bef3419144

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmAYEoEw.bat

Filesize
4B

MD5
2182317ac9623ac963ba777caa9f703d

SHA1
ddbc0184a7cb4d876f6ba4c43ec624768f11782b

SHA256
c1b42671c181ef5342599510a78c9bc5be5e91e0b243e79ab6ee7253924ec0f6

SHA512
91f9ed946a63a06c1cc079f891284962c63894f90c968de43a50749e58b0748ff82fcd5f97a6ab55d9a0868c301effdb6f24e1b366f707d8355e8f4c1901e302

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAMUQEIM.bat

Filesize
4B

MD5
5c376752f0cb8444d85e2ff6f5a4142a

SHA1
be18e156fba4c944f18f4e4d70fe3ea49becb3e0

SHA256
31b6f490e623e5d2bb30fd7520204a7ecbef77dad10c2834c8903913441be293

SHA512
2d3da4f1fa0e6055db3824f2a8c1e4c52e641df80aacd0599672d9a2e14e7f8c6a04e5b264d53468a8c543ccb3b7eb50dbd41dd57749f860537a73e018213576

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIQQ.exe

Filesize
316KB

MD5
489d73fc224ca9efdff9b514a2e0e04e

SHA1
f90742d238e5d75bf143a27f6fa5ac4f077c076c

SHA256
b7db4cdd0892e99875599045b990e0517b5b0bb7395bc58231e31005e3dbfd6b

SHA512
6dd7c101fd3dbc9aa4f23e6000756a95a553c99160e4d19914788be60a2432c5f7c08e7d51f385e9d6ed99bf437a04e61413327f0820bdd7b3ff7fd098f527cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQke.exe

Filesize
1011KB

MD5
9c6670259b8ec6f7d4c500eaf5711be8

SHA1
a60d75750c219863418a4530a8af88b2699b5942

SHA256
d8aea857cd80b4e2f42074aa927fae4584eba353b6071552a0742dd68285130d

SHA512
2c4264ee4b22226c925e48ef174e3a372921d89861a7110f1fc1a362cc6f269b3fe381349a96bc1f0b3c42108e26b74eeba01bb51e486878520db89119460e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYsQQIkQ.bat

Filesize
4B

MD5
29f42ddc78c1df4fd0bcd32002db28e5

SHA1
580380e0fe6c4a8fcb492bf19490a2dfeb29189c

SHA256
dfe78092d4a82fa46af8596a7ddb51b2da65b1b9edf12b7df198ab2ed0de0e73

SHA512
16f5701c1597fa2610b14297e635388d2d172e83a5843c167f2e27b660cbf1a1e3cf61ceb2dbb0ed19cb8d5b4b3136973ba8d401ebfba9cd8d9c330fc6dcba35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecIAIgQw.bat

Filesize
4B

MD5
287b43a54698c8c9686f3c494751f4eb

SHA1
2c3913eb7de2b10757fe833ad7b47f4e4e49e297

SHA256
b20910f4f1a7f38bc4ef1f47f37bf4010a53b9cdf8f2b28af4014d92e59920e6

SHA512
fd00bee7815ef51eb7b82546aaf035020e06a37d914b992f88c1750b89f6dd4db8c3515cc3d6e938e1476995cd67d7d7151542c93819b559e4e1b34deeabbd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeIMIoMY.bat

Filesize
4B

MD5
a386183c834a6e7afd02b04d0ee55960

SHA1
2d5af7f5607a716ff1ce040bbd6b1498a92e1dc8

SHA256
93b27063ee39241d10b18039b25b922fea5a263332581ae58a87689cfa05efe6

SHA512
cf92d5e51ec2a9ea193fe227afa864a8071bf496ae1c49089de60e994676c85ada92a7cd31e1337083b58fdb63b3a38e55790b121e1461bbcf5ca6e2aa4eb100

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekkMkQoI.bat

Filesize
4B

MD5
59bfc9c402889c818d47f57e9e74f09c

SHA1
6022299bb587e4653a9b78d25144f6d5b05ecdc7

SHA256
f218c81c5dbd083eea79a4bf6b2cc34ad3d8ddfb23edecff49f523a79fc6ac69

SHA512
74508c587ce5342d6a6d13e78bbe529c1643bc288fd3e55fcc5f18429d098f37205426c070381576ad379ec27d4810cadaca8e08b6caefcf6827c73515845789

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoMu.exe

Filesize
185KB

MD5
0fc7ffd4bfc96028df7d42b1f9801776

SHA1
88897e0955ee9948f69630a84de1e0b0930b3dfd

SHA256
be6eee575fd8bdff86b0ea8746e610725f8af1571eb7c4c8e555e4d56ce78527

SHA512
4822aaa0e382563bac6aa75900db5edd4e6926c42127d04ddde08afaeb64d0c94edbb0435813aca313788cd2c07bd86ad6088fe42c2a93c7112cf079aa1b1ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewIMYcIU.bat

Filesize
4B

MD5
9225fa328487070ee1d7beb0f25e0db4

SHA1
07e40bfb532bdfddaa14b79c707613e9e64b10bd

SHA256
1be34804b0a5ef736f9397abdcd732915ce95cea4f49da4358ad52c8a232da97

SHA512
abf68631374545d7bcfdc754dca46701ab267bd30c867d2c76edc2f4eee91eddda25b09f19845679c3f5c71d4c52d78e87ee29e2708c49b0276a0085f35c68fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEcg.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQgu.exe

Filesize
187KB

MD5
0b5e015c6ce2386f2182fa17558b6db1

SHA1
971a783b74198c95158a538b0fc07bda780e7fbf

SHA256
9026e08e5aedbdb0320e12a1fbb98865e8228e55f41ab41a021dfd347196f306

SHA512
72e5b73371bf37a5751535013ac2da465c16cdc1dcdc99313cfdd7f23c55643ddd602b9ac525ea892668edf65a5fc38fe9cdedcb157717548c42c2808d072f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIIUswws.bat

Filesize
4B

MD5
f3b779c4329513db29b06ae5d524ae2d

SHA1
b5f62bd9264195b67cfe88e89831b3dc8f177c87

SHA256
ca67df410baa1b02c8af9c857dd9406821e710c7eb6d36669d368b0151582d7f

SHA512
27be4d1be5c809484962c7eed605df9129588f7efb5242b24f4ecaf4c92b8b7d38cf35b661cfc41f2b9cb9c2b99ecf8b994891f9db42e71592bf9bcbc3cc60b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMwgIAIc.bat

Filesize
4B

MD5
986a2c82eef880372962d1fc1ed5f8ab

SHA1
57d3a565726b211be70ffa7c700bd3fa708bc06f

SHA256
b5b7b4d4a79368292eec9d12e10bf2e1026cbf24c1c52e43f326d740e39eb0b9

SHA512
0c4c80f4d00119b187feeb990566d85d1e104f699de4a18c95d9648225a69ebfc4f41a2e9b9810524c982b095954a6eb3b793b81be1e597f0daede1439440914

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQQkcwQo.bat

Filesize
4B

MD5
84837b96cf63157ec3207d6cf2e49d5c

SHA1
f1d7c42c986751508c56555b3f1f7963912e1b5a

SHA256
9193bd02d083f107575d0579561074e39c49299f5d2fdf13726f9224900dfd8f

SHA512
26bdd3189d7ee21408f457bcb60ad1d595ec4bae27a4616ab204d6b70a1622d0cc94580ed6db9a195de10ef735d7a74ab41465b8654ee76c521e607c0cb579f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcQUsAgk.bat

Filesize
4B

MD5
96c54d35943142841769764a7c64c4d8

SHA1
7e63d28eafedcba1cd163b09813baf4ad9f05ab1

SHA256
3ab325f4029b190ceecb73c6878ad04d336f96f5712631d91bd256353643f14c

SHA512
69288ce5c6ecd7e18f784e1edfb714ed0c1156c2809881567780813231ba85ebffd36770cce55e242958e2d3e981a9249e478d09fffb9b86f1fe390e7e73e816

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEUm.exe

Filesize
239KB

MD5
da38ad23bb298bd9474b16921c590b79

SHA1
c9b4d3d772c7ce42cea7b3c6b1b595863c4673e7

SHA256
7e0ba751a78dcd31f5d06af26079d07f1e17a3d9e6d3a5c36793090823276ea4

SHA512
442f4f941e0530b942ecf5a4f8cd4d2f439c3ed11f09e3822af2ebd1d3b2c2ca9e6742f1212c832d3619dea07d90852def27974bf4baf35f13fd3b670c97288c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGQogcgs.bat

Filesize
4B

MD5
337c4b9d9a07036ee0e11bae681580e2

SHA1
3c2a9e90647ba6ee67482507bf2aef0a0212547f

SHA256
009f20c982ae0ce5efdfba6e5b609d5ccf5b642be93e675bb2b8fb9fa33bd4dd

SHA512
776e6b88c6d0fcfc4f42e0c301d9a8e832be2f65d01e3174c9fa3bf2961110faf01543f0a16c31bd17c4eac772a278df4b8cb82eec55da65d23344c425df4df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIAcQgEQ.bat

Filesize
4B

MD5
3c5fcb29a1aee0c3a78d28da713c11c8

SHA1
f8ec544a7a3e9c03d2c7cf3c26499d83d9798abd

SHA256
3b0c9a3a321e251ca5252334dba0d456df42e9e5fb447b693f0e2aedf35e7b73

SHA512
75f5bdd418a5b308f60a2e5313c9de3769ff869da76d6a222969bddf293b5b277797df2a28891a2c426639ae0b937d27b5df7849fa431aead209de23e6a7b8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iSMQsMoQ.bat

Filesize
4B

MD5
4034da3d6be1cd1eb8c641bec7c1f871

SHA1
8e1a7a97b0600b6926c8aa859bed9edf74360615

SHA256
3788e8fa76779252f522743516445b629e9886c9426a274a042bf541c5fdeeb2

SHA512
9fbff4c6ca315c0b62b7ac39e4f43f8720a822c9a39171e9404b60aa0106223754f11808753615f34310b981e4f9bbe9577913e22d23a859f89aadaf219ed4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\igkK.exe

Filesize
233KB

MD5
ef0f1c2417e34b58cd56626c11b7842d

SHA1
6e28828fa5ca8fa2bb4e376871747d8ac325fb49

SHA256
53cffb814427596169083700930db4e39d2442dad2547625fbe54e35c9913679

SHA512
6d78b14349bf0233ab8582f810f2a8c036c2cec75116a52a45c9e3445a02408582da78feb9488c74b105a13ad9a47368d89ae5648c2744ca4730a2e3a405bc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioQcIMwA.bat

Filesize
4B

MD5
4ef8228850d53213c5000b76fbeb49f7

SHA1
1016eff95cb9e4e3f1ea47b5a904d3f614a2607e

SHA256
3911733a6c23c9dca341400ba3a54578b71e99f7538e77e2a22ec5898e108817

SHA512
c645239418872f46ab209b12331130b188dfa322c353d9fd12e585e0463d7b36b66e7363380e68ba35c673d16c7588ca5a386b843a2d4729ca1eb02febf69dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\isAm.exe

Filesize
739KB

MD5
b346a5ece5ae42cf1626b7d1fdb4ee29

SHA1
cee0789e80a7d12eabc26b647eddfa70b250ff9c

SHA256
7442ff8249cdaecf97c8fc7c7469cb9a031ff43967549752cb38cb9b9d9fc232

SHA512
8099aa5adaf2372d5058bf9158b24a0110c3bf77325fbf18d6baeaea1ea562f7fd9c2c572ee88c944b5b633fe1e242153d002e8e553a910e66b3df84687c6499

Download Submit
C:\Users\Admin\AppData\Local\Temp\isQU.exe

Filesize
228KB

MD5
b9d09e9e6e76d2456632d29c9ce04412

SHA1
d26e3f63e2f53292a95727ceb1a8bb97202ac2d9

SHA256
6b83d3bfc4ee8560277ed02fbb3fc6922a00db86a70b532a715f0c8e1a630e72

SHA512
3476225f18060770392b527465a2773749f3e40dafcb6fbea0fc3aa86cf17c9e9337f2c2272e9e7dceb2ad34c6739d5ceae9355535ef9e9eb6d8d56efe03da1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jKMUwQwc.bat

Filesize
4B

MD5
3e685ddca6e834d5ea6e68a505b1a9c6

SHA1
04178f48a02d592f71dea56b553413388e1bb2f0

SHA256
5104a498aa34a8d12d325e84cf5b663820e48e626dca336bb0891eeecb854ef1

SHA512
2d9b13f23a5fb2db7f2992531dc196b4e8ac930094b757b0f3c1d82cbc775bd7743ea2a58bcdc7c77a43dbbada9e27a7832868c68340567d857318f9e77c4da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkEoggwc.bat

Filesize
4B

MD5
2d124864b9da8c4029d91869ad274032

SHA1
730408fe59e84c44a46fe18817a7d25d11a3d721

SHA256
d9a56447b32f929cdea124a173e6f5bdd3fb04603a90538b1b64dbba5987b258

SHA512
6e1e2cbfe5cccc8f6f637da04e3e0e2d6c5668f0ec1472174099c42dee3928212943bbb2749115b155197f2c280573d4fdff18aa7dc5f9b96ddccd7692a5b5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jygIgUsY.bat

Filesize
4B

MD5
624b496da43f9702b0594248fdc88d69

SHA1
3445fe8167df9c6a12ae467057ea7e5f7c40e039

SHA256
64f192172aedcbe2351db3e1e102f859e6c46de902cee396b4405ebe97bc3c36

SHA512
1ad9fe4f6da5b722d8e1737489b4babccad60aa95c715e674ad4000a26b1ba01983655faa1b47359fdbb109a5284b25d09093adb8989561b54556eb551faf250

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAoM.exe

Filesize
682KB

MD5
8dac0ff92665070788670ac93a373ae8

SHA1
2e83883dcfb03e5e8a4450fade610b49c0ff3cb6

SHA256
d3ea34acf90a32a0c9edd363bb0316e85a53ee188daaf19bc8370e51da1c1461

SHA512
ea7284040d68d9faacb2fcd0d533a5f4a7d4cd945d49b34028a20f2a2ef17fdf5c4b419f2840a99b46641d8ce044fbf638a05a15c426b65023a6624cd7b62665

Download Submit
C:\Users\Admin\AppData\Local\Temp\kKMcYAgg.bat

Filesize
4B

MD5
c12c64e80925191a7952a98f9e5b9dec

SHA1
e17dd9ba08cd060e773112ee0b8fb564d192e747

SHA256
74a1e2682429a0a443aa09b585c4cd2c2e99523d2732ebfb6e3bd628d865da64

SHA512
791c89f7469e1d60e45829c8e18daaeba738599ea649bee3685a26d77d7536291546c38ea686293c9d1d00cf97368ab13deb615c43930d8a5dd7823f30419035

Download Submit
C:\Users\Admin\AppData\Local\Temp\kKkkcIIM.bat

Filesize
4B

MD5
4272c9ae2343bf3739188d98830f0586

SHA1
a73db672b12538b13e139bae3e89619576f0a88b

SHA256
100a7b075cee5e514b88797393939e90d9ac5f46155ae08f74184657028f0085

SHA512
8e13121d73cba003499907217aae33de63a8a86818d873879e5b75885a08b053813d03eae5cc1c3f969263bcd3b44122129b07e1aa2939cdecfa1b4fd598f525

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYki.exe

Filesize
204KB

MD5
72bd24b4c31baa0fe202d3cb3325edbb

SHA1
95321d444b2eae6b16a93afa05388bdd2493bbda

SHA256
dbf9e9fd5ccfacedd38d83ff29f2832dc4f12f55179d8eea8c586c86e2078c83

SHA512
84521e335eea9561e4420680d84410eeb6fe5fef570cf2563806c3be3b3882e71edd1dcc8305c7e79e110ba3a09b79fda4c71ec1d6d22a6a78e526ae5f1fd587

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcIA.exe

Filesize
242KB

MD5
1ece62fb020f41ebdbaab843f06cd195

SHA1
9df348ad1b3d78baa4afa833c811fde90b190c88

SHA256
178ed8fdca2b7eede3ff05737cefa03b3cdee18db982760162cf9daf64ade604

SHA512
5aeb76b50a262e75d088d46b6f8a133fdcb2e19741bb9920f8ac059f257bb4a2d2fe217f26554b1aca418db2550210bd659f52143558cd3e3603f050ece51406

Download Submit
C:\Users\Admin\AppData\Local\Temp\keEcEUAQ.bat

Filesize
4B

MD5
a4ea08f91974f93a3a39ed4c9373d608

SHA1
e7fdf06a12c482c60af3a5fc26470ad883f95c25

SHA256
ca8eb57af5dc7c461bddb1806fe96cbdd4856abbbb38bce7d3e87941dc3b334a

SHA512
33a48b2f6b959c2832464da20802d7ddd3474244248b9e95b3ae7a26b7dcfe2edc62de9df668ac39c0d98e1b53f1b1fa9288f72e398b08bc737535587b43d368

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgEQ.exe

Filesize
231KB

MD5
bd34a9602721aa6ecf0f975daf6979f7

SHA1
0d8693bdf27926ce5a4fe6d1d4f301d3dc337f7f

SHA256
de09b1032fff5485dc7719578e60243ef936ce7f2c2881eb3d3976f3b78f3afa

SHA512
ca41f98afa5f83f90e680c20a8abcc5789b1adef92e9d7a8a6800328bf035923587ade7f30ee400639ef6343110b5a61345128b1fecd33f1d6cb195aa4c6de6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkIm.exe

Filesize
955KB

MD5
6bc43d1e5d1624ceef301526d01bbc72

SHA1
4a19e1ef282d4c2d1ca3117d2927dac3f79a9a34

SHA256
2da9d98e7dea3c0aca8b4477799c0206350295301499b33603cdd0041b73c6ec

SHA512
673b655c42f69f9e567a0053efe6831173ef9d2762bc152df4172f8e3d5672c760350d07d17e078a376b83336aaff0eecf92060edf9e6d112e00dcaa17d09d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkUi.exe

Filesize
187KB

MD5
fe58a5958a30aabd567256dae6cf75e9

SHA1
1f138a0727b87153b1b0ea3284d7ecb8e40c4ef4

SHA256
7ed71fa7565232da43777e29c2ef6d4abfd3fa340cc913073001f5b175fb7cbf

SHA512
d1f3ed76dbcfe36b67a4f146c0370ef8312fe045eb124585d07980553a1d17eb548b27c86adfd43762f6698bb8d244de4399e283d89750652422ae8f9dc46cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCkkYYcQ.bat

Filesize
4B

MD5
d50e5b6c3040e032d0869b9c2e67b775

SHA1
2187e7c495726d7eff86679f36814d514947b115

SHA256
29353736815a181a57b74bc9ffb590d1d0beab348dde264bfb03bfdd261d57f0

SHA512
94af26c0c6719d5b99ec696b6f66c8c819b1a87a7493fe032819e6085e0a016f3807a65707b238ae390d7eeff8dbe054e97caf4cb249438a2ed2f6ce9137e14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\luMwkQAg.bat

Filesize
4B

MD5
8cf7e38d0b2772dceef77ddcbda000d7

SHA1
e6c06f2e9e096bb9d1631b257161ad82933c5e8a

SHA256
26ae3759dda0133041f5a2ca0ab8a3dc183e52a7ed7dfa76ee6739e06cef568d

SHA512
56ca679c8380796479aba8d65a8e1515651b90abce0e1eea8f9af7c6396c8322f41d4e486fbd785b2a963bd9911771e472758b047b1292006bec5006a20732be

Download Submit
C:\Users\Admin\AppData\Local\Temp\lugogIok.bat

Filesize
4B

MD5
53b3afa5264ea4db20f822976d53742a

SHA1
050c590ccfb125196a895121fdc0cc2f9eb1c1af

SHA256
531e3d45a1e20cc9c5afaab26ecdaeb518cef77cefbd3104aa9d9be6fa8be6f8

SHA512
823ce44b785c0f4488915aac0be1e36378cc3c324bc2c86b7e0243b8e2ad6e4170ee166650284f372bbcc74e1e4e167bc3856fc56ad8ae7c9bce9b9dcd981595

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAYckEsg.bat

Filesize
4B

MD5
df82b9d0614a91bc4a81a3c4878873b3

SHA1
489f4d74459ccaef64c50ffe0577e3d5d0980158

SHA256
275279e15ebeba7b1f6459a56f84b1aa4c9f17442ea417025003292d8815b553

SHA512
a70eb398adf671b8d8efd442d5e6a51e9b1f261175537b1d49ebea988011e681f12cad4d68973f749cd67c02f007321a6d3c59af8eeaf395f0a8fc485fc2dc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAgw.exe

Filesize
237KB

MD5
8e1912f9b2fc0c17eee0622f34a7b7ee

SHA1
817bc381ddafa1ad43154f61c597f4ed77df6921

SHA256
b7963d77ce8cf8a33e4fe25041c4e2dc45494b9392e4d9e28d475d17cecece63

SHA512
d441e00c8fb845c84789d29a63b14053a1d8d64ba5a052acb7c0093a80b0a29346b0eb4825a17d6340d0800d60604f81e356890539ed76f476c3f90a739e535b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQQw.exe

Filesize
235KB

MD5
e05ca880886d82526efe69dbb954671a

SHA1
53c88aad05cf6a30d925f9204dc06bd39de28efb

SHA256
221d5e7da84037334a85eeb4d23d83114a7d586766fb88e779cc0f73f4db36be

SHA512
1f33a503931970daa1ff2a7e6394d978a2764286787da32c49b72a39a1dd4663d7dca36bf63a8a9d7b136d37ed8b31a845756f18b6c90e91bd583173d6109ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQsE.exe

Filesize
226KB

MD5
50f571103ae5e0fbb04188239d9ac21d

SHA1
ee589b3967b7260dc78c555c561ded4a2f863906

SHA256
891b318a6d80a85f211dd31bcfba4dda33e0a7c53a0eb312b5bb597e00aae426

SHA512
845b9c1340519e2139bfbb9f48d9165afd8b42488190fa2d92fb09e339f1c0142a5dfeefcf45b63926c4e92f2e4ba46b3ae580346df4d830c347cfacac1d3a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUQE.exe

Filesize
231KB

MD5
ace7daac9004c1e18cbb6c8c05413cb4

SHA1
6cea87ea25bc86b370efc5b308755a9abe4bcbb7

SHA256
c78bc544900ed6340863aded042be4c4f29ff5b80a47f0bb7592085520e09736

SHA512
61964ab5919c9efaa9960b82407c082bf68c4ddf92cfe7410ffe629a5a1d649e877bf5c29acc6cd9b8f7ddf20cc31aec7128f510d12e077739dccf515f48649b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUsAsAEo.bat

Filesize
4B

MD5
641dd0163a8eb5d435bca69783f90d89

SHA1
4c20af0eb03d2204060699b5521bc16d4e5c6002

SHA256
618272476254f824e216e24810c87ba0a0e424a19c85b4c96ccc505a0c5abc6a

SHA512
772d8ff0020a0064d19c4ef453889cc89519a0439df376d6673763df74599f9c254f6bd7dac39e6e63d927b3b55361a4492fe951f0a4b7f5b266f703a7544951

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYkA.exe

Filesize
192KB

MD5
f17928270d74a4879673d9235950c091

SHA1
fc3b0ee41a0e353d7ffbce9835dedee19120fa0d

SHA256
8b300d27ad5c10d0cf3385052b0bb25be3cbbb5af18753c500d77bf2c2df3f1e

SHA512
5ccb743f3c5e345d32f4ef6f9489637e27860596e885fa09ecf2c2e1d58f543250fd96aab5e3c15a0c727d47523e6e4a78cf5d77300b11e6a0ee54bff8efb58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcQQoMAQ.bat

Filesize
4B

MD5
05e885b1508a1eaa3da5307ae921d607

SHA1
5750753f2e4c5e063c686030427302a3233dca58

SHA256
d69519bcef35134eac9a8dfb40b4004c6f74a357bfd62894ac1ff16a33528add

SHA512
148d75774d87971b353f43778fc01e779546bfee6808dcf7d9fd854d5c6fcc8f7db6b9d7bf2fa7981122a506b8e1e0b3f69d511bc53dc81f5b928d891e6cbf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcUW.exe

Filesize
234KB

MD5
47041561cd671a20c7482274e223a842

SHA1
903a80227f94b256dbc82fc895a9670d2ecf5bb8

SHA256
ba220befca7a5c7e132c2f7fa2668d808362ef3a1d825962e0d3187920eedaf3

SHA512
a3395912a0287657787c00c87d68f00d5385bb30d8e61661b8c7c12c9d4a63d9a2e9d83d0bf4bda5f6f5ff18f1719233b7ad494e3557f2789eee9b7dfdbaf0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcUw.exe

Filesize
239KB

MD5
446d9c634c5f0d0ed49ed68e066db71f

SHA1
8f3e85a3e1d6fc486c936ffa7648f9a7c8577c0b

SHA256
4ea8f82b82671775dbf9d565b1c34fd15ef384da06f53ae165718673e9ac054f

SHA512
cef19a6caaa3ebcf3d946f6170dbe736add9ecb52fed61355894f6feb3a7e94406da782816f527ee90d6d492a5a416a5a94ad9f65b097348397ba23c1f698ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkYI.exe

Filesize
245KB

MD5
dc8b9c15c2795a53ddaedd2500fd4818

SHA1
81618e816c686ffd6241680d1377e01de82a75e8

SHA256
a3af2985331c01e597d77777e8ec1053953f16b1f0ce4b39457c93ab6ac7627a

SHA512
ca23dd7819421130d59cf559ee46379e0fa56db511e8062d219f510c38434d346e68d7dba806fe461976c2b78e9d37db10dcb9ec914f8757f40e80d10c342b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMEe.exe

Filesize
181KB

MD5
bfa741bb3f1294067d60cd2bc99d2c0a

SHA1
45af0967f56c3a5238224fc2f64e6a5d366f2d5a

SHA256
99eebb8a47bf5c9243421b58e34bbaa4f80abd8fff39617ea345b73829103dbf

SHA512
fb3954ca49d94082f95b08eeb1c58ae724062fb409170d078cb5cfcb067d5e7a1e5ab2a50cd0e6151cf816c14e0b941aa6242403dca3b6ce38a4f5c3de0c02c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQEQIIYw.bat

Filesize
4B

MD5
5d58c9511802529c794a4908f47957cf

SHA1
d19c75e64d015f1e4c86f278c0e7dc251a4e0660

SHA256
a277e1731780a5f32e55ef29fa9a628e7e859bae741b0e515132eff79bd51da2

SHA512
e02c1f224220b8dcb4127b686326f40046451c2f2ab3a55fe2a07ba0c93dab7cc9528b01bd505ee3f2ff0f73e85b38621d6bd85b1d4b0e067453c30ba076a70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYUO.exe

Filesize
623KB

MD5
cd5e9f58b797c4fbcb57bbd5d5ec8817

SHA1
5cd49756109a3883019aa11b6e12bef83062251a

SHA256
6898c1cc0fe08c1674b26475d411f83f004284199b3ac556eb7abe8b7b358561

SHA512
897455be2a614accc166a86d3880031614143ca3728f9b4095fd13520f340e18f237bb31c63530d2001e7fe41cff1dccac33897265b874af912678b102384e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\occI.exe

Filesize
194KB

MD5
ee83bd656ca3a4fc3548af6c7dee3484

SHA1
da7a519dcb66be44e8587d70c3bb225dfd4e52b4

SHA256
854163e5d869aecf5053267ab60e27fd6957c562946bc1b39b2e9fa83b1f30b0

SHA512
b20a5ef2f0047b186863b25fc45e788bd901af4c0cd61181676e24deba383ab9a80ad323ac8715481c6893ec518112c8bf04051978dd0ddbd22ea2e8aeb61a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\oggM.exe

Filesize
236KB

MD5
cb04a8f66b589c37f5242618302f2947

SHA1
90d6379485050e49212aa3dc44b9a937be23a625

SHA256
8d75a2c88d7bcaf95b2f93c6391b66ac9f3f8e54de1202ba223b5f0bdba6e53b

SHA512
7ac1dec8970be4a64f54c351851e20cc7044de434b6a59ae3f8ffb0db5a825c31f924968b3b0dbaf8d172ece356c1ce48e0d1179007e8263df748c681cd105d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooMo.exe

Filesize
180KB

MD5
c4380de36f64f5eb54c6e7a8ce8f7ae6

SHA1
e58f3f4c5f9563fbd251a011fefdf5b3ea07d1ac

SHA256
e4629ecb337e8e17dfb850ec226b604c8b1a48b3b87aa67bef05e89335d1a2b7

SHA512
977f31cdb05c6e0a48aef4a1f16d6513cb3621f1d1ddc68709764bc52c8a649c6d108bf8382c4f893257737e8735394349614364370b23ace82986590a82293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\osUO.exe

Filesize
233KB

MD5
7255406d2d89d1c36844018a73d15c3a

SHA1
339f4c232ad7a836a24599172172a8cff79cfc1b

SHA256
4519130e3b2b776709f254201c3f1625ff4b725e935bb45458c1948fd98d844e

SHA512
f41f513461277accd63253f4b721fea46ff91ade20b1c721d17782d1027234a4c9b7ac01de987e81cff66082e3b86356f62f0a01f1db20cd51ce701389fb7f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\pKcooAAk.bat

Filesize
4B

MD5
e1b7ee3b21b882070b9180e78ddae43f

SHA1
9004c851173f5fa280bd38a95ccffa173a2e032f

SHA256
c24518db88df5daa89b01d57df662a9a79efd57891ed65ae3eff9365643dc2e6

SHA512
50c10f4c1687b5553faa9ab6adbdf6cddfc0418dc62003ed9959df761021e91df389c9ee2d5a800863772473c5a6a726b6ebb40165cd870083471273a0e01e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\pskYYoco.bat

Filesize
4B

MD5
e441c72b08240ffe1f39a5d92a9d5094

SHA1
6e735e4b19a4533f6dac390bb36e7577fd460ad9

SHA256
0ef0077f8379da308301427a4ba992ff427b2da2650a45c67f203f6e4dc41f65

SHA512
ae55053a651b6f5033685e5f78a8a3367f1441f01a8eaa517eff0afaa5c7718ef8ac96d67535ca210fb40dbe06419359ec8d583dfa98e165b94445a3c0674580

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUAo.exe

Filesize
544KB

MD5
d60c847a857c8a9b46a2637b374d3ab9

SHA1
9287e19c3b5708ff771a384d757be34f1e387207

SHA256
0f225acee62e1955a13942d2eebb721e2b52902a1a86e0dfab13d995f125fd7c

SHA512
036fbe0062f4dd67da01e4a4109851aa54ffe77063822da308dd3e682661703e9560e5dd14fc661482529d3addccea7940021e91c54d28531116ec34d9487e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUki.exe

Filesize
239KB

MD5
ad818ca26f15931c9985992a5220f4b8

SHA1
9fa236bb87590aae17e366ed76adfbe5fb979c42

SHA256
c3720e66a358dc0fc5459ec71e8ee7902839bf10c9e09481eb35b85b30a04b3d

SHA512
32118caddf431e99215dd6fdbe8ad37136ea5dc7fd7ffcb135ed54489920878556b66f8116a2ed7b254adb0f2ac1fd4b6ca78c981f2fff905916ce164d409a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUss.exe

Filesize
206KB

MD5
5243a1eca175c7620e575dad8bfc8da4

SHA1
1da65ef29f9e91cc176d602066e06b1510b62914

SHA256
517e149db4cd5e56bd45f55b4446574810f7a7af661f9c1df36f5f9ac7782707

SHA512
614a6f4bc2b9d84ab9a1d5f8de97c0023cab5e799bbfc65c405e5d59b521030c963e8f8140fde91516ee0373b9e5190173ca3c48fefb44e48a4982c55f53ee20

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkgE.exe

Filesize
206KB

MD5
b20316caf481a2d1b57c0cbb625cdda0

SHA1
a21d17ddfd3f30f1888b0551826741ea6c002e76

SHA256
4bfd720b86778e92794f850cd511cd76fcd0f913f4e3fda70295378a4af381b3

SHA512
1f26fb61a7d755f53a9dd90ad9544a304debe92632f9ca8e4f5f2a3a70b8f9c24d39c2d724fd4f1c26d90f270c8eba46d85530636e4b33319fae177c8eafb1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoYy.exe

Filesize
234KB

MD5
c5d3f4a7c610b7aae0851b66cbf60657

SHA1
b3ae1734a39c1b45b45affb9997536ab72a0cd9b

SHA256
54c8dca8edbbdc411102b1d31d3f9ad0191c477653f2c889e9aa982b6ac9c404

SHA512
92a76d96dd5f3efe59342ea619f19ac6f06635c3d62850347cdbbaefe4bd58a093e5d82b58f803091fb24a0d45bdc3973f43fb06970cdaecbf7217071adb9a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsIk.exe

Filesize
203KB

MD5
2a5ac412ef1d15b98446a0fde344bdb1

SHA1
a8cbf414f2489e738fd5d15518d337f6ceec40ca

SHA256
1a4eb61c8a128f4c0f4addb39aba7545d21fc9d16ea89adcf4396ff9f99859c9

SHA512
80316695d6d8304762baeca632abdbbc496e096459a090ca0075e6db2e905f153cbc5347252295f56838d32d474136ee7d5d8779e953c6f85c899643c87afa8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rGEoEUQo.bat

Filesize
4B

MD5
001cdd43f8b0dd5b657637cf7c774e6a

SHA1
6cd3b2a7869475af9044a4cdfb2ec4fb7de39504

SHA256
743745251520fcbe880a18992482982a2925a95bb6ba5f514ec4aa9467f4e460

SHA512
79291806b03724fd0a9ac4c33de505da4cecbcd32625e95daa2c11738f38c7b91a0effbe6b69bc3cb984b2673c8e77174efee5a1d52e853fd4bc4fe3b69ca2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\rSYQkEkw.bat

Filesize
4B

MD5
1046c89ea23912ee29fdf2cbd5c4cb97

SHA1
840b56c79041cba9c7e5287b1c4180ef6fb7d76c

SHA256
bb0364256504e76fa373f71ad5cdae6758f4d92aa2ddf109a20f01560c2ae81a

SHA512
e637748dc624701a0a920b574d90d0a5051b6986531638676a2a02f7b4ab7cc88d289cc4fe7bab2c90d11cc3cc4b0fc68428c50627c74e36b6e273fe8d7ed911

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgQkUkMw.bat

Filesize
4B

MD5
e9d9c81aa35239582c4a402f8c9b972e

SHA1
5f4f1760ddaa99490752ba111a538ea9dc83d3ed

SHA256
91595bf52687f7fd218893b3ff42ade8ce21d8138c8ce918d3392a4b549e7198

SHA512
ec01e28ae2603e5bdfbceee20242c5201ed726ba37bb0002a5a403d5588a517c528017d55bee33f620dbc96b6b349aea9cc964d27f15ca2c21ab4de8cb7471e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\riUEcYIU.bat

Filesize
4B

MD5
3318ce72fa918c2c0c413c696d8c3076

SHA1
f43f881b73bf2c1d24d44ab1a63a2fa37643f6d7

SHA256
e118a5d092ac404ac1dddd271d79bbc15b2d93735f87e5240f3c8ab313de3337

SHA512
7884dd8c32e8caba7d559e9b459b0d66e7e21d6f0695f6dc0f8282c249b684931d48a36d04712073db23ebef670605771d4a86528713bc1bf369d472a1465cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIQE.exe

Filesize
214KB

MD5
ee65b3358b92e5fdc152f5a6c3b81838

SHA1
9eb7b6784bd173963ed6174b6a2039375162d373

SHA256
e3df019285d27b227692c4d6c3c580720a1d94957355405aa6c24ce27ef8c6fd

SHA512
1d241358d327db8792114b9a12c7c09bc5389b5649269cc3b41cd15f8e803d07c5e8fa04bac1926c2393eec55b53b7a96f007d487f0125123461e4ea6b4c08f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMoC.exe

Filesize
830KB

MD5
ebc0108af795e000ad1d75b5808c8519

SHA1
a2565cfcd69c75f84c861d9884941bcce79a170a

SHA256
d88bd2b783df008d16899c5f448453760480904a56ccec4c696a27cc11624683

SHA512
37543daf521e5a2ac4accfdaa3d6b917a30707f110af9e3647a6b00790e7969770578f6a0f5837ab61c0494ce094fda1e9507ff2770eb291c4e829e5db852b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQgq.exe

Filesize
1.2MB

MD5
a1c81236be80f7c1d42f043e70ef7dee

SHA1
91841f7449f1ad530afbf9b9eca7941fc8235e84

SHA256
bc4228a74190a376acf9c42f6d970f3343d9e5b2e73a054398b661314ba4bedb

SHA512
ebb7b786f1302b422a4d9ee36297a2fb64a96501f0de110755fecd03e8b1efeb1e26c9b9241070b2a629cc03b19526d7c9f6e6af18dc28b9e08a3c42d1a9ac58

Download Submit
C:\Users\Admin\AppData\Local\Temp\sccg.exe

Filesize
224KB

MD5
61be26204f93246b04e2e33f821432b4

SHA1
3d86c8fec9e489314354c2dc1c0b4b26c1b327a9

SHA256
48eb118a9da5a53297303b766446a416085839c2d6f94292f991b7fbf3327419

SHA512
0248b5717893a22e2eb77e1832041c9b9bafb0b6361696934b24ee64a3831a9918a5c562717459a8603de6996321f1358f371a7522f7041fd80627bb8afee0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\sckQYwss.bat

Filesize
4B

MD5
71b2bddec72c13c5995d7e86d5cbe869

SHA1
48915abff5065e4785af3643ef992f2de5b86cda

SHA256
559344212de249771acc1313c51fb1ce3c0366c9e909aff00990a73d54e4d7b5

SHA512
11e8c8ee716536ce2747b805ab857f3867bffccab74ee9fdc18cd1460becadb255b81c5187fd210b97124b6fa3dc58c77fdf892ea90a8dd2e46390b8064e95c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\seQMAUAw.bat

Filesize
4B

MD5
e27ec28543ad8248bf42d069b615d85b

SHA1
c66c9cd9c6a34140a6b08c30b8ba0aa6dc0230df

SHA256
527c9ff3ca0e8acec24e4588a8314fc653cc75f664feb335787c71d5a4182b04

SHA512
aae79ef1ed8cfc1a55f0ed8f83c8897799835175340cc01e841577e78aa540fe483f5e62f987cc441b7241033b86aea17cf9f760921b85d408a559d7744719f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\skwo.exe

Filesize
240KB

MD5
3e92c28a58bf10d1e4935f653fa09b74

SHA1
856ed81a74ca1e5f7dd01eadb5deebdd8d8705da

SHA256
6ad05fdd965a39e45e1d8f096440af491838b10c832cfd279a9504aaf799032c

SHA512
92e6471b69a1ec3d2af01bec474b5e86f04260837c332d2a9c5f7d0691c5cabda7c1d3fbc38fc2beb430b2af9b3b7ab2be71ff2b7a9d93652e3f731864e7eb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\tOkUwggM.bat

Filesize
4B

MD5
0dddeabf2261cc9cc3fededcd7014641

SHA1
a750973a143ce1f2e1e79eb2cdde817520e7b063

SHA256
105ceb2571e47a3d94832a711177656b3e94812027c7463bb00bffc56ac577a3

SHA512
74e6b75111c11e880350878f9c566e5fab2660584246088d2cef62ceacc3b2bbd0d40a785bc2116bde3c093495fae3d83ceb1021076a9e5448ad623241a0993b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tSMMgsEQ.bat

Filesize
4B

MD5
d3b1ad86ec34739cfdd6fa5812623b13

SHA1
cbea0c37ee4d50dc3d95b430c0ed3acc357b5c84

SHA256
84d89eb3463ad545fde7c28be61a9b9b06ca776051778c859fe71adf20828a76

SHA512
673bb77be6945a949b6f12caa2fdb6e42a2cbdc85f264fe4410a14f8dc59c5b94b01852201034ec7f9f3446348ae3a4661bb8b4466eed3cfc1054cd6d2fdecce

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAke.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIEq.exe

Filesize
239KB

MD5
6849b615eee9ffba38a7c262abdcafb4

SHA1
2daa4987ed1df2fcbcf6137affd20545e6be36aa

SHA256
2970e0260a82f8ffc3b86431dec55f6129670d3d16cfa23e5b7623143b059f19

SHA512
f5984d9f4603b5f323197da373ae07d1edba0e70fed0734ee5d0e4a77fd51d5e285d9416a6ea7e59d37db19643125b24e88c00b98ac8a0c7d3eaa21f8df31f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIMYkUMI.bat

Filesize
4B

MD5
d39b12af3bc06a03cf6f839f31114f12

SHA1
fdaa20d289e37dac97060d729737bff0ae7841b8

SHA256
a2200f0ad8887e5d784876d7824064bfa1e68e1a006d622fdcc4a958cec01c90

SHA512
063f84a56f1de5d3084f1653d7ca3b5cc3be59625abf51a8d442ebcd29383386c2dadcbca36e6053d83593f31f64d456264b2bb5ed55ee4d64979936e6dbe0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiMUcYAM.bat

Filesize
4B

MD5
56adfd0ed4449c0a3cc2ccb6770ab6f3

SHA1
f9531974aafcfde06b294d2abe7ed90d8ab600db

SHA256
1cb2f80e3bb49a369cbb1e03dc4a54895b7da50dc62bb17ce75aafe98b90c4ea

SHA512
0d7efa4550bebfa6445b6fe0c44998f9f6d7cb992c0dff1afa6e3ab21705ce2930c162efbc41ea882ca1300d2f6aa252e1552a7f2c37fd77c57e81a2ff8d2691

Download Submit
C:\Users\Admin\AppData\Local\Temp\uksq.exe

Filesize
240KB

MD5
2e0ec3af9bb2202682ddfd9820a65999

SHA1
3d6a6b2fc152288d9817dce792d674e66d7931fb

SHA256
8456ef2a0c2e97b3ce3041f9fbd717caa4425956f75531841ee45cca07b7b5ae

SHA512
31fc3f4846dc29e1436db482f863ea435a3c250d06c0c0a4e221a13414ebe4b5f66bd79f0c183f6d06a768063218ca2e6f556702c315cb34e7cbb6c842e0d1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoow.exe

Filesize
245KB

MD5
d39e1051d1ca27f68f8e7521073830cd

SHA1
36701802321313c21ba6a2fc643ae60cb7af1007

SHA256
f7e2cd58f7d8794fb84ac6f935d288b93d4c40f93828193cdc718e8599b79174

SHA512
e60836f8be654abb2bfc4bfddfcb7d6f628494ebbc743d9b3b353de55f82a510562848c13c944beb3921fd70728d23f590951d76c1311d30d10ee376c61e264c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uosa.exe

Filesize
238KB

MD5
f7a28fa4a89ba0a189b477797dbb1e64

SHA1
ff89fce891ebd07c89b0036604471c4eeba938e1

SHA256
ddabcf53a7a7e8df42c4ef56436aae3c0410f9b61e07f5879aad7de1f44da998

SHA512
26cda32cecfa088fb9e97f7f22c4cb3dc5326cd72ec092f94d28c30fea9b88bf1fb75a51ad0caa95fce946dfc7da92e306da6c5a6bdbc492e643ecc2d47b2a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\usYk.exe

Filesize
245KB

MD5
b55242dfa37409caf60507851b14765c

SHA1
3c7f679f2d5edd340166a2c0e85bd2f0f40e0d47

SHA256
ac663163921a408225bc8427119b9ce3bfd82d8ff1d5bd95987a312aa9fc209d

SHA512
76c00eedef3bc16e932481955f2f265b9ff7ef21a1c24ee55db32eaa9b829c00a1c6801ffd31c96a87177fab2bcdb9a0c0af6218564918ca7366d8a34dbf99de

Download Submit
C:\Users\Admin\AppData\Local\Temp\uugsgwQI.bat

Filesize
4B

MD5
1530b673733329fefe5b2874c31b04af

SHA1
9230107882f0113398e5da7337db51ee00abc28f

SHA256
d5fb7ee4d90df8b49f1a3383a471db26ab6198ccacc754332d8fef741532106c

SHA512
d2ba8da27fa677f6fb72e901fa479005dcfae30b609ac6b1172e244ac0baab2d414ace61850c6af329db05b7d0c94747e7ffc6d8956bda9e3127dff6fb0c091c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwQy.exe

Filesize
205KB

MD5
7bb684fa452b417231a112ced584b50c

SHA1
ea0a1e006302ea8379ecf27ec9b2e06ceb0d7324

SHA256
c0453093aba4f253e4c75c28bed653911edaced9b5389e4b28ab43a4ff3dc5bd

SHA512
3f9dabfa622914b9863525fcd9b6cbfa77c9410c23c3988b2d2d6c16aa52033569dc950f1ef02c31dd0e161413039827fdc1139e1786917a8730ff81545df679

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwkA.exe

Filesize
558KB

MD5
b6529960a7b300b909209ebc2d9fa3b7

SHA1
701e3f1a6dbdc7ce83fa7a79d378285dda872f40

SHA256
f86d27535666914b56659dc827fb2ea5fd59ead3b53b7da6833dd8039d2f612b

SHA512
d2ea0b916af74586af6e1ee5668f13cd3ad2b6c6e860ab39680490c0f50ef392924d922d3d4a016170f75e43c2ca199c59ee3dc3844bf9ff23999b354188f037

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgkAgYkY.bat

Filesize
4B

MD5
4b8d507597d5d0218dba1959d434d166

SHA1
ba867f17aac1fff6052811e2ee950144eb380ee9

SHA256
047f643be0eeb00118dff830227415247cf8eb3d46f8d5be2b6c1fa5dee23485

SHA512
c4790d24e20feb1af6a6c2288210fc5a5675baece84ca131c67ddaf87563dcc62969fb6b59b0179ac720bf01a4e317850206bad78fdf98fb1667be3a3dd4340c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkkIssEY.bat

Filesize
4B

MD5
ccccb01aa712ad3822f8d65e6208e307

SHA1
1c49d888aa7a5140fb17f6699ad0d64c16b9df54

SHA256
51fae83ca726e8162368b7f55e67523765bceed393016212d1fb890554f0652b

SHA512
2bba85c1d4f4f575fa3e40d5fda789b124c9fdb7a893d98a66cf7fbbf953faaff8111352b3edaf2e624695587e71c7bb7364e90ad5ffdebb0ae1e3583fcadbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwoAkAkY.bat

Filesize
4B

MD5
51b040982b3003352461e5148965efcf

SHA1
f4a055190afad5d594e28dba84d6881cfb64d2e5

SHA256
02e4484c819a4c1d451f782064f1fb564c7b5c30ab5236404f7231d4cba298c5

SHA512
2743d25343372e9079d770999fe58c5cae06cfd65a47e5c962ed9c025e089b40af28824e7d3e60ccf07b2b2904e40797e9f010f5052eb0b30981ec5733605d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEYosMoI.bat

Filesize
4B

MD5
03d89231767fe77a2f740bd7cf52caf4

SHA1
6be0dbcb4ead1cf24e468d177609713edef2c053

SHA256
b611d3388df54363e34998d654d7c3fd64571dd85236cd340e2ed9e85cb69ebf

SHA512
b798999a1e1e7046d3c5d4d379dfd36816b94682802159b283e2996da19dd507ac3cb14dc28c12ae98c734099f097def8bbd9e9d5387cb1e6f954a601f526610

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEkU.exe

Filesize
4.8MB

MD5
85d4f8ca206f6238d8d560b36e8c7d2f

SHA1
1edf6a1d8ebd5330f2bfb7e2496c00ccce723de9

SHA256
65a1e231c4a1b41a8561d3d99333dc23a01e1df787e41746e3d7bd7b2005454c

SHA512
a51cbcb0cef4e4ed964e03618d6cdc914ae10bb1a838fd67ce9e9e079063154b060bcbf627c36527257fc3591a7b824e8560607b9450a65b4f96ba7307649110

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMUs.exe

Filesize
206KB

MD5
39d9235734ff4cc066fd0d5b4f930029

SHA1
4bc09d846f741cdb6b23886f0efe08895cf2a450

SHA256
5b24c3d8f1fbf3c21ce007065b0ebf4642ef737a1fb1d7a0e7c8931bf6b52659

SHA512
f373fafd951398c4e0ee2477a4e2414e7d4dcbdc5c7d2691c8fea1d91feb4bee1a4d0cd1e423dbc3be0ffb5a3cd40c5e0a8fe5ddc0769f8bf519ec012e096a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUEC.exe

Filesize
247KB

MD5
bc6fd1a9589d98c5ba5f107a8adb63d9

SHA1
c4198c1d68dee80e8d8021925a377ea9295d4b36

SHA256
e38a2176767e1f009cada004aa7d4d90e3e348b5277e5b1f72b72b4f27afe459

SHA512
83826660b86c00cfb48bf042f3929b8200a8c51ed9d3bff6c9b9856963836d867ce26339519d305e117103519dc8c86cffbb6c1c88b174cccd5187f511e4abe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUoa.exe

Filesize
311KB

MD5
1a6ac1b13d2ae0029a1b0c302f539969

SHA1
ad87bcb6eec1d36fa72a3c5c36f5beb15d7c5c09

SHA256
a2f3b7cc5147c37cd416c30c492cd8ad895fc2644c6bfcd458f57d0ecb09067e

SHA512
d1834a3c960596cad051d0222abd06d03c42494160cb95e994d8f2135a3bae4011adb4752b9a43c37608538b848b4bbb029572ac9d3026c6b291fb63c3eee2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYMS.exe

Filesize
496KB

MD5
3e9ec61d0a2c9a3fe23e13c89b9dcf18

SHA1
5019e7711d5888f1327c5cb846341db5e9fc5a13

SHA256
0482c6fc8a5db24dd114481fc5e640a3d695b28a9e77c6ab50042ad910cfd835

SHA512
f043b1bbd49d93ffa7b48828b89c4b9c9b01136d84d01aaf14e6ac334ab9f0f8b2f823679c272a4993063df2f05944c55bfb0f2cd6e03b477d4bf8adbe13a301

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgwu.exe

Filesize
8.2MB

MD5
144fab4e6bdacd131bb8c15d6f08ef9f

SHA1
28c571da6de26ce0592669b358bf7f668bb31a93

SHA256
fc0d49e3622c6561d1cc05cc3a3dc951620fcc26c6a35411e118285cc1c786ee

SHA512
4cc36e2b17aae3fd3149724610123e23ff4e11ad7821ce8fb47a00a4224ca85ebe46696439a3fd3e9ae0e57f7d1728e2e43c5a726154393c8e74c44b6ec49739

Download Submit
C:\Users\Admin\AppData\Local\Temp\wikYIAYA.bat

Filesize
4B

MD5
f2a67e9270462625a27aec7285b20954

SHA1
4d3d39f47c29ad3f5517971f4af81e7ecfece717

SHA256
3d6e36603fd9d5408074c89e886cff65fb1740ed0c927e53103c7d251235f199

SHA512
29b051909be75e41e5195c0196e32bbd4f9325c300fec1abdd93b1868bc8c4fc8d145809ace14054a709d68b5e6ecf1ddf3950345e3eb55344453c76c7d36158

Download Submit
C:\Users\Admin\AppData\Local\Temp\wogw.exe

Filesize
239KB

MD5
73b1cf5018991afb012dde2407aee4be

SHA1
83f0b2bd9ffdc5967a89d19d6009231afd865f3e

SHA256
53785cb286381233d6441f269effa1f8ebf54b132ae421c2620491ed41b3f5dd

SHA512
3e92bccc598c917f82aeaadb528017434fa695cec889d4ef67d560d6772c26d038426ea7c8ad1f42a49cecc38b83acb7642fb0c9e9547c99edfebbdc83531017

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqYUgMwk.bat

Filesize
4B

MD5
ae0354fa23db10cd2b1628adf6cdbacd

SHA1
22d62c67319ff37cf87a75ed91294d01d714943b

SHA256
d7c5e00a33469249c0ba844e447a8a6622477e9417b9cfc40895be096ea96b76

SHA512
6c6ef6fc8aad144e67581132b01da390dee9d86f990cdfdfe60beb60509362a342233c6e240b1b500b9780314987b4bda3bb61ff15b729612199f3570e721b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsgI.exe

Filesize
1.0MB

MD5
d391ab1fae6a631f8ea3990d8de3aa02

SHA1
dd592b93acf44c90a2ea5d16ea7c05a1507e4a45

SHA256
3d70226b5786b20f8add3692bd81d9763f2f0d7d85eacda2cbdcfc5212116123

SHA512
fe89cc174dd49277effa46c7e97973899836d904f07d858979e02c1bd2cfdc2010bf6ad186e54d8944589f0c2e6f41fc954f39bdf1d2ba1b4c7b4737230ae08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xksUgcgk.bat

Filesize
4B

MD5
6061258077cef6bbe1ed8ae858655d44

SHA1
fe9f1fdc57c67dc07740675d4e9d6de7b852e745

SHA256
0771de0bd0cad7e0d5f48bcf72e59af03d9981c4c6ae9af5e765776fc87431c6

SHA512
12352176a653d83f91607c71eb226393a35756e25bea148269b8a7529b0871bdabe3a56a2ccb940eaaad5196109047e05ffa97340945c36f36dfae88279e3bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEkQcIUI.bat

Filesize
4B

MD5
9a5645d18095c88bbab474496985a119

SHA1
f2d2a35e9dc6d472c42d225b4ef8ce03846a5f42

SHA256
b8e6809ec6833563c1ab838965da29bd5943d4e837198b401a30ddd76250b685

SHA512
c1818438b318ca44383c40db51ebc92205836816518ce34ceb7e7b0c2766160333c71a32db53e7a20af9713d6501075d9ffb1b2754d5c93b8807258a5f49e87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ySIgYAEU.bat

Filesize
4B

MD5
1926496fe8a69cbf4b2e9281dbc69501

SHA1
c411464ae43a114c70bc10c8aba5bbfc3ec000bc

SHA256
c9ceaf585433e034e37749c386418d370e1cb962a01383c756fe4610e0512b34

SHA512
a1753d57dd8372924ef7c95ad393e64e413213422390872ee22dd6ba0479b07062688cd72ead7154e1fcc7e6d765ff1fff7cf06653fbb579600aa6928ddef03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUUu.exe

Filesize
633KB

MD5
c974d96a61845f3b9e18e24fab8a71a5

SHA1
9ba15a0c469b7392c796cd10236be1c85d330e33

SHA256
28cd8f9634561e22c5ff25e5a3d8d6de9264817a1dc6e5093e37f6b702f205d6

SHA512
fcb8109564b4f0ae29c18e26c343df45af32f3bdf5d8cf2c17d3d40aefc67e7ccd12a7bb64ce6ec35aabf8c75193a50b3d1f7e01e690d2fc4ab18a4f43198073

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYUkQQgE.bat

Filesize
4B

MD5
0f5468317de16b246508d80d888a4ac7

SHA1
91c69bcea17256997310981a976bda294ea323be

SHA256
192037a1689f54b3430ec18a4be149ee923aedb3cc45d4d8bc53fbbfdff0f324

SHA512
723ca507a88850ba2a8fc4ec4fc57eacd461d1725220cb560e5127af895cf5f2dd44d41172dc3da2321209bb4cadca435467500b8d65b46f10a9416e0a7c7520

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygAQ.exe

Filesize
233KB

MD5
d4f597c8ab851919e2ca0ba4fbdb3395

SHA1
dfe2e2e37ad0e5a512f099135620f4483bf65841

SHA256
0bd67728d48dd3eb70442e536aca7d3d12fcdbe154d7277e400a6b228f57d63e

SHA512
cbefd8cf51964cfc8252ca5e4efb8cb667b8194a959089f5c0927a6e82b82db09c61778a2f64eacc7edfe222cba318ab40ebe8fac814ecadb46e012efef70ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yogK.exe

Filesize
247KB

MD5
35b5413e95419438bfd0820cffb90e61

SHA1
ae0a8bc35bc797a79775a855fcf2cd651723d848

SHA256
8dbad621a9f671a8eed783367d32b9210f6455a5702434a0e1cadd3ce20cd43f

SHA512
95fe7146b7ef4f6f740961f1aaecd1959063d567d8bb2fb775dee4a6f3069b49264fa58acd04eaef6366ca2a2281fbea96e01eedae940c719e970e4356d715fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysAy.exe

Filesize
243KB

MD5
32ac9d8fd140c195352bba90a530e232

SHA1
2bcc6342922a31a3304546a6e82efa4733820e4e

SHA256
407b4676cf81cc19871c11686ac142f5b241316b6d00beee17100da4f9d9f955

SHA512
4afcbf486fcdc149d6f321fa056806844e3f81d5b59247e0bf3bc206e9a2300fd0b51f0ffe9479c18c0b8fe918286de5e0cb650b45c5858a3be3c53465f7c800

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywsa.exe

Filesize
193KB

MD5
02c51529d65cbc87ae129a42a5b8da4b

SHA1
7d8da7fb83c838be4da1e55ff507e9af0d21bebf

SHA256
2001d08493d7e90c638b3c764a424bdaff66cc9414dbc8c437e9d2af5cd499ec

SHA512
238844e4d950fb0e5da3d04ec8e63c5377adaaec2ce389a285ccc3a206bd00a7c81aeff172e3c48b6515d844b14e71c2de4ec65ba91b16b6be1b076360a251d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zWIkkYcM.bat

Filesize
4B

MD5
0965f0ce930357bb784d6b75ac057cc5

SHA1
0698b1afbd10bb74f97548e95eabff8d13abb7ca

SHA256
27a9225376d6f7ae23cd28b93d82369f6a29cc4652d6e7a0a9ac19dc670e05b5

SHA512
3bf348b4d6f5fa4977bd923015ae0f334d0a8c4a6f13f9b5c016e70554192e2ef3ea47a0d91b81431a2e53f5605ee89eb0551010545263278a857138c9382360

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwwcscgU.bat

Filesize
4B

MD5
8b43d421079bd85d5a7aebf9247d7816

SHA1
511684749c7606c42b714d2da51a59fe52df1156

SHA256
53a8917ccf46e49c0628faed460b47be9c3130b61bc9c07b17bc2415281578e6

SHA512
b318b00c5c4d74bd5bc8eb22eb933e76c4654ad221144c0585d7c90e7864aa1d48e231ecd8e528a8388e7b08d6c031eb7dac2cf0a9c11edbcffe7ffd05bf440c

Download Submit
C:\Users\Admin\EWcAkggE\cKowcAQc.exe

Filesize
190KB

MD5
6b67f49be6f5b19128d1f20370a7c7a3

SHA1
919e5a0b21b359c3d56b3f746bdf06d94265a4d7

SHA256
f1efe668c3e2c95339d6130f9a8d351319d28e66fc028cc8a8605c5dd8eb04c2

SHA512
1dfa252c2f713bd3d1cae0af8c3d429a77d3fbe054199f1ffbfb405534a2fd96f506467a682611a1ee3114a7e0f707f1c45fa1f2e1a1f6fa27916ac189d9bf6c

Download Submit
\ProgramData\SwcQUokc\BMwoUEsc.exe

Filesize
195KB

MD5
30f277cd2488fc12c3eb8744b4987729

SHA1
d5f5b33a5cd91fa6410b434f709257a719381aed

SHA256
693ec3a6804efdd0bf5daf4994364b87577f8e769c58d0e319f377fa92296133

SHA512
2e44565d3f2a88f450f6174015b6ebc0a056da04a52477d261fdf2c8883f703351e299fdaf2fdcadd4925d346e4b2afa2bfd0e68e75be5df50726d073cceab07

Download Submit
memory/300-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/316-242-0x00000000001B0000-0x00000000001E5000-memory.dmp

Filesize
212KB

Download
memory/568-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/592-521-0x0000000000110000-0x0000000000145000-memory.dmp

Filesize
212KB

Download
memory/760-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/760-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/772-530-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/772-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/776-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/776-541-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-624-0x0000000000510000-0x0000000000545000-memory.dmp

Filesize
212KB

Download
memory/960-385-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/992-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-646-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1020-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1228-407-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/1228-408-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/1288-220-0x0000000002250000-0x0000000002285000-memory.dmp

Filesize
212KB

Download
memory/1300-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-457-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1496-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1496-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1504-481-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1504-511-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1544-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-614-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-585-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1572-562-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/1572-563-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/1660-83-0x0000000000170000-0x00000000001A5000-memory.dmp

Filesize
212KB

Download
memory/1744-540-0x0000000000230000-0x0000000000265000-memory.dmp

Filesize
212KB

Download
memory/1808-196-0x00000000000F0000-0x0000000000125000-memory.dmp

Filesize
212KB

Download
memory/1876-43-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1944-105-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/1944-104-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2092-676-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-647-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-182-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2196-667-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2228-550-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2232-634-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2232-605-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2240-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2240-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-625-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-656-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2296-479-0x00000000001F0000-0x0000000000225000-memory.dmp

Filesize
212KB

Download
memory/2296-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2296-480-0x00000000001F0000-0x0000000000225000-memory.dmp

Filesize
212KB

Download
memory/2296-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-174-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2316-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2316-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-13-0x00000000004B0000-0x00000000004E1000-memory.dmp

Filesize
196KB

Download
memory/2364-29-0x00000000004B0000-0x00000000004E2000-memory.dmp

Filesize
200KB

Download
memory/2364-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-12-0x00000000004B0000-0x00000000004E1000-memory.dmp

Filesize
196KB

Download
memory/2388-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2388-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2444-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2468-289-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2468-290-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2480-501-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2492-604-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-686-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2516-4527-0x0000000077A40000-0x0000000077B3A000-memory.dmp

Filesize
1000KB

Download
memory/2516-4528-0x0000000000460000-0x000000000048E000-memory.dmp

Filesize
184KB

Download
memory/2516-4526-0x0000000077B40000-0x0000000077C5F000-memory.dmp

Filesize
1.1MB

Download
memory/2516-4530-0x00000000004A0000-0x00000000004F2000-memory.dmp

Filesize
328KB

Download
memory/2516-4529-0x0000000000460000-0x0000000000491000-memory.dmp

Filesize
196KB

Download
memory/2604-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2604-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-431-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2648-433-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2656-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-564-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-584-0x0000000000210000-0x0000000000245000-memory.dmp

Filesize
212KB

Download
memory/2832-583-0x0000000000210000-0x0000000000245000-memory.dmp

Filesize
212KB

Download
memory/2864-666-0x00000000000F0000-0x0000000000125000-memory.dmp

Filesize
212KB

Download
memory/2900-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2900-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-313-0x0000000000190000-0x00000000001C5000-memory.dmp

Filesize
212KB

Download
memory/2964-314-0x0000000000190000-0x00000000001C5000-memory.dmp

Filesize
212KB

Download
memory/3012-139-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3040-58-0x0000000000190000-0x00000000001C5000-memory.dmp

Filesize
212KB

Download
memory/3040-59-0x0000000000190000-0x00000000001C5000-memory.dmp

Filesize
212KB

Download
memory/3040-339-0x00000000003E0000-0x0000000000415000-memory.dmp

Filesize
212KB

Download
memory/3044-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download