892c81979c510816baac1fb06806dfbb310976b7258d591e7a5c9ef5c730b4ef

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
Size

326KB
MD5

80e72317721dd6d5a50e52da6cc2113c
SHA1

3426df0c5e67a4cdb8973ade4d8530000808c49a
SHA256

892c81979c510816baac1fb06806dfbb310976b7258d591e7a5c9ef5c730b4ef
SHA512

c139f38d2ab2fba7a9757c9e2eaf5c25fc17a0484a7b4a36962dd5ad8d9fbc43c3a1a302572aefe1674e05e60f01633dab249317732b8e99fac47ec4fe4368e1
SSDEEP

6144:zxcBFEGDfWhgerC8eenWJB129tOoxhVqFg+vEEzBiJDySBfa4K+N3z3obq2:zyEod6BoJB1I/4PETDyLR+N3zY+2

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (58) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation	YScsIEQY.exe

Deletes itself 1 IoCs

pid	Process
1644	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2740	YScsIEQY.exe
2744	cyYEcwMQ.exe

Loads dropped DLL 20 IoCs

pid	Process
2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\YScsIEQY.exe = "C:\\Users\\Admin\\gMUMgIgw\\YScsIEQY.exe"	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cyYEcwMQ.exe = "C:\\ProgramData\\oYQkoskE\\cyYEcwMQ.exe"	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\YScsIEQY.exe = "C:\\Users\\Admin\\gMUMgIgw\\YScsIEQY.exe"	YScsIEQY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cyYEcwMQ.exe = "C:\\ProgramData\\oYQkoskE\\cyYEcwMQ.exe"	cyYEcwMQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3052	reg.exe
1708	reg.exe
2756	reg.exe
2688	reg.exe
760	reg.exe
2364	reg.exe
2964	reg.exe
2324	reg.exe
2056	reg.exe
2772	reg.exe
2016	reg.exe
1544	reg.exe
112	reg.exe
2848	reg.exe
2552	reg.exe
1720	reg.exe
2380	reg.exe
1940	reg.exe
1868	reg.exe
1904	reg.exe
836	reg.exe
108	reg.exe
2912	reg.exe
816	reg.exe
2944	reg.exe
988	reg.exe
600	reg.exe
1648	reg.exe
844	reg.exe
2704	reg.exe
2620	reg.exe
2216	reg.exe
1272	reg.exe
1860	reg.exe
1212	reg.exe
2860	reg.exe
2736	reg.exe
2852	reg.exe
2612	reg.exe
1004	reg.exe
1088	reg.exe
1620	reg.exe
2696	reg.exe
2608	reg.exe
836	reg.exe
2132	reg.exe
2196	reg.exe
1412	reg.exe
1440	reg.exe
2556	reg.exe
396	reg.exe
2904	reg.exe
2292	reg.exe
2292	reg.exe
1980	reg.exe
2540	reg.exe
2736	reg.exe
2536	reg.exe
860	reg.exe
964	reg.exe
2488	reg.exe
2796	reg.exe
696	reg.exe
2340	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1764	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1764	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2008	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2008	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
108	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
108	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
3008	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
3008	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2880	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2880	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2288	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2288	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1372	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1372	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1596	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1596	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
832	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
832	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1440	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1440	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2848	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2848	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2332	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2332	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
780	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
780	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2732	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2732	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2676	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2676	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
3008	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
3008	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2896	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2896	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1244	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1244	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2828	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2828	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1924	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1924	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
448	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
448	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
3068	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
3068	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
3052	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
3052	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2640	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2640	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1196	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1196	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2536	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2536	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1584	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1584	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2864	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2864	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2664	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
2664	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1876	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
1876	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2740	YScsIEQY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe
2740	YScsIEQY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2740	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	30
PID 2316 wrote to memory of 2740	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	30
PID 2316 wrote to memory of 2740	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	30
PID 2316 wrote to memory of 2740	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	30
PID 2316 wrote to memory of 2744	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	31
PID 2316 wrote to memory of 2744	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	31
PID 2316 wrote to memory of 2744	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	31
PID 2316 wrote to memory of 2744	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	31
PID 2316 wrote to memory of 2708	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	32
PID 2316 wrote to memory of 2708	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	32
PID 2316 wrote to memory of 2708	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	32
PID 2316 wrote to memory of 2708	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	32
PID 2316 wrote to memory of 1904	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	34
PID 2316 wrote to memory of 1904	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	34
PID 2316 wrote to memory of 1904	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	34
PID 2316 wrote to memory of 1904	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	34
PID 2316 wrote to memory of 2764	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	35
PID 2316 wrote to memory of 2764	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	35
PID 2316 wrote to memory of 2764	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	35
PID 2316 wrote to memory of 2764	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	35
PID 2316 wrote to memory of 2756	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	36
PID 2316 wrote to memory of 2756	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	36
PID 2316 wrote to memory of 2756	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	36
PID 2316 wrote to memory of 2756	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	36
PID 2316 wrote to memory of 2620	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	38
PID 2316 wrote to memory of 2620	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	38
PID 2316 wrote to memory of 2620	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	38
PID 2316 wrote to memory of 2620	2316	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	38
PID 2708 wrote to memory of 2176	2708	cmd.exe	42
PID 2708 wrote to memory of 2176	2708	cmd.exe	42
PID 2708 wrote to memory of 2176	2708	cmd.exe	42
PID 2708 wrote to memory of 2176	2708	cmd.exe	42
PID 2620 wrote to memory of 2824	2620	cmd.exe	43
PID 2620 wrote to memory of 2824	2620	cmd.exe	43
PID 2620 wrote to memory of 2824	2620	cmd.exe	43
PID 2620 wrote to memory of 2824	2620	cmd.exe	43
PID 2176 wrote to memory of 2128	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	44
PID 2176 wrote to memory of 2128	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	44
PID 2176 wrote to memory of 2128	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	44
PID 2176 wrote to memory of 2128	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	44
PID 2128 wrote to memory of 1764	2128	cmd.exe	46
PID 2128 wrote to memory of 1764	2128	cmd.exe	46
PID 2128 wrote to memory of 1764	2128	cmd.exe	46
PID 2128 wrote to memory of 1764	2128	cmd.exe	46
PID 2176 wrote to memory of 1372	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	47
PID 2176 wrote to memory of 1372	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	47
PID 2176 wrote to memory of 1372	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	47
PID 2176 wrote to memory of 1372	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	47
PID 2176 wrote to memory of 1908	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	48
PID 2176 wrote to memory of 1908	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	48
PID 2176 wrote to memory of 1908	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	48
PID 2176 wrote to memory of 1908	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	48
PID 2176 wrote to memory of 1464	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	50
PID 2176 wrote to memory of 1464	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	50
PID 2176 wrote to memory of 1464	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	50
PID 2176 wrote to memory of 1464	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	50
PID 2176 wrote to memory of 2328	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	52
PID 2176 wrote to memory of 2328	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	52
PID 2176 wrote to memory of 2328	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	52
PID 2176 wrote to memory of 2328	2176	2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe	52
PID 2328 wrote to memory of 2812	2328	cmd.exe	55
PID 2328 wrote to memory of 2812	2328	cmd.exe	55
PID 2328 wrote to memory of 2812	2328	cmd.exe	55
PID 2328 wrote to memory of 2812	2328	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\gMUMgIgw\YScsIEQY.exe
  "C:\Users\Admin\gMUMgIgw\YScsIEQY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2740
- C:\ProgramData\oYQkoskE\cyYEcwMQ.exe
  "C:\ProgramData\oYQkoskE\cyYEcwMQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        6⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        8⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        10⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        12⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        14⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        16⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        18⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        20⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        22⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        26⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        28⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        30⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        32⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        34⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        36⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        38⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        40⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        41⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        42⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        44⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        46⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        47⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        48⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        50⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        52⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        54⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        58⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        60⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        62⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        64⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        65⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        66⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        67⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        68⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        69⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        70⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        71⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        72⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        73⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        74⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        75⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        76⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        77⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        78⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        79⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        80⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        81⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        82⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        83⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        84⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        85⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        87⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        88⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        89⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        90⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        91⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        92⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        94⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        95⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        96⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        97⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        98⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        99⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        100⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        101⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        103⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        104⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        105⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        106⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        107⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        108⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        109⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        110⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        111⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        112⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        113⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        115⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        116⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        117⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        118⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        119⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        120⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        121⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        122⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        123⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        124⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        125⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        126⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        127⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        129⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        130⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        131⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        132⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        133⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        134⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        135⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        136⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        137⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        138⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        139⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        140⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        141⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        142⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        143⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        144⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        145⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        146⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        147⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        148⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        149⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        150⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        151⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        152⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        154⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        155⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        156⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        157⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        158⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        159⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        160⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        161⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        162⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        163⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        164⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        165⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        166⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        167⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        168⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        169⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        170⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        171⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        172⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        173⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        174⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        176⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        177⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        178⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        179⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        180⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        181⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        182⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        183⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        184⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        185⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        186⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        187⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        188⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        189⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        191⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        192⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        193⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        194⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        195⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        196⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        197⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        198⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        199⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        200⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        202⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        203⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        204⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        205⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        206⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        207⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        208⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        210⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        211⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        212⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        213⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        214⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        215⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        216⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        217⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        218⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        219⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        220⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        221⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        222⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        223⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        224⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        225⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        226⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        227⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        228⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        229⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        231⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        232⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        233⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock"
        234⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock
        235⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\likoYsAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        234⤵
        Deletes itself
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWEgsIkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        232⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LoQsUMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        230⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        Modifies registry key
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwEoEAoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKYYcMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        226⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwEUQUMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        224⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsYoIgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        222⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WuIUgEYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUQIcMMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        218⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOoAAYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        216⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        Modifies registry key
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JKUoUEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        214⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JWIAsUss.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        212⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lyssAkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        210⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies registry key
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oMAskoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gGgkkIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        206⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ucsEMQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        204⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GaYMkMUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        202⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aakcksQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        200⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAoYQIwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        198⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vQIksAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        196⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWscIMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        194⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LEgkEAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        192⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqYMsAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        190⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oeEQIYAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        188⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\smEcQUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        186⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ueYEcUIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        184⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMEQgUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        182⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jsYIwYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        180⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rSwwYssw.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        178⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWUYkQkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        176⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RmgYUUYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        174⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pekYwkEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        172⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UccokQgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wOkAMQco.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        168⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\saEkkIYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        166⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sEEkwAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        164⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JcQQwswE.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        162⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hOYQkcYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        160⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nqMQUMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        158⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tMwcYgcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        156⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwEkssQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        154⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oOkQgwMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        152⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UMIQogYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        150⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEEQIoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        148⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCkgUQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        146⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAcIQUko.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        144⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rigIAoko.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        142⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeEUsEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        140⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GuUYIAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        138⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YyMAYogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        136⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oskIUcsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        134⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\maAEYkAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        132⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUIEgAAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        130⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HMwYskUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        128⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies registry key
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zwkQcQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        126⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UOoQAAUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        124⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYgYUAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        122⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykIIkgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        120⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yiUkAEsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        118⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RwEwosgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        116⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgAsMwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        114⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JSEoAgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        112⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NSMYMgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        110⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EwAEEEUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        108⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\icQIAQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        106⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUIwccoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        104⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AwEAsgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        102⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYAkkcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUUQQsIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        98⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lEsQAIcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        96⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FWsQcUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        94⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYgIsgIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        92⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uywUcYsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        90⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eskcEUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        88⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\REYwkEME.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        86⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jkswoYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        84⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BUEEoEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        82⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rmUUQkoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        80⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YaIYwUUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        78⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqIgsIsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCIkkcIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        74⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aEcgwcYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        72⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HsQcsEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        70⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZyYQUkQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        68⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKsQcEgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        66⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zIEMQsUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        64⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aioQwcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        62⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUwgcYEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        60⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ioQwIocE.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        58⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QMAIQAYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        56⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lekcscks.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        54⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DsQwsoUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        52⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TykIsAwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        50⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bQUMowMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        48⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qSgQkcIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        46⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oYUwcccs.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        44⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kyggggoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        42⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CoMIgYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        40⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TysEIQwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        38⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pegoYogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        36⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bkYosUkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        34⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DoYwQMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        32⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUwEMwwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        30⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yEkwgEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        28⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgQYwQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        26⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cugcgYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        24⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tGAwQQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        22⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PcEIgAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        20⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XAMAIcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        18⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\byEwkcQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWMAsIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        14⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OWIsUEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        12⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uMsMcMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YKgYggIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        8⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1688
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2224
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2220
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2424
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BuEYswMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
        6⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2452
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1372
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1908
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\fqUAUwok.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1904
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwgwoEoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1058574244-143433584619307603-149257492014135116075372685662094088952-700469352"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1112513204-1442629492152407409732394190510498423811678601312-1148863530745685545"
1⤵
PID:1888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1932501538169409496-57135712917464761292057153140-206495113-6167271131102772451"
1⤵
PID:1804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15288790851511537427-1797716513174468236-1164884209-1444794619-7056949471608888427"
1⤵
PID:1860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1078218769-6411972021230373724166612517-894818600176760113116214867461384763240"
1⤵
PID:2212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3952845491556199015-460327516938557635-15928607974319532841465746016-1968214750"
1⤵
PID:600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1757384959-147935108713067347891667038057693142352162365406411667044591121359216"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-770696-1641438732-833047719-1654551174383724160-1877345358-1373127053-502692929"
1⤵
PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1102512532-282424641305497867-325542902-13920913622108442037-20700824911099957287"
1⤵
PID:1080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "603947487-7896564294658168-209695867512122345851174406061-759714387767853868"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1074346038-94257113712456376411584804215-131386796418862727901861476441258108930"
1⤵
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-453719533-131936689017916504241252389599-1286313394-1934199324-623824446-1080458705"
1⤵
PID:2700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2947960224178012281053210543-828430897982103231-1527888281-2068763757619202697"
1⤵
PID:316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "454592425-173664719524717267-1989684041-12051023641092427759-217875872-1756884424"
1⤵
PID:780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "673964608-1851298755-158768438819687978561590220747-71189681-5138683771704528088"
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1139728151-4902406031931297321-545991170-1855164566945700933986592991133825874"
1⤵
PID:2316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1952327614153665057-1040865541-634082716-17781525571556336467-902830685-470512590"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1709212243-109736752540404293352099395-178232402420305739841238324642-22341549"
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2090944898-117255118-12587090221103151969-724759995632793454-19125640761976083774"
1⤵
PID:1428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10495486681444392041462591598-647311924-2140842891907301513-18744663271183358399"
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1380145217766891594-1459820085-982275123-7680682286017241527853873921865118688"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-877259487560957471774000197250820094-2013966851-1362136321638076731-883085445"
1⤵
PID:448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2121562929-2125999515-17677527028073721311117533029224554276-1792709793-513871563"
1⤵
PID:1376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21344163581084995929-110408623217937990322063805887298324587-24185958-1608756161"
1⤵
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "126681554124067706718312910021506323160-10218761330797143-12914988241626494430"
1⤵
PID:3064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1412023582-1657366353-106046435-8933823701758686162-1746915158-16931330241078911847"
1⤵
PID:816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-160755273411074710272041313114209295880-1236479168183977129519693264611233147765"
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-22660293018011326281419733391-428527175-545544936-16905850301574749416-268907202"
1⤵
PID:1544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2516575451660126826-644032655-123725821-1899056265-1881893349568682501-969791633"
1⤵
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4697010489032576141475186134-19875461681465944285843417845-2218941171883252343"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1700333165-1808820338-6036747661363641439-8735128331053116570-990813819-1953923876"
1⤵
PID:2880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-864585690-2097718225290402346-943457066-1272960743-1169174096713067336-1415568092"
1⤵
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

Filesize
235KB

MD5
c9b19d89b177e364e3501e0602c59251

SHA1
4cf8e8e7e9899920975b4861d3987019398a35ec

SHA256
2e4fea3d8fdbda050df58880cf9a51a733a5e570e321bcdbdd0b34049f5a36d7

SHA512
f7ed0305eda8e0e00f625d3dedd132b88549f48c77b96b6afe54c06140f95924bb73c00d36cff9dde7c1eeb394367fb916c3ad5e5430b753ce830cdcf2f28c40

Download Submit
C:\ProgramData\oYQkoskE\cyYEcwMQ.exe

Filesize
181KB

MD5
c39961c45f6c1dbb31c9127296a59c27

SHA1
ee1d1e2ecfa2fd03240989cfa897fa8b54997f8e

SHA256
5befbbe8c12fc2a121bdf2605db4cbc462505f61aebc09ac9a8875dc7652fc54

SHA512
146f17be54fb8a9b1e3b813d48785ab76b6f0e8e0a2c0ef8f5309a3cee72bc6d956b66f302db724f559f486c0fd7e6d82bb5c881e41c766541628f4ab465de99

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024092080e72317721dd6d5a50e52da6cc2113cvirlock

Filesize
133KB

MD5
44c21343f98016024a887d939b9c4f22

SHA1
42ae71b6101d6f2c474b6ab817af3e4da5b79384

SHA256
b261543f310d2784e8e1355cdc41de2b9c838b87f6266295e67550f75ef63851

SHA512
1fb4e79477486464a8ad9447f07b058fab75fb6f9f64dcc7efed7cce3fd92515e91c26033069c9fa15d2331b446b5d7d1eb708a095da346cc59210e7152df0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgAk.exe

Filesize
633KB

MD5
8c0f58e5b75dcb230187b31f18edf231

SHA1
817c0806a1e828d447629cd0ed4444f67fb9b45f

SHA256
a114b30a571b3f320c8c82fa9cb65c5cf8b24ca26d701b795f888954c7eaafab

SHA512
51b875fe4654d0e18953a82d81ca67b96687206686b5ed241b6a5a053bf738fbead7b9dbf05b63cbee1c3c1a407ad7312d3b115914c26949f32a01bc274d22d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYy.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsEwAwMM.bat

Filesize
4B

MD5
a6a7711b419992d4a3dbf19200a95830

SHA1
06369913bf39b910e50f5158f3c14962e8333ff0

SHA256
0672dc24cd1a3d512da86d423990b589ff6910eac75e41c6cee38aa5df89ad66

SHA512
ee50427e0e3862ed74281665c44dbb682a0dffe63fc22b729de2ac47b64ecd1c7904e11237ac7d32c8609340d277d35e1a7e5403cd8ac664e3db1454b4b85986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asgs.exe

Filesize
246KB

MD5
08868f37c86b7103fc3f4e4712c0309e

SHA1
c9b7b0886a57aae4fcb855e08a342c0a5f18f3a0

SHA256
c7ec0e9ba3b3f77b7ebca0a6ae007172d6831782b577cf891ee2aba94d78c4c8

SHA512
58ba444b4010665b5fd804347d5276c57863430ebe936a32d00e6e295b557bc3e4c6b12e0901ae94654d7d13248c8c548ecadc89656d54f1e5ec563cac838c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCgQEkcQ.bat

Filesize
4B

MD5
223dce0c2c5a4d96489cf5308a2d024c

SHA1
0a2960f5c767b25774b68a9192e3d981a951f094

SHA256
c5ec47ee3f8e1df0da65bb9763c0d4215c8a1b204318895e6583b6fefc3c17ee

SHA512
fdf68a98ef088811a07c00410312d0af1938632dd14427c69ea2c23f55144b70253880232cf9bcb5fac21b9f29eb816927b69c347756dff55d0af4a0b55e3a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEsEogQw.bat

Filesize
4B

MD5
8d63de90d962b580893c9c8b4cddce1b

SHA1
43f74c3b1c20aa2b7df484b6bba46a392e4ab3e8

SHA256
42ad9d529753560466f36461cb7499020c5ebc7e421b52e8f5fc34616bc6b394

SHA512
278af15e441a10d5eef8afc77635ec80891333256aed13ee97aafa645952c2fd8c474399b50df60aad0f9cc2a2ebaca6b8f5fa089838cefb79563c7a61c7f932

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQAYEIgQ.bat

Filesize
4B

MD5
d4c7242fb575c68a7ef1b8f8b113421a

SHA1
c1fb666181787f81d6fd6fa1a4f43496174c6629

SHA256
a7087a3b632500d4ac86a9d6680c86620761e625192b21d47226df685e949233

SHA512
daa936e541d4e55de7af3e046d6eefe2d6dedff802beaf58d5dcbb551c961fa2eae75159232bbe213ec524539cc643554fefa659db9449b6f374ecb681530e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQYIkQoQ.bat

Filesize
4B

MD5
9269d10759be290af7e7dfbb123e1fe9

SHA1
0b8ce52c31ea8e7256387ca781297ff696ab773a

SHA256
58448d912ff671ace47f45f4a4a8f6a4988cefb74a9be23461952a561af63932

SHA512
0eda899aaf6722c5fee9c6239e02d2f03c4e46afa1c8e8014d5a7fd57599d433e57d9c7b61bbcabd173e2d7ce95d63186b4be9775b160c9103a208a53ddc0f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\BaYkcQIY.bat

Filesize
4B

MD5
d679f1e8eb2bc0e08da50ff5edacdd2d

SHA1
6fcf5559ca78759a78baf329637cc91dae28276b

SHA256
745c355dd15389d9f6cc6edff1e4f4455d66aac0b59fc6e7b8ae27534ed732f2

SHA512
ac7c246a26782e69fb8065d5d2b36fc3a2de5e633e8b06e0a1e241ae0ae389413b3ff7118490af062c4412508e33ce8036ec957fa850cbc1c4c2e9f8d14bfd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAko.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMEi.exe

Filesize
227KB

MD5
21aa1b0f62258a197eba4c35e45ba544

SHA1
e37c9b2696a499ddea09e39e3e85f7517ab1857b

SHA256
465bd687f1541f4dafab7d600ef7e24692605390cef88337d04197ba6c546828

SHA512
6ed7b1883cc314923dda7ea23ff26fd153e8094c40683dd798b7cc7d157b44d32568896da62cfc6501a0b17132d1977bdd20ba7009c94090ef287d0cd0203bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYwg.exe

Filesize
1.0MB

MD5
40cd1590fd3d0529ecdf87e4db12f5b3

SHA1
545f85023d9cb4ea6f7053b12dffe919d520cb29

SHA256
7a7ce3d5b4b630ed120487d21594610cb0c07f9dfc194ff2ac6bca4da2a3b464

SHA512
0fa28d474c750eeafc7fa6ebe219d9426297c2cb717eddf641bd47d92d5c162e7abebad8bdc3e1a98e4db13754e6f8397526b0f8790dba5363dffabd5a897b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYwy.exe

Filesize
201KB

MD5
ac99003377df0c632a17e165e4127472

SHA1
245a8fb9f4bbb846fe881a6cc88faf02feee3abb

SHA256
c9fc12615f603b9540bfeb188e6c7a097dc867e7b2dd17174db4a95911e775ae

SHA512
3d5e65c6d0c48dda2322ed51e80ba5e24595e54161e1cc0918a5b0a1fbd293df1216362de60054dd9fc2aa406a0b523a59a9a5cd49b508c9a26134fe44cc2081

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeoggIgQ.bat

Filesize
4B

MD5
74f601e66ce31684b82824f20c750861

SHA1
92ac859e5bb62c5f53e11a592a529467f77e06ee

SHA256
cc193971084e8500f74acfdb11157e15b65eef52f33228a5d209ba1510a19862

SHA512
b555d547bae06fd4946fcfa937c553dc2d464e595b53d64b575af0b604a4a812cffef135221dfad41a22204b6d424b72477be3c0c4899950250b6beeb0bce878

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoAM.exe

Filesize
249KB

MD5
47181d52f94227ae9aeef2ae0d5c863b

SHA1
c6b05ec668fd52635af5d7c95ee809789b93b3bb

SHA256
8cb9313f2148c0f223686c8c0473b24130c5c1e917a62f81030559fbb551bb81

SHA512
4f7b6c6540a7a4d54ef89ccfed847eb58fda9d3b0f3c20da8bfa5bb35de5cf1f82551990515cb00bbc424866fc48f965dfaa71a63d769c6f3eea765212c53d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\CqUwQwsM.bat

Filesize
4B

MD5
7962ffb31e926df251b6c85e98aa4d17

SHA1
3fd7ee3f3f65cf31afd2ae9770f229724f3401e3

SHA256
83245f188424791286119b60f03a22bd322801bdd5a171c4c085c529258de699

SHA512
654dc3f6588dd7690434309628663487e55b8d0b34fb408a5a2aae0e95bb806e87f935e396a4eff580ba90ae50bcc298c089288ae29c98ef0bc24bb0217b443a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsYe.exe

Filesize
239KB

MD5
47c3ffea464046c034c2186568627f3e

SHA1
4e2750e785d5ebca120854b217188e1579d020b7

SHA256
dcaaa18f786927fd0e0a55e2a1b1decd47fb1889d22338496472a44646012e8d

SHA512
5c144a5cd1b791c879964ea882bd0ec2f73192fd295cdcd377d22cb141c0b2bd9c9a1f2f9f98500fb32737e2853e07b2d8b19e7bc34bb66a0eb64ca9904ec175

Download Submit
C:\Users\Admin\AppData\Local\Temp\DoEckMEo.bat

Filesize
4B

MD5
b6945c73c942cfae68d9caaf27de7fc0

SHA1
ade87f81b847a3b5d4263ac27206bb5afa8b9a24

SHA256
efc96795a432a440a41b3579a56f20adc63bfc0f307026dd8b0bb611bbf50ada

SHA512
1c10e2644c9dfdfa95d8d4f65577136fbc80b69c881282cdaa58eed38d277b6302ace900f33c0e112040795fcc5a8d63adfe40ac737d7de3b32d150435236726

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIYAssgs.bat

Filesize
4B

MD5
f276e4bf3a521bdcef6c9154d80cb502

SHA1
d19d0bb491c87045e55c8f877ef8ae4c3a45fe39

SHA256
b26600e496251e2f8732e811dd07d43046edd63a0c19598419ce3ee693169ec7

SHA512
d5af1302bbd6b5feb38ab551a41a4728ee3dc0a5531fbfd39a1b66d110cce0f7e2fc95ea835e05b2d2ceafb035937e4db9bbff576f4e180ed223284dc3d6aeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMckkQoU.bat

Filesize
4B

MD5
cb12e407f7b0e0b8192cb46d7911009d

SHA1
3e060bb0bc2d7d0262a908c4c4fd609fdd94d74e

SHA256
5ecfc461ee467f7ff39233ab43ac9de7d8f4adceaaea9ef226e9b9f6e0b9e2f6

SHA512
6fa96d9634424af90e21f1585aa05be83294dfe59d56d1909032dff0f8b1f5a1bd123fcb079a3f5e161944d1abb06eeb1a87436c1e1cb03fc30541f2f2f39fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOsUkgAc.bat

Filesize
4B

MD5
9059d6487a45d76b125bc2bcfbe9b9f4

SHA1
4103109fd3239ac8981e3df75c530f48ec798eaf

SHA256
4926a70ea29931f6ba7bbe39f72a376785bad82d3c8798f6a53d07c2df747d0c

SHA512
690b657672f4eb96afc330da135261ef1d912777e1c98f99354cad9215e3832fcb2b0dfa3f55a186e68db9bfb0f806eb9dbf69a583e989aec33a84cff412b3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUEw.exe

Filesize
247KB

MD5
123273876892f7eabb037f190caac7fe

SHA1
f2e82f1c6436e1cdceff31dba7f529cb7fbdf686

SHA256
4d6b2283b8b151979e9f42e38b14de60d5cf1d21edf711f73ee5cdba8560a6ab

SHA512
416e22bebbc123a5f9783f787204bbceb946584734f6deaff17c35a01dae275f76d33e0afafa920f51a5b8b6bf790959c2cebf291669d8808ba357a0bf0bd31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EooO.exe

Filesize
240KB

MD5
eb7e79693df01cd6581dba43721b4377

SHA1
eb938eed3182970b8ea0a10e22471e749cf9fe1a

SHA256
63940d1a0919d65daff41443d1beaf9cd7ef2a7686b5803925977e8b6372bd30

SHA512
c7a92f5b6a7dae06b23001e6735a89e26ccc3899964bb0454f2e0e8a9983a96749e069f997a245aa9f4a46417fc29c1a76dbe612857eec55152cd0a19210f957

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqUQsAMQ.bat

Filesize
4B

MD5
889baf9b8caf0de5b0f0efa560ac3219

SHA1
e4674cbe6a60e248a3958180a0c5fcb9cb4690d2

SHA256
abdc6eb65bf59af81992270f2ebcb22fdfba19b407d92bdabd447852ddb2237b

SHA512
fe19b32db2ebc20bbb351367de4e4e04e4892a31226c5573efc6ae282489098deed477862a02770840687eee88d2f58d24836fc114f0aa01bdc178d6f1361504

Download Submit
C:\Users\Admin\AppData\Local\Temp\EuoAEEok.bat

Filesize
4B

MD5
35a9e08ba63bccb809ef7b2cb2c12ea5

SHA1
e43e1a562925c1e5594ec78ea658d2b80881cab1

SHA256
98b21b673bd5c15d9efe01077fdba7682ef6f15bb6984fbcb51b0110f0a816c4

SHA512
3d4c76e4efebad53ade01b8641190d164f8b8502a3b6d4a3669fe31f84cecbbce665fb2e94572d1084eab6694df2302c3c2fbefd88239169c82da08d2e011bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGgkEcYg.bat

Filesize
4B

MD5
08b9898a37e0af072ad955a8717b74a5

SHA1
fc4729d9351fbeea6a03abe98187e3f2dadf4f36

SHA256
93c1fb31c1a375a9de348af56471c72d73e9cb49e1a7871636b436fd7d3b61e6

SHA512
65e511663b2fafc9db48b680061fa780367df068de7e682250131d932257ced28a40893031afc130c10940930f777c455f901233e2e27f7770ae7cf4de354543

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMwokAQo.bat

Filesize
4B

MD5
8131e4cf21399471874345b692802d04

SHA1
3bb4637ab4a42cf78fe0f463c29cbf04a345806c

SHA256
5dfce7ae1b208f8e93dfb40448d867ac5baf96c4cfed8ba70d7ee99939619289

SHA512
82843aefe930217b6d45d3b52e0627f6b2d0a8e32b22958d91b14c044e7025a322648ae146a81b8750837f1b22f40274b6216144755d808f0ac805fefd04b57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcsAoIIE.bat

Filesize
4B

MD5
ff027894ee46bc1c28f60bc4f3864267

SHA1
100f43d5b989cb99c07c15fda8665db007599e99

SHA256
e51a4fcb8a7652ca38e9fc0117c28903f4c39aa5c16e84025db9d8eeb43f6b8f

SHA512
94e78d255875319561f187e4d37605a3cafc153488f777c850296c5ac850ef9c7029cba7999f6e7d25dcc93c5e0b603d49acdc7b0939a1e6467271523e7ffbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAMc.exe

Filesize
241KB

MD5
f5d132289336816179f9857dab5ee47a

SHA1
0cde43e161faeb755abd79e82b0da6df9f5647c6

SHA256
a49a7f044914a8db325e98af9b9cbacb220b3672b8d41e9c45eb2ad8a2703b5f

SHA512
681fbfde5803ec1313c77580d7b6b198caf7db7e8fa5bcf99d6e64466c4f5bcede66a7b18b44e77a00cee4b6754c2ff8d92ae8d170e3e949a8e2930dac984e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEsE.exe

Filesize
239KB

MD5
89f6230f847681a42e79fbae77020d63

SHA1
cf117cae53472ce5e1ef5d468fe777beefc19a94

SHA256
bda9520e4b1abea25eb82b6d67c941e3a2a1303fb01d4b9348d1d35593d98678

SHA512
bfb7f210468f8549306f18cd166912c5961c9c6161dfd5f6225ddf55958752416f567f96891fae6e6588f2ec1cb7f53c3f6edffacf897ba3b6a1cd5049b695d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQkk.exe

Filesize
189KB

MD5
5483c75ae51a9d86678596d8f5a08d71

SHA1
ccdf5466895af5583b7790dd24a47f5dce737981

SHA256
689e840b89c68131a51910b8ed4cdd48261528b1cad9a9fafecf2d4e5a2eb271

SHA512
da6ada8c3be21f30164f747934b8c06df3a5474dd8684d8a303f8fe6132cbf9fe3365261ae5a823c23f3be7b75d88436fd76aea45585188d0c2758dd4a11178f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSYswgAs.bat

Filesize
4B

MD5
d3ef60179ef29a56640ffaed7d24b557

SHA1
c9a02e3da2fc29088cb13db0d3b89fdedc2fb98a

SHA256
fb7f8ed8d37a6441ae5983f1d20cc1bb6bf5f24b7360ec9e2f9392552f2dc579

SHA512
6b689e164204b40a7f461a5244e70ee9500b175f818c76964b21c412758ffdb88a440e1d7deccbee8d3011ea6e322f77506d7977764d9a98718ef162f333bbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYsU.exe

Filesize
239KB

MD5
25441ed2f21ed743d390ad1d905ab8e7

SHA1
d377523b195e4e0215f705a1ba6533e9282d3783

SHA256
f718b64880e37610d87b1f7e9c98854ff0ecb82ba753bea46a3c6680ac413869

SHA512
01ea7f4ef3863154465cb67d3cb0497c93ae8fd8203cbcdda96ca0bef85696294657a7b5a0b75dc689b516e9738136080b06f1b647f08576f6ba9c422e1fb0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgAcIYoU.bat

Filesize
4B

MD5
83c57510d7eadcaf956840d2e44fdad7

SHA1
01a02cb95efc2b5bd7418007ea71d2fb87b21cbe

SHA256
dbb18b2ec378455031bf30914eea95f385561582161f6f93a203028add7e0e29

SHA512
734e51b580b0503816c1550852e6942400ef08caff982c5e2ec5639e0e8e3677d2529e36c262cb4fc1654932d912acafd918a2baeb70894a19f7a31c26af1f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gkgi.exe

Filesize
199KB

MD5
b7afe1a68e9fc51233b80c5bad811283

SHA1
c6938f80f991f7fc2e87fd68d92443689f89b42d

SHA256
51d23195af4c1ca426744c36299e0545db2d82de93052dc4e41cde79d444afe8

SHA512
549ecaf313f6977e5194ba30ac349e6cc3feb41dadcab490e409ab86ad758c54f127ccd570fc01eebdc87e245d609e9dff28e28a11c430318f9eea435464ab7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWswAwgo.bat

Filesize
4B

MD5
c87142cde2cc2c4490ff083e0e335f14

SHA1
8e8b4b28ae4d9980ffbb96fe0507e6f0bd75cf39

SHA256
64154f9cedef9eaf5a77e9894fa26092321098f9d8b067747c8293931940cd02

SHA512
cdea3812f0152ab888cd0d6d72830af196e50449e80bf20185c59c43404f8159da3a937ac86ae102cef160d0d108d4aa300aa231a82b48db6a8520b3c5868cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgcIUQIk.bat

Filesize
4B

MD5
a582a0312f26eb58f252ec6544a78019

SHA1
17cc6d5987fbd1792e6410bc2537eb20509acda2

SHA256
d8df0a773fb16d20f4853bd56875974e34956c8cf2ab5bab26b6e479a3252208

SHA512
473e230041f484eaec94ff5af7cd8be5b93e8a40202dec31bb45221a2cb50eff60cc8985fb788054170bbf2ef5cad1e6219d94521996ab92dcedaeb5f6c2ad5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIoa.exe

Filesize
233KB

MD5
ff0d29b64f221ef7cdcd644fa0aed317

SHA1
8b6c08e7fe7619c6aa060bc06361e49b8a15bbdc

SHA256
e1398fd28948e234e6651a407fb486eccf2d35cc5f16f9230c70fa3b9e754e18

SHA512
842c3fc610d7cb7464f06774748d4fe81ebcec5ec2636d0b66905f724e0636907085b382e5c09a1f1974ec7176bb8406cfac0e14908d8d996bbadbcc4020437a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IKokEUEQ.bat

Filesize
4B

MD5
52d6395955ff724993c51d3239c1b121

SHA1
373788ae2958563e6b5bbda63c8be45efe303ad9

SHA256
59306b626137c70a18577aa50ccadb6ec7f72f5bdc400e28b81d4941810b3c6c

SHA512
2ce79a8fdb6aae751c3174cbdaf5d69e2786e7c32eaaa2a14f09dad3a2f5e83c2ccd173b7929a112c6d218110bbfa724460bcdb6dc37c4dfe105eeeaf3f50cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQky.exe

Filesize
192KB

MD5
ce23c29c826a7fdd96a2d8ce5cf4a452

SHA1
235e9a111516d86841f39156b16e43a6859348ad

SHA256
6e3f6888ad5679bfd359d80b31f3e8f4397822077c9a650b31ef115f29650f78

SHA512
af8f4a57432f6e96bd7900f7cad652b05df099787e707d55c1a27c2b7be0b9e42d583faa1304a1de6ae1717ba74bcb19f9ae5a5fe6baa9634be16d5d94b926e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUMY.exe

Filesize
1.0MB

MD5
b07c3475d698372889db258e104e3bbc

SHA1
c3cb999a938203bcac987ac3ec118532c6c876be

SHA256
a238b8f2d9afbc1b840a429a05f44739e049471d282956c4fcf91a762e8ecae9

SHA512
29ba8ac81db0ab24b42da0883cc5af2b43263ed84330af5d6dbcab593d4ea7497109a0a6fe38c4038586fb5fb015eaee304307a33dc29fc7616fa070f169f557

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgYA.exe

Filesize
244KB

MD5
f8fa70f9495e632545499b151e5d69f4

SHA1
d923a40d54c608eeeb6f13bcb0913f367a0c71ec

SHA256
0a5f0bf2d5e1d11cebdb8f4c1213a96e8957ae69be9fed452e6a6da18b2b4f8d

SHA512
6767689bbaa41c36cd919890107e3bfb6223f8faf13354e6e2a6faead5ab7d0b0c0247070696f53005ceb51f3b1f37c6fe3b08986fa79987f130a35a5e8a5604

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkcS.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGAgMwYI.bat

Filesize
4B

MD5
4679efc29b7ac0b8259743907aec83aa

SHA1
374e95502664ec03a176640a3392d974315c5e6f

SHA256
8ed7b67dd2baa759c141880e3fa066f0f6c1b2869fdff934e1db840b0ac779d4

SHA512
6c84970083bd06ba771a522d19048f46f6bc48e1e02cb92fb67d41ba3ba616de1cece03526f0bb057acc954fd57b189f473184d85c55d9c90ef6b8e0b5548cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JmEwsUwA.bat

Filesize
4B

MD5
638c3ffa283c119326a5a5dc32123368

SHA1
8904024add1a73f8385eff99ffa90235c1d53fe9

SHA256
1b5726462c3bd879a4c3f26c19ee123a05d00e31ddaed76b5dbb72577ffce700

SHA512
48ef31d78cc387d4f7a805b3f10c6d57b10678ddd9ac3bf0363985e6cec7f78924fc0a12aae87f561c22bfd94c554fba84163b419f8fd638b0fac756d4f3c569

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAgC.exe

Filesize
182KB

MD5
0d24bd80e6ce71d54d7519b2c9270b0e

SHA1
149f70b88ead6dc7ceee85ee48806018e7b8276f

SHA256
9ee09f89c723f0add7a8e6f6036cae04cffd77476879601552dc78d4dcaf882f

SHA512
48ea63292f9b284cfd33efb4b02f548ef9f810c8dffee0baf6f301e766e8662087293f3a0144167fae552d9dd788c182ec74dc58f34a7d9f135aa1b9668321c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGYAYkMg.bat

Filesize
4B

MD5
0008627621faf7b47b2d36bd1f313e05

SHA1
7dd74970eb7dea8f1a4e65370444c8ab7d1bee81

SHA256
0eb3837884f47bec6e98519d030923d6e2086d4d81e0954817f9015dda942a35

SHA512
c208c8cd8442db8fab91882f677502d0ddb61356170613693eb7078b900666cdd04fc4bff3a22848c81467634573aa4544071df169c6e647cfe129f9e841f7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIES.exe

Filesize
747KB

MD5
7ac4f2725cd91a8a458a0a0b6ab9bf7b

SHA1
bbda7d3b9cee3478b4571ea12c2cd24148114b57

SHA256
a7266862b9efc9c2eb1deec02dd18c7ee53ea9ebe8ac5f84a8bca7bb158e8d8c

SHA512
51c5a6d590d4d9195d7a2b1098720e03a20097b874b264352a2732b9710d3f7931bc5c35005905e6a62475a20ebce6d858f9807df203f83342f10fee7855471e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMUa.exe

Filesize
209KB

MD5
da07c1c32daafd3bf0b85cc91f6119f5

SHA1
cc38c4129004e9c4f3984f88f4118c1a07456d40

SHA256
0f33f2e745678b25cfd7ec74a2c40b275265ec20c0ee59e6644b5db5102695ce

SHA512
781e45e784673328ecbfc659f58508059199f71f8ba0508eb56bcda15d1e6295830141cca78774e07ad86a9f4e1602c3a993d1988745ffab4757f7a55bc9226c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkMo.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkcIAcsU.bat

Filesize
4B

MD5
68c153df7ea50cd7882454e6af0ccb8a

SHA1
6dadabe0713d83dd1d89c43f843843c14f7183e7

SHA256
f6a3896295d3d46a8617845720d7868d8fc1edbb1c60162df82662a829032df9

SHA512
ed209dcddcbaf3530a99630d28ce41ad4096b0fb036f45f04b1b54606389bc7135480b4b33a4a287ca5c1dbecdd76c5426c67202787c3a929cb25afa3a89b47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmUAMsIU.bat

Filesize
4B

MD5
ac8553dafbf07416ba1a308102d96df5

SHA1
31f91a95c94dbe34eb246510a91990c71aafd54c

SHA256
e5927e0bfafb7f55f64c8f157be5d6e48c8fa9923658b8b56686e605198a1ae9

SHA512
febdacf3db897b1f7b40ba807dba1d3ab3fbf12d4dbc190f4a9b31c7f114ad4a6be7c21d7b706774a4e4c82221422494e0c71bd47b9124b1e9e11bb7be24d634

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwoK.exe

Filesize
8.2MB

MD5
b2a08795a373fbd513f7c7a7bed0ca43

SHA1
feb7ec5f1ac47c7b5e38a7dfdcc066bbf44cfa86

SHA256
1162a4c797c802202dab1f032a52bd9b58e9c347a2f807d83ca672cd3da25b37

SHA512
fd05e4c59c13d0a53673c2905d3231995b446334061379d2712b9b9b5c8a6724153700f487380599880a0d8e146da628e942c89e343aed7da4f511337d8d010e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LCIsUAgo.bat

Filesize
4B

MD5
04a497c9e71a98d7ae26f50be34f6deb

SHA1
76788a7fa67071f0dabda9b494d5adf5e2e4f03f

SHA256
0c6c4172f3dd6242b04a0240e3b9f744c06fa35b0ab34400c8b696bb206d5bbe

SHA512
dd636489f9ce7608802142108c2841bf85fd5d9fe4dbf87d3dfe8076d3c1ee1b108f86d9294683f433e5328f743562b6da8f7f1f2b390567261e1fd25e53390b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAUy.exe

Filesize
201KB

MD5
ed5381b18bd75044ed3b23025a4a86a3

SHA1
f426c394736ce8efe7193a51e53638ee80dcf077

SHA256
b557edc0b9b00349d1658b25590e7b72f64994c8346a6a3ca6d959777abf251d

SHA512
5266ca51a5f8f36dce6413453374658399580544bcdeafff1e22dc39d34fc67963acd0cd3bdc42e170e568c5ea44274139f19e8598c5e8e487e51b62401d337f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMcs.exe

Filesize
248KB

MD5
bdb99935d181668a9b066f36aca01605

SHA1
e70e89981723cb5b4bc3c1ebe14fe32aa4acf818

SHA256
1674aa2748d6f2492b15ad84606cfb4864d5a7c7e47936755befa2686a514e50

SHA512
756316716291226771af8ee71127cbc4e5690a0b980edbb7ba2264ee586daec3afe6bcd18ff197586c89f19687c7a852f9add498cf375a30d66c3c05151c7e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\McAEwgQo.bat

Filesize
4B

MD5
9659a3bb6b3503467bce5f4a61a6fb37

SHA1
7b0fde7a75a6e1162757b432aa49154854bcd848

SHA256
bb06c142e0159717e2cb5fc430042d9af3c501cd1464a4fa18b15abed37d28ea

SHA512
9cb41fa61719ac9ee8497eb89d1b1b55ffd0e67964916f4adad2683d83fcda80b546856352a7e7be85de854e639b5b26b9f3bcf4581b80e201ab071dda3ce497

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcsk.exe

Filesize
237KB

MD5
79562975270cb0dc82b44098918c0ea8

SHA1
34d916549469b5ea91c75b68c2039fd0e89a4d91

SHA256
00e6e76e82f4db1d00e3ef5338d7df6a4aa37d390e0f027340b64c62cb8f23c6

SHA512
7d3635d49576f201f6d910a252f0aabd1f2427eab9bcac52fde9db540694c07c10208c9175b5d5363755adb5d60d107ff86bf95445e0379431ed1438d1cdf21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsIS.exe

Filesize
231KB

MD5
bc5ad000d51f8d3c557ce512fd2aa2db

SHA1
b6debadbd2f401c9034c0733a68b57a0a14ea151

SHA256
9728b59030b4900530adf07b200071e83fdfc8fec85f9e2c9dba1a98d7e36f07

SHA512
852d15a8a731e29613a31f2a35456461484b4bac8d62ea56c15bb57681106899b54ffcd570461188d3433e73531ecf558d434bcdbd0694b38de8e9251bae2cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MuQQEcgY.bat

Filesize
4B

MD5
92599a47fc0a3c7d8d063b6de4c6f3c2

SHA1
8a2a595c51fe3c977f71feb35d7d895e23d8b6b7

SHA256
cc0f46899a4ce87c6efc734b0742f3d24149ea0876bae6b549e0a86763b28da7

SHA512
25dfd9533a0ca35eccca58366d21602446921b6e432740a1f99ce4df38bfff060d8a13b55b64c6a5836b9c6b7fadbb5bce377b5fac454802ae922d05dd4b1271

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEgsooYo.bat

Filesize
4B

MD5
cb714460b468db5b70c3a8ed055f6d2e

SHA1
8ded80f75346ce2c25526ce592771714266f10ba

SHA256
b95f714a431b03ac88cc6f11a9895a5ccd96f826e3d5bee469b15ff308901564

SHA512
9eb5e0fddf57d21cbfd9b04e50957ed4562b6873b958354415fe8f2b11dbc53d18fe76b70c107f75b2cf443ecac99ff16138a4890c08541f58d05c278b6d4db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWcwMMcc.bat

Filesize
4B

MD5
8f913e0e039c67b3ac8f7995f4d32845

SHA1
aea51817ae2e1ee64c4ff1c57242a44c19729c4c

SHA256
58e732c066c5bfe7580e0ce49ffe4591bde701a6f1d622485f186638a81dbd80

SHA512
60d809a86278fa571a68c92c701e1b57f0980a81d1fc8b212ec7bc24f7804d82437bb190634fd82784e8d4a83fda2d782e45697abe4125169a020799e4299e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAQs.exe

Filesize
498KB

MD5
05e58bd1910152df4ca8840392b5814c

SHA1
68f81923da18d369001a0715da075ba4d9430a78

SHA256
0d55e51f525014688eb872fd965f07f9b32077ae205098cf0f1846bd16b92823

SHA512
9058bce11e67d0741da7cbfcb975f2c59b29a0190b7f78fb8a67610bfccbadbc93d7ad2cb0f8f835151f1902cf3fe7d132ff2ccd6e1d85b6cb1de9899daab982

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAgg.exe

Filesize
241KB

MD5
62dc2d0769b985413b019248047b8590

SHA1
062f110566961abeb81c6eb3012b521d3ca01904

SHA256
92e7ea39c901e30ab1ab2627dbaaaf7ee9468104ec59a91c140a5534a234f94b

SHA512
ff1701854b80c92f8655c8915dae2a81ad0c8f0f6dcbde7fd47d1f6ffafbcc71b104a260ce07291b44950241b555a4345dda706e66d2c4d253fe178a38bd744d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCEEYwkA.bat

Filesize
4B

MD5
322e09c8dafa2c0c7f2a026e100ab25d

SHA1
56757af80644af951d0ab90299275c854ba22fbc

SHA256
936d741ca32483d20f5b0e319cd818ef5f88d46db087dc59637994ee040a9ab5

SHA512
8b658843c2c892bac6005a302fa14fa967db9810b0022294aa74c3188a8e8b8f9d7741c603b23d79f6532c93e8c3e9c523632f26af560cb0cee83d49636778ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIAQ.exe

Filesize
228KB

MD5
8870713ae410aa2d6cb31389508e5891

SHA1
f5058ab0d078b9fda6954d2a319f060a8ad2bfa3

SHA256
94d76178288f6f7f5d03fd75989cd3b8b03c5d5777a7b0b6d5c7c1a508704505

SHA512
a31537b795e93cd5badb2310e7d03c2979fb62529093823b5c8d654f166e563803e85e725ea00010961854fba5184b209ffda22b17cbeb013a423a8c423453ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQEM.exe

Filesize
231KB

MD5
96114b5d4f94e7f1a6ed17b190286053

SHA1
2d286feb82e1a64781b7b698bddeade311af5c4b

SHA256
67f67e7e0ae610b812ce400aa4e85689b72208eddd38b56743f866a6120958bc

SHA512
d28822dca32acf58a74d058ecb094cd622e4d942f319e8e6d913f22879cbd5510398611be891603eb2a4a718760840bc3edb882a7258a8364412fc33052c4823

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUUI.exe

Filesize
234KB

MD5
dab1018796c003b50e56fd884c8a97c3

SHA1
8eb5e83e9896ff49f7e909aa2452ab0254f6bd99

SHA256
880445b92bb178b53e4174d3768996b7e9ad67e152d48d1854a405207e602a07

SHA512
efccee00986eb575dc006954cb6621475b7158ee23eb6a1a355eb4f8e4e29f30d254f06d56c5ac65b71f54043c79e04b941e628d4de1e66a7962ffa4fb726771

Download Submit
C:\Users\Admin\AppData\Local\Temp\OaEgAokc.bat

Filesize
4B

MD5
b56ef882c37122e1ceafb10871773dfa

SHA1
7c3bcd80ef6a1a6c42a93b6c14e3d77a5a787f2e

SHA256
e28806d301db8c4657c6da30b0493cb06944b7cd65871fbd5862f6afc9bd7da6

SHA512
7bcca78b5084d4bbfab198d9933c50d5a2f9d0f51c0d6af6578680b7ac6572dfb5eae94b19df2906ce5283284cfa71fdcff4ace6e48ebcbe53c830ed11472d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcUI.exe

Filesize
208KB

MD5
cbe46b9bc8bb8c3e7884339c212836b0

SHA1
674d40e360478da9285335352a6fb1a77d06e645

SHA256
6df2db57883ff55dc71a3e7fe14f36a07bd631137228d3d4de3cf98b91a1268d

SHA512
6de885e4733be25aa3cb2c3cd02f0b092337f9fc0be5b67d5e960a1b92fe474d1f23903acb0dbeeaaf0a6b06301b0bc9df5976a4215cb408c4ef4c9cf90110ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\OisgAQQQ.bat

Filesize
4B

MD5
4595d8dd00034d450cc7f5efd579ed69

SHA1
7bb2af3526a6e1d8dcfa0538be5b07029354e08c

SHA256
887586eb2cc224b142d1990927ba6acd11a3fcc2eeadc5e662a6055cec285faa

SHA512
358aa4eea0602080560dc255fbe570fe1dc38230910a0096460cf75a1768ffce899082e702e8c7fe515a428da3a9a21725e00370cb6de217dbe9db024afdd900

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oosm.exe

Filesize
230KB

MD5
488de9288db3eca3513902f41b555b24

SHA1
94a575941e93e52fd210a4c77269b454d7b0aab8

SHA256
2574fcf8841adb8386a3d51a69807db96db77b8fddafd60405108316797efab9

SHA512
bd656bbfd62866217c4d1a27c5d729dbdc39b48af97692610193e34a0433253a23d6631b23bf868cd712bbc5e607ddd4e0efc674cb34b7395c26b04627a7bb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\OowM.exe

Filesize
645KB

MD5
9f98d4c56e0a9c6c75864cff6e25b1c9

SHA1
d07e9a28517c70634c4a68b99ba2f2a0d1ae5bea

SHA256
7ef79cb32cea129567dc848c14d19496360bd6977eafdf76dd1af795358592ff

SHA512
0763f2aa34cc8ac9da34ebc6a1d1fe52d446d55e84f79966fbe704cd3ee3087a27c4470db280c2650409bcbeaebfadecbcb402508f39abb2ae16ebfcd764fe4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAQgUcQA.bat

Filesize
4B

MD5
3cdb4228b74cd5965dba36f666ebcef5

SHA1
842e4312fce7a34d5bb759ffb7dd2499bd6d5ae5

SHA256
a110f77e7c460485d6d494d47d7f52a034db3bbe665fab855e7e978943a5a060

SHA512
7aa5fc1a4ef70c681415f44579948dcc599f168e4277d70802401d688e85a4270eb575c187a2eee4e548a75a751106f7a319f1c443fa12c9d0630c6e63d2b58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEIUoYsk.bat

Filesize
4B

MD5
75d53a6782894767e5034f7c8984a876

SHA1
86c9075cf8fcf90355e8d4262b98bea90f4bdcd1

SHA256
e7e71c9f04f54d367c85fd5074ddd0a620610f9146362305b70c2ef12ae074cb

SHA512
44d9c363547e1e71404f0ba44163e5d4c8d7d17553ceaeeafdfbf0284694bb5dba5773a669503a5f1770864ded2793a2af59fba70316fe6f8e1b6ed6066dde25

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMQI.exe

Filesize
229KB

MD5
8ea07f553fedc48ac5c1fa9749d2d2e6

SHA1
4a0a0b1d78eb3b85f34f3f919afd312a453c65da

SHA256
b3691b5e80227507eaf4d194057337e006bf16e7c44d167d08d6dc98b3596aae

SHA512
92c45c03cd0f70ba1ef45cd857dbdac126c3a9d7ac7cb94c7dc84cb8999b000c0c47c12cd2b97d4adfcb5d4325fe255a91d1b874d58f919dea3b888910ebf4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMwu.exe

Filesize
230KB

MD5
e38292b5c051263cc40085788e00466a

SHA1
3e9660698c7c60a067947120521cf0b6af77730f

SHA256
9dc6cb5aa384104eaae1cd5de5f025c7127513ff706e85899ced7267b9b92b02

SHA512
37dc221f04368b566ccfb2d61ca186d06b246a52e3b752aba34e44cbcd0fb11ade7d4659f5745274058bbf24e08cbaae7c138f740890f9775fbe3175fd04da93

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYgc.exe

Filesize
241KB

MD5
886afbe68b8ff04c5043658bb228f1dc

SHA1
fe7027d3710d70e6536a3d714d4df23fab895507

SHA256
9409eb0f1809d4517125497540c5e848a768890f7b4d14f76dd07e5febec3c6b

SHA512
86436fcfd101221b2272726125ea0f9a06d390fc05846a0dc2f46df2cf02ba50bbb9e24b2001a0eb859ebb168b27b47c8f0b0555532fbc51280bc458f0db1a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcoY.exe

Filesize
771KB

MD5
e4147ff0492e71b51ded4b4cb44b970d

SHA1
bf6fcd6eba93197e4b27a2ba6dfdad4b2ffc58d2

SHA256
0e7e7253547f88648722a9958c7705a8afe12c4f8e52ea6c79ffffac0c37ab2a

SHA512
70f14a5ae8f46825f3c2404dc3ea38130f772a200e8dafd97d61cc8d0c46b4e3dccdf448b2151c204e4e58d8ee61641f2845a9c18a78363271ca11b3d4ae3d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgEI.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qoca.exe

Filesize
313KB

MD5
9d406148b6a9e67d9294bea613b7adc7

SHA1
7ca035e7a911dd02912f686db6384c10b727e180

SHA256
24cff8e2596043921d072155c755dde01b8b5dfcd720f68b7636ebd9b6f2b38c

SHA512
09009a19dcce13f224f26dc04229ee588e0afb12662fe608b91fa13a9d3acf0ab9d552124dbdcf28b77b4e0bb6c11e84000288cfc8cc8840d7dddb90a80d3888

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwUi.exe

Filesize
950KB

MD5
f06dcffb2aeeea5d850f92ff406718ab

SHA1
51677a1e0e97f5612585fc49561099db8ba4b21d

SHA256
bf2087330f7d5e409ce89c8b4b9b939570c444d3659a15a7c61f90b9d277f189

SHA512
9e27af20adaca50ee560a1951a634ae570ed35c5b442c557c531c4e091a61f50b73cd3f9ad569f4707c033607f2c61a26326126eb187dd8d87df637fe40bb60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwco.exe

Filesize
247KB

MD5
25aef78251e625e6b4f2b8312b7c4106

SHA1
88dda742276e07b70f4e098653f3538dc185704e

SHA256
1addcad2690a896d2095956be3bdaf2f81348e584c8255917075e6a608db53b6

SHA512
0931931f7a5036e4f677bf83e31e4dec85a8c7a5f497dfa3601a4ec066eb9e60709a7611b64b7343365dfcbd2e6aef08c0d4436a308220fc51fa9af5ed897f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QyQUIkoU.bat

Filesize
4B

MD5
2012838cac4e6ffff3fefde5ff083905

SHA1
9957726bbc477ef07edbb5c30899d382fe532afe

SHA256
f11998c017d4697bda2bb4971f6b3aa66911f6d44f5355922f417a8bc4be43cf

SHA512
3708442d71139eade049377933045437b14a723dd8f4cd7b31de683e368861642794e5a37307982d9a8cc2cdd22caf2dd1f5631862de0cf5d182200d4f9c2bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQEgMwwU.bat

Filesize
4B

MD5
bc335180923b9788cdb4a4f8137b043d

SHA1
007f74453d0bcac25654da01358d463b2274731f

SHA256
846d0b31c54a0c2b18b9794c2c27ee6d4eac76f3a2d2e3b478f47975c23ba65b

SHA512
b5395c24c24c240841eb04aca383f65ce65234d938c2102230543e8b7b235243ea01f14c30716bdca615e9b044d4032e1b3c9103b1a41fffff8d2814770f8c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkkkkEYQ.bat

Filesize
4B

MD5
f26fd780a75416e26d4fc4aac47136fe

SHA1
bf4bec664c09061aeacab7ad63347d83f3725c97

SHA256
ae6536671f898cc6a59215ab7b1fc9f5e471855bb271410335a68b392df9ee54

SHA512
53f247066c4e30665e25687fcbfb12de67de341ac4bbe3f09293c5caa6c5f6f4d29b2489db80043ddca352584354fedc73f4129159954d6535c1f486f0e52de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAIYYkkg.bat

Filesize
4B

MD5
1f0eee76aa46c3fa24c56b9a868427ae

SHA1
ab412c4bd81ac4d9fbf2d183c6330cd1218bf035

SHA256
35dda3bda109eaa04e8c0df40c63c5388afb50360195e50836e191d40e3559a1

SHA512
9bdc31154cc3e9180cf5ea2a4027d526db91657fd85422e3625814b19d72866cfd25d9df374a892cdc309f505edbd10455babc79e3e652a2cdfe3204b608e659

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYwg.exe

Filesize
234KB

MD5
af57bf7faad78446920602ae4bbc2889

SHA1
3cb342eb5a133c95225c4429e21d89715655c870

SHA256
3f65184bcecc7b6d4cc72913d2074cebd99cde629206c323ceac1e11ab026cb0

SHA512
2d2ab3f56ea028d55726285cecf75297513e5b286e19fc235b617348f51fcfcca825278bd4d28a31ed337f9f34c8e3e0da10caed0ad3246c1bf713a90d9d115a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgAO.exe

Filesize
240KB

MD5
faac6fe6b027bc8357dd285eb198233a

SHA1
21989335d1611822703ef6b714a0f8f111012789

SHA256
4be59162bca1f379c32612a6f6551a77fa735dec6285365c70ef6c0a09d06cca

SHA512
f90ecb0d5a3431a69341bae0f941ca12908e9289ed22f1a9e40d7c5753213285c97317ebbca7a0bbb90b1fe36ba86e7c900962ec74ac6fd212c31a9df5fa0f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgAq.exe

Filesize
233KB

MD5
84eb0dd7b071d386033dab315d3cecdc

SHA1
0de3da33055b37457343dffb9a51834f6bbcd0f2

SHA256
e896a0ba49449773146de78e9f48c5d21290fd8c8aa6bbef3a87838d5e6de384

SHA512
4aa99f9c82e99007b9f30bf02a428621ba1f94697199204555486d6b337b06cc28c5e11db1234129bf19fa9cdac6d7e37646e6a08582e2b04043f99bc15798fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkMI.exe

Filesize
192KB

MD5
282ff4b558fa9cc787381df2e889b80d

SHA1
7e10ed8b737be8c7d7a4a2aea837fd7a8a2ee508

SHA256
6ac8dc430a8962f659df674e917c5f42846574011965bcd24dd50891298f3611

SHA512
8e15f25e42e66f017fbc7d694d443dda4c1bd8aaa24f559a09e33f9cab0e1d91f879d8f97668846c10bf2440342ebd9bc4876d002ff790f3f5bd0aa8815c4fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwwU.exe

Filesize
233KB

MD5
00645e399d5049747d1c0c22a11a5f46

SHA1
21729c8547b28a7b60c740b5b476c49ccf63ca88

SHA256
24decef851db1a3119cf681708f78d79838a1851a72a5a54fd02acf6f06a0cee

SHA512
af99781775bf1159b7e6841c1f7c69c8e6faaa58ea347e6653a6549b4ab52c0fe542bc6ffc888d66339b24e9832801645cfbc37ef7d7c37c788f46992b1f05db

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGgQksow.bat

Filesize
4B

MD5
2c44f12922e610ebcb36a2f2dc8ddc8d

SHA1
5f9c6597511b7ce4ca533fadad367de0478f040f

SHA256
a648e76c699a641c6cdfab162158086d4f7ce0ea659401e76b32144d22dda4fd

SHA512
8dc783e1624979ed2ef0894a5f5ad31c9d804e3dafab0ac78a5c17cbd9e8bbf8e6341ebe7f37e3a452dfc2a2ef0ef6e4f076c748221ad5218d3656ed9b4a9c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMIkMQcg.bat

Filesize
4B

MD5
326d4acc68f5c9996951b328025ed406

SHA1
1b9bed988e056c5a4fc0596b9d6969ab4699cda5

SHA256
5d981a58c58640a06c8ae411356e0548d003c3e7f27795604e7eb8b58454489d

SHA512
c1ca3dd03079a58200ba257405e83dff29ac98f25504bb346815e290e34d6e4e62dfc899f5cff527859866411fe474b076107e3ceedef8bea724b98b5d59321a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMswgUMw.bat

Filesize
4B

MD5
71a96a1c79de0090effb7004111bc370

SHA1
5eca5a996da502f09496b5dce7a3def0aef7dde7

SHA256
bcbf138ecc1dda2ba64ece317efb05925e75f797ef1b5eaf4c33b2cc7a619b01

SHA512
0e222e3e4990a32aef18c34c92950abdd857fa73f43ba2c379fe1da45197411f12a7fdd660265a59c02ac0215e86c892d42738329ef6c3673cde8b7a5d9d2a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcAwsAEc.bat

Filesize
4B

MD5
aa196a997905afae72362d693619fd1a

SHA1
d932a4a807121448dce8fa5f059c70c3c8dcd3f2

SHA256
432d1f3123635873191de0e6aeb3597957a709d330ca21b570df1eb8e99a448d

SHA512
f0b3023e720863cad6fb62cf686e9e2f37ae2ff4765c077b6f8eaff256e49f1ba96caca4e372506395929d0364bbb876172678f0d308e5daf894b1f31637093c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIUe.exe

Filesize
225KB

MD5
e4484f971c7512afe035ed3e1035f2a9

SHA1
6a03aae244cf18630a8f1fd2233bf805652f83b0

SHA256
538fc2c592c5ef4ecb7e8726af7591acded41f27892da4454b7ed72b200e6028

SHA512
0deb1c781e5f9d9efc5ca41062c4158c19309d3f3f23f67702552a468c1bfe4bcbbea3513e100e56b9d1b3bdc5d49c68972b68b9b9382c5cfb38331dac036087

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUMu.exe

Filesize
249KB

MD5
e600e327172d1a91c0bf071d0e59a6ce

SHA1
becbe0844f6f13129f90b19b0b2558bd97e68310

SHA256
82a3cdc6aae56157b798b61c3907997851d941cf759c80b8ffaa9998f45a69af

SHA512
2b0d19a5fec318c43793973e88ddf7962281ccb7527171ed8a09bec0fee6ca68d0655df58d1a79fa2adc797d43c78c7502cc81cc324140c2983d01e3fc339174

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYgYEwsQ.bat

Filesize
4B

MD5
047a8ba4bac48236c6e321df95366478

SHA1
81bb11ac440d6778142a995a2c336fa7c2b66078

SHA256
3ceb22aab5d61291ea42027ccbff9539eb248b069d7ef6a591e008fb25133731

SHA512
48f05ad85f2f22d04ba9c7ad8740f8034c94f1556c3e589ceb0f39ffa3392048d77f7506b1bd57b32a0142e1b0e2bf5749ea07375c26002c5fcb3fbf07f8e923

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoAUMcYM.bat

Filesize
4B

MD5
3fd29f9ee610ab3a2698d5dadfb4e786

SHA1
97f58f6ee338dfac87636e5003f294157eac42b4

SHA256
38567f800afcdd6d5f7877f6b65e413a32b8666f6979dc4b0ab7538187764203

SHA512
1c7f7bc69198bc57e5c8ccb0e3038c4aa8fa3c622e04fa9e0d26fc6e7db8f2f813d46b8ab35c79f88f0aa1d328a2ae2020c07763b2d7240c036bb23a5e0f7836

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoEy.exe

Filesize
228KB

MD5
1b21c6851fa13019b30fffbccd82dde1

SHA1
18f2331f5d169ce07e5c820dd418229cff79f005

SHA256
baa528fd06fe66e333195c359a21071440d40493866cef0892232c2fc8f048f6

SHA512
33c3d51d7de7338489e03771918ae9b13804ef247cb49738038365d9cf12dc48b3d99cec0780ac7d85a072b373d0db61d9d717c3456be704ce8c55474191521e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uoos.exe

Filesize
206KB

MD5
dfd8f0b28016fc2ede562dd6b805d553

SHA1
f2679ca2daba3f7838fb9b20f8413aeae9824c0f

SHA256
af7a32a25c090ce6366f41a4989b9d30d37074f5e02ea29afdcf3d494824290b

SHA512
fae069f48ef3561116a683762981bdf5542dfa5caa952691cf6b5802f38cc4e02d9618979c7c96dcf098e5ecf3d5d84905a563d3164dfe5231a4afeacb38ceaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\VesMAIEE.bat

Filesize
4B

MD5
fa0e067f1601bed9adf435dfd1fd7d91

SHA1
ba85da767f6ecfc9d2a5561fd2c3f2de56ec416f

SHA256
d79d5e6861c358dc4bb46b9cd0e592da11acba25a513a05c6527546c6c1fef64

SHA512
76f2fc644d43b02b813f5434f0d47d5028a464ef454dc3bd17b15e0592a03891c308f207118368eb8517f7d0310cca342b49f3c69721a03d8b80d09ba876e811

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGEwQsgw.bat

Filesize
4B

MD5
73c897b0eb6ddd195572ff4c8205f9fa

SHA1
2ab4f2831458f6a39d594f5a8fd1db33ed98b18b

SHA256
8504fd508861c6cbfd82eeb7361224c270778331791ed0a54abbe69c0349c17e

SHA512
e290ef620aad607850c49cadd0ec08367f03c55d2bbbe0e11b09135f75f14ca5bda6d66e4d12bff68cc60a78794d45b959b33bc186bdc8dedcafeb5d187c5b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIAW.exe

Filesize
207KB

MD5
1b65483822087c23740f936dd30170d9

SHA1
29eea2c34369293af935354258f09d998caf4b4c

SHA256
1fd47b310f817a8577d4ac53e83ede8839a185371f75a703fc7ba37fd2e18ee1

SHA512
042ab9bf9725a4a35539633643832eeace144d31a0593a980df5a5fd9993c11e8cd94d988e32cadc69f821f1830e5b4c01ef50392426c434ec6197da09a7fc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSMcsoME.bat

Filesize
4B

MD5
e40a0883c7542ead0de0a0dfd2cf21aa

SHA1
2cf8eb4011cd5bb148491692db80adbfc2380a1d

SHA256
3910568bf4cc2ad4265463171114e1d24c74d52fea3777859401a42540aea8ad

SHA512
3a0b22b303a725d18b4c3b06bfd2f627ed98519ba1c57ff3bbbb8154eac744ca22ef593feeefd80b52605eade368076c54a3592e3ad395ecf0cab11b21eb4d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkUY.exe

Filesize
241KB

MD5
ee2d9cdc761ee1539aafc84da73150a7

SHA1
d3ece4458c038320369ac6594aea84f2df0d62cf

SHA256
307ebe7aa5b239bde6802b89640bd73b6b93d31adf48d4d8bd5116871ac47223

SHA512
9845c8092a7b550061513b24ca0ae49af3f0e2edbab15eddedbd0f3e14cd37c9369741e4df981edb350eaa978a627170ef876560596a8a167cd24afda6fe8285

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsQO.exe

Filesize
236KB

MD5
f82a1239288fcf28e81854fd350814f1

SHA1
732dc18de9f09fd77ad9c2a6cceea18388fe2d0e

SHA256
2ebc1b29da06c79010d0cbdb620592db3fa197a8706a0943fa9ad9ef72cb10a9

SHA512
3b32318232fd1b167a0f0d02075dc6739e6aa4b874e077a7ff3133d9d38bd667b2aaf3467c4f4424f04810d7f606a31ba150451986938a9a6c9eee8dbae96b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGskssco.bat

Filesize
4B

MD5
4a00b159a2c669b2ab25bdd0dc5a2af0

SHA1
ed16a018cd5f3119f8f4ab83170bbdbdec8606e0

SHA256
0cb5b983c442719ed38657ab96b402f43795b912f617f6393532de71487c8435

SHA512
5ff53f7c87d4388b7023a1fdaa5f8764e149f113bb868d9b27d13ddf200559ce6d67ed55ad3c270121a450b165d0dbeac8c38a1f62ead8f1b577c430036e732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMgYQAso.bat

Filesize
4B

MD5
f0d55edf6724d464b8e76e0b10885094

SHA1
a67acbf9ea32e53779421177a61dae5e814a83d1

SHA256
824abf5dc8991c96ed7ca74d930f78e66342ec5754e10dfef83c2da001a93ded

SHA512
419384f9d590cd7237de2e956d4c8586d6dba742c7b242fa8c11b46aae9b1f546a6a69da46df56d0fc47b8b6daaaf6103d0acd3373f1bbb05b99c8e0496ecd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaUAMwkg.bat

Filesize
4B

MD5
3b77d5fc73cce8ed5d7c50eef702fe88

SHA1
0635d84c022d1513fbda7d805c922794f7618c1c

SHA256
ee8e5c72d798c2fec06df04efb6b0f5cf377579c3e31ac4042536b6da2b27c47

SHA512
34fd8996598ba745132c0f849852d1a55eb64e595cd37173ab468946d6d7ab6e05a6f614c116e76c829930555c318ca65bcf0013311920df88fc14d1ad0a1a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\XmUgcEMQ.bat

Filesize
4B

MD5
4b9924657ecc300b97a96b3d4e3d98d1

SHA1
e83d43cb7a96c7f658b8454396aa38c7a5f490e2

SHA256
4712c6157e47b12a5c7d106dff02adfdd521b666d14cc765b2c9fc5d098e4669

SHA512
adf2ee194d58dcb4e9324f9ff959874fb1781cd60aae7cee5cceba9dfa37fd009a3c360124683f285d1768536cd01c774e99bee993f5753feac02d8255dbe9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIYG.exe

Filesize
244KB

MD5
d721f6b6ab8dc56dc01a3992a879ea8d

SHA1
b33c09ac31825bb23e69364f0abe85eb7c808f52

SHA256
47d00f2c09d2d7109852ea3d282249baa074942ea33cf8252dd15f6440c6b9ec

SHA512
b8d7df6f224567435cd611ba15c1878568c094d753591d54262f0456335496d74afa0b7e5033e5ee53a97ac8545c491d45e052ce4140a1ac3779824dd01b643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUQk.exe

Filesize
231KB

MD5
df6bb4294cfd3def51dc50fe7a38a088

SHA1
33c5aad20e232c76319833444ffd65a9fe66e4f9

SHA256
d063e044775765208953a7c791d4fe1245976f34fe3000672bbfa9e75a50265e

SHA512
bf95766b09aa9254578dc885e08ca3ba2ce0abfe80334ad1d3a2554dc8ce3cdd155667743ecda6704ba667e324f1333b355541302e4efb803491fe0b830fe54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUoi.exe

Filesize
238KB

MD5
f019349bf46718d0389ef0b66d1a8d90

SHA1
a6b6a7046626195948ebe024aac1f1d606e025b9

SHA256
e48a6107200c20eb1470c9f6695a9654c60c4b7147101c7b51f72a441bf7752c

SHA512
f265bc712d487a808be4a250bb78c88ddac1d9aff9d0359329be77b7d993544b70168ce154bf611c228544585651e484e35118571cd016c59bdac809636fba57

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoAW.exe

Filesize
231KB

MD5
aeabcdd9ab355d6240d84c672d4ea916

SHA1
c86f9a356a21a852679b98c539f94144725f30b9

SHA256
25dce499a5c0c6987768bd56450d227cf9d1e81b79124535f59edf9f111ee2fb

SHA512
f7f28e06da7a731fac5bafbb869f9e3237464306a30da28dc4c09450c36fab50983b7f544a7cc821cfc426619e65404ec5fc5d390f291e663d4e17ed16f31892

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsYW.exe

Filesize
233KB

MD5
4161a5f242f46464e0373c702114ff9d

SHA1
1617414ef2d248f385b47a10991e62b26e34d3b0

SHA256
a87dea390156f0fd2f46464b6cda87f973c47210dbe5464dfd61d635d162df12

SHA512
7a015f3188ac0ec43a2d3f10f237d5f091d34a4d17f1203546d0ee1bfa4ce13b29e505eeab60718ba6ad58adca428f81abe0d601747324bce36940bc146fb5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YugEQkoU.bat

Filesize
4B

MD5
d9b5169ee2b217365e23466535471d3a

SHA1
d1b8bc8dd0081dc93158fa0778ac5c204543926e

SHA256
9992966353adb402d8e4afd6343f0d31b8d02f1282fd457120de69b42dea3844

SHA512
f92a81ea6aa843b42f9b24c9a8ce782a7e0f1563fca3dea7c107004bc8a1614904193a28b26e4808db4dfa7aea5f9bfcf4669a6de18985ec842efb5fcc286b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmoMwsEk.bat

Filesize
4B

MD5
6c4c32795a3dad079e71994192e03de6

SHA1
c2ad412798902f61487ed1b64a5b279ab8c09768

SHA256
2066ebf935979f339549da8f9d7a4007eb2e15a9ba65ea733de8bd03f53b3f96

SHA512
070369f12fd9433d438a984bf9a06cf87fba88d83971020c250b01f3e7d00c83f82888d6864274db2765f5019fa8d70f16ff7997ea1ced70212a6213f8ab2f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaQkYQYo.bat

Filesize
4B

MD5
3e8309782c36ad76b3f079f915ed3bc8

SHA1
4b5c9ff6d87966d18cb5a173ac4980a0c9006693

SHA256
3d7dfbaf5ca3ed537149af9038fa2cbbd8f7feb9da673933c3902f9196cdcb26

SHA512
06bf85c73fae971888dd6309dc90487cf2c265fe7746cc7fc0b2eb9e3035c2f82e40a918c8d3b9620c31ca652dfb388b3924df101b95dfb869aa6c8d602ef7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\agkw.exe

Filesize
627KB

MD5
c9c7b34b8c58986d25d4926251dad0fd

SHA1
96e51dd8ecc266e9c5d05276762e693ced8705d2

SHA256
5cc59eb0b4745910401fb713e1254a8103faf2ff23a554563c613d671b3ef3b0

SHA512
4c8332f186c4f1c76af2f3680318f15280a3daa3772894df84da6f5636f642e1c385849f0d8aa97a3e9506ec3c442b055475f6282fec9a4560125c77775f6af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ascIAIUo.bat

Filesize
4B

MD5
3206a3489d965fddc27896984d320dc7

SHA1
7c9488abbfc3f8b869846527177e5f028cda22a1

SHA256
bac1f54495242a81a8ebe82d4da7008284bf78515c08cf43a98971ba7c864ea8

SHA512
942346ec15085f53f4ad6307c11522d34e2eb4ba1eeae425e2a9872397c646988f129186bb20381700eebdba77a98c4bb2a22583c15d0c4cc0c89f6a5c66cbd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayoUQYYc.bat

Filesize
4B

MD5
423fb6adb3ca36a58a8678f34bdd014c

SHA1
c4828e0040dbcb8fd2fb83616902f21d30e4ea39

SHA256
3eb6be0e6c6d4252948e6bdf3889cdc11ec4c37c0bf7752cd02b0f1724d054dd

SHA512
ab6faf5e60361e3e733701ba291c43cd8dd42470ae897ebaed1f196383ca5916e7fea7c479dd90b25224d4f6275ee4d579b3a1127cca88b8c783525f5be86d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\baYswYYE.bat

Filesize
4B

MD5
10e714bbe79f873fb90953e7c691b104

SHA1
9efa1168852cd226b40ed1f2c105867a52d4f280

SHA256
f2ecdf08cfbf8074fe63fbb395da8f3a028dc266c2278300e349fe0988be50ee

SHA512
1b625fa402d7a7eef96ff09b428f8980a6538b99d020444351c189b5b5238ee16b5160a97ef62089913d37954ebdc715187395af2d16353fb8ad2d045c5e86e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcYMMAws.bat

Filesize
4B

MD5
f8d0b426bc18e854f0f908bdb9245c19

SHA1
37321a4c0577e703de51a1d1ac575949b1c16e13

SHA256
573b69538403f9f02334072643e98f77d50008feaf0ad061780f617d4ba03d1c

SHA512
8aa97a81f71dfbdc0f28c5060ef989b036aea7990b7278659147583fd6649b75464e3ba66ccb9a00fc647c547a8ac398504ab597120dcc4b3659d4f8afa373cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmcEQgcM.bat

Filesize
4B

MD5
013f0d07596b9bc97920152cf52174f0

SHA1
d1f0692d7ab5f8b558025ab98b0b404f8a1334ad

SHA256
da0e3184ce7950c176f442314eb4d9c5bd627fec20067bf2fcb45bcd8d7cc10f

SHA512
2fd36a8f15ce75654cd98471d991bfdc05c5d14345e7c936ccecc989bfca5b7564cb84b367241a704af7963570d1b4e052c7f73c5fdd5e141accf355df5fc02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAAcUQoQ.bat

Filesize
4B

MD5
1bce6724b6ca203bff6bba6305abe994

SHA1
b51edbe49b37ba1b085f02e57cb29c648dcc3d59

SHA256
0107f905207efdcee757443b6ef72a08763a6c51fae017032e821de38b7cadad

SHA512
8ee38f2b39041af610b40e65c601faa87ce11327241471821cc2a681a61f5e0d5e11f7db17a1638c465573a7dce4b3bb005192db5458889295a12de6204018c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIMm.exe

Filesize
240KB

MD5
4ea177228a9d0d893049f05ab152e67a

SHA1
5fe88a43846054492093d692294be33cefeeb246

SHA256
9174df28010cc097f7a719523cf9493ad3eb8a44edd0478ff8de7a69d1ef4898

SHA512
0bb0070821c77ade943a247c128d5451995d4054ec7e4472a40173cb2d5c73e3b3265fa9775b5fc6b8dfd8ced5d95add56181c20c900adc6690a29165c77cb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIcM.exe

Filesize
242KB

MD5
9bc4e4c42eaab3c8df05bc86b4d47a44

SHA1
d2147ab944e720c4458c7f9ecde86ec6e0751a1b

SHA256
d3a8b945ffd159193abe7458a2b695ffda413934708627c6ff03397b49ecb538

SHA512
e7770c9a32b7522f509313e1d38111e1c1316259547277b9a605548ea820dd5c2dfe2b30a20ca152439aa973b53f191b80787405a0460d7e8cd5794648747546

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIcq.exe

Filesize
199KB

MD5
6c69239daa054ddb0da6e67ad9cd93da

SHA1
45c3efa4e697334f9583191f08356e2153835338

SHA256
5e5ca63061c77a1d31cd71ea981c21bbb0022d91e457fa37aacd85f88d74ee55

SHA512
a2a8dafb6136584a5d81ca8f5b4d7ce29b0350f3aefbb84d2c50d7caeb3fa782d66b40730a4ab084a3183573fb3b087847d8444455dcf46b5a90f833fed921a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMcO.exe

Filesize
1.0MB

MD5
ed417bbef0524ebd5eea9f2200df5ebd

SHA1
d3ef676a5dc9dd6a11694c2dd08194a8c220dcab

SHA256
75640de58f79e99a05d7f3c4e79d4d07accb1435d642b03a0503ea5a2585a444

SHA512
54d25b53def1fe94329f4faa01c1f6767df6de7571ce4500c9d31201c5bbb3cc161a36f0db8c5dbb314876f0f5f3f8d8fced9b9800ca102af262dcc9f6302cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQEAEgwo.bat

Filesize
4B

MD5
c3d2127760533526c7a0286d8ec6f388

SHA1
9f528d1430ff44369e450c6d685001b386b4c931

SHA256
ef28965235973b27181a412543c3fb8af0ec03f6252f7d17e3c3957c9a326dcc

SHA512
3abe156fe70674ab4b91d23762f2e4f1cc868f41a31bff02e1e3d44ab66f2dbe4296311085db4e84f11fd88af867305f91d1b7b30ba291f1c3f63279b6c7c258

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUUEIYsA.bat

Filesize
4B

MD5
3efd5a2b063b08f31970f8a686872268

SHA1
6e364300ca29cf5bdccf4529ec82cb7701554797

SHA256
0e992f99c771d1a8a752af5b6b73196df0860b4ff6f6e35e8e182917e1cf0ea7

SHA512
fc655bade6a6332fa8e55e8f676e0513d67a8f5b993dfb53bdfde35e7b6c60e59f9e0a8b97455b8baf16b9ff893af00061f9fcd6034c2360d2cd9ab8ba1fe765

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUgS.exe

Filesize
237KB

MD5
986d11e3ee17e765b8633f58aeabec7e

SHA1
9157f0ead80a71780bca8cc1d42a2559706a3702

SHA256
441cbf3858c2c1e5e8ca9c70433073ea25a19bbf6e1f852869ffbcc794313fab

SHA512
d80cbea6fd125ce8e9daffffb1cc72537c67f5fe6af80412eb7124840e61557c5a94091c4551a58b8d8323fafb96834b3d67a5c8c4a44517da511465b7bdbcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccAq.exe

Filesize
236KB

MD5
d16bea6769eacb1c0081d1bdfad43ff8

SHA1
e10e3b00bbe1ea1f11e3f680b5ab8aa677c8f9b3

SHA256
b0d06ecd3ede3f1c95f7764c92a6c66f1944ab91b9a2b5c917f7b646d7a3aa8c

SHA512
cf3b8477b1d941ba8e3211ba6928faafcacfce6fdcdaaf07aabf53dbd67238848a7858b0db603aef20aa38565e73af09353aedb55221d7710e27364d2a6e2606

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwMQ.exe

Filesize
216KB

MD5
ed1794f1cd5182e647e987f2fdaca28d

SHA1
ab1a97de44af927a93320002247344b06d618958

SHA256
3cfe51650f9b5d3d36a02b31ed9f0bbb540d391f70ec5faf547bb9e0dae73727

SHA512
bef2b8057e6df89e3f82c0e86f29d54b4308282fba2c54a8dd36a634cd674fa3dec7fa01a1e13d00fe9bfbf07fcb155e9fbc3bab99ea69fc875bc603984d832b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwkE.exe

Filesize
200KB

MD5
a1677ca611010b4f42f6505e5be9aa47

SHA1
0a1537cb0a652bd1b59cf518df4457db661ac066

SHA256
1fdbe097b0f040f97577fbcdbbbe7d54fe7fe25f5f068d69a05706cb87b4ffc5

SHA512
c88cd84965a33fc1fb5af0f1b2947aa94c794a4eda73aa5ddf94438be3e9dd0146e3e13cba11dc54984800445017d7a546bf3f203a08f8059dc28fa3fe8e5c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwos.exe

Filesize
247KB

MD5
685b0d254520263061bb3e382d87cd85

SHA1
ed06456ac70665d9e458137ad8055619699eead0

SHA256
c9cd27a65ca5b291dd03bd9d957c42feb2e4afcdbb8ef910a70963f12bdf9f01

SHA512
749081801cfcfb193cd6276046920070b8f6dccb48d6e8c521b5c980329e36e2a3b6626f81e0b1ff3eafa0a66f0c3e59b511e7cb61733132dce17e9626f53b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyUsogoE.bat

Filesize
4B

MD5
8cc838fa4ead9b2c248c1b9df26b1928

SHA1
9a57b3dd88fb9876063b60cbc4942225502c55ee

SHA256
8a43344f03e67f17e944022dec5e43dcd46a9099eb810e1c9adee6f58894f0a3

SHA512
649f680f21709d7df4ed51e588f2e581662dec4b5ff7cc876a1482024b094c4914ececcd9aff870f23e3e0a57f31144752f8844b196dfa8ba44f92a8cead56cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAYAUQAw.bat

Filesize
4B

MD5
9b7cb39be251b998e90d5c9fc9886fb8

SHA1
a9e7db04a53fb5f66844a9ab879648d7d8568317

SHA256
47b1ce557a5a0c26c665766dfe0a0b015094711f9aab9694a3553b9dd3485709

SHA512
c05db338be7b65b9c58eb65f19a80c9c4b84388e716943c073fc509c47797bd33f0de15408195b2be95a2f11114a498430578e9e4130e1862624aee6d4db4d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMYsEQEI.bat

Filesize
4B

MD5
551d729d40646b3af039621b212eff72

SHA1
e99774dc436be14e46046406e5acc3cddfea81d6

SHA256
29445152aac0e2561a33959571052b12b5fe2f7b017d00d74109ca782fd88664

SHA512
fd5fe25a29cbe3abefea61a7c31921a9f3c6bc94d8725587026009ccd7bd91bfb946a81fe624c12480de32268ddac2f8158365c014496c66b1762f9127d8057e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSYAkQAk.bat

Filesize
4B

MD5
45b7eff8b50e3edb57b81f6535b62dde

SHA1
ef3e7d7c3ad802aa82edf42debea5dddf6a39e47

SHA256
5bc11c0ddf8b6176b0bf897f373721ccac5a2d51b9465a0e7aabffa8f107426b

SHA512
dd808c2b3cc6c112bddc176f2f11b54048252a2023eb3240612a47c8917eb64523348193fd793d0118ca351cab5d79d6fdd138d9454ceb8655cd4b8fd22a3619

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAYq.exe

Filesize
544KB

MD5
333dc74930080fbff07da62de9335515

SHA1
88215ec8be60231fed79a68431943b61597b8fd4

SHA256
389ae36a9c6c3449d62bc3d29e32aad5a4e8a92de81fe29b8ea5d9129c7bfb52

SHA512
cadb1528645ebe56851776980ee2d3d65e14b46f91600eac9f15798cd2d3bd1382981dc1b87719e99e0550dd8e5ccc024bc1812d1f3a655d7da292b97d5e36f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEIq.exe

Filesize
517KB

MD5
7788c593425d22cd46a0e3a7aa830ac9

SHA1
5a110e852e333f3614514cc1c1a7ece31afe9b3c

SHA256
a114fba468245493f6c7ea06ff7ee9fd6d50249139c1110254c14087a462c188

SHA512
e0d0f6d1bc85223e5c2895be77d255449867370cd639bb05239f40c2eeb44f7cdd18bcdbb4ddc0d4d5ebdb5fe6adf58c3232d9512bb86d0a4b7342e70f9a3212

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEsc.exe

Filesize
228KB

MD5
40ca28dba4bbf42c8a08e80f9c4fa815

SHA1
308d9909a77a61f64815634a2749e4bf445a4faf

SHA256
ef0741b6682b1a946964de1caeaea50770d7ce0f42b24b7a4e580527113361ff

SHA512
57ced2ffa3b2684237d1ab4793c72fd0c01635a1fabaecb828936cee5a0772d772900fac8243045b0c67aaa99acd9b6efb91f9a3a94f8c1f2d38013308d5c690

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIEM.exe

Filesize
324KB

MD5
85d1502bbd2f154f267495d54532c8fd

SHA1
d17a949f23e86021fce5b786a38019ddca2cbd5b

SHA256
7ad85a64210a478f93fe8652291ef644fa218f84d0a268548173c2a7b99dde4d

SHA512
f18c0c4746af50c003f559de52395f111f836861c8417aec1815663e043ade4994089f056e09a70bc97725afe432c1229236686f5e2349c71280e37dcbc0a7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIgQcYoU.bat

Filesize
4B

MD5
d4271ed88bc1243d3318815774e163b3

SHA1
d3c214d566000c2dabc374e26a519bdc607f1139

SHA256
cd43e9e6dc015df5d80f665fd8a1aa1a68956eaa7093b28ce12756d849b5e5f5

SHA512
25475441cc8236dd2b3c4eb4513b7e55226e9b6a3aac7f860352bc4ce59a55ba8065da0a02bc32b549110897f6234c2d447ea918149f7ff3a2d9e5d22fef7015

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYMo.exe

Filesize
1.0MB

MD5
abd5ac594ae43b67114ebd37942f14b3

SHA1
aaa2263cd985abd6c9cf62115426687187edce0b

SHA256
ad79ac9c449a744997463b615ebb1a7613c7333f9022c1fdec2e832401caa2fe

SHA512
54a604470736ad32a55b904383bd32ec550fdc0bcc82f97c8c7fd677086e93a560d4137e41219add2afc27778206c4ca6578864c0f5ea848e9f17c0484a28494

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekMY.exe

Filesize
191KB

MD5
1e59c5549118aec4b3b70c25860557a8

SHA1
3ce913b529c54a83332572fbd3cf095cc7657455

SHA256
7e33c95acf942f9360e96bd94469030a7f920a2695f6f14cab980281584cc978

SHA512
8cbdd42c6ffafda13923a4588fb61023fe32294040be39c4f95af71daf0fcda458c82754eb849433bb16cf4cb092213cc839c53f17c51ca1ea96751886bc3e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekgYMYYA.bat

Filesize
4B

MD5
242fd2cba2769896287b49ff28dc85a6

SHA1
a3745875407792cf0936d046070e1d5502cb89b1

SHA256
6bcb5c45616c447a5f357db1d65c5c518d16c58b877e4dbc2a1743a4b0fdfc44

SHA512
02e27a7d8065993cf1d564884bb8f2f74264a193d4bd8af09ad8e8f22118fc29fc7360977c47cbeed16bce459b79359e6f4d710900c0e37bf3209c3b21079b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoQc.exe

Filesize
241KB

MD5
5804f7f1ecb46ef71a6d932bffef2fc7

SHA1
f743379470f21948e0593f566fd8b1111bb4a746

SHA256
f3e67d3fd374f224754fb4463ac1f07350a23f8d86fc82bacac40ea190425e6d

SHA512
4c0d737d418ad29f83d18b98762389e2de7edd0107871601b49b5ca2ba87f15beb76ebb2d5691ed3e8e9114cd75be2e4cc79d1653713057a707d961bfb422f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eocK.exe

Filesize
247KB

MD5
d3a4b1f3fa5e5ab0008cb477dd9838d6

SHA1
9830ef4cdcbc9b81a57319cfaf735d2077684e6b

SHA256
c02d68930f8686cca9dd09cde81759468be918a78be454cca65b8f172ae2ebd2

SHA512
501d669e2a31ea1a30cd196b9f4c5cae76d16765ddc724ecb0d08f4d5e5aa658271eac0cee2854e8545567f56f4e100490c95c9e963dfaf22cc2841bd72bf7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\esIG.exe

Filesize
1.2MB

MD5
c1faebf2fd8a9a413c184e9bb70327c4

SHA1
d430e8d94ed6f512d89f2992b723e570b1d7acb6

SHA256
c8bb7f1869b30298c55ec689bf50a60932bf033f3a8b7c467fab230ec3ac15f2

SHA512
dc745f2a08fd0a241b2263a6c6f65ab13b21146c182ade977af60157469bafe900a9948499192bd8e94431ea679d158db40bfd258f6be8e7ee688eef4900e2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\esQo.exe

Filesize
236KB

MD5
9d4f9f915563aa4dc9e7ed055edbe8fa

SHA1
aefbefcfae6909abfd2b2ac5c9ff29b5d880cb7d

SHA256
5129bcc816e1b5cd0825acb0567eaa3879e4e9f030a0446faa4dc35ac0f5486f

SHA512
e65db417147b31e3fa057783ac4b7e8aede4bcbc9301d74dbc1bc129b60b3ac5ee4c47c4d3bf6f1cb2aa635a64f94fa625ef73eb3ed1db2ae074cf820ce73c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewcu.exe

Filesize
468KB

MD5
b314e60dae31cb6f3005d099fa69cba4

SHA1
b95457e9db6af01ec6cc21affa696288c1b661a1

SHA256
b6903c3455854d1d18952579ea4ee1625236537322a19886741c2f7ae6d634a5

SHA512
87a4b43b1a0a3a87ae09407e655a5e565591b99c705db2ec96867afbe55413572e9af649e970dac7e2a9651d4badd4d001bfe9e78eadb1f7639ed19c65be670a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIUq.exe

Filesize
236KB

MD5
675431a68a528e1c0714fbb3aeb2c53b

SHA1
d12f2818c6d458dcf65da4825203e97acf7c5f23

SHA256
10bc82fd48441aa801e5ca3753085969be5fe4bf8c69d09aec1fe97f317d7003

SHA512
2524a922d8c622eaa34f89d8ce85029cab8f093da81a873328eef325706e33e0b26c264efaae68a49c616a50aaef09fd417a4e12fd98458b4bb5c86a1f8fd2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIwS.exe

Filesize
2.0MB

MD5
123906cb4309a9074a06c7ae8f457115

SHA1
a5faa1d64717e07aacdf0ae7883743d808a8d79f

SHA256
d969fa841903c2a50b90947fba959acb027d6c78f2e55081eae69a9eb81acc0d

SHA512
42f63f1a3f16d0de726ea9ba54d25b627444eaf8078920e751d072c457ef21c8a6af5ac5ec211fe03f06ea4805a5e9d361a5c88ecb0b656c6de2bc1f3745751a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMMQQkMo.bat

Filesize
4B

MD5
5cba1a2b65d3dd7950f0f45e243f1f12

SHA1
946bed7ba4701cd101d78a0b19a34472a0fa5401

SHA256
432c53317269996a8c2f78b288b2f7039cc6bfefd570ec230580d3ce52c64698

SHA512
2bcb503d5dd22f873f61b32f9011817ea45db0acde72040cb988ef7c2474c5ac8b6220e32fb24ffcbb656807b632c9bfa1bad66f8d55d4eec2535c045f2aaf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYUs.exe

Filesize
1.5MB

MD5
47813d2831bdc3fefd034f7b01598c25

SHA1
ca8f4ce2164fd07ea53748153fc5eee57ab13ef0

SHA256
639f08d313d71aca006d02321798832ec95918df5a9a0840abb4b7ea7dcb8224

SHA512
f756b011571fc4d5b123272848788ed2f70f5254b23f7f9cd79aea1373f70c698ee94fe89c7101e5c946aff35e8c96441e3e64877637bf102117e3279b5b6eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsEI.exe

Filesize
230KB

MD5
8cf6f21f3f22186510fdeb1a0950a8ba

SHA1
57514d321e10cfe563d0403b7b2de73f0f1acec7

SHA256
ab18bd95b92fafd482a23300b087110e58e5d2f22b0dc3ae3e70f104b5adc8cb

SHA512
0d2cfb65bdf34c0c0fe07e9a40f1d4c7503272f9f3774b99f7beeb49205b8f005b7dfd304cd1c1152179efe61491a01d928cfb234e9d52a4a55c609e8c5380f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwYYUQUg.bat

Filesize
4B

MD5
deecf18ef71182ca7ee8ccbaba61fb06

SHA1
e1299a32d7d8722a8297693afd7284a9d95b5d45

SHA256
5c17b7eae21590f38b913f085633c84b49fad01571c20270349a4bc4638c76e8

SHA512
7ddf7af89e0eb70897ebaf20ecc87473b66cc6f9208fcd42db233a2842696b3b40ba188aa8baaae6864b3c2dfe1e4c35b25e71843a1d36fe8eb2d11284e5af0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAME.exe

Filesize
184KB

MD5
baf348a414ac3cc05afe5890ebdb0b66

SHA1
8644db998952c062a3fb4313cc0d611025374e16

SHA256
8367912f50321ecc2e10baad77098e6898432a934f740a93a9b5443512708140

SHA512
fe9c50f19f5e8299d7d4a955eb0f962e4f055ca2f71baa96ef7f61930cf04e07666308c0a34b37cbc906d76e3b9e90a8c199e24712636d4df8ce530b34aa2691

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQEM.exe

Filesize
250KB

MD5
7125484a20517e437c5f6cfdc418e39f

SHA1
ec44d7e66535adfb4dbe8693f6dbd34983818c9a

SHA256
b0b096d701a9fca3f24bb82b5ea8a2da6ceb23a61542ad97798d7022a3fac237

SHA512
49dd73a178d0319b3ee7e14bf6993708a5a263af6b7d6a6cb52fa05aa164b215b3059b9645c129ae76d192dd6a2a8d412f0aee196a37d753d547f9ebc48a326f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQMm.exe

Filesize
235KB

MD5
c180fcf7cae283cd97eeaf1f60ea1b79

SHA1
25e39bd1c3d777242e30973fd080295e47685ae8

SHA256
d2a2a9f8c7d20b5c404a552d6f13f5ae6a5b207d6331a522989d03d7865eef45

SHA512
368fba066b17ec100a72d475e548c2d9a09382c2e5f2226ba36ca64898c0b633e88de8e50e0372c9f56a2bb19b55d4cc86118c2368100aad717cb95cac95306c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUIu.exe

Filesize
187KB

MD5
be1e8b3579293a1f92593cfe6628df51

SHA1
01aed0b06e6fa88befefb1fee08dbd58cc12b38e

SHA256
414fe7275c4bfe2702193046403287f298817eb60d7b29ae18cd20ccffe7fdc3

SHA512
6110f6ef4f9f30e56a2962b4b4a86ce782b1a30f58038c5f7f1be54375eaf9fb49a499e4426e930a710d19fa3a5e977f9c87cbc5767ec234278e66090c1f7f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUowAsEU.bat

Filesize
4B

MD5
bf847f4d7e1de6186af273935ded9409

SHA1
45bfb7ad0e45571239099e45afdf55c33b45d9a2

SHA256
fb12de6093c5784a06fad2a0806ab36fe7883e2f933258776e3bcd8fdfc8a615

SHA512
6ba15f615a364e1bc98a1f80cbfc474082c8ae2d01452a0226c45f596afdb6f7f9d11e2b1c0a91a88a13fe88cf61f1a3289493c61e742068534ba91170fe17ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\icAw.exe

Filesize
251KB

MD5
b8f2a3c42fcb70cdf3e72d3e9f6006b9

SHA1
908654c847458db17c373501a7c0cabe8121d0fc

SHA256
639c9b47fa41d0b9678d423071a4e100595bb1ce5dfb0abb049326e645a3aafd

SHA512
0cb5198666b6ee710671d4d0ebc67e5bd3a670fb647007144f9dedc50f52743327b567c4ebe0d235530ccd8c2e5e2fef870b7ebe944f8ec7c0e689f60993afcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\igoY.exe

Filesize
249KB

MD5
3272df842fe189d29d7a55673672d7ba

SHA1
50ab0dfcc34b3875ad8791f09f8cb6ae3eb7cf6f

SHA256
a0e7a2904818f379b0b03e1c3a30718b39f1739beae9563ea4ee8163b363d2e1

SHA512
1f3ebaaf2093efeaa6cf337c3eb4475b29eddbb14861474e5e4b59f8ce3d820d786f4e470de2a42aa40d5e84abdc2e635a91c6c88abcac171e1a2393d1828ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikow.exe

Filesize
240KB

MD5
7e9e81827437f41ad0a849afa639ac83

SHA1
e99c3160a045ab664ab1f6662c4c74af19a91a36

SHA256
53b52005a95d8ceaebddff1de0b1584558e6c7afb3821c7584f00629bf94861b

SHA512
29a973513cbec0688e15934e5f69113338428664640e6b17a7caa3903552dbc360ef97ae37693abb455932b18d92f4bdff0ce875cdd368c5086c67b481f83225

Download Submit
C:\Users\Admin\AppData\Local\Temp\imQsEkcA.bat

Filesize
4B

MD5
9d3df0328e3fab66fd2471e794855cb3

SHA1
b523ca9b4f2a8885af05038ad444e157225fd3cd

SHA256
95ded9e3b14ea42f2929eddb9e73fa0c5de9b77fd6154d3a18b25d7ad48159ea

SHA512
27e8e3b54f518b34becea70c65fe02e23ffa4b970fee0251cf7f0ef1a229a796918dda3cf7d2ee8d2257b8855a29578042c1713ca2b031d0b04c44a57d4e33f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iskC.exe

Filesize
242KB

MD5
ccdeb284f1b4899618f98bc9311ca661

SHA1
f365a1b1f4701b71da2b2df14f2ee1cdd007f242

SHA256
6f2454dddd9f89bc141ac4d7a64bcaba2f6e548a23dce3931110fd69326bf983

SHA512
d6df059b813f611a208e82ba49df5c0ce5d9a19f832131f4734c06eaf8e058a31ed1929e5ed45ccf22eac63fa4defee8f8acb84bce7ef9532869879a74864819

Download Submit
C:\Users\Admin\AppData\Local\Temp\isowokwU.bat

Filesize
4B

MD5
6518dc9b3f96f1c548cf4dae5e01a11d

SHA1
76c672d527f88c5678446b698d0128d9645cd846

SHA256
a14693c663e6de7c513cdbe90247a981147bec86d29cf4f2896f8ce236562416

SHA512
2d63aa120a6fbfc96ec0643d9792de4c154fd126202b5042af588972157ebc379dde0b5e95504d8ccb37db3022040ed066996830bc9f0cb9634ff9f13a09c99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwAAwMUU.bat

Filesize
4B

MD5
fd716f3e2a909727dc24006b8b23f483

SHA1
e0d70c715e32c209a2223162beafdd88cda2c473

SHA256
aec4847227898e9cac11a0efd3412b47a70d42b5434e48981dce9d3f9215d463

SHA512
34d9bb32a3f7156b573dc1e9449897b1774d9fff4ce40ac0b348f1620d790e7974d497d453a96c06c726129df7126e7c3093f1bfce0eeed607034fa7570349bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwwy.exe

Filesize
234KB

MD5
b61d2bf3f1ad85881815c881ff96ef10

SHA1
2015cacd034fb05d21d7d134e94613cbb6f6a599

SHA256
9dc56f83b697c9e7da1098d6696346a8d2af62eb1b0a05690eefa12e28fc0d79

SHA512
3bb92c12574913a51454db79f76a8354521d0a24b2508bccaf2a0077dac366351f1a3374cc8cea92645c7a2c673f180d9f51413607dc6948d20318d716800ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jCYwIoMA.bat

Filesize
4B

MD5
36e01b476e05a81068bc22cf2ae5ead4

SHA1
824c87b37a728575a63b0d6c3d85c48482d5556a

SHA256
4a15c35af23f944a939adfa405b1322785871d0e69f5c1dc187d6bc2ad64e1d0

SHA512
5dc7788e9d6b008a56119aa94072df497b09b5ee2a47aed9393f38c3de97d417ee6ee977d61cf50931690e42ad33f1d4fe296c7a72bc7676c1cb1fa497b61df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgIAMEsw.bat

Filesize
4B

MD5
023b3866c85d8f0d488ab58c40cd65f3

SHA1
e9a794579cfde9a8e2d4826bc0e8bde5ab210241

SHA256
fa8b0dd63fc90e54421d372fe8510f405c86b1a738f709755a8ec3613782fa07

SHA512
3ed92e1be67f5a1004fee066d3cee03ab87c9befaff81ff3d0f3e31cc44930f2e31d01031834ebc496133a36edf2b8ed5b6a136bfc64959b982e37a58de888cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiQQgYos.bat

Filesize
4B

MD5
d70be772df98700a2c30d178fd923b76

SHA1
f7e2664a234b1502ca3a1589e00e56e589e0fdff

SHA256
05959f89dee2d38913b477ce1ae4292537ab6d57c1d1b5cb40efc4dc63ba39c5

SHA512
64be5fee10c8768c16991229efa33a943bc59d6d27ba69b6e98cf49a1d30e4b733c253af2469cf6fcf9c974db474fa2bd95de8433c85e0e9f619a10c75851971

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMAq.exe

Filesize
324KB

MD5
2a3262b4a8f0a07533a531e7755e1f5b

SHA1
4e873702a163e583360bec55b5f0dd663e95b795

SHA256
4ff42b18076cf51de3cb0465bfc4175be95fbc9332ba9349cbb6a751ee4b7a52

SHA512
c7a13f8a60dfc07d35206f462b4501b5908319efad4b65908a4d5615b77bfb142665b686b494fdfd172de677d1b87b78949fc3858c810dd06209667c144bb3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMoa.exe

Filesize
246KB

MD5
9c31801456ee543bfbe025a1cfdff9c0

SHA1
6df9e8595472a171ef6009b83e70f8cf4785e22c

SHA256
ba5cfa90abc51c673d7e7576b76ba2a83812ccdbba49ef242999f0dfe5325fc5

SHA512
45d8f6091e64d85cfaaf5f977e9c22e6a94d5eabbb1aa5d1884ccb70755421e7cc43ea49d8fbcf937f3ca0520e02980b58aae713ce6d018ceefd8933c4c1a2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMwm.exe

Filesize
795KB

MD5
1ec405d0771a7dc04897078dcf5733b1

SHA1
efa49a884a88040c6d4dd4564626c385c999fc32

SHA256
f54b0f4a1571647f23bebbacd0b90e0f9824f75ac9505c66f64f625d9fefcd03

SHA512
787571194f031b9fe28fc5f75caf7490525fd43b56c27b419fe195e01ec278f11bc70090aa48cb327deed95d780f5b105c0775535cdfa3123005026ead977e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOkQQIsk.bat

Filesize
4B

MD5
5309ccb25d7d510e28dcce7015ad9c1e

SHA1
8b880b90030d5292930e216cceefccf530a60efd

SHA256
92a5800b997bf80f9da13ca4d6f712f2e919ef65341ca3a7ce934aed57b3eec5

SHA512
302c1d397b711b52016734436f5bb5d028bf993765672e5abfcf0579947df1c0fa8c2590cab505d9a10cb57ae5cafc50ef010da5453cbacc7c186b5ee5c2ed17

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQcY.exe

Filesize
624KB

MD5
b5bd368d167b220fb41ec9c3f632c14b

SHA1
a15a08518d4660b636ad50373f6985e229b39ba9

SHA256
3102c2a58e691ed95b2fe216dcbf83dde4e5215e31e56e22985e316deb85b559

SHA512
c7b7aeff2a32036e119cecc5bd46fb5babccf471fe3ca62de149e23449b8084c22be2911aee33410b0c89d14f89377e68f593f5f3c2597fec29a73a4f2eecba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUQg.exe

Filesize
199KB

MD5
7e708d8c5fdb089ac10d775bece0a1a7

SHA1
795835e6b7ecc31f5669e80140373f61dc201b93

SHA256
14e35272dd6f24d5066bf5c92009d12080ca7badca53d2fdf04b625aaf39c786

SHA512
2ed79298db94edc7d589bf6294d5a4155ab1631c127fc194f82f1bfb51cfea513f0eb62ca7b6b088b2d4aed46b6390d31c20e7d38572e5af8db36794fca0e443

Download Submit
C:\Users\Admin\AppData\Local\Temp\kWUwskoA.bat

Filesize
4B

MD5
ba8f956296637983e7c1f519292b77d3

SHA1
334afd26c6dee17b0b1ead7ac2b7cfb81c249833

SHA256
ac2a5e98a293d1e23bbca235ee6920140dc8b7125966d6f552520208588c1979

SHA512
9635b4e88dc113fdffe0b063ff30e863b788f4721924cf3f1f34776848b873c39f707c94b7b13cdd4c6bea91574365d7209d798c3c6bbde99cfaaf1b78faf3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcUIwYEk.bat

Filesize
4B

MD5
5e45f1cb44c8627f69cedd6071e04d68

SHA1
9643a4acb7791a833f09c6834c59261d14240a46

SHA256
8758656f4053d9344ef6db7f12a2a32aef58fd83975c03846b6a952a6bcc736b

SHA512
e91b881c7e446b1f9cf463dfd5dc12be2dc83a931ce6c9d8938f84d4e68c85446ee25b3f0b2223cc57041d1ef3d794625e0f4bebe7ad6f795151b3fae155aeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcgw.exe

Filesize
192KB

MD5
e242731383f5a97ea292a0b6a62894ba

SHA1
4b03025661ca0c758a8d0b06928cd24ab1600c12

SHA256
f103af6aacdb2dca6e36f32d75a1305914a1a4cb2ae6f5d1823f4e56caba8261

SHA512
5adbd36d29862d62a5007bce18245cbb1798f2e952efdc3345d92d88e9fc7bd94cd58fbd5d8e40a7007a81d657f77587ffb78a4275fd2d8620352b15415c5fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmMMYYMo.bat

Filesize
4B

MD5
67dfe05100f5434af651092d881ce9aa

SHA1
5606e81d4fc9339a521d80673e9869bd7478662a

SHA256
30ebde4be3aa378b5141ccccb1567465fb9401d7c40f3e607a334957eee461a0

SHA512
eaa28b82ed6830b9a891beb483dfa3bd549917408132c670615dfb049d9e02e333159f72ca1be13483f4b284180daae48a1c7753ee4f5a1e36d557b93b76d1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAsscooU.bat

Filesize
4B

MD5
22c989d708d7781daf0c1a5324476619

SHA1
2b7ce6ef055765055dd8808578e260716af9371f

SHA256
400dfc72f2e55d1af5c15774259bf035b82dacbe81d3dff04037d590186182a4

SHA512
a98a1312a63dce727013a0bcee4425a915e0ffe1fa86dc4ea871c3cd79366af955e2f3d64e29f58e6f9f43b6e78de2b01c4d0d77f596461f41b41dc78bb8216f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCIYswcw.bat

Filesize
4B

MD5
096492dc597ec92d3a4042c0135884e6

SHA1
d25655dca86838f5c55edc659d335a3bba5527a9

SHA256
0da20eb16b410d2647a731ab17e0fb2f7fb07faed1c961a068a1fe2d5b6c969f

SHA512
9fd82ded7f108f160d748ef3a7d3823254b27529c3b92e81a011ce68926a8a94341e3f97b25ec6428353262eab3862a60b2b4edfe43f8df6874045fa18acc33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lacMcMQk.bat

Filesize
4B

MD5
033190854001e83312c5eefdb68f60a7

SHA1
b507b88b5072526e4f8c3e3c2e6af352faf3a92d

SHA256
72b70d8a1dac86dea9ec259568060ba1940a91a87019db9b2142c181d14b3446

SHA512
af969136ada7375669d8e326c09d5ecb266be8100a6b39184cfc3ba59a85cc8ffcdf0154cb5eab3520caa818bf8622134ec955bbfc1a10a286e7c12d9490b895

Download Submit
C:\Users\Admin\AppData\Local\Temp\liQEgIkI.bat

Filesize
4B

MD5
03594e0701fd00f43a2c6afe24cc562a

SHA1
ed6db834fad96832423d8f4714e58b389c42dad0

SHA256
9e92ce536f18f7d4dc586dfe63f823c059523190b35b3a076706089b993025b4

SHA512
293c6f9ebc2e809eebed418b3b8328397df353ce2211cf2e3e2b2c3267bc7770ab136f3249ba65fcd6c2935625c38520387557d97035feca83843781e34f9bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEIA.exe

Filesize
239KB

MD5
050bfb540d18047ff8e8cfd1d2535c20

SHA1
7464c4e6a7a2ab6f4daaa5258f0feca1ed228025

SHA256
d30bb852853a32c02d532a8ec9570065d8c804b4e00fce02b41d2c07a9322995

SHA512
dac57f52b1a7f8415c7dc936fa7e8cc2c63de043c84e65e8cb082f7bd703577428038cfefc300fd190f07b807d387fe7ca00f9c502b52373fbd1ffdf54f87d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mGsAMkks.bat

Filesize
4B

MD5
4cd783e5d6bd75802c170cffebc720f1

SHA1
52ffc3e2e53caba9a77701b89e43f36b21051a27

SHA256
6574bedd9728e8d9a9117f24dcca56d3aa0068b3cf25e4ab35c166af0872acdd

SHA512
a6b4c3e73e8cf34df846bbd49e39fa120ae1d9810637f73941eb165839288e7f62e0b71e52e49809c9e50a3bbfa6e4f60c5dc559c5582c193cd01ce2fb70db20

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKMoIgQA.bat

Filesize
4B

MD5
4e498fea98a5880fec9d5f21953a31dd

SHA1
13fd44f736cd230ab0ebd5b3a0f36f18f3ce190a

SHA256
b270db337f58849b0adc9b3593fc95603263f4f2cc93fc6354f758fe58e95a42

SHA512
4a34b549d75e72151166dca0999ad17d842dc84be6b97da0d21d8281643671ebc4f8d9b683cae36a64c854299e219b5e6ab7d2692cdf697c8cb41e07470b952d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mogC.exe

Filesize
218KB

MD5
f95c3627266f15fd077c6ce78bd28dca

SHA1
3a9b355687d76332a7d3069a6c2b4e4e73ce82e7

SHA256
473bfac42097e1ab5cd1b48d3196d8d896c76f1c51bbdcbb4da87d5452639ad6

SHA512
c008086894fd5d5605cead066099f065aaa8a1ebb6f3a6063abe278af677de214d2649c3a26063a31077a7c33eab13f44823661ef36d97f3504c6e9cfbd16e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mogw.exe

Filesize
201KB

MD5
6b01c3dc1454959faad7a7997c5f4f51

SHA1
474496e336e92146058922d458fb3202cf9b4a84

SHA256
9c80d5b6a07d358bcf379c335e809e9a46a8b65aea9067a524118a2f3e46e995

SHA512
5b028b1c3a55587704b9651e4c8e0598f8cb748042ddf71858b79bf6e6fd6afc2f3419d2c49e1ec7f1a89e8ab108028e5dc67cb8b9a4dfae1318c1c16261dc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\moke.exe

Filesize
206KB

MD5
12d2d3bcaa6110fd7e2e669a16c18366

SHA1
21c4666813dd21a9d8510e38c1c0e12999adb82b

SHA256
28bce7449da8ed5fee4c7e48364f909dbc4bf8e8c748ca1ae3cd31b301232ea2

SHA512
f3e045bb2179edf63a1571cf7534d151a54c3d5b38715e66028f42454c59c3786f6df86b5018c3fe24b9b840a590b2d7019e31d4d9f46d767e7e8b2ea6d8c92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msIa.exe

Filesize
197KB

MD5
4aaf655f8c6289cbaf9008242b763bb6

SHA1
9cdf482b1cfa121210f8c1edfa772cf24e28bcfb

SHA256
073a44c0b74ba0056fddcc25083bc9f209a612b2e3a53226e375aade32859863

SHA512
396de1f167a39a19ed956e4c8a7fa8d4c0f1170b3ed9654eae12b7955958d3c14e33a8bfcc70ba08cfd5fd0cac74f9affd2a71765877c9aa4a8f594587a6f96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwgI.exe

Filesize
872KB

MD5
d6e115f81267615c7fbef34b0319f48b

SHA1
eb93203c12a3dd727f397c07af317a7d1b11ab37

SHA256
3461fd1b9d4cb848ec255a9e6bed87b3c2c7077d97014a499ca6cb411afefd69

SHA512
459fe567473254bd969193a98bdcbc5244291e9b2619736698f1e1eed0cefcfed169c9fe7f7de93dd0eada6adcf95ac5b7239b933598099eefbf2484d713f3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAkkEQYs.bat

Filesize
4B

MD5
c1f2c5e6a9a9a5bb394ae9b65417554a

SHA1
e4bc6bb887a528d851f3d7b0bed7458e8034ba69

SHA256
b13305bd800d4f74b2c03cb29e90f7b9f5113b3fcc102bd21c98589288d6fbc4

SHA512
cf9feb4192ee5f7976269602ecefa66fd4bd4c4f959f297cec0d98a93dcb81682d6ddb589b0feb88d086b00741cfd1c8df8296527715a9a602917ea3ff85292c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYQkgIcg.bat

Filesize
4B

MD5
004467e6b6c766251019b2a37b965d3a

SHA1
b2c7472f2789e1f79ee46ffacfe7f0c8d1a38030

SHA256
c71b9a402044ab249edb71d570068461b9970970378fb90ca499736da06de0ee

SHA512
f93fc7666a894af871d41784855b5bd0561e8c244151491b2cc08fcdf622fcce101f7f0d6271222916094959295d7019fee57a30f118b61b97051fcc296c7e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkckwsEI.bat

Filesize
4B

MD5
a90e783889fa7e6cddff5a44399ab217

SHA1
c4dec6f8a6daab2160b7c1214d9aae400fac8edd

SHA256
5644a0a2ec70658fecda32e4b340c8258d1c77acc9ef826b47f43062275e4017

SHA512
ddf01b5d5f73c50d35d4ac61d7e70062342e482705bd7d12c6b09bfe93061383c9f6942260eb8f981b55a67d390b2258077133008f90396fcee91f5faf1ae6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgkQQkM.bat

Filesize
4B

MD5
21bee0526263d11dba7e9c1367f552ab

SHA1
b8992e18a5a863643af6f84d65dcf07ec444365f

SHA256
3a45b52a054ccdb34980614e75b422662f32bfa11b6ee8a1ff204e980a6d60ed

SHA512
5121b4b35e90d275de67137ff73923089893b27e658350f7719bbe248c815692dddfe3d8329cfd31a37b223420f0f6aae532a335bdfb5803b8ad2f4c6f0dae42

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEkq.exe

Filesize
205KB

MD5
ea28f6026d3d1433e69242061bade304

SHA1
abca4595fd311b072ee6094ffad4ae8e79f765b3

SHA256
28beaeef869c16400e24548d9f65ca6d833937d7040626baab1cdfbe3fb2033e

SHA512
61ebf67886564894439709db64ac61921dcefa9f7166736edb1ccb8970713d5a9c7b552016fc563f4a6d62d1cbfc5615bf9fedfd5f6ad1bbb061be5b5903f7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIoa.exe

Filesize
242KB

MD5
309d2087e88622260e3d6a681a66d594

SHA1
b6278c4f114ad9046e479cf9b8e85d229a541075

SHA256
4148fc4aa34e4e9f2d78a9afa8680283618b5bb87bd05787016a14396eddcb63

SHA512
9e85873d80ce154d9a638693b58a1cabc12785135803397f46425dba27840b2ff120088c50e0e91820ee89355eebf3d6c049d1e1ba09a498a809cd4a8e748768

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIsu.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUUW.exe

Filesize
697KB

MD5
1c03e7bac3c1e823f8e70c663e79761a

SHA1
c728ecf448a152664b565266dda7039028b58997

SHA256
2e74c8f5f1c2edf6d7a25f49e03bf1d70743cb5ab56f10c5e6f2c87a084146ae

SHA512
d40f74d09e1d44c899d5552a98a17ba76c94272e3e8b9bc73218866fd8ff8eb7472959ddae25034e914cd574f1f14c14143bbec9eec70de494ac06dc59657bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYMY.exe

Filesize
218KB

MD5
744f48d00a095d358d7c6aec3c68b2c3

SHA1
032f0bb1e3254e91259d382319d9c2a39de47435

SHA256
5590d57e9a5230deda118ebfb57db81440f76d12870b726a6ca259237cee8ace

SHA512
0e0edb1b827d70ed2aa24b9dc880fc9693d8d8efefe11462304c1bb96cf1396f9ff68ec4879fe0572d7d02b59bbdc4730bd7a81d067e2c710dfb27cb778d26f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocAA.exe

Filesize
244KB

MD5
03b2246739749b1821ef095eb8c2400d

SHA1
b74b76d276dfca3855be37b21a602d6b7872839f

SHA256
58d8754f894d5b140eb95724c6ea7cb19ed6bbe80212c815a036ea4301f7c237

SHA512
53d678d33b5393902fdcb09512d1d54f9248e80306a2ef05d81f1579294768ea1587a1fa73d6bd6735a119e43e16e5b0bf5a109b320a644799c847f97c3fc822

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYcMQkkc.bat

Filesize
4B

MD5
2700f45b8fc2035a29d237ed5e0d9734

SHA1
7e2378e98ee28cc486283e86d3ce2b28f9c62dbe

SHA256
e69e0f1b576fbd9f5e7c3d7224c7d2a3b01d0162c6ddafbd847e6822074ab29a

SHA512
672fb05fc36b2aa4dfbce904a276526f30e0ebbae8adf78e4c9cf1fad7448079b7895394aa6006673e92dce492589585719c89b08047a1fcdf2b7fe3f5fc1e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\paYwcgsc.bat

Filesize
4B

MD5
b381fdcbc450b0e1871ee94d65778f0c

SHA1
56f83a51511930715cd1ac1d42f96d6451d54f01

SHA256
a01609c64f89fb2d31b48a71936eeab7fa58a01faf0abdb2ef90374bbc743902

SHA512
a5ddb5a97180130f9badbee2d7cb9d937899becf0ffe23fe3dcc26ac01ff77592d4c05e76d65cf0c384432e76358f91eae8bec246338e60c45d5b35c29b4f0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwgwoEoE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCwsIUAQ.bat

Filesize
4B

MD5
a933af9ca6890cd825848874c3beb2e9

SHA1
8b31c46fa83ab5490bcf5f13254a2d2c4e2b3ff5

SHA256
c8d73a66a8f28a494995fe7d8f0ac9dac6e070a01dd299664a02d6bb1c573a65

SHA512
d611e8371b5ebd2a52e08750fd42812bf9e516475229f71005066f76a47aab8530053ac16fdefd48af1fbcce55ee9073a5fb6e0c6fbc3102866aaf3e91ec578a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEkMocUE.bat

Filesize
4B

MD5
3d738d4e063148713ba9b367c9a7dd83

SHA1
7a2ad842162d7ee341838d9cf27b6135de5f990d

SHA256
3978f1dec7021cbc7952199bf78142c43a6aad8dfd5c967f2c4872e86f1bb56f

SHA512
2b2ebbb16dcd4be947fdbc55246124b445b6ee53b824bcbdd1fc93c1e2280898da0c9b6f0d1483cb2ee894d62cb1d987e4982662340864bd837fff057741e8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEoc.exe

Filesize
228KB

MD5
426bd8cc9b96bf0fb879cb747c23b0c3

SHA1
992d873aee3eaf4c8950fed2a13e557821dd9e53

SHA256
eeb08a05743b5965aba58beb9f1af6d91934a70e8692a572b3fea2b80315eba3

SHA512
b56736c9259f908ca5280b263d162b15bfe4d24cf8d23b67de2f9c7aa6ca9991b43e17f9bb33bf7a8ad16d03ecbfc6d9f2893573aae914be07952ea2ae7a50b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIka.exe

Filesize
825KB

MD5
df071d717ec71dfc203b42c539869a81

SHA1
bdddc636198cde711952e3b60145c445aa0aa88b

SHA256
4e408e62adceeeb845b2a3ebb07ee117371232e91f451ee49a6a7eac7128fc97

SHA512
a4174e1721c86017c7caf99814a7a189f98c849e2691c71dfcaa30c608b8de57570b9167dac8679b07db3e43dfd68e1ac88556f5f6daaed0c60fcf470eea018d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUEU.exe

Filesize
223KB

MD5
acf29e8319ddb3f7ffc3c87519293a3b

SHA1
c39a95a038de6b510218c3ad034714abb6f41aff

SHA256
ed09d8bdfb066c8f3c4bf45e7e383caa67b85d99c2d2789d355db8382dba9f53

SHA512
c74337c4a8e1c98aa61c4e148520d0338524cf388d36c1a58c7c514aba57f84c77013d76dd74ea4e42539e078f98e15fb78bab8b0052b1ee5d18a44bc14ef4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUoW.exe

Filesize
238KB

MD5
37bfee866f2def84252d07801ac471af

SHA1
d9b5b3e70b57e834f0fd10777a9a5812ad46a33a

SHA256
daba4b34df493ba0f1d5f6328dc87f12b941c34bced7b3994ebd6dbd5eddd716

SHA512
cc2189b27287f2082a12caca934fc1c2b3fe576698ce6b8705f9deffd74d5f60a7a76e938a454ae37974cb29b6fbf18d5f85cd005918695d7972bf1f0e5d5e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\qccy.exe

Filesize
239KB

MD5
5652c186ec965c447c965e5e704f286e

SHA1
3f5247af786a950008335b2bdad72bd9359d9b65

SHA256
9c68b631dadc0b0ef70dbe4ab7e82e0fb62168848bed34ae0f85012340a07616

SHA512
f3965934d633f7441b834d4f24713c4e33051b151d641059c205cf569c2a22d830ee01573fe14e3164d720dfccde28d664880fdb69c60510066ff43c7e136cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcoS.exe

Filesize
196KB

MD5
f494aded1b41a0eb062fa41d77d5c075

SHA1
c57c7b57f63b717be8897ab6608c27005619ce48

SHA256
e03d7d141998419d6f6ac757155b14aa72f194f73d92e9aa3fc4b0db7c0a5e57

SHA512
763a795f1fb009c139c923e6628ce821285f7b1690440aee1b8dc60dfae1559d45b1f3907dad70fc4affecd89dfce6f2f69bdcfd082ca7063a8970aab4711f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgQk.exe

Filesize
228KB

MD5
23cd88fb73d1fed9992c4e02de4253c2

SHA1
ad21e37285154923e463bc601479b4822c213e47

SHA256
4fccaba69a75130789f8dbabeefcf168645c2bd6c568bb9eb5a287977fb073d0

SHA512
565d8d0592fc1db21d643d70ac6307dca3c5bca32fe6279ee99d340d1cb97a7697c7190615991715df78684cff2f83123d6d11a85dc0c8b719b19ec38bb16c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgwy.exe

Filesize
838KB

MD5
7df27661d24473caf6a01da145a89f58

SHA1
4e395fc1532b0fd13bc2ec7842b4db6bba40664b

SHA256
4f819c0a5a5ff6315af331d14dc9b7eae5a318b3da5408acb92895a4b06e9ff2

SHA512
3384de3d2a97ae655df51fb8abf37597f6c438df38b71d9d74cff04ae5a0394b7b51ef2dd28aef9c32735f5ed7ca7d9c497b729c50e23436102fa74fc210545d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEYsYMIk.bat

Filesize
4B

MD5
5867f7fabbedb65ac56100f8a547bebe

SHA1
32dd2cd92f219159677f2a0014f6a1a296e20d14

SHA256
cf504c8bea2a991ecfbd3c62f7c2d0dd63636ee2af69218a15ea4dd666062d4e

SHA512
3a326bd7c633fafdaff97e7315a694aeed8ca873cd1572ae7ab519ff35cdf9435f5581503408b91ea9f660a8e5c118cf620c7e4d378d98b9e2316ccf9b3f6e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEssIwIw.bat

Filesize
4B

MD5
6fd62624a9e135609aeb6a3649dd81e1

SHA1
2f60398f211c458ab5f4965874ed91d63cee34ba

SHA256
fb4d681fdb1f444cd4a4afe5e605241c028fff26447bd36f87c7c8baa5c3f127

SHA512
1dee75f924e3f2a8cd0832a009a84fb9c466e81ec4f3d162d1361c84891d467f23283c2936a8a5933464f04e471fdf9729d9a9c2367771cb756ad24a5d12f015

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIwQYEgs.bat

Filesize
4B

MD5
d989d04300ef4a6caa80783ff422193b

SHA1
63715e323ae9b8098de468254b2e0f4af37bca7d

SHA256
58b1424f43eb695f7432c597f717c9c851bdde58b92aad1c9701099941026395

SHA512
cadfeefeced07096ad8f4b42bc5bc7fa92e6355e1fc7836ee79925cdccab21bd07ccd01744a01d938bf66dfdd0de37409c3bc65fc8dfb53737f227a9e70c3bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQMwswgg.bat

Filesize
4B

MD5
ae58d1f861056d9009b94233e2da8b2b

SHA1
90874863c4d9ef9bcd5d0256160d61152719da17

SHA256
f0c0e5403bb2299d45a3c549bb411a666de74d2952dcfdb12b4b4ede84978611

SHA512
d4158c5d5ce115656c5ad19fc1cb9518cd720a0efbbd9f09aa6320d187c51005efe78a6b814ca2ae80c206875ed5bb8860f6c0d13db69a5e67cac59bd35aa97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\roEEgAcM.bat

Filesize
4B

MD5
8df0910e81576fb8cb38f63d2cd3b84c

SHA1
173e6fb48c5513c2641c6fd7aaf0d9cc069576b0

SHA256
3caf5c11e4662acefff15d4c88eb906b22b4956e2d7037c9307daeb11f605d37

SHA512
f94ce931b7a697108e010c3c906a73fd2272c7c3bd09e3b4278cd7ca9dda87cb70c41bd836b7a58305ae3ce8fdb271e8febc5eddbf78fcb9ac1a3ff62c7edf37

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEYW.exe

Filesize
187KB

MD5
af6e919e101d46be8b9a4a3343524eda

SHA1
d851efd661d101d5d57ba3a0eac477b523897a87

SHA256
a21d963b869685621fdc0697d6dc7f37242e5637d6a86e7651f14e95e5963dcf

SHA512
71a827bf21fdfd0a71fb59682351b68752061ae70f0c5a687659e9ff1f85ff98f3eaafb15244577fe1ac83a1bac1d9f8474b18866277bf105498cd46d218c895

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIEy.exe

Filesize
628KB

MD5
1b6abaae8f85231132fb19da88d2a18e

SHA1
985438cc34a9514c0d59e34856d3aac9c1e7ca1c

SHA256
4a4ae539d55e02dbcf3b5702b1e0edbb07bc01708b6a73f53d0d541e34cd22aa

SHA512
6b13cd29637c036378c6a8d0c168b9206b86126977e5d97433b8cabe8c58c2acada5debd08ea8d409f8bb21c3de83ea2f626262731d900e155b4c39d48349905

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIgC.exe

Filesize
233KB

MD5
5b4bb8d224698553bdfeff91ba898963

SHA1
692b1db0bcf1397e465eaaf082bd0c30c79b68ce

SHA256
bde448a1373a4695b7a486fe32eca91e1ce528d0cf04ac555f62bb3ebcc05f85

SHA512
6742ebc67e60efe9e5763cea90ade9f9efec30ed7a1f04e4c74689699cb2cc804b4ca297fac3a1246ef6d1347693c531cceb0578d7ea59ac33b05829b3702aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQkoQAIU.bat

Filesize
4B

MD5
086401e72142c56ed64b4a611177f850

SHA1
d8c2935ea3aad16a008fdc788cd3880f3a7769c1

SHA256
c277f06e5c4dff9c280903aa5e5db723530a731340e3f88727eaedf38cad32a9

SHA512
56b88c849cda0304fae746d4c9cd192ceae861bde8d843c67bd2f4b27ce68c17d9f811ac6b3deb332658415fc1df5c68d15aad39e327a0504726df212601b5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQwy.exe

Filesize
189KB

MD5
de1bea774e2ef2ef064615e1f99de1fe

SHA1
fa7893755120f45ae84beeeb76db05b7a1a6aa2f

SHA256
f0f91709f8dbcac922abe5035404b7ff26f4c723cc4d73caf8798bd1c772ee87

SHA512
19cb9caa8d567c6682be1de8a09eeeaa09e12ebece460d85eb7f867ae9c2f2e6a9535d374f8e437740b008edf287477e855ef4a7864a3cb6a0f04a1869a3efa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUci.exe

Filesize
246KB

MD5
0aeef7b0b6ef09d1fabcab4111eac23e

SHA1
52a4dce278cbbcf861bde98e803bd8383ab7d9f5

SHA256
7656124ca19aed9f1b2067328f4b03d0485fb40aba7bb1f5b517b0773ba422d3

SHA512
8ed13b4f56606534c9f2927a4bfef23c3628c428f06227900bee65e6b5761135ca8d479e6079e5dd95c3b5d89a4f841e62fb153daa99145738dea744b96f7440

Download Submit
C:\Users\Admin\AppData\Local\Temp\scQg.exe

Filesize
252KB

MD5
3ff7e323a684a0cb0ac0305ae3e5b071

SHA1
7830892858c6854b8acadb29a00cf8c3dfbe0667

SHA256
853ea06f3fed482928ebc0cb612820c837be517414ab16228b89a5f5d1a4b6bf

SHA512
8fac74a7973c22254bf47a3eaa2ae87b91e7d5de136048ccc961ffbf8a4b1310e6f786171ccbf06f9e2d1c2bbf6d470ff761a6f22530f13ba04e685f93362c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scgG.exe

Filesize
241KB

MD5
a28d51af7a499c95114f8c4a31d606d5

SHA1
749816a5751b707d0f0dbf98dc14ee601e86feca

SHA256
43be8ad62895b2ebbc57eb9a2fb93afcc510d1e4aa88e3654465f54313adf22e

SHA512
5b2caa5c9b4bd436d87e842d4bb5d63bee01012580e492fad3490223a0225a4ae164b525723bd5fe5d8eab264a4f823587557a5bf529a653db1fe064d161ad73

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgog.exe

Filesize
1.1MB

MD5
7f36aea69b98ad3f741b0966550ddca8

SHA1
02a5d3f3281f81830d9085762cbd8b6a72104075

SHA256
4a1814933940c070469f9f73c19ba5f7d3a77fba971b2989d1ab49ff2b8c044d

SHA512
efd9949607c7cba6b21de32642c453c78cd06f3930c09701c333adb601e7a05d3394813e90753d87b1f55898503bc52a68c6efae10f2bf0d85547d3534e3adf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgwg.exe

Filesize
254KB

MD5
b1058d3e36094138eef1193bd2294e2d

SHA1
ebb7bf1d09d3f9cee7c0db06c3fcf9cfd7ca83a4

SHA256
142c728cc23b211daf1a0e8236dd7f0274232d04621b04403c164e1d263a2f43

SHA512
b3b1d15aa48d2bde54b3e311392b65f955f96568d096457b8c237bc3626ee89d4e35a2889bc5c4e4fbdd873fa97baeee7a0537df4bf7e27bf2a53b971275cd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAEcUswQ.bat

Filesize
4B

MD5
bdb8bf55cfc26c3552ae1f85e9a5bbab

SHA1
8941fc14f13532896dec627ed8f86e1ba219e844

SHA256
5c1d23946bd23e8a294f201dbe8cb85fa9038ae2342cf1f8ac85c2b4d704a18a

SHA512
3f891be2508c3a37b2062202a229c176a700e38f32cd3bf91cc7a53502090ecfe0b4532c69d4d0588a07fedbcba6843b03ea612ec9f3a2a5cabbf44ebc517836

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAIcUggA.bat

Filesize
4B

MD5
a246803c5783243489cebc727a3fff61

SHA1
83093ff41e8185a74a2f415304c78ddd6f044c68

SHA256
6d162dca93214148daa0222d3e4469aecd6041ca6d219bcc8d996b0762c10f19

SHA512
f70999181bcbb5c5e58f526e664bdba4c0d829e9e87ba734d6d6f8cc7f8b7048ca730a18046c4fb7b4136cc5f4163a2dbfbd3b488659ef2a6bd135e8e7884d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAswkYwo.bat

Filesize
4B

MD5
b6c030335c0655062a244818a62a0d89

SHA1
eaa57d324f046e83e860469e87ea0fb53ed5bca5

SHA256
923687f8b7987279a91f49ccedd29a067d6eb3fe47532531b9b90158d63be909

SHA512
2e87d42a1d22dd4a60842267442696543c49cb43dbe50e8a755fd223abecf91edd18bda9940ab69dd17ee519deed5921346593b9fc10638ac27a8bceb5f62bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUYYMcMM.bat

Filesize
4B

MD5
dfebc9fe1df7e23142409e1ecca41655

SHA1
1f32222857e57027d086cd0c4e2ca7e2c2d3c265

SHA256
ba64e6ac0046a58a18cb2a057fcd0feda144a689e392f83187e7fb2510bec55c

SHA512
216a6a951084f8f5b20fcbd071de6e42accea29f2a583f06d78f520b34982a585926a95d0941a0d823469c4038368598c65029fa7bd3e9510583f0ded547ec5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEQk.exe

Filesize
228KB

MD5
d5edbb435f46fed6e467096ffe69405b

SHA1
ee850e9f2945208e4dd1f9c246869b36c5dd0e82

SHA256
1c862e8ad3ebf223d5555073f584399ce031c00feb0ac64b5c5ff824f4a2cecc

SHA512
98f1052c2713b4207b47a337622ebf9c523c0f69670839edbdd850bdc84600f8903c5da99ab24da3847f30a88e0ca5c0527d1d0cf8018adf314be4bc679a9aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIYg.exe

Filesize
955KB

MD5
cda61251446f34c681da0eb9e1fad708

SHA1
f56e7dc3b799c63467abb574e4864cc8e9564134

SHA256
5ea022586f5004b212ee225473f99b592ab7632b92940ca6cc21d44e6a5bdbbe

SHA512
b70ccd7bdb3381697d58ce72b010137b9bc5a0d2b822892ec8e72bc994d3373a587c6f0e748b2dc9346de05badfbf17042a807b7decc69c371a75729681bb3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIoy.exe

Filesize
234KB

MD5
1bd5ec1ed6de186e0e735e0276fc37ad

SHA1
09373fdcfb2a64322dfa7c5a1093ab91efc7205c

SHA256
15dc23d2bcb1f41070c151ca8b07df1409e16d5522970ff9c24bc61e8c5c4d91

SHA512
9bc1e3c8eabc3bcbcf1bbcafcaae75b65ed8096b6306e8d6da674b8f0627e9621b53a17fd1d7e4d25519d85dfc8895591db6acfa39fd31204c9cd6ab909b3dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQIIIwIA.bat

Filesize
4B

MD5
48fbf9371e5cebf0a4ea8343bd69ceb4

SHA1
a52d6da11da65b12849da46cd5319af639193f7b

SHA256
0af4774ae1bb8550e1228135d89635de745ee5dc3d07e1e6d7d364eb4a4165fa

SHA512
4f7d32efafe80b43155d9e61e4071a0ce1d135e0b33057a450038f60ea294e483828da779ffc178fdfaebeb4f203a225d0273963e8388468854fcf6d43b72d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUUkAsgE.bat

Filesize
4B

MD5
cee1ad2da170baad75f90bef4a051290

SHA1
d04d99765d220f34f2fcb79d94c9ba6696171c4a

SHA256
4676808c98f36380677af98aa1cd27da173ebeba39a1a29b0a1c123b87aea71b

SHA512
89f89166ae801b32c808461446d845a32f50099e978808f860ed15672694e6d21679026dc5e281048cdab4baa0877e98425363d0fc2cc5ed7559a03a248535f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUoe.exe

Filesize
649KB

MD5
a7f68bb7ac6c037e0f86c48ced4255cb

SHA1
d517ab68ba0abe48c1afba86434e5c884919f5a5

SHA256
3317e2317fab1a4f96a9ac4188270998b3ede25ab5dafa91c248c4220ae0dcd4

SHA512
e6d41f44a3fa4ebada116ec895cd9c91a1f6a7f9f4e80b1bf561441a6d61f5faa6d8ce385fa51a7854f913c354d50dde1fcc8b27eecfe5c26aff7ab8f124bb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukII.exe

Filesize
235KB

MD5
9daee1e168386939d5bdfc8b35731e66

SHA1
4e0e28e43275d93b5c2de6e53f010b08bbe14171

SHA256
5e30f781d6ad0627ac965a50d63ea04e15bd6e82d3e2d9b06f16e6959baa28c7

SHA512
454d050b9d004f75dca1cc0ef277711301ffe7d7bce69d260366090a034b7a54874868cc09630014d887f224b257fd0cfad40bc4817e11b97b0ada8b92386b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukkw.exe

Filesize
227KB

MD5
8d2f950ef96074078abafd9d0165fede

SHA1
15eb77d9d9701bdaad4ce1315aa85058521c343c

SHA256
ef97ea93fd078202683d465832517b07c9e82aa2764b829e1db4c9c711012dba

SHA512
5299e5f18e241aceefc54187f878f79c67bd43a71dbe9d0d66e388147101dc5e9f0903236d4d7d3ec4133598398155ba686bfda52c6afb016b82a37a22026eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqkQwIEw.bat

Filesize
4B

MD5
1b204c0e53cb7dbb9b6590ee294d44ee

SHA1
7f17998d458d9435574113645288a57c2b80be2a

SHA256
95e07f3a91951b0ca96558cc8cd360fa0a9d95e9f90dad6d00b575f3c072fb8f

SHA512
fe3c327804883cb3f08ea8220c4dc0b88affe012962d637040a32f7b838d0389ed043222755f90fabc01874f92d785f44818e248c6e7875ddbdf0cc3be3a0f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGIkYcMA.bat

Filesize
4B

MD5
5a6a28c8bb2354b39e44a1b214fabea4

SHA1
6e8f4bf470035d2ef0e178bfe53f61443ce82392

SHA256
9dc395892c857b82e3fe3bb4e1b3eaf9b9afffe2e8c85a34a0c4a50a054f0fe7

SHA512
11c4f3ca0a37fd976c551df010bb106e90c3c916fd5e51749e7263a1f640cb20dc4073490f88d8f871fa04cd1436b7154b3baac22b73d0da82fdee897b1a7f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vSgsoQEA.bat

Filesize
4B

MD5
59517f036aeda1ae96b138bb6cff8a43

SHA1
1745d797ad9d48419b79e31ee49388c38b63eb97

SHA256
58f077352827c9795de70fac69c37f2bb310ec68018f5a3b3f9ce9efea3a5e84

SHA512
5fa621648803945a790db315f86ce5f3761c2c5b2b6703adeadd01e81dabfaa5aa0be7eb66e619ee3b008a50469690aff949efd9b6e4dfc2aa688baae570365d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYK.exe

Filesize
4.8MB

MD5
7e0c2b8f734142edd2c84c0d39394322

SHA1
5e0def75f7303e5b33901fab4c1d43c95552e5ed

SHA256
c99716cd48dd8556939f7043f69f160e7475eab106814ffe5515b8844a350190

SHA512
0274adf62369d6dd903d3b6c0c98cc1df33d9474a661330edadb0b5e528108c1c03b36a432598895f1b0211911deea1ebb8cdf29bf2997b9cdf9b81489548d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOkMQMIs.bat

Filesize
4B

MD5
6b52b5952582b6517bd9d296fb3565db

SHA1
413e51291b9b8cdbdbb585d3384486e809501287

SHA256
c5f05238de8ce1fd69a622ee9a2b11c0164bbfe83afba19d6ea24f8aca23b73b

SHA512
f1af1a901a556e7cacd315701c159bc689846f0e39795c3bff7d8b20d9b24b7d5c25f7a2f58faf21b0948b03d20fd8e4dfd9d4ae8947fca9a59dc6500af19f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQUk.exe

Filesize
245KB

MD5
ac1898b999945e7145ba71b931d6c95e

SHA1
77a37443346e47356a0348f0f0df9513874497aa

SHA256
87f27534d6e06009c3668469d948875d1a1d66b2a75b1a7968d78510c5471c05

SHA512
69eb0bc61ac5fb41cc2514707bf41374f29696dfc6215cf25643a9734598f57356f1ed2a54c3d285b4a3a6ddca93a7e6dd58536fd630ff499dec14228dc7a69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQUq.exe

Filesize
218KB

MD5
7a8067bf1bd4264f9c7e678a2260c5d8

SHA1
9b2f18c1bdb2daa764ace326b511337184180919

SHA256
442bfac07ec8f7e9aa959733bb64cb92dac6fc064e69d1f77b3a78659d5e0ca6

SHA512
231439b20e5be327c550ec79a749d1c9c8007a0578ef435a11f9c183b1c7c61d0e857db92c3405b4dd4cf5a783574f20abfd2b3833e6fbb4faad6f2e1bc457e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgIkYkIc.bat

Filesize
4B

MD5
e66155a5c01c5634f441294202c681c8

SHA1
997520184ce38f5dbee0297c3a5b6b159680d9e5

SHA256
d78516fdd0ddc3c6d1053f29f622967c174dcb09ecfab4036876020ee7607075

SHA512
07a461f532a3ea980fa8e04649ebd2a48f04c0c02687bad00e2efa936c7444e6d8c777ff07da52971d83230ec8e679594f7e2c406f25917c62152b785e8eccb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkwy.exe

Filesize
822KB

MD5
69ff86e03c6f63cfbcc7813053c5563d

SHA1
977e7074b56269bb014e36eb516b2c597c8aba9d

SHA256
94b60fcc8de604a4dc2b6a930c82d1abe8224cd5be13e6e6b7953f2d8997b3f7

SHA512
d36aa62c4700f36ed2f54ced2d591986fabc8a6c9c65599674e55fd10c01b8d58230794742b731d74aa95a296189a679f1d9718d0f99fb5ff90daa863223ae5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuMgcIUQ.bat

Filesize
4B

MD5
3f7cfab7e826d2faf9fb395e56160918

SHA1
97d0decb72153ad7d206333c84d1c4edaa30cf5d

SHA256
452bc32fd9c36c2eef46404a2e23bd84c5a29159923f3ae0c81b38b4efed47bd

SHA512
40b0db560862fb08424dae105ef2e4d3d2e5d9965750ae078df388c06d4c9ed50c1d017547586c920f33efd8091650e358dbba4dea9c5cb30a71863dc0b747b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEAC.exe

Filesize
227KB

MD5
bff46f67a363a0ef297d14ec6011a5c0

SHA1
596ea926314166dc0fdb1c4b1e162ca97b86cb4d

SHA256
ed6bbdc573c502dc1e1a97c128187f196b2be216b0235251e107fc5a68ba489f

SHA512
e5b4f135b0d489eea5eae81f4104496d2306aa83c53420b603aeaf25444b9cc9366ae2d7a569728b45dbba6590e93e00b1edb980733d6c67cbbf17a513ca536e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIAK.exe

Filesize
651KB

MD5
98c98d7cd0f20df9adcb9737e6e29c0c

SHA1
f2a7a63903d3d9f6da768959f3b433e2880b884a

SHA256
5b8c3e54b6ada3fb8f0a27f671a04e8a836999ba0c2a1e146892ba4639e48fcd

SHA512
6d2168b8a42991533af9d84cc6f571890b00ba3cfed539663c9f679d19826b4a117f7c5f324d06138aadb8e8386af576174e2b505b66a5c2c46ba8359c172da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUUy.exe

Filesize
191KB

MD5
13e66480ec70d005c58dfa09fdd347a6

SHA1
f89479167fec0d76fcb08c778a29002b596e252a

SHA256
e412aceda067165dfb85d581512b9ce54658624d79153dde3f0938497622171b

SHA512
ceb76444c47911064f2480e8252aaa43dfbf28babb284fab7daf1618389001f80ed308985b5b3778dfef7635eb1eecaf7fe40565dbd8a480b568d26ffa85013a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYAc.exe

Filesize
238KB

MD5
833222ba42bcff6abb5d4d5ae1afbca9

SHA1
34d7ed681d304beff63b0704c769a05636c5c8c3

SHA256
e1fc77eac223056269510f6a8b6519e179e2455a7a08e4afc7ee1e6587824cf8

SHA512
547140a74bae256d52c0d69cecf33ade3245641c6b6d32006d81eb57fe36d0da1f9aec5402ca596c256d7d5e4363fb2a64bdbadfbbe4c3bc13a38fa74f0fba48

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYgA.exe

Filesize
903KB

MD5
ec2f37eeb0d746d5f5bdf10917035dc2

SHA1
954561de5d0ff0b62cec0e70e401361c787d6678

SHA256
c9b55f15965c893774d4aef00a9207590e20985f08e056ab0afd71d981ed4cac

SHA512
f2aec5494daf78c9b409ba3fd62c18eb8d68f0da2b05a407663b3236d5ff23415c2cb9a93f8a121b8858091773e839c9b52f49cc538fdbb7c810e9c1376c9b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycYcgYMM.bat

Filesize
4B

MD5
b3a42f0f395aa46751be9b11db7294ef

SHA1
5fbe27c39cdac1ca8f8e490cc5b644f148d5cc1d

SHA256
90ca64fbcd8581bbecf734645df8d711a5357f6627ee3512d19ccae4342a6cb9

SHA512
547c9768cb864567cc65b03f49293f9b62d3b04b368dcde2cd2c8f96b0a932f5a8422f12d6406effa8bf506301f559534575523a6557b2dd44d5a2c15cbe4543

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykAg.exe

Filesize
307KB

MD5
7ae031f4aebc2c5becf941c988c581f9

SHA1
c9768413844c924789ca84eacd68e9b7c7acc0e8

SHA256
837d501035d252da7b703c83d1ad4ed7eb2b7e00780e255c39eb9a75716010af

SHA512
ad41efc7f8d9f19228727876840af5b3b9a34117171f09febf4b104d70566b8a19307575802d2d8ad2c9816b6fea56e8cd80ab93ba02194052a1f94657c847e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysoU.exe

Filesize
232KB

MD5
c0ed0f6505c52893f3528edd355a9162

SHA1
a84f37cc1a8fbeb77a4d51434c949995a09d1206

SHA256
4f620e969b41677541264610fb1aae134044991ed8dc58e7b8f0097edf909e5c

SHA512
535e5ffc08f8673e4b5df41f5d7c4b80666b1196fffc441f5d26c0769bafac542621dc8b44e59d34656683d97e1962bd9bf094e3d9e55b6f850199ca72a1b002

Download Submit
C:\Users\Admin\Desktop\SkipUninstall.wma.exe

Filesize
960KB

MD5
36c9118f47f969398e830d85fd62561f

SHA1
cdecf99318a20f51a62719f2573c64becae7c027

SHA256
35c7739fb49cc264130af8fd4a824b6cd2fc9f422894e0563c5c3e4adf122134

SHA512
1649429a2aa27d5d8b497fba40e1b49888037253e62ce3639ea192f72b632218a2bdc7dd97f244c25edfc4b7fe0a52af326cb0f9bc5573f4bd265e2c2b410016

Download Submit
\Users\Admin\gMUMgIgw\YScsIEQY.exe

Filesize
198KB

MD5
ee119cb8168a21488ef516c85fb779a8

SHA1
dc0c980f8d64422c62559fe70d89e0f0cd7d0230

SHA256
4fe73ec26901484a92f3ae06a1a0e705d5e20f47b808b34dff9b610e948e3e76

SHA512
77322e473e745d2ebed555b6588e2147e4647560ce76a8cff3ddae7d3c64bbdb8f811a31ddaf5a1b0262f7c0e253390c4537116f5403e8860cb9eaf64a0ef527

Download Submit
memory/108-133-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/108-881-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/112-712-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/112-743-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/320-853-0x00000000002B0000-0x0000000000304000-memory.dmp

Filesize
336KB

Download
memory/448-528-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/448-508-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/580-81-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/636-616-0x0000000002250000-0x00000000022A4000-memory.dmp

Filesize
336KB

Download
memory/636-478-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/748-771-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/780-354-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/788-733-0x0000000000120000-0x0000000000174000-memory.dmp

Filesize
336KB

Download
memory/788-734-0x0000000000120000-0x0000000000174000-memory.dmp

Filesize
336KB

Download
memory/832-268-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/888-388-0x0000000000190000-0x00000000001E4000-memory.dmp

Filesize
336KB

Download
memory/1052-843-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1052-814-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1196-605-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1244-466-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-813-0x0000000000170000-0x00000000001C4000-memory.dmp

Filesize
336KB

Download
memory/1256-812-0x0000000000170000-0x00000000001C4000-memory.dmp

Filesize
336KB

Download
memory/1372-192-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1372-225-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1420-913-0x0000000000120000-0x0000000000174000-memory.dmp

Filesize
336KB

Download
memory/1436-710-0x0000000000410000-0x0000000000464000-memory.dmp

Filesize
336KB

Download
memory/1436-711-0x0000000000410000-0x0000000000464000-memory.dmp

Filesize
336KB

Download
memory/1440-259-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1440-289-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1584-662-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1584-618-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1588-672-0x0000000000560000-0x00000000005B4000-memory.dmp

Filesize
336KB

Download
memory/1596-246-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1596-215-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1684-903-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1764-90-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1876-722-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1876-691-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1924-507-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1924-479-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2008-111-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2092-596-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download
memory/2100-834-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2100-862-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2124-653-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2128-59-0x00000000001D0000-0x0000000000224000-memory.dmp

Filesize
336KB

Download
memory/2160-190-0x00000000022A0000-0x00000000022F4000-memory.dmp

Filesize
336KB

Download
memory/2160-191-0x00000000022A0000-0x00000000022F4000-memory.dmp

Filesize
336KB

Download
memory/2176-790-0x0000000000170000-0x00000000001C4000-memory.dmp

Filesize
336KB

Download
memory/2176-44-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2176-68-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2288-177-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2288-201-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2316-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2316-41-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2316-31-0x0000000000490000-0x00000000004BF000-memory.dmp

Filesize
188KB

Download
memory/2316-30-0x0000000000490000-0x00000000004BF000-memory.dmp

Filesize
188KB

Download
memory/2316-12-0x0000000000490000-0x00000000004C3000-memory.dmp

Filesize
204KB

Download
memory/2316-11-0x0000000000490000-0x00000000004C3000-memory.dmp

Filesize
204KB

Download
memory/2332-333-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2460-455-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2460-456-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2516-529-0x00000000001B0000-0x0000000000204000-memory.dmp

Filesize
336KB

Download
memory/2536-627-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2544-761-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2604-872-0x0000000000430000-0x0000000000484000-memory.dmp

Filesize
336KB

Download
memory/2640-586-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2652-433-0x0000000000270000-0x00000000002C4000-memory.dmp

Filesize
336KB

Download
memory/2664-700-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2676-398-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2708-43-0x0000000000260000-0x00000000002B4000-memory.dmp

Filesize
336KB

Download
memory/2708-42-0x0000000000260000-0x00000000002B4000-memory.dmp

Filesize
336KB

Download
memory/2732-375-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2740-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-617-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-823-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2764-791-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2828-457-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2828-488-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2848-312-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2856-922-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2856-894-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2864-681-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2868-800-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2880-176-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2896-442-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2956-780-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2984-833-0x0000000000170000-0x00000000001C4000-memory.dmp

Filesize
336KB

Download
memory/3008-155-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3008-420-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3052-568-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3056-893-0x0000000000120000-0x0000000000174000-memory.dmp

Filesize
336KB

Download
memory/3068-548-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3068-530-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download