7f89c34f98ce21ea18234c4e5c0fb83274cd63519b630d553bb6751b0b6fe4e2

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Size

208KB
MD5

006fbb7a7a5386fe5629f895d8969b45
SHA1

0241c9d8234e6b31d51f70a9df97dfa700a73229
SHA256

7f89c34f98ce21ea18234c4e5c0fb83274cd63519b630d553bb6751b0b6fe4e2
SHA512

995542437cca9f18a56a9a51fa69a01da784d7d8be277ab2e6be83fd2d162ab3761992aaaacb93e337de4a70aabbcee0e4068dd5632cf98b9534fd836340cb84
SSDEEP

3072:FRyqCshdxLZhd91BNskwIBnvy8VLKYl0XMKvWWFDTJOQd2xfPmS:HFHfdbsJIBnhVLKYlQRFDt5d4

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (57) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation	FOgMAUko.exe

Deletes itself 1 IoCs

pid	Process
2444	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	FOgMAUko.exe
2648	WcgswAcU.exe

Loads dropped DLL 20 IoCs

pid	Process
2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FOgMAUko.exe = "C:\\Users\\Admin\\LoosQAoY\\FOgMAUko.exe"	FOgMAUko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WcgswAcU.exe = "C:\\ProgramData\\tQsEoYYk\\WcgswAcU.exe"	WcgswAcU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FOgMAUko.exe = "C:\\Users\\Admin\\LoosQAoY\\FOgMAUko.exe"	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WcgswAcU.exe = "C:\\ProgramData\\tQsEoYYk\\WcgswAcU.exe"	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	FOgMAUko.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1948	reg.exe
1376	reg.exe
2088	reg.exe
296	reg.exe
528	reg.exe
556	reg.exe
1144	reg.exe
2088	reg.exe
2232	reg.exe
1328	reg.exe
2856	reg.exe
1144	reg.exe
1728	reg.exe
1488	reg.exe
2420	reg.exe
564	reg.exe
396	reg.exe
1724	reg.exe
2184	reg.exe
2720	reg.exe
1148	reg.exe
1304	reg.exe
1552	reg.exe
1908	reg.exe
1032	reg.exe
2872	reg.exe
2296	reg.exe
2168	reg.exe
2856	reg.exe
2768	reg.exe
860	reg.exe
284	reg.exe
2912	reg.exe
2292	reg.exe
2684	reg.exe
1984	reg.exe
2276	reg.exe
1952	reg.exe
1916	reg.exe
480	reg.exe
2872	reg.exe
2384	reg.exe
3056	reg.exe
2672	reg.exe
1720	reg.exe
1880	reg.exe
2352	reg.exe
2332	reg.exe
3064	reg.exe
316	reg.exe
2864	reg.exe
2188	reg.exe
1780	reg.exe
2368	reg.exe
1460	reg.exe
2780	reg.exe
1952	reg.exe
2692	reg.exe
2068	reg.exe
2772	reg.exe
2252	reg.exe
1280	reg.exe
2840	reg.exe
1728	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1108	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1108	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2020	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2020	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
316	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
316	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1048	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1048	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2236	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2236	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3044	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3044	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2656	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2656	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2968	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2968	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1320	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1320	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2420	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2420	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2332	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2332	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2704	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2704	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2396	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2396	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2380	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2380	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1032	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1032	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1652	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1652	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2716	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2716	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2124	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2124	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
296	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
296	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1584	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1584	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1764	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1764	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2556	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2556	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2388	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2388	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
740	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
740	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1516	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1516	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
296	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
296	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2776	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2776	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2840	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2840	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2704	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2704	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2176	FOgMAUko.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe
2176	FOgMAUko.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2176	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	31
PID 2232 wrote to memory of 2176	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	31
PID 2232 wrote to memory of 2176	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	31
PID 2232 wrote to memory of 2176	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	31
PID 2232 wrote to memory of 2648	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	32
PID 2232 wrote to memory of 2648	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	32
PID 2232 wrote to memory of 2648	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	32
PID 2232 wrote to memory of 2648	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	32
PID 2232 wrote to memory of 2676	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	33
PID 2232 wrote to memory of 2676	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	33
PID 2232 wrote to memory of 2676	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	33
PID 2232 wrote to memory of 2676	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	33
PID 2676 wrote to memory of 2784	2676	cmd.exe	35
PID 2676 wrote to memory of 2784	2676	cmd.exe	35
PID 2676 wrote to memory of 2784	2676	cmd.exe	35
PID 2676 wrote to memory of 2784	2676	cmd.exe	35
PID 2232 wrote to memory of 2772	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	36
PID 2232 wrote to memory of 2772	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	36
PID 2232 wrote to memory of 2772	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	36
PID 2232 wrote to memory of 2772	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	36
PID 2232 wrote to memory of 2780	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	37
PID 2232 wrote to memory of 2780	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	37
PID 2232 wrote to memory of 2780	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	37
PID 2232 wrote to memory of 2780	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	37
PID 2232 wrote to memory of 2816	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	38
PID 2232 wrote to memory of 2816	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	38
PID 2232 wrote to memory of 2816	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	38
PID 2232 wrote to memory of 2816	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	38
PID 2232 wrote to memory of 2168	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	41
PID 2232 wrote to memory of 2168	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	41
PID 2232 wrote to memory of 2168	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	41
PID 2232 wrote to memory of 2168	2232	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	41
PID 2168 wrote to memory of 2944	2168	cmd.exe	44
PID 2168 wrote to memory of 2944	2168	cmd.exe	44
PID 2168 wrote to memory of 2944	2168	cmd.exe	44
PID 2168 wrote to memory of 2944	2168	cmd.exe	44
PID 2784 wrote to memory of 2392	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	45
PID 2784 wrote to memory of 2392	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	45
PID 2784 wrote to memory of 2392	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	45
PID 2784 wrote to memory of 2392	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	45
PID 2392 wrote to memory of 1108	2392	cmd.exe	47
PID 2392 wrote to memory of 1108	2392	cmd.exe	47
PID 2392 wrote to memory of 1108	2392	cmd.exe	47
PID 2392 wrote to memory of 1108	2392	cmd.exe	47
PID 2784 wrote to memory of 2952	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	48
PID 2784 wrote to memory of 2952	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	48
PID 2784 wrote to memory of 2952	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	48
PID 2784 wrote to memory of 2952	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	48
PID 2784 wrote to memory of 2628	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	49
PID 2784 wrote to memory of 2628	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	49
PID 2784 wrote to memory of 2628	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	49
PID 2784 wrote to memory of 2628	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	49
PID 2784 wrote to memory of 2960	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	51
PID 2784 wrote to memory of 2960	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	51
PID 2784 wrote to memory of 2960	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	51
PID 2784 wrote to memory of 2960	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	51
PID 2784 wrote to memory of 2856	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	52
PID 2784 wrote to memory of 2856	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	52
PID 2784 wrote to memory of 2856	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	52
PID 2784 wrote to memory of 2856	2784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	52
PID 2856 wrote to memory of 284	2856	cmd.exe	56
PID 2856 wrote to memory of 284	2856	cmd.exe	56
PID 2856 wrote to memory of 284	2856	cmd.exe	56
PID 2856 wrote to memory of 284	2856	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
"C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\LoosQAoY\FOgMAUko.exe
  "C:\Users\Admin\LoosQAoY\FOgMAUko.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2176
- C:\ProgramData\tQsEoYYk\WcgswAcU.exe
  "C:\ProgramData\tQsEoYYk\WcgswAcU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
    C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1108
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        6⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        8⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        12⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        14⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        16⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        18⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        20⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        22⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        24⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        26⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        27⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        28⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        30⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        32⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        34⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        36⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        38⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        40⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        41⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        42⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        44⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        46⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        48⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        52⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        54⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        58⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        60⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        62⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        64⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        65⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        67⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        69⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        70⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        71⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        72⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        73⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        74⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        75⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        77⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        78⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        79⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        81⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        82⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        83⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        84⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        85⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        86⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        87⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        88⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        89⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        90⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        91⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        92⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        93⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        94⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        95⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        96⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        97⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        98⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        99⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        100⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        101⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        102⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        104⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        106⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        107⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        108⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        109⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        110⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        111⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        112⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        113⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        115⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        117⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        118⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        119⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        120⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        121⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        122⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        123⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        124⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        125⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        126⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        127⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        129⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        130⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        131⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        132⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        133⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        134⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        135⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        136⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        137⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        138⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        139⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        140⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        141⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        142⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        143⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        144⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        145⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        146⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        147⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        148⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        149⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        150⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        151⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        152⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        153⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        154⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        155⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        156⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSQEoIUw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        156⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuoIwMcA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        154⤵
        Deletes itself
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMUMsIII.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        152⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WcYwgYYM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        150⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSsksUoM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        148⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jagAAYkM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        146⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HEkkYYsg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        144⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWogoMYw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        142⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYMUkEck.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        140⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SywAUoEk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        138⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gAIYsIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        136⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YCEQgwwE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        134⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKMkwssE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        132⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JQoAEIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        130⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGwYsYMM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        128⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGQAEQAM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        126⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAocAYQo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        124⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eIYIQkow.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        122⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sgAgkIIs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        120⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WokMUwoo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        118⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKkUccUc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        116⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIgssQQU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        114⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FisowQMk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        112⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vasskQMk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        110⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUIsEUIE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgQUUsQs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        106⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KOAEsYwU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        104⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmQcowUg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        102⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWAwoIEY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        100⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eQEwUwAM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        98⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NawIAEgI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        96⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcIIQIwc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JiowEoUk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCYMcIYo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        90⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGoQEIYk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        88⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUAAoIIk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        86⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGwMgksY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        84⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YWEgQkUI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        82⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QWccEQYU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        80⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCUksIYI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        78⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LWckkIAA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        76⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NSMsQUIo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        74⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQsAgkcA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        72⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSskkwkI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        70⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yQgggAMM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        68⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iyAcEcYA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        66⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OsAIMYEM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        64⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAIAIIgA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        62⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FusEYAAI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        60⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zYYwMIAw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        58⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HAcccYcw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        56⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DKAQUQwY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        54⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmswgAsk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ocsMkQgg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        50⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiAoUwYI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        48⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCcookgM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        46⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ByAokcgw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        44⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQUQEIUA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        42⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dMEsIAwo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        40⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcAkUMsA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        38⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mMgIYooU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        36⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WmEcYYws.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        34⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WwUsIwMs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        32⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SuwsQwAw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        30⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKkIIMIU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        28⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zIMMkkEw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        26⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\psAAgwcg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWckIEcM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        22⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwkIYQsk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        20⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIkwsIAI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        18⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmoMkAgM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        16⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gucYwUMM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QssYsMgk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        12⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZyocogAU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        10⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lOMwMEEw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1328
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3008
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2996
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VyUUwQsU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        6⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2244
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2952
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGogEowk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:284
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2772
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2780
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sgEMMYEA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
310KB

MD5
690f1074c8c09feb32e62fe96dc038f6

SHA1
4b9b2c5c241cba7d8e941f49423e1334c2edc9bd

SHA256
941116c064d38668d7f673f228297521f21fddd611047ef67ea521f1704f1b26

SHA512
48b5ea455359125ecdda1268ce6b58a2894cdbbbb7d3ff1dff1cc42ba75d13be2d98d2602ee2f3bdbb76611140778db093ad68cd01221604794cb45bd204ec56

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
246KB

MD5
5ddfe5f3ff73b9a9c399472f60657cbb

SHA1
47f31a5853d89b9d8a9bb19172049bc0b6ab0e11

SHA256
87a1c98afbb8feef86bc1b03b7a979c6abcb2368530849d2ab6fd884372910e2

SHA512
f55f87702f8d3c5f8f27cefc8178097cc661e5b8f53fbb9dad8ef452c5b1dd743f1ebb4ac0dc1a2232e24840db8e61e895db5fc147556d6da2fec30cede86bd2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
233KB

MD5
315f729c759acd3aa0ad36709e31a703

SHA1
54f918514300c38c2e584e665c224d31dd259c34

SHA256
b1bfdb4489767c8f04fd2ad51c079b6920c2a039404dfce58afd8923cd997e54

SHA512
4af32d39666b13934a6469349a03dbe2d5b87439982a74d2f22743ee8b8a6ce3f241d9170a1595dfc08afc9d2439635da87bfb219687a57f68098770811eb9c9

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
241KB

MD5
15df52bf9c6a3f2ab9879d2161358382

SHA1
caf605a9720d57d292bbfdd08ce2354b6c2042f5

SHA256
c544257c24cdd0a6245b2342f4dfffde5b8bd686a781bfe7b44c5f27b678e521

SHA512
98a6369e7624665e5b5083a85ad151ade09382c98036dcccff32e4fee1ad1ef537dcec74878300d5bd1131a6512c5bdb8324dca5e88f36767537cdd9b25ba5ee

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
330KB

MD5
946abaefce89552c4ae4056c802c5ef5

SHA1
9409fe7eb70da697b4ed977ae6c4ae8d404b1e0f

SHA256
4f64c3524bea0e23171bff96b671d59c6ab2b554c1e44e1cbe0a98fa28818464

SHA512
9b74ba9cfa33bd24f21926833274a2c1e732ef94da7b0dc30aff59fe1e0548ee54273d58487b85eeaab780f20e4c8b467852c60ed4b69cbdacb719f424a13f85

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

Filesize
240KB

MD5
222be15bf1f394ec29145d08e67ef8d0

SHA1
79e52fb17ecfcee3424cae92f00d97e22120aa17

SHA256
4d48897bee39a3fc930e01d4d719a5bb6222681769a7dd7959577b11bf9aaccd

SHA512
c36e26e7e353a8cbf75f5e867fd085dd3498cdaf2859e7cfacc6e60aa4fbb56c25b5bcf0006dcce2a2f569c2f9e0112ea67492360c1e6fe47e22cbf9e8a2c17c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
244KB

MD5
0c63f991d5861b499d0c9e65dd3d6c01

SHA1
2393f02c78b69ab543f140a77e851ae888d06af7

SHA256
7dc2fe41d960fad69851b747e4cea040526a128f3e247d929cf0f7d3ad6d85cd

SHA512
756ad9d4b5a209350bf7584eceebe6ce6c909ada64d35ff217daaf083a7b87813d8802833dc4dfe81403b20a929d768db6e2c2b22f5591605cb1da5b931e8391

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

Filesize
257KB

MD5
c7a8270d4235046031a41610d53c7cb7

SHA1
910d0039b93a8fc204cd8608611a6fe36d420fbf

SHA256
e430d3192de72cbffb9645022ee5813967ddb53c1bdeb4e9bdde2c7f3b924be1

SHA512
0b5b9564cf31b512aa67266ca9db5eca7dca2717754e461d4f7ecce72c796f28363ad63947954a1c47a3c7e53ed05f427caebb604d54181eebb2dbbd34ea24c0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
240KB

MD5
98b0e7cea6af566724e30a876c0e4668

SHA1
84860c4fd7cfd0dfa4cce828ef46d515fadcc261

SHA256
df9c2716b6e35df5ef376b305abaa6466f43d0e450c53ea047a6fb842df7bc5d

SHA512
d0f3643a024d67572e112a846db55428c47dd35c12aed5de3436bb6e613f68c2c0d4559d1e33750e4dbe9ff605bbd07e4fdc160f04ba8af1b3f131e2d9cf6f68

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

Filesize
250KB

MD5
c6b82a7e9ccd1f0db057b67aaf4ce30a

SHA1
7e11442ec69b435a8cb25444afe463d6c7cd3a21

SHA256
dfae920641c08e14ff2096e517f6443dad0e8b5f8c78c6964df6bade15e9a439

SHA512
7050d67d0b8ab18afadbdeb19fdfcb834571dc195d5e2c5a6dbf2dff9a4f9bc75325073aef54036ae4d6e4ad4ca9398058456e5c70ee6af2d39a5ffa7c11b6a6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
246KB

MD5
36f87355ab81cae28a541cbd82699b98

SHA1
958b3e602a24f810bcab478eeff1700e9bbe4c9b

SHA256
3525ea1fd5fd502aed9f49206fbd59fda1d6a10c0e868ee2b63834eff9894923

SHA512
c885fc624cb59aaafc5f350ac3b204e844112d5a1fe3d52f73214879d7c45def1e985d2936c8cfcf3c13d34df2568b7ffdf1faad0feffc6b0ac5a71f0b2124bc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

Filesize
231KB

MD5
8a158183d378a0fbfb15211a60172a84

SHA1
7aa9fe93a7bd5418dcde4fef746440d7666cfdd5

SHA256
157d4a8b7883ba63f1a51bdf72338506872042b99ba1b3c6af391e0e9dd67936

SHA512
664c30c45ba351773f2ac95da0a59adb8f61f6ef7b85ff89075050b1c265cf3996fdecd3a5f2742bddcd488054646a6cee62f01b99424237a753dcd8213e47c8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
231KB

MD5
90eab30f1f8e52a9a8c24e3054eba788

SHA1
a96034081725777c3d90513cd26c5372ad643a3e

SHA256
249bda90b8734923098eab1f6b5b1ee12e29829bee8ed3fa3d78e0500b85020a

SHA512
1138b86fa852d050d8a330eea9d9e6eb7446e71b69b718e59e2e7202ad0c60e496317c945fd9174dfc7f87454ed76ea759c69a9d2582b9d9812517773915ad9f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

Filesize
252KB

MD5
b5235cc4a213a5f010260c1d1e4985d8

SHA1
60466a9a6d88343e756c4d06a6b764722a7eb0e9

SHA256
7392a55e5f476770f73c103b8b5b9727d52a8c783ae380c7e4901ec8fab60e7c

SHA512
dbca0ba70e303884fbb040efbf2980b4c0ea007e400de3735c89015cec43633247571d552c1fe613dab6ad72a2c107c5161acd646679254d72c9d6b42e72b59f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
233KB

MD5
ef36408cd8bea03a708d90adb08a32fd

SHA1
494b6462008676a3a878473260691263e26bcf5f

SHA256
9166e2d81d6e3bb938fcf7a72bc99a1348c9f74f34a7a09ca7ffae7a5fc8428a

SHA512
3ddd501230bf6d0944ae359e8a53600c0d898ced3f2c42f16d046e3d46bfb62839975f81cf57ee6226d9b46b217657ebefdd0c1abbc53e61bf899494fb57f5a9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

Filesize
239KB

MD5
6ee08ceab7d0bdc15c3d29b6b5354782

SHA1
9d116af532d9205133706c513404b010f22de35c

SHA256
39e99c29d27f66a95b5c6381ec8cbb19fa70db48f14458e22110eb2445a22db9

SHA512
7b4097928dce432c818dbf6e5fec0f4c6a58d41ba4884b26c63329399b48ff7b6fb459be38c7e86403c0467ed029aff29eaef0f8482a381c4d7c5238f3bf6907

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

Filesize
245KB

MD5
8454f0ddacd65f6b7f83ea022b4164c5

SHA1
450eaf37d6817569e4d4a4a0eab21b9bbd089fb1

SHA256
3e6e9c71ad91ffdd095bb64a37d0cf362ccc637f57c2802732beb7b7e4628b16

SHA512
039f4823de5456002da555614ffe80af68680fb31ccca5ae3a340dbe2556e25effadf65ba748b160a62f85721aa54f4097d25fa5a82f775d8aebb9cedec9453a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
231KB

MD5
e2c2402588f08204dd4fd310fd4b038a

SHA1
8f96566456a919b656b7a57f4b9c3d64d2017542

SHA256
4e373650c4701261684eb188385f31e1dfb6eec55a5239565865a2aafe8fcd3f

SHA512
e30e70f73405841b86858af4ea58bc2e6984c4b9f7dd0d2040030d48de56447a8c74ac6d6cff7c34c3aee5abae8e22adf46cb9c2c37db03611e7b52e644ea861

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

Filesize
240KB

MD5
fd85f973509cf4fea9915a2fbfbc2fc8

SHA1
dd6ee04c34d1bb995f87763ec987d441dd83dc72

SHA256
19394a5bb28e87c521349c4661b5a592540fbaca3b14877a033169a8bdaefc63

SHA512
7f817e087115d298513f73f106e8ddba5152ed6d0b4c6103a710324dd402e5b06f6b29804f292fdc1f537c1726a02e751b78337bbeded2151030d7e65a59bca9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
235KB

MD5
1aeac7b7f7e003138be18ce14c0932ee

SHA1
5e4c0e6e0705214fdc49adf14e921e6576872f88

SHA256
d9a723da58772a734c7f1080ab8c82eca410b37f1a7027b8786f8822925c23bc

SHA512
e836da3e116e2b88815b7927dfdf268056f4a977307be1751afbc484ff7206aba54d80e33974b98af73e4c89aedc4b106cd2bffc55c864681f673faf09d8ac8d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

Filesize
244KB

MD5
2893e25cae4569c0485854db38e689aa

SHA1
bb2afa0d235f9e3d46b122c3d82fc8e28192e2d4

SHA256
59616b3c36b943e9af067ffcfee2f096a7112d38cd4763f73f21a1b19e993d67

SHA512
3a73f8d1b0a1db827fdbd93b0aa00a39ee0787563e54ba5a2a018809269a4e20c9ea2a53cc0022793852a5ba08465ef725367d69a3e9747e762180b47a86202f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
242KB

MD5
30e46f17448d993f73e83ba755c2164d

SHA1
18bbcf62bd70406c0f0696c5291633f277f94cfa

SHA256
dd0d5eca95919848ee5f3ea2ba1453b21e38c185500b245b77304e66f03f1fb7

SHA512
5a9178be93b6b59a06527608c12d5f2ecc47e7d9d8b8312ea8ffa021046fc250e3f65a30a6d84d0031f246934d3ec7eafe5d8a5b934e96e29237a76f3ac78f07

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

Filesize
232KB

MD5
5e33d99b82d02df47a2b7f6caa9e4894

SHA1
64a37e6e715abcbcb500fc1089c1f18f66a750f7

SHA256
89bb3c9fff6507e596706a1b8883e32b35a38e968956e9ef7c06e4406b43943c

SHA512
83cb3e37918d457add5ca8b0c44b479819108e1f8c03e8ab34b6345b6f9916b91fcea61840b2018abe1b04c404976d667032d3c284a6d152008421e03cba3e4e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

Filesize
247KB

MD5
be4276ee18bc3ae5925b1ba5ba38ad18

SHA1
054f5334c5d9a51f3055cfcdb3dc9f49e01ef693

SHA256
290acb1dbadac2ce37422d427acb810a113b5d53e8ead6d73d6aca4aa04933a5

SHA512
f04b23c9c0ea639a977e55ba311c79ba27b8338ead693891a5e2a1e85db13bc607b8d12b81280bcad55535aa3e47e3a271a9c70ac81df4a1aff5d56c9a0e238a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
241KB

MD5
b37df810ef2b9b41b8d7c563c1d89536

SHA1
f0bafb936372e98dcbf395def18737c04399f80c

SHA256
3ab4d786be3fa7fde2599aa5d1eec4c701a99e4b83d71be936fb07271080a558

SHA512
22cfbb0b505cf57b4587465f35eb29c506a540881cdd4c80db3d3ad03634be6798dace0f01f74371e4a32c81e50a3d860e558c2f0dc035b6a742ef42df816c0a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

Filesize
244KB

MD5
2feadad5d2d9baaca0649130c39a2388

SHA1
2cd0cfdf1bf1367e3ff17c1002b9e0112ebb9133

SHA256
62f46a7daefec0673ad39e9ee38bb403c1b7a33701fbfc367853b08fa3fc2507

SHA512
0063d390e289b015a422c4dd10c9f7a3de2a16f2e2587bb41ab22671e0b9e35e8354f969d8c4d2413a9ac72754b97794cfc2928f111e4e80e37f0a4df9666da7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
230KB

MD5
a4dd1fdb327f79954f4ba27103a58706

SHA1
8cee96ef2c4610c05ed19f2d269fae6b420a0daf

SHA256
2756279549b49282d77163b507f228f885f473607390fa8915368113cbf04b88

SHA512
21885f12b204d2f486c0877b00004839e9abc8963d3a2f44737fafc9015030d234091a7cb416794d538924436c4d87d9d43611ef89e040727e27917058de54c3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
244KB

MD5
18629bbab03abb557cefe279b4f62ecd

SHA1
6a3fcd9a02c518bf23ecb97a484350dbabc668da

SHA256
0bbada6c1c1f7abffa221e222b40344fd651cd3cb492967ef2ca05cb808314f9

SHA512
70ab9c75c7807b9faebffe94c5dc15d206d254f58c2796e9cb73bd34205036c1328798a03e5c7bd56bd1f492afef7063f6e58a5a12591d68c802cfc90f4ec360

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

Filesize
238KB

MD5
6509ac5248d4cb396302839d7ad9ea97

SHA1
c2ad334c868acd3a24e9d9ec4496740f096c3ab0

SHA256
be73161960c93d5c65856b777fc712ec66cc6b1d564bd6eab363f473c348d0f8

SHA512
543fb21ad42ec595418c19465c93c1766e8161283e6baa80f25961c1a08304efa0c32194e24ed2fded20dddc661f3ccc9a91bcbf78c11348ff9f4b245120ff7a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

Filesize
226KB

MD5
6de92c09fa30ff054120cb2d1c1f1678

SHA1
6120a9de3e2a3ff2178759e354f1a3e28aa58bd1

SHA256
aa0d34d960f910b5461f58cd94ad013c623440aa3f8affeb3ba29aaf82f0a05d

SHA512
cd81266119e98fa3f39dd412e17f6c92534add56500e4f6bb41a295741c734c8f334223d2818d28a7a76fa295f794cd07c89d2f1727a1456be2d0828ee476321

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

Filesize
244KB

MD5
e4636375c9873718e8e230e397f31907

SHA1
328250c20674455302d967b681b13ce67872b149

SHA256
6be66d8171c3b629664ed9cd2e9b823704e3990438bb2ab98544f333e2396504

SHA512
2ab9063062594facf43b534a22a2814d1a19d7fffc18f790684a1301df5be729ca256b24b384ec72cfced03a4382175ececfc575835dbf1f5886bda2d8388522

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
230KB

MD5
c6ff6402a85bc98b0b2cdc7a74950234

SHA1
8137ce879589391fb36f856e5e369a75dbfe80cf

SHA256
32450b55436ce6d1303d7cb4dc3966ecffbc8beedaa9093c6fb4d684c9fdc91f

SHA512
6c53c8aba851b0a78762bfd8f164d9fa7ce42d839436609b1b7f567b7997624859e2373439340bcc9f9381758e1d9bfccc48b7d8a51589b06c4f601b053302a7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
235KB

MD5
8d810d3aaf5f9de076fef02d98ce65b8

SHA1
e8a079982c33d2413d65e7d9b0d2fa32e7286bd2

SHA256
de0ffd088581471eae33bfdcbea522bfcf8c02cc6aa3ce9bd630c92641aa46e2

SHA512
6a1bd48e53ef863f1143d564c687a7fa527fac259eb15ab76fa4775babf0f50e6b8143a0f53583160c7a2de63386188f19aa9d81603c31769546139b37a9b7ad

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
238KB

MD5
8ceac62cb11d7aac8d4d0b758201c691

SHA1
8b3b5d0d8b24e00df690b560daf07076e771dcee

SHA256
42c4157e028dbe33e8b1076e8ba79884e416834b8ecf1126e5d857b5eaa4a188

SHA512
91f1a9ce932c3b2a1e61b5a988d36016832207d90bc174660df277d6f0828986ca4191eefc86a43008ce17d0c159a95b4d8e4eace82e02d42a2f91f54388bc02

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

Filesize
240KB

MD5
21eed770f0016f70059ccf6cc47692e7

SHA1
322526c638e3693d115994b20dc4a7d8fd9ce01c

SHA256
02d4ff4939806f84f91a2bba842e927f6203f77243789a181dd847496e2a0605

SHA512
f54ab4342fa56614b5e56048d431cb05599fe8d322325496d9b8f2243bedeb5901b61b14d5a130b7ec3e409a8735c3af196ec4db52096efaf02261142d0e96bc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

Filesize
228KB

MD5
843fab692365aef68e93db9250f021d2

SHA1
45a41d5d30fee430332fbfbb8a4232af74fd5af0

SHA256
4d8fac7b7ea699f87f548e89d8829e74831b8beeb8d47be0baab6d848985d202

SHA512
78e68177260ae10ec606b78f762aa5b675cb26c6c8710018168f3230f15cce7f4b8d86e99913cb68d0caf5fd33222c0fb8d75cd2395e628dceacf4e4584513a5

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
245KB

MD5
4173a422e33a26f64e633e2d8677ca6f

SHA1
a20ea7df132b440a9c7311cc77764f3e6185a4f4

SHA256
1ac7c2575d23acaeb780ae3fc1a11431fbbdbe7e5b21854b6b292040125d9325

SHA512
3c30522c1bbdf81695d6da2276e925e648e9c5a93af905f4f2cadcb1c0ae3bd401a3937be963a753d1cb1740ea6b9571ee87d9a2f46d323595bfc7c6913d5cf9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
226KB

MD5
abda60505837f8fa2c994280d8716f48

SHA1
bc51567276c785ae3d0ceab63fb1721107378d76

SHA256
1152bef404b37021fcfa54deaaaffa354b84c070efb3f3471960a343d0a5740c

SHA512
b60afe70b83fc425fb8b3bab7e1a3b35e8868fa52bbdbaab97c9d1344181b9817903619bc4eeb9fd184f49982fafca8f1dd80cd161fb605b56d197620545dd31

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
230KB

MD5
0365b33b94abd03412f945fb61b6a202

SHA1
3dacca9fc7df271ad63733e5c36e74d50d68f74f

SHA256
896f6146ec878839d525b5e411450b2020c26e837b4fdcfcdad3d48e2e705d7f

SHA512
44ff7ca3e1f5cf3c70e7bf87d79bb503ea24ebd7185bd610e9579fe75f3087331388570d550acb83d1aab09b726907a7f81058c17ade50da6c19f99fc286cec7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
232KB

MD5
1549649d4672a1f08cd567621cc877b3

SHA1
2d7642d770ea78780515c7e6eaae71cdd633b9e7

SHA256
22b8320568fa49d74e71aee4081c60659850f4c83de2bc08fce291741b2be764

SHA512
65e5caa80c185bdde08c2a8529d5656dce98016af592105d29476ccecfe6ef1391c9bb19f900cbed54ad5291e5545dfe039f53569e649f00445671dbd0d216f0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
230KB

MD5
4700cefda86fde63d0559d3fb653e1a0

SHA1
7e4a998d79e8f5625bcb6412340980a938f3e2fd

SHA256
116da468160ed45c554d48fd71228f83bac412c968bea462205d21251e136260

SHA512
47ada7aacf4e889a18118312ed249f24449dc2ff1622f6be92ce261f72d788ba98a25fcffa374d9179cf441f6b25a9ce871fa29fa199269cf7959335113a0fb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

Filesize
199KB

MD5
b9da40e5b11e1b063ba1984b67b9a79f

SHA1
08bfc5c07ca31cfe734c6baa5519f4c0e028569b

SHA256
d473fd6ac0771202809e0f75b6bb9e2738e87fe6b8b5985869ce389cd4fd9c7c

SHA512
ce8db6e038612685a3ec974273ced99dc3b89e959fd22d4358fc86959c21a5676993052c0e55af882d85b32e54d4cd2896c4ee0270ef14e9915fa817746fe0d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

Filesize
197KB

MD5
6b7a098ce76418806042c753ae0e5cdf

SHA1
9960f39a3ddd8768417f30e4b91b33d9d0ccac80

SHA256
5f298656c078869bc5a29b6dce1d62a97fc2e58b07bc304d4ca333883c8e80b8

SHA512
7e051a9a568ba90cb81bc8741b1521cf4a472c39947ea7227c25dad574a819083904f3e519a7a80f36f0a13541d6b09973ba0503defd726b3b7dce9209b9b87c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

Filesize
194KB

MD5
2f0a2ba47b1a65f71b98eb153ffa6878

SHA1
1e77d5aa9623477202c19075f93084e47437e32d

SHA256
745a9023f0531e1bda4c820897b3b6f6efd75caee23842ae692c54cefb493b5c

SHA512
f27bc4bded873770c9f98ce9392aa6945e916b97a9bff802932322e0e8cf7ae5fa9988b72016593fa3fd5962ddc358113286e4eac4caa3eb694a8511213678a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

Filesize
188KB

MD5
e5c8f85dc646da00ca23153cf80cff31

SHA1
15ca4ab0c46f58f83cdbf75220ccc235f148469c

SHA256
4aa4245abc637688d2b471b31728739875536e14d65fee70ef69a7d127714f74

SHA512
a3c7b0f71113282a24bd8ee2c2847ebaf523b61bc9644bc00af18c7bee3489ff0c1f72c9f48abdce0f875e214e4beebce083563aaf2360bd50e4e42f18977e40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

Filesize
181KB

MD5
ff0df9c92c033feba49ca15f81d7847d

SHA1
2a718cfd3c81e3c0430151694c315e10f0243ef1

SHA256
aff11be9ac37fdaaa92aaaf4085bd9082891b4c0162d97208dc5206cbeaff1c5

SHA512
813ab120660e197fb02a6afda1cf0053178e698d007e58732d78bae3ea1d042023cda4e79e94ca681c745962f7433a69013f45b1a25641f47f8f1a3177f76d41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
206KB

MD5
a56a8014950f997a28b1a2d5601c5464

SHA1
263c0d14bdb58a5fb1bfe9abafbc91a0989b60e1

SHA256
53106ed9ba09363fc1112efd917a3905122ce1a62d95a70241b6f698770d570a

SHA512
26fde10feb3e7cad23db730266d4bbb57463873b91bcae8ac73e702fa2ddb5a7c6252fc15a534508324aa35067d75399ab3eb58965a908638c6d63cc7e3c7e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock

Filesize
3KB

MD5
f914e6e58fabc9e45dce8645ff188bde

SHA1
e16ba069be4ac338fbfb731d5dca60685300ffdb

SHA256
51d110882b29e686326a7f942b829e9d1df5c0deb804b59f4e62bab84cdac26b

SHA512
2f3924f255c453ee32bdbced2ca690ef6ed2ef1b09dfb4922bc8db48071c174d7217916109c63ff1a38b09714b5d5f3557dd6aae8edc99e775bf3fefa7d046b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAcs.exe

Filesize
1.1MB

MD5
b19e1e9b3fc6b64adf378f0bfbe0b5b7

SHA1
9a62d777d2d6b59088d874f9ac53112f8a4ad44d

SHA256
bbed271ccb57afae920895ea62649b64b6779d45a9bdbcec3b011888093edd6f

SHA512
319282cebe7b0ddde1de21c5c497224c9a830f97078a0b870073dabb32b3f2b22af2f6b96aae01011a669087163e661de5008f7c64fa41d0d920f29ef02c3307

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKoocUIg.bat

Filesize
4B

MD5
3b3341ae32f67853784863034c5f4237

SHA1
107f8c7a1ccbea8912f1dd54dd086fe4abc8da7e

SHA256
def26094551efaf291a96b1598012d4f9a141735fc844994bb1074e5613e26c2

SHA512
3101db9554b402e929da2229830018066ccd9cd85c5872c51b610e424bd8756f31d3b0f158eff2b0cb11e4f7b46df160d18fa447918dbcd788f8d6a726bb62b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYQgcsoo.bat

Filesize
4B

MD5
da5381d6463c8e3b8b861787ac13e857

SHA1
26abcccc2e88895ccd40282960ac9ee90ea6d466

SHA256
2c7e92efce9b3043dc56c4819132ab07e2f57a5ec24b4a4334815dccb4db75ec

SHA512
f1389d0cf75b590b5737b6051e19a2dd443e242d49d8efa0449627e3bd56ffce07c3b2a34f73090e223bfd5875d73f5838b18487565646a3d07f38b9e34d6bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcYcMEMI.bat

Filesize
4B

MD5
f0c4c25049e17ea66a7480e871365b20

SHA1
536553d84fd490e8e84e8b0f920d0418982d06f9

SHA256
bf8efa028e5fb59729a3b19d2ea51c1b9944c8726b6984894a09462b3be43e23

SHA512
f07ff49cd63435ea488fddb1721a964695e440c7dc6abeff62e78ace595c618e96bc415b17e7ae1129c6dcc7614377b971537e727c1acfc44993c2289cfdf4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aowu.exe

Filesize
815KB

MD5
ecb6eacc3c79ddb28d69c0cd7f9bb769

SHA1
306dee2201dd9c5f5c808c5ae8cb792751e3dd50

SHA256
846a026346194da9ce2ee4c7278a11af8174aac7ad996df58249124a672a8a7a

SHA512
c1aa4c66ae5441a3d3ba5a8b2b245860aa5f3ce96e317016ec3225761c23777eccd4fe53b3c8481b4288ab9bfbd47515fcbd12f2bfcf9ecd38946ad38bc1b683

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsEe.exe

Filesize
199KB

MD5
12dd53d0bfdb54fa09fb6325c4011864

SHA1
d0d92fa36e7650b7411cfae395e6ced8f72f68c8

SHA256
8ee63fe400ae85dba7c82d0b02da589704a3f7008e6bdba1e3374e8de6c7f1aa

SHA512
339aa639029acf6a6f5337fdb539258eb4979155a90faed575416357c30d8518924cadee310d5ca12281e1bf04bdb3568c803d24fc04cf8b9c887134202e7332

Download Submit
C:\Users\Admin\AppData\Local\Temp\BWkwkcYo.bat

Filesize
4B

MD5
f54e33eaf9f0b4457459863521cf8ad1

SHA1
f74de7723f1156c594fb19616e279715e0db6343

SHA256
ea0c6c6573fb4625ca13ee9a5326b73ce2aa3efc2c4290763ea9bb4963179e7e

SHA512
b62e4df1e57027e4b76cfefe9d454c77e1cfeb86ac4d3ade641a2f42081f6dc9e6a8a356634ba32beda1c83531f40177c61093725c8016b2b86335e3db635cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\BooUUYkQ.bat

Filesize
4B

MD5
74edf20bb948024be71c202d5c8c1609

SHA1
fb4fe664ff868fb6a3d8a00801509c10837e5c98

SHA256
12d6a419ce42b0c172acfcded8a79b987c2f33875ff770c7d6efcbfa256b872b

SHA512
349e4df9eec0db48b7beabece1c44fb8adc6af7c84ffc05e1398999a3496a4245ccb3c00ddd60d04d108ad9125626de14b127b3542a47f2fdee339de33cc3067

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQws.exe

Filesize
1.0MB

MD5
0fa0d8d3f184cf1da274ccd8fa3cd54f

SHA1
a88501fbf988438adc49f7f32aefe43056ef084d

SHA256
b3e236d539a6ae4c1d48aa3261fb580b7457aa96b4d84df526bc4471b55ef4f0

SHA512
0bb71ff0ce92a493e2145ce1592f49fca4a7077bc76da1c30b396ef6375e43181b87e9e0fa0a9d81bfbd985ef25a68eb100cc100b3d11105fe6ed7865d1e4b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYoy.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgcY.exe

Filesize
246KB

MD5
bb9a8401853a448dc8190b1a88e28f99

SHA1
48f147dabf83930c332b20e14c1abe9af41b9f5c

SHA256
7d277fd2ddc70147d03074af4ca0c1e5c2ad8df04e96f08ecfb1d2341929173c

SHA512
7518ec2fe1a49ba5e772e0ae4fb42ac2414171609643c520f397d1a9288e8a7e1c534f546cecaf8be9a252889a16feef1fcaf513cdf3bc56da76c7ea17fc3435

Download Submit
C:\Users\Admin\AppData\Local\Temp\DuoQwwss.bat

Filesize
4B

MD5
6e4825de0ee1cb2c51b689e12e5e8f90

SHA1
33a9b070abe0d28dca9f646a295c06e42a5f7ed9

SHA256
f901d947bb9b494b6919282b7cfed5647e10867a80323a5d53729e7132a4b3f9

SHA512
e0d00f83bd2211f7c0b36a5e0fc51528cda00eb6e01a438c911e5e069be8067af9a9601b048834bf4801888c7563c789516c44e98c582bac8e5382f8b3195224

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGEQIIcQ.bat

Filesize
4B

MD5
9a0ad9927d9f9af448120d08bea25c5c

SHA1
f32570f6da9d632617ca77ce9ce0bcbe1de0cbd1

SHA256
fca8002076d80edff7f258fca2d0e132a044b54cf11ac4602dd334f7faa48736

SHA512
bf7fd5c2646e82fbbeed6605bd617d3639a9722cf1f605ae02f84be4eef6628091f83353624de8349852a8e76689176d16b477a0788cc0e2680980e81bf053a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWoEMoEU.bat

Filesize
4B

MD5
7defb3a0dc498b4cc60e99dd984de8ee

SHA1
f64cb416cc5817efffdd204e0c3b2062229ce198

SHA256
51e37a3147e4bdbd3fbfb25ef50e6fcff56a9f17eef16e145342aa357974a66b

SHA512
57c90536b840c475a0cef8136d3f47ff26eadaf55465e6e4aa31ca7f0e5f6279c2e9da94501239827ef6fc2d1eb041a57ffad8527068f8bb46b05e0e6e1da3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcgS.exe

Filesize
207KB

MD5
c637833c34b5ca6938363823f089ad0d

SHA1
9c3a2240e00ef00da5009657871f6c92ca3b34c9

SHA256
cca9f0f0afa23c5e8aea4c8b84d7039627d00d243cc1f3ae55798474a152dbf9

SHA512
452aca4912ca33d1d3548443b0d66397cff4026b5f2d10bbb4cb2497a1c73924e710d27629f94d93129535e3b2564c01f81498da78443990ad9d30fbdb0baae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcwY.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egok.exe

Filesize
197KB

MD5
2cfe701217c502c690d358f268a04d30

SHA1
6a215e54efe20d98ba6e908036cbb04d9edf6fb1

SHA256
a83196388839f86ba41854c155d14c58ef152df1506148ca95092b062126eb0a

SHA512
7e54a7b40b2c07abbca4f3fca3f8d7e96ec359b11b99d406cef16f50290aa12c73dcf9302ccfd7dab8bd5b32d24f54604cdd50236fba3b1d48e68a5f297c7c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMAwosII.bat

Filesize
4B

MD5
762253ff97b9d1ee23f5094f791f3a51

SHA1
abea679802ac16e5b97f4b7840de465007952658

SHA256
8e4bf5123e17ce4122544906599d9db12ba34b9701d519847b978822a0ff9963

SHA512
99fc0272ab024c42120d8d9804b3c149bbd70b13880442ac1a50be1ef52012ca6ab783d88f85b83259f475d6ec0f0663a78b8f2a8ea623815b16c164b5d8c808

Download Submit
C:\Users\Admin\AppData\Local\Temp\FqQIoMYU.bat

Filesize
4B

MD5
72be6b10f86fcc32eb72bbf07460ddf8

SHA1
53576f1df23fc73effa5c2330c57d4524a86de0c

SHA256
be2a555fb67e4b66a034479d5702182687e19fae5793eda72f5d325a8092bf64

SHA512
5f1e434ecfd96d721fb8c5553374028dadea694f95fb2a90e8d41aed898315bbbc064c519e092ae287587ef9c731f641583c3376613e75270b6b334ea3a52e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEoW.exe

Filesize
230KB

MD5
4cfcef3db7aa73a56e72b1e7b882ebda

SHA1
61a22848495bd7a60da7c5baa01c9b7270e66da4

SHA256
0c55f4a048c81e50138133091843fb70da26e5d8085d8f566a327b8c0ef9b820

SHA512
f1498c7d2a1b575c1790132df7058e59af4593f96efeb8096488d78a99a9d6e2abd7aa17186e4c626709e21457b02bc54b87ddbbf8fd0de37459ac43f50fc029

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUwm.exe

Filesize
235KB

MD5
7db15795c833e00e1ac98db7637be52e

SHA1
a0b3f424c145644d1bdf0c5fde9fa2c377243d36

SHA256
05c417a3899cb83cf8c9994782c63686ffe4b80cdcdc733e6ad0ed5caaf1c9f6

SHA512
481b9592dbe363fa74ffbdd797d0f3516a4748cb076cca274fcafb392073527586ab28384695a50a3da729b8324e1878b17ae8399b44dfdc3c6a97fbb14945d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggoy.exe

Filesize
247KB

MD5
d6b91d6c5447df3e78cce1e419d20097

SHA1
fe6eb973d9a23ac2b9b8a3335963f9038dee319a

SHA256
bf2667cf299f171d6e03c6bce7fb79289087d806c7814969f13d3e82aff8a7db

SHA512
f3cdcf35aab047fab3d732677d4d12684dc2e73324fff58b54baffbc310aaeb024cf26437b4686c7ef79ca412a52fb060ecca97ac37a572e9de63da241c6b1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwsEsMEU.bat

Filesize
4B

MD5
80ef8f420346123ae85a6497453654f2

SHA1
a4fc7c6481d90479c5d941cd988defc02f9ff330

SHA256
59a2601ed777856c3ef4a774ad24f131e4c7714bbc52ae81485aa6ed31df93fc

SHA512
95daa78519d95fc4adccbe3718dca73c321218cc0594a2af62a195e45d5c7f2f5c94b3e342c7faa4ea24e441f255b16fc90623f822c70ef7050d877356291272

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOYMkYkc.bat

Filesize
4B

MD5
0f2f2438a9f3cd813d123a3b74f870f0

SHA1
9bc47d0bf1489b75426ea8b82ba930a45c59c5a0

SHA256
2deba0d28a9be990ad51b03c6d0699fe627f794186275e04871aaed6abae9363

SHA512
30cd957c630a3aebc1a88cbe00bc38754760bd98ffb0ecbcf14e184f7609949312dfb761174aadbfaeca0e317f9c0445779a70332d46cbb4c514c9ee7098572b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkMkcMcA.bat

Filesize
4B

MD5
9fd5a339275746ef5fbeb585d57eb165

SHA1
d4f0c75c322497e402930212c45142aca7839056

SHA256
ea288012a375fde6703e2e1ff1c266f4cac560da8d575ada31ab689d5fddbb16

SHA512
f463496b7143a250f614e81fad554738ee1299dbdc8b6fbb6a6af3b98639d6cfed74fb2e94d35682f34490dcf89bc80ca43d046d869139f022d27cc6401ef810

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICoUEQcM.bat

Filesize
4B

MD5
39dc52c72d9bb04e7866c0aa0fc5dee0

SHA1
82a7da0a92a10fd05778771b8fd552fb1ff0d809

SHA256
bb55e4608c5bd377659c51afcf2812b1f28408f2f84f917579667f8ef2c6752e

SHA512
c93fe4eca2d870208e7f22f1e197795cbe317be23d5722dbadb7cbd7a25bfe543529da6fc6c9b59d3e7255fdf4326f005e2621ed01764fed367ba913511d4abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEse.exe

Filesize
208KB

MD5
4ba0f935d5465eacc68e62dafa4a68fe

SHA1
aedd1f913d2bca2251f7d8087e55698052a9433a

SHA256
aa249ee60c8658faaf74a0a28fd3900e732af28445799bf27a5b4a2796e87e78

SHA512
48120d1ee427f186fbd414de4f775a9ed036fa5d12812daeb09ac1c7701e763fb5729e0c846174e5a649df14608040134257e19225121aa5de582f1ceaa012ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMgw.exe

Filesize
237KB

MD5
966662f6797ad112ef5c0b390e806c5b

SHA1
9876c20d2fc186104e0af92c382707bc01aaba14

SHA256
c75f9b5c428599850a1f033fcb82935e5113d10128170de8c35bd2c25faa2828

SHA512
fcef02dc419e47ec858d03e91154db69e5eb140e8027abebe4502a6387fbb4f13d28f1d2bf494797ddf0b14172a4b9e9e2933a90165bb6caafcf109d9aaa5337

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUQm.exe

Filesize
816KB

MD5
8eb4392028c86f4ee4ca300d220caedf

SHA1
933d3294bb050ea8582ed8ca7de49635cf82a9c9

SHA256
3b44320fd151a663e5d7a6765331da13ecc73d9c7a07d17fe4a6bddcb9b4258a

SHA512
6b55a4b82d47e86054db42af7a688b1b2577878c996fb173361ea6d9956e8bb428a32c7ea458df856945697131575104b8639f0ff61b392f3abfe79566987871

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgMe.exe

Filesize
240KB

MD5
2e92efe19221e26054b2668199bb76c2

SHA1
5063aba0f490f900b90a62c830831cbd203e4839

SHA256
28c063cc2bd8d6d32253bca3cce2c98477fec5774004cf7af72377eb51f13e51

SHA512
984ea210d4d3e61a3b815d0b5328e1c2063126ce16b91d1f480fec19373c0b14ba442b444d2b3a7673e7d4e3af30d11213fbf76516a25b28cc60e1feca131585

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgkK.exe

Filesize
234KB

MD5
4705072dc2684088d4f0f6bb8d8f49bf

SHA1
7779cb160fcc0502b35f8df99010323668bdd841

SHA256
04ea424c0a2626a28d4b73217bf2e4458869150096f94c0f5f99e54cd8b34d74

SHA512
4a9e00da386787cb9527070251d84daba12e599e16cbd7423b340407a0099d8530183b2d39ef82fa6ebeb6112571d437af346ebdc64248007f88b5cb667f2acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsEo.exe

Filesize
229KB

MD5
e583c3bdd8d80fb5bba5fde722e1299f

SHA1
441e47bd0c322fa508464c0e6dffd5ef3b0f15ae

SHA256
d4e7ee1a435dc9713400bfda75e332d719bd5cb126bb0311232f772b99817749

SHA512
34d83d3b1fa5cd57a72830530c3c5850ae189a83a98495fd10ead3cde0e660151011912b592347897457d4b74cbaa8c54df613b03e0ae8242df81112b06be189

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwUU.exe

Filesize
234KB

MD5
0e24278c649c63aef6d273d4135756af

SHA1
3adb223cad73f7460dc245dab7baf26e1e06e1f5

SHA256
37f152928d46b780badb9f99ed1558feef297c94474fb4f15fb6e51b572b016e

SHA512
2f2bbe349cd5ae5e62641d468f390b24ecf1b140a2aa50a72178613ad47eb96a912d0abaf45fc507bb97b9881a26c36b52ae414dabcbb0038ebf0f326b8e0db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQYUQIQg.bat

Filesize
4B

MD5
499632948bd76db61b297267110cff37

SHA1
98edbd0dfe53024b964199fb4d38dcb073f5ea67

SHA256
52cc25db1619f2c326d8715d0bd6401e96f16a8c0a50d3aac4409251dc43a1ab

SHA512
0c79c1c57deeedcc2002bf07a8ee30a107abd8720cdf3699b69883dfc1029940e35641e2557ae2b2897b4e15f225ac2ddd1e37bebf2ca5ac1f09b9c3ce4923ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaQccEwE.bat

Filesize
4B

MD5
4abc300b40ce6d4d9007fa1486fda56e

SHA1
63a76974e8ea6d9fceb6264d9a0eaeb8b58db7e4

SHA256
bcfbf1a90aa7d07dacaf20778be42b4b5121a8a3719aff5f6e579ae3a7f7c283

SHA512
e6cb7178bb0c691b3f68387426984940173acdec0230e4c7ccfac3d429ec0bea4a55424205bfda69a0185fd9e384ad0a0ef871ff8b725aa677ba09b991f37632

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEAY.exe

Filesize
1023KB

MD5
47cd5dceb579a9666a168486e14be7d0

SHA1
dd5ce706d41dc5e2cc3189cd085c559a5ed9231c

SHA256
bba0cef6caa7c269d89712c5db00d18a00122bc5365206b06729361fdbb14a89

SHA512
4d7089774a642442ca8e7b503eae560821b413fe9ef1e99805ca5911ab1091a93a513e1b01d71d363480b6626b703612094fe0f0904b3800ba99572a3898755d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcIIYAAM.bat

Filesize
4B

MD5
a9e7a8f0d770fa3b2e0cd56490b0b084

SHA1
9c21e3095c87a77a3d1f004aa89e7a47bf295e83

SHA256
581ea2e548aa9c71c000a076c55996c3bf7c137090763b89e9fecf59c129182b

SHA512
9407443c1c000479a38b07d268bb53330ce47c69196467fd1a64372357a83209c0b1b79f006a3a54485794bc91917decbb02aaf0565818af4c0548900b5f4aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkUIIkIg.bat

Filesize
4B

MD5
7aaed0d8cf1bcc1a876812e09326766b

SHA1
111f46354c9e8b8023bc2ac1fb050014c6a6ad4a

SHA256
403e8e5c4733d5b542ba14ff19ab05ff54a797bad79fdeb7e9c6ca1b913b9f8f

SHA512
45f55c7364b90203896f233630cafea81e54761385d23c2d0849bdee95f86c669584ec00fff6a82e3101283be8542695af4e54ef61b012132393765edeb11e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kssc.exe

Filesize
193KB

MD5
d7a39851207572f15284b0c2362e73d0

SHA1
8c9ff2d065cf8f76acf39a8082333766d5824ebb

SHA256
7bd5ba6cfaaa0353073704d13015e8cfafe938d3335446517e1e8c2500230e5a

SHA512
d617f6f787ca832f640c46d8e9bfc240db1b5e72e2fcb436cba82099bd159a53ab2d09d7a4f71184a061e1d3c4c98b2ed2508c0d27d78b7efd287757471d9cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYMccgkE.bat

Filesize
4B

MD5
700611e74e52acc4965f2230e9a94e3b

SHA1
b6c8ea3f06a2024ed6299df2587af2a2a8465f7c

SHA256
31038487b51c30d363dc57de374861a8e4fc9f0c704deb1168fef037b652950e

SHA512
080bab967201edfcbe71b2ea0a16f5c0bedf8a13558395022d26ce6fb9abfba42e77b9aa49080714b268ec97cd11dfbadff5dd2bf2bebd4fe6e348916f73662a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiYcEEYM.bat

Filesize
4B

MD5
add07286643d08a1bb8d0794da6fb0f8

SHA1
09dac443a83ce6b18f702a4298c9e5893d0dd416

SHA256
b97e6c719a7bcdd8e2fadbe3f1a10fb4b9dcf6e414240cea2fc7b87045714d33

SHA512
aec774236370f47fa43ec44039f073b346e73450d3447462dfb0ced5fe3d4523a6215078145c7beb9a0c075bc95a0eaf2ae2c78d81b76cf61dc9069ab51eac40

Download Submit
C:\Users\Admin\AppData\Local\Temp\LmMwwYsw.bat

Filesize
4B

MD5
1e9ddef88470915e55e8e72ace58800d

SHA1
e47ac030465a24749fba24d59899af0b4fc09b14

SHA256
ffda1f7ccba7120e2249f9bbee9f6e1ae45b1b7b5d22066e64b52c0c0a1c46d8

SHA512
df927bbabaf75845342519a2a09f93acd0fce796cb39ff93790c57e34dfa43fcfb983e9e565d45d82a8b544ca6ed798fc6c5dd253f7c7ae9485a8817615be344

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQoe.exe

Filesize
246KB

MD5
b4b7bcd4e71f4525a262134b325c9267

SHA1
dd53fd1cf336210c0fcec3c4ee0f7b39c2f2aa89

SHA256
949bccd33dc16e7dbbe8aa338a4d5d46f768717b7b8d667fb0973b76d9b7d81c

SHA512
4a4a2058ff4796862c9fefd286cdeafaf40aabd9cb7bbd40fee0f1aaf4df17a40c5c3da855ce8af827aea91cb6f5ef9b878ae3132e7071eee3116b625d55671e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUwIswMM.bat

Filesize
4B

MD5
6714f751be4148cfa5bec5918a40549b

SHA1
b6bb7947226f902847f384e4d4a868ce9cde2eef

SHA256
1d80cd15c4b9f96501132acd2d5a6401b4069216ecd7b0e4c4b9239bb4cadf80

SHA512
9830c3fb21dd8b815236e4292351480cd269d71d4e1445fdb85ad46cb448bef3c4e96e1430e37ad5c909fb5b4d14eaa62648ed346b1a34ef64636a6fabe1f86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaQwkcwc.bat

Filesize
4B

MD5
ac4c4e3b086e7aa706c08ad78de231f2

SHA1
4b3b5649783cc0eb5d9b015c32b4269fafee1e8f

SHA256
ef0f0b8b523b1f4f6478fff26bda03721cf4b50f52615a3d535e6e7a3d37c8de

SHA512
6135571116cc23afa3a82e236cddc23fd9e2897d3a7dd5c8a6daf5f4436eb03c871f1c33fca471b6998c0a8f223e70494be3c3a0d7a5db0c81b91b2a1c85ce87

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUUksMIA.bat

Filesize
4B

MD5
52267b84b85d3450344a82d95fed4571

SHA1
f37088d5402a71ca742b497b1c040577f84a30f6

SHA256
dca451d22bc3e92e5a7fc9107e982dcf5d6c27db50730798baaf93db03cba66f

SHA512
9ccbc0cb4bd653517103f72ac3541b72cba84af5984cae2e7531b174b9f4af99e56d015d732af38ef1ddb3f82333eafa081b59cedbd9e5dc4c522fc416f46177

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCEMAkws.bat

Filesize
4B

MD5
de5caaf4bb38a895ab7e48ebad953c93

SHA1
a00a67458cbd403cb3a01f721373a955c40300b6

SHA256
7607ca12081a24fc1f084ada26979bd1b1b56f000bf4565e8cc66f4cd5143aef

SHA512
a72e54966909e0f8d2e53cf1d3278b175c2ad3562f5e0f49745b8fb8499a8a4770aa662bf30afcfa888db10c410a7179bd66092b6eab041b15a5788e62addd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUIs.exe

Filesize
619KB

MD5
7a1791504531471ebe42568ec0b06c9c

SHA1
ff9506a0197336f686cd2f7b1e27261a2a15f0ca

SHA256
805c1ea0ceb5db063a9f6c374533c76106b1030502f55c785e011eb35938e2cc

SHA512
f441e23fa98a1f3a3860d08eb6e386d1ac987db1b6550b79ce6d2ccb107c228097538d09bd415d7e20b47383759d6e87fdaff665afff10555323eb05e61a7eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\POwMIwUA.bat

Filesize
4B

MD5
7e3c6ebd66f38996c9ae3230340a07be

SHA1
2dd65bf8876c57658af8a191998035faa8f6cefe

SHA256
5fb8d9e22f08b342502f62afa9be5d405a184d3a19820f8fa28abf65178d5775

SHA512
b8f37a41b47e5b9860e8b27db61f970adadd8990ef8fe05a2701dd2b2780839578c002990b5d66433c697cf8fec917002a3574fabddcb20ab07a3b662d8f515d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkkwcAgs.bat

Filesize
4B

MD5
cf782f3540f8c67ce32ed018135255ff

SHA1
d99b49a997ce7e44a972f2212eea521927ed02b5

SHA256
d28758e17fe9ce30d7bf08b01a1a517a2f2bb0145dbe03d0b713a558fdd73fe0

SHA512
72be2b65614a2153cc9c1345a40bbf215615c40af2865dc5ff359a5daff9218f993c51f1eb3d5bf58c86f1ee3bfa4b15160159fbe128d98c42066a77c42fc356

Download Submit
C:\Users\Admin\AppData\Local\Temp\PuAokUso.bat

Filesize
4B

MD5
f98399b691c31aa9daf25d0ad13d445d

SHA1
136a81cc735a485d2cf99a8d888abc7c0b7dcc4a

SHA256
ac41ff6e0584d197162aee711b2c48bda57162e9717494fdb028b553dd4cd9c1

SHA512
4223c3c8da74470c67fa15200bcd5ca4a1150eaa0955cadfe4e2295ee8cb441ddeca610eaf7944c76f8d15ab312fbba7ecd5126db97d826b086281be5e505fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAYQUEQE.bat

Filesize
4B

MD5
bc77c078f244ffd7430975e4b63a93c4

SHA1
88fbeea8722bc743aa13e0cbe125742e26e1962d

SHA256
3d0e12430f078d44bf618823e8dfa4ef93e0ff1c6306582dd88b5c4bac47634c

SHA512
6a99b48c0721f152f2a628e8713cb9cb1149935f0ef1332fefcc31fa8d87d04fc15b9733e73eebd784f3ee420c11a52df9178cab0299ab7c6925442b7d12941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIUG.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUQi.exe

Filesize
200KB

MD5
4ea9e45dd9e2aec64b43107a9243cdb4

SHA1
36222acd813d0da194998a47ddce622a19feab85

SHA256
2b724ea134e2811bb0a88be5e5dbc52f0d850c5415048382b0436bb838584832

SHA512
e012c5e8c276012e91d0e29b3d6c0bf3eeed3e5d3cd538e46416e203ea4eff56e9190e1fc3ea25774018fcd25cd687d7678eb47b9b12e4bfcd03f9fda68b5c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoUI.exe

Filesize
238KB

MD5
4ad9434fd516b1d9dea2ded37e756ed2

SHA1
a5eebaca9e5aeb56b5c8595d9c665405c2dc3b00

SHA256
cdd957d4d91adae137d371ebae741177038e5dedadf84bb981bc6b3ba5f5ffa7

SHA512
795688f7c6e87e648267b9d1e087e3d09aaebcc419bf8cdbeedc6146fde72847af85ff77c0da9f4e32a328a722448a73c66c2f69278002043948f66034d0f7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKMIMoUo.bat

Filesize
4B

MD5
50562772901bccaac23b1309827d75ae

SHA1
2b29bd820e1ddaf73c67fe15db01ed2a87e9a9a2

SHA256
d15cf63b4a9e9b24f2efcf51d750e09465592fb72891bcd596dff7457d37611c

SHA512
f665cbb7101f77d7e837c5d9f27b84969dc21e896a138693e6b6c2f60725be27dc53a75cf24533fe80cf08f77b6363c081f0741880ce533659d6190b44f26d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROoEYAkI.bat

Filesize
4B

MD5
e74e6a94c820664636a669f04a968104

SHA1
427ab8320fe265d2c1706db5007870af59152256

SHA256
4cbdd10700a057c3668323d096f24e7b3996fb59aa5b51cf96cc2020e06b4dae

SHA512
18852e027c58482d8940401e6165c911e87fe550408b04020c8d4c8dba042377a32ca5c35aa0a83c062796ab5afcddc7691d741a8d16bff3c9cd46eb013fbb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYQO.exe

Filesize
226KB

MD5
ca47fcf5f78f0e8df786b0b45f712a37

SHA1
2411dafe765c8d70ab8c1bf3b76a78f0261a382a

SHA256
ce83bea34f9907e76db5594f77687352a3341451fdc85f4d7a76bb10dbb3972d

SHA512
bdd060ec71040bd1c452dc76069d7a5a63bb446893215ed8b1dd669f4bb6c807511d8c634607030fc9e76cd7ba5bbd0b9375bb497e53a4a842cbff29f4b9a2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SaggYAwc.bat

Filesize
4B

MD5
10c70216ab17ecb1007923c4670eb7ad

SHA1
858d662b08a1e7a74c3bb28369678241ab469ec3

SHA256
5cf08e1e67923b4efa2c9b3419d9d964729469cfbd0e5e800be5829a82adf7fb

SHA512
40362987a58d5975a972ad1157f1c373403b32fd8c9a2485acf7d639d32b62cc5ebf02a651261b4eafce9ace0b952ddc8d99ecf6a59f5ef690101fe9e26c0818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sokc.exe

Filesize
203KB

MD5
a42f21ac67eddfdfcbc30b28ba50a390

SHA1
28f6202bf0a4c38301075249773d4b690e14ea8c

SHA256
36dea1d2b7fb4e08c816692546e27c3b748d534ba52478614b29c89d3d87b724

SHA512
df0be446959638fa09a98f624be7343e69daedac8ad99d3372c5c18709f88c1e7f384676cf2f11d6daed92b866909b1c712d5db12b0f4f3dc0648f8c5810b044

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwEQgMwc.bat

Filesize
4B

MD5
e25ace412bb23b709cf8a4134a67830a

SHA1
ab9c747ccec86dc5ffd2f9857426acb01380391c

SHA256
6d289d003e40c905c04ce505784154f1594f063470788d8c43c9ff8f1a8e5701

SHA512
d42b1dcb326fb8e1e8859d2c2048391ae606230a8e51111f0c94530732b35ae93cb55d87d38de067a8db54afa9e2c706d234eb83c6e20ba5809576991f4a8cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMcUAwQM.bat

Filesize
4B

MD5
40213bda35bd7f57c0d912e7dd04e50c

SHA1
55b86eb8f14beba3d6a65e96c5c45eb138898adc

SHA256
310c53c07e828db217ab6c0707cb7007b7d457914db333c0b6a79728a5776ffd

SHA512
0529c7a66e19c5135c6ba8b79ffc1ebb991e4579f7cc7f95f3a3303de0ef291d3ee5077ec4db3a86b8de8c74e9efd67c95a9a912d96ee5b709d419f44fc21a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TyQEAUMQ.bat

Filesize
4B

MD5
c69f4970d7a83afe4e60d6674b6ad6a1

SHA1
e9256eba4f0ab63b30ab6c2219d41a690c85414a

SHA256
4af2b6c6ef19df5586c5c67f22676a8abdb2b36dfa05496a89ba1575e848e24e

SHA512
4276c089d37ba59d820814af3e234f11146157b6e0e99fc935a207ac0226bd358e5c7c9e716ceb9ac4759f9f56468203be2be791d770beb932c476248afc22e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGcIAIIY.bat

Filesize
4B

MD5
e5597d6af6fd7163ee77213c48bdd9f8

SHA1
55f792834be344b70c3ad39f34910825fb7d04a4

SHA256
3c2ded237ef802ce68c5ad6adf6d60e5aec562953dc2631d3f63efc9fc003dc1

SHA512
af773d771054fed748dd8f681f8a481f88a6d65286e6381e9daac5211c6823f375a476c565f90443a4e6c565a9f4fd0113c864ded17d5bc0e9119079c0ac6435

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIkS.exe

Filesize
197KB

MD5
7bc4977086960938a48229d2fd5c4d54

SHA1
786677559d3a90719eadd4b2d494f77b636dc5b5

SHA256
e461ecaea53704fac7698695cd97509e76b5ce99ac4b683d68d0c931860d81d7

SHA512
f61cbcf879a08341db4debcc3d1b8b540c177dfb6e7faa89d5996be3c408af6537f4c9ee0ec0ce09e438b42620903e0cb5838b73b1351ccbdf0eba0a44cb3edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYgQggUQ.bat

Filesize
4B

MD5
90c2f4b3ca685fec636b41f2c5c94764

SHA1
1a7c4e4461d4a81d3ac8cb8da29f8c957ba036c8

SHA256
b4cc41ebde6cdf41b48e310d49a8e878fbf4547acaed80ad893189a17ba95550

SHA512
4d710173daa2071402ddffbecfa1d4a1639ae87c7db7ac0081b7a92df2606f08b2b843fbe1747730d3b98c30b170b25446cd258a29eac8778f47bb94327be1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYkG.exe

Filesize
245KB

MD5
1f7984501107937c25117b9a19d4e53f

SHA1
9c18c486c3a6f4266b1c5259543edc83012b4033

SHA256
88f25dabed063300f53747b60a1af3fffea6b0253e7a0880941c6beee926cbca

SHA512
1e14f4b9816b2414eccbc01be62bfa7e905f6c9a6cc7c3e461cc92c4f6f7b75d850c7a9df63f4bcfbddc829645334c63b2ea37735ce09c9188a5ee571887e63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UogC.exe

Filesize
242KB

MD5
540298c92fd29d8715fee27b8459b355

SHA1
78ea904cafd9e1bba5eecf1a6dd6d6a8ae41c91e

SHA256
8f5a77f9d1b4fe04461796f89e747c14ab844c0c4b20b860b6f5ac7598832fce

SHA512
9d7c3f5cc43d9e5876c514894572fbab2e9d875b339c09e22b77e63abc9ede0eece0e1bd34043c5ed6b30f562ae3569c1933b80fa81a9d0a73cb4a28cf00d5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsUS.exe

Filesize
769KB

MD5
0e8e1811465ab5a7841dc1da73da1762

SHA1
fd3fb2e6fa7c0607eeb33bcf3ffbcefca2e60809

SHA256
584db3ddbb07fc50dec053c12fa0c9907f73cc4bb28a18b5942014ab7ab8cab5

SHA512
3dd97bf2ea025e0aa9cc171d3f653d612d9b877dba626511b9506a8936d92df7a77db905eac67f66000a33cd28903e0d24738bd8a519c121637292704d5ed5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UskQkoso.bat

Filesize
4B

MD5
e6084aa853fd1324c14add0c9e9ff49b

SHA1
80b2bcdb509a4dbe4b47672a5d60cc1b49206033

SHA256
6ad359b63e6d5b5a2db991e3a09674c2fb4cf2f6f87321d918c8c3eff2589868

SHA512
7061c51e7047605680ee49c0127f58db6427aa8db8b0d60f3b18798b47ba45b8364a6d949707ae95a97c1edb2b54af9f537bfb3a909bed05b09105e48ee12f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsoS.exe

Filesize
649KB

MD5
8376d45961f643bacf968306f4d78037

SHA1
b936d4e58b9e207aedf31028b0764c38475a7edd

SHA256
ce7218a952bc2eb3415f93a55de96e1e424aa0555fb350b2c771e1f1ef4eb804

SHA512
b960a117c9f0fa45a47b48ec24f9d162176b9f71007abacb6e313f21934293db7b0f6717b74674d15f3f69c229b606b9ab61ae8507cc85dffc9d3949e49966e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwQYsQcA.bat

Filesize
4B

MD5
9ad4fadd09d8340bbe7d47b277438261

SHA1
4c7928bf5021c513af07bf1aaaf0dd6a5009b98c

SHA256
6f09bb8482278544ba11af8c70aaa83f26ec72953a91e58d46edbde953865675

SHA512
88e3ee7f2c170ac8c28f316dda21bf1ac8a80d35c927d79317035b39eb864fefa6ac4743780246c2b018e13615f6f8ea112fba53c5f742c297076ba293239ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VKwckgQA.bat

Filesize
4B

MD5
929d1a42269d0369f4c100de975da124

SHA1
338a2fa191a408bd752534981efa38bcc01ba3f3

SHA256
946f86db52137779f40ebecaf43e7e0d1e45061d15e9a604dedd38f6c665481f

SHA512
3189a83da03553b060e0c8c99269aba4900434bf02894df252efc08e7bf7bff58296643765ad08078d2ba4747a95b11c5e2c77fdab04af606b799c5eaa95ef8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUIe.exe

Filesize
229KB

MD5
8829f014f69b28fe2800a96c74a18cc8

SHA1
550e4643b3164d7f2511ee770cc6a2c2586ba627

SHA256
d05225f7e8b7e7addad9dbc9d952947650a45d016648f548fe4b4799dcf86a8e

SHA512
aade0b09b7fbdfebb6d481f16e1625edd8033f681a48386c5dd7f2faf6a64b9ae22b366c0cbfc2323f2164edf2a13c5d1bbbdf0abaccbcea7aec5fc2538a12bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaIQsYUg.bat

Filesize
4B

MD5
691d80806ef3739058d49668b2b7f534

SHA1
b97fa25402f2f7b1468a9766896fa4874bccc0dc

SHA256
2f240b2350b21e424bb4f3baf265c9a83ce6765ae6c972b120449184533552a9

SHA512
8430c0b6daf736d4a18ef21e66142e8a658833ee83d44ec62642c29a29609af9c006903c437c8744f107cb542f079d85fff1cb20373b6af554fca413f30dc74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WacEoUwI.bat

Filesize
4B

MD5
a63e35fa3a6ff2af3ec713aefd7cc981

SHA1
3849c777fab3a9eefcd61766a59d905bf27ed968

SHA256
ed2fbc3f06f80016f992789eb39411348ee350e54fbc58ed4ed639243d5f85f0

SHA512
b1e070253eb706abd7cbf86bc4318be57df64f940422a488dd024ca62ff84950947685035de6701a0d4e1680d9fabe5fdbd0d6e81665d58ac5bdc92c35e1c998

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgIc.exe

Filesize
236KB

MD5
1c1291e43d70d7bd175789811775ab7d

SHA1
74984cfa2c03d98bffabbe7b36e76cdb973c9d0c

SHA256
4ab251e7ebaa427210dcaa7c69481ccfd6157f70b8c936481cb60ef097d8e194

SHA512
27366f3ebd83ad0547378dadbd4f81e5de8f46d8390ec920abeddd7450f5d266e424400af85e6f5378b61fab00275e8595124cb6f7ffaad02fdc6381c570faad

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsEk.exe

Filesize
240KB

MD5
3fa1200a49114618da504ba68fe510e4

SHA1
30416c996542a1302b12c71013a0ad37726b8805

SHA256
ab9d79776775a85fb446dede37b43f975172f08390e5263b3bc330c39865714b

SHA512
16a6db19dee36b901911aa1624fa785cc7a1e246aa13c3a18817b420b5cd117575f1741979a69f9774c34a79b901ca82f55dc56a219a4743ba2eff4b1cf00aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XuwoMkoQ.bat

Filesize
4B

MD5
27aa37f0bacd357592274582b6c2b8cb

SHA1
d2c787e92a27c37001ba10cd76fbe2b854289eb5

SHA256
1a37e30858783577b33c4513e74f8c4b845d3297648374e06977628138b3eb00

SHA512
210fb284d4f2ea41d7ebbbaa053bf0508bbe524f3af7773873bede13d536db4cbca3cafb5f7b8f5bcce4006e728d292939eed454c9b775e98b939f39587a3522

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsQW.exe

Filesize
231KB

MD5
45039983fadeaecb1b90137a9dbe7c5b

SHA1
e33a7e9c0370487cc31abb6260a3dd13177bde23

SHA256
37120b4bf0410c8ea42aa0cdae967ac9e0e800f7f40364cd6687f60faf22888e

SHA512
33a412f56bf8a64e0b127de5c8a82bb45cb82fd2b6736b830a2f78ddc726100b23d554120471b3d6bf9e7fffa4e5e27031a8cd6891107b96213ab3fe858ee5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwYE.exe

Filesize
198KB

MD5
36f03e192c14fb6948fe03bac6541495

SHA1
0fd5d50d5e4050dc0ff44f6ee98c66b54a19cd7d

SHA256
89ea2d0cfe88ee024ee0b963d9bf94d62a4b81e29ce5d996cf09c23418147909

SHA512
0776284ecae0fc55d07597477a0ca9f89366059db62530f2d588abf863cbced063954099fb0bb49431089730f2164fae5919a6d6551ce81f59f4db43b9f1d90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcEgckAA.bat

Filesize
4B

MD5
94906423f1d4a633b5e0513e37625412

SHA1
38628b9257afabe3eee763558dee8ec0364092a9

SHA256
a5facb209542b45e05aaa115f5e45fdf26e944c2c913b65aa601cef8f55a5414

SHA512
4340716defac1ff66d8e04154743b749e1494a68fcaa6a447068721f35efbd0d8970da88e43d117a31c9d7df757867c8d2cba0278aaa0253d699d9823a7913ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZoQgAcIg.bat

Filesize
4B

MD5
a9ae6312ce8e6159106556c921f071e9

SHA1
2bbe63466dab9357aeff557edce5ee89e703a9b0

SHA256
801ca2d7726e05577179d719ab16e43254c316f1d44d2545f66d2e6f03d8daa3

SHA512
6a8c5e449ffe309cfb66bae7c50afaa0be6f1c6aeb8f982253490b41299bb1863d6381a89eabaa7239a2233cc453fc12fadc342a680cd26a26ea956dac881807

Download Submit
C:\Users\Admin\AppData\Local\Temp\bOMocQUY.bat

Filesize
4B

MD5
f85aeafef935d9226e8ecdf33e36ac03

SHA1
9d9283d18ecd28485d9132f7277f94989ea43e48

SHA256
6a8beb8811710c8ba45d4df455dff57219255b9b0a1d372ca723a5cdaf6784e3

SHA512
9f73b2bfd3fc86771f4a549f29d86d80a6d44434b434df734cb57851507380def18f0f18de54eb212cc6b3359a23229d70ebee0be303e37deb5dfde530a02270

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQMEYYUQ.bat

Filesize
4B

MD5
e8ec3510d5fb2b48fb766d20292354ad

SHA1
4b1b4cecfe5a377ff6354cc315b7539e94014882

SHA256
11e3b1959eb60a87cf3f631688477d07fbc8fe232ed0054bf0e864cdc3316732

SHA512
fa86c266f2b7845d8a050495c5b7290c32abc0798312654c6dc7609126d1479c5dcca41218447b030daf4329c87a3674a4f4321740e3ecb765c310fa6ecadd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcMsIQEQ.bat

Filesize
4B

MD5
468ed70929708926ac24e456bf039260

SHA1
f657f3d9f5273fe281493a924605bc1061435bad

SHA256
01cd0da7e5b2d78f99c57b129ed874652e4a61eea2f5fbbfa8d0011403c53f3d

SHA512
35939ef793f4e1fb2c14f2dfe8068a05c31d5afe33a4a97eede3a82ef44593027932c9cd60e8293e7337751945a4074cef36dd2f1efda048bf5aff3f78a82042

Download Submit
C:\Users\Admin\AppData\Local\Temp\bekIAEkg.bat

Filesize
4B

MD5
ac86e9cdb2725f79b89a6d2f6ebafb38

SHA1
c2ebb12f8716dc219ac8b9a9e5e5f5fc8038df0a

SHA256
30376b5358f13338de89ea01321688050bc542c3f81a70ba0ce597398312b30b

SHA512
961ae09a5bd26c7102e9434b2dc35d94ae48b3d63cea4b90f9222c203e37f6ee3fd4c93f4616926511fc865a35a7b86a138c040aa9ffd650d42370e4369f2030

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAAe.exe

Filesize
223KB

MD5
640315efd928cd6f37918792c4131cea

SHA1
22f95ec994f3dd7027a2bbbf864e4bac9bf7e40e

SHA256
f1d40aaf2c5b771e2b9a8197b9124fdcf9bfba2b7940ee4ac060fb03007a0159

SHA512
643fb611d0e98c4c29ff766f1d7efe198a1430af41cdf9e58dfca13dd887c01e88cf9e0bf5cc94daf30ea9cb20cfec418f89595dad7616630f0adc770e1000a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEco.exe

Filesize
213KB

MD5
3f3ece750924645fb22234139b0ebd17

SHA1
a6d1ee1dd4d5818786e8289725d5529bfe234921

SHA256
f1a8e978fbd5140015c948bf6a17347c8da4ebb6ca27918f28b22e7a924560b9

SHA512
20fba2b0fd47743c452d10d83012bf4a8c3c92a579682a71f53c6d4cd4547e94f98cedc399dab4c65f6da842aa7a5040ae17222b548725e238e1492faf02c636

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSYkwggU.bat

Filesize
4B

MD5
c1449ba6e3efa91f7da305e3ae4cb15e

SHA1
5a619abda39e6dd7909aa2f23bf762afef37a7d1

SHA256
021265c09eab6a1faa4b099a398daa3513ed84118cd75009e8a1a096a57583b3

SHA512
31c5dcbc4ecd18f7dcb4dfed769f0bc7108864c0640b2961c40f6df11a76f4986d76b81d53e7e1ff964799fd07b663286d8aa4b7fb3a8a37dceb7d7deb4df9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccoq.exe

Filesize
320KB

MD5
a39ab9153770095748584f01090cdcc6

SHA1
4a6c377e40360831f9bd2f1b6ace15a8c4250837

SHA256
6216030390746108fa8026757922a1e314820e9f043c7d4f86fe1c491a57b244

SHA512
13edda9ff404348ae8bc00b153828c37f050b6b0062866c517b210a5564a59f75d2d52cd24f51e92ebdda44f0c1c2c8bf6c6e6516a04dc1705ad29e2a240f1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccsY.exe

Filesize
230KB

MD5
86391c6e9275e2aebfa1effadd3a7c23

SHA1
0ce89dde3a8fa3ad5f11946efc3c24fd3cf5ad1d

SHA256
66fdfc4fbcbb2a2118f1b5b4c7233c969e30be2011f1a9898df7dac6841db981

SHA512
d231526c85e015294334650ba0c41060ea1bd3e0b4ce3c56ffbd09e216ed69c14365f9a0e0d7ddcfe748d9c175d682b29fecb624bc8915e0f305079859e24d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgkssoYU.bat

Filesize
4B

MD5
74a838dfa83726f36a2ae071805b2766

SHA1
3b4b853c6df15954ad13623d9df6db6dbcbf28f4

SHA256
d7007ae4191ffd23c95b907b1ea5de45cf03f161c73336831cf3f447634c20b2

SHA512
75b68ec36733b8246dfdc889db86cecc17ca4da6e36636e638bfd476da92ef650844df3ccd1515f07320a671e91e56d7df95386f4b12653a037a596a114eed33

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqQAYIEA.bat

Filesize
4B

MD5
d3ff3aeafda206f27d762c8d7cf78c49

SHA1
fdee87cc302464f545e6f1a715a4b99d942ac07c

SHA256
f28763d8407d6294364dca2e728e7ad22b414197cbf530b65b63fecb518fe71b

SHA512
a59cca6bcae9083fcad5c0b52e66092b27b5d294e8ea32a9d79e9eacaad4578fd80e426db4ba5c0be37eed8234cd08116ee7d341d86624e9ed9dfb0fb0acd9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csss.exe

Filesize
247KB

MD5
ec1b46cc587749b3b03234a9ae941653

SHA1
62eb0ab4d99d320fd58c3a4a986db2be2c5081ec

SHA256
149ea52ce2edb6cfbab356138ed294ca033f1f2f0b0214b9a490f45ce1a06bb6

SHA512
0cde07fd2b337db979d3a1f03491889dab0fd6377de38cc02def7e0cf6f0f447b4dce45e2c73d99cf4687d06da5ddfb38373e33cba1afb2f21228d8595b1be58

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwEW.exe

Filesize
237KB

MD5
c2ddeb8eda97762bc5dc8ba2bdcdb21d

SHA1
7e4cba4fa89e87497214055fc84ca37907baf048

SHA256
19d952fe7052140263efe9999f01ef1c6c03878bf9fc5cff57cabbe7b1ac1f51

SHA512
89a4f39741d1c17fc3e3fbe9b1f094c39c1163c638d2cc0b52e8fce18b170cb7b1ea8e1bef7b6cb75e5e165d7701b13948578b96652de0dea0b76a6d8c20a1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\eCkcwYQk.bat

Filesize
4B

MD5
9ef6deddc4389d08225eec6e5ef9a24f

SHA1
b59564f3ec8d57151ea539650b197bc20824d82c

SHA256
37a35f9595e1aaea15a9ea7b99e87d1e9ffdd8113cbbc3893b8426de2150749e

SHA512
6f4a59988ffe27c87555f4a41be8ea654003035c6cf4e0eb840d057c19ec9e119bfe207f4ad254d2f7b798bdc3091a97f6b454d72e83c4a02109aafebddfd6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gCAoIEYM.bat

Filesize
4B

MD5
942744ead65d6504202db96de8e944d8

SHA1
3cbdc1a65262edf34e3e19bad64554bba4581ffb

SHA256
6c34aec07981fabe0358e53a4c7274c54416b6987a49b58cebea5fbb06c89c72

SHA512
4f2e609b1d1397e3bd7cb45c45d6a95a0faef69a2ca8efd165ab4708c43a5bcbebc9eb7022c16d034cc3a72d6d1efdcfec1b7645332c11d1aea5fe624e1d178f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEAw.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIIC.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggYMIgsw.bat

Filesize
4B

MD5
7de4880b30e37ab2e21de9d662fb196d

SHA1
ed2f0d7daeb9117690f77f5584cabd78d6e116ad

SHA256
290ade203988a73515749edaf4a7b7a6fb0ccdc481c82423be1933e3975dd8ff

SHA512
d749cc911537a0b74d65a9df9adfcf635ee9ae08a11c683b8bb26d4323f50887832929d4eb0f2cd1bd5e06ae1aefb209c424fcab8b24265f0c36cbdcd7efc42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsgs.exe

Filesize
221KB

MD5
e313b7f137c2e137f3f86291377ddf81

SHA1
ec7e345917a4dcf261f60e1d1972a51288404b0b

SHA256
6591c4bab0f2f9ebc6633e4557a6d2ba7ae47e74bcfe12bb6561f0ca48336aec

SHA512
72378233ad2bf12c8040d05fe15cfdc4f2f9b6e948fc8d8f9eacf80c69bbe74c02b74ea3bf6f72a8584ad34825f56a5af4494e45aaa2d32db71f104097a4be9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsokgIoc.bat

Filesize
4B

MD5
656e56ce54bd72ba9ee1cf7cd34b9056

SHA1
7b15d8f641bfcafebb8b73bdda188e624ae26165

SHA256
f4f5c609c43e4d149c2078d60a7bb4d5427c936001311962aeeac44a4f826bac

SHA512
bfa8ef02c57e2ac1fa77d36fbcd0115c71405927dfa5e9d0b86debb05f3510b1e8bf775101c2b7d7a9a9b16f60d82ae092d704aee7f96f61c1b42aa80d3b201d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioAkckoM.bat

Filesize
4B

MD5
174dbb810ab1c6f53ce711a7e408fc1b

SHA1
3095965550216e02dfdd482b8490942176ed2376

SHA256
2a3e958e05c7ed966960100402c40db66797fd9527ac32f55ee5c05ad135eec4

SHA512
aed7902e65ffceb80b3b939d64f70e6a243e8923cbacc48d5a86b4d103d2a34442a8a37217efe381b0728563c77df04873085afb39b67ec6b07e3aebc32e228d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iswe.exe

Filesize
191KB

MD5
824dac7b4ed86c7dc3437a9bb9ea1d97

SHA1
0f06a387b090e4dbe9a7c8abb94bf642f1b2b4ea

SHA256
98920900f0ee7febc8245e2b793cef14a441eecaff4d7bfa7d99f0cbf8d93d49

SHA512
c541cb27fd6478025ed185a0496acd534419d3025fbe1a11d9b2120a7f45010df268a6f8f03400072c953af22bb2a295ce6d45489d689a8a150c5c23b32f0a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAwUUoso.bat

Filesize
4B

MD5
c620c257ff668ce52c9eb0942a391842

SHA1
69a619bd7b77fc26e5f3521a3262548d569b10a4

SHA256
4f8af80e95b7477d5fa0512d35f5b8d5fefe4d8baf7549f1fcb0073950623f3d

SHA512
612ec189971f2be2e356f6ff6f9678ff372efb64553f69777affa816325c629070824037189b2b90745fc6b0d00492b725ca71391e2df2ea623ef6ed90223644

Download Submit
C:\Users\Admin\AppData\Local\Temp\jScgosIA.bat

Filesize
4B

MD5
f1907446041921d2ba7f5f88d774377d

SHA1
25bbc98212baed5defce0765c504a0cc7d15f0c6

SHA256
5170cc4c0c6a47327a9752116a9be5bd7412597b494b2c00f5642fc778dad021

SHA512
7b859acbdfe5bff6924459b5117d7e8d7c03e9708ea65ec1d40ee347d361098ece7b4f7e044cb98d83e860d8a58c9c08c7eb40c1fbc0ee880fac1f3607ddb8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jSgsowUo.bat

Filesize
4B

MD5
e11720c9d7f20500b707020592469844

SHA1
00a7ba5d7856126fd3a308ef4d8e83430b59d3f3

SHA256
42e385459088c081ab61024028263412ef9f1742a47d5acced74e6194d6e3038

SHA512
b7ee82d148c847854187838e7887633264008560208a9fbefba260976ef76d3698e4e2d0a69e1bd93ae9fc657e044408524cf4acd0683aea30b0bceb07ccb564

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwcI.exe

Filesize
205KB

MD5
e0925e62c5e042814c124fba5f4ae4d3

SHA1
a1c228686ce6fd554b623d6b3791022ae018fc1e

SHA256
be20637c5c347ff61a536d8462fba97c8c2696c75fa03455b0a6f400ccaeb561

SHA512
999e519fc7557e493d9ef91a15f4f14408206c9bc7a8a3e65f057e1c6af95a397bdb95d50c2e6905caf221f241dde7fd5f9a35c1891a76db8212a9e2db783d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwwu.exe

Filesize
183KB

MD5
8a3c825b9e24b0d4162896fd0880b273

SHA1
b699f72c01e896073acae20254504106a78490f1

SHA256
226066394fd95573b3b47a9c62d9720c964a3e3cd750d2a3255258911db27add

SHA512
ecb7d0c23ab9dfc8ec84d33823e9fd048d6542ffc0ef51b0b1e75568bfa456773cd3423356a4cf8f583a062705707ef60760a1de56d066c4788fcff4f2ffd49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgwwYQIc.bat

Filesize
4B

MD5
1fa44d03960a391058404311895581f9

SHA1
c26d57c7e8fe49c7688a4e0d614a83d23594b57d

SHA256
23b1ffaf42c4b107c79b7ca20c7227b30419b52fbb934a5a0a4ea76ff32c5353

SHA512
271b07bf0270194398dea5cbc9eb2e4d6f40d6931bdaf267e2df8cbe308b0e3fe06badae4e619ff1dd644d338e0eeecaec738120ca5b710db1cc101ddc5cbfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgYu.exe

Filesize
209KB

MD5
9f74738f548daed940a8a4589cc5c0d3

SHA1
cebe63f52eace64c6ad541be12c9262a005a96bc

SHA256
f2350c7eeef753889058c025caaead2b428cacf71f3388c7bfa8230e7ecb2369

SHA512
4a6b59b9414c1ac1b884e4f6d9cd34991f4752db46509531793fe9016cfb2cb6f810c47ca7ccf48436381123470e58ae46bbe7e78c53fc8866784d43d870a8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mggkYscE.bat

Filesize
4B

MD5
ee72bb5d906d5ef3505d978edfb9b4bd

SHA1
01fb0887adbab5f66eb6d56e5715da37f3cb9027

SHA256
6bc7d60ede4a6204a43ebae5ee74fb4de6e21403c7630a5da226eaf3215ad047

SHA512
4d00d374bc825c8d155a51baeb4f372b88635fa21ec70d92bc82b9b8bb9048ab2bf3e8caf91c1a481eb6a4752f9c80863222f177766da78b81479af1e40ad7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mikYgsko.bat

Filesize
4B

MD5
68930db2d24d918b8effdc070781af6c

SHA1
9b71894c5c33e6179646ad5d15867a6de59fc7f7

SHA256
643bdf736f868b40135f938af9c71ef5cc2c92018b0cf7e93b827e381d54f5c0

SHA512
a643bc05691d9d6faeb583202df5c9470da4811fb8d910898b3c4384edf5860ee797eb2f8cb6b8ae2814b93c0ef5f20ddbe168d7f08a5cab4f6ae679ea447cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkss.exe

Filesize
652KB

MD5
ebb325e5b11b2cca7589574b6d0ec7d1

SHA1
378463846c5df296a5f2b0b596aa61cfd791002f

SHA256
fbea86de534ad5941eb6cff67f9137251167626bb911080bf5bca3a864eb450b

SHA512
021b2177f1b78a7dd1f416ee678a3e8414b8d591158c627f75ab49e54857c6e226afb0bfdb125068921878926697ff5e8fb3daea4b3e42075140c1844dc595c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmEEgYcw.bat

Filesize
4B

MD5
127c0d548693c16bd7d40f1d83ed46bb

SHA1
9b35fab93fab4ccdd7764dbe27d046b437982391

SHA256
da8dd5dbf55573519b5b9816f1754807d16f7ba5c17b90686641f473422abb1c

SHA512
5890c51eb6f0c076acd407fde68bf00e2c333a0a239d7554529355b20bac5446399baedb4dadfe40e4ac53ef55588437f260938d64fbb6b75a2500d9439bb9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqgYgMoM.bat

Filesize
4B

MD5
47458d105ea02e7554ba08185c21d2f3

SHA1
83e0c0ac178f086fbc09a5b01ab702612079c67f

SHA256
93b2c328e3f712f69537a61f17cfe666507e4afdfb37df9eedcbde8cc8b79aeb

SHA512
b55f9155f0898497763db575e7f9c9451e6f4a2d28b028b3022218b53f2906e01ad7145237aa7072a5f1477184dffa2e9d5a5c3b5a5246f2321a71ad1eb04ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\msoS.exe

Filesize
231KB

MD5
2ed9ad06aa441e563d3a8d5d6199ed0f

SHA1
b563126d0099d89ffefdcb1b9129cd4206f84e45

SHA256
718dbec19496283c6de26c998fbb444579dc97a217161b71d69847d3cbf68d32

SHA512
f65bc77d57dfdfcce67c0297fc052a45211ed7c8e1cecd2f20d8ca78519f8e009d53b3535a81d1878318681460b5a99db65ee6851a25ef3f592dd201445506d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\muswkAMg.bat

Filesize
4B

MD5
69b2a141a0059591a93057849bd22f9d

SHA1
00d39186eac874e82439f05412084a94c2c0bda4

SHA256
9d326e7127b1f14841ca40f6b1d9e89fc182386bbd5116f769113456a17b5dfc

SHA512
7d1aae39cdf13dd45656f303b6e351b0e27e34a4a10f78c9c95798d8f02ea8f744cad38aa118be840e6fd9b303eac0a3641a1e0e375d7735de7b1d64b3babfc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwQy.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIG.exe

Filesize
227KB

MD5
4022009a5c73c124f0486829fe96492b

SHA1
ff7cd1c340650f7a21f5471902bc335fce4b85f2

SHA256
73d3821d4ac57de8e3b60a11c110d38be244a6260fd1b2b92f7ee2786b2ce4c5

SHA512
ad1cb7fc8c01ae0983c9ac18ea58b3119b491b176fec1964e5b805c2932f58ca7c008a15bc03f6de17f0b86cbccd5962de7205f5203a2258a3533f6e8550bc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIUEQsw.bat

Filesize
4B

MD5
afdc15f22295ccd6e9b057927037d161

SHA1
c01a6aed6917dae2f74ac7fec9ed5cf3dbacf793

SHA256
0d15d53a6e930f3c51aa9241e1f16812f83258f221cd9d562f15681a1c04798e

SHA512
b5e8fa693287c2a9f95992ba76fbbf70c698f44c886fadddc3a054c52108a034c61cb576d47c76a0ebb65503a98b9d91229bceedd4fffd88aeb549d150e26a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oCMkAAsQ.bat

Filesize
4B

MD5
e356f0978094eb71d0304c1abff67ba6

SHA1
f15f9cd2d62177dc1263774b2571baeb9cd68f5b

SHA256
eced96322d096e56bd47e795658d8263ac57c95ffca98dc7359387992158f206

SHA512
172a2d903faf0d7bd08048cacefc161fd3daae213aae40a9b87a118e2fbc769026b3879c719def60d0b79efb07dde62516bf21984856a4593d0c964c35e8d6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQUY.exe

Filesize
234KB

MD5
c4799b5a728ee1d96cb714f972a8ae29

SHA1
795121f67a6cf90b3ba68153d9de20b3e51e17a3

SHA256
eab25b104e8b662cd683dce706a6321c4d84bda3e23134f5d48a0b8f44976a03

SHA512
f3f98ee171b3813ffe465e67a23b0148885b74c73134d2301f1aef071f7d648ab9f1a89f89ededfc074d48b8876158db78e232cff26a22c150088b38fe2796a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\okUM.exe

Filesize
1.0MB

MD5
46c54e8f38d2bab79a1c08b337e13f31

SHA1
5b6ee6fdac4d91c71f15d22c03ff8056bc953854

SHA256
53fb863ad866062d70bce93d2f5cd00b4e7d96e43c00a79e7d4411294abea8aa

SHA512
198705e7732db4b6f10191c724689d0d08c5f2c1d6e9e9ae75198ce5c5206779cc2adf0a38edf4eb37243bff6ebe81b96fb51081618d9c995fc3ec9a1ecbc232

Download Submit
C:\Users\Admin\AppData\Local\Temp\ookI.exe

Filesize
196KB

MD5
bd435ceba8b0beaac035dc51a1df7c1d

SHA1
5ca2919ce8968db2472cb76d219dbb173dbf9403

SHA256
f0fb58bcde0f8dcb1e70ed0e265c0bf7d53aed84142ad4e1089bd6d010b9c09f

SHA512
7d1e023679214f0a5d9646757c80818240878fc1d58767f3ec79e612720351e98974699d1627b7b2137cd24d4d03e2740b8e27a4e480717ef3a8baf3e55149ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\osIMIssI.bat

Filesize
4B

MD5
de81bfd86133310b2dd12cf68228b9ee

SHA1
65eff8cc356ec3e48890994756fff29d7e1b1ab5

SHA256
0cad7bc557b6fdb88486af1c759a9477d9f748abe9ad2df2cf4e9a3139b1cab0

SHA512
bd6e7a1f40029cc7d577c0ad8d40949544a90386082ad5d005a98c61c6868c4f3fbe40d1ebded61075843602b8e0a666f089d08282dc9cc8d2bd7164e81a28c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyUoYkEI.bat

Filesize
4B

MD5
3eb3f2576fabec2dbfe5ae6758cbdc00

SHA1
b81ed16c60a3c84566fd4879b8f7962037ef2d0b

SHA256
fffc15686c3c548d09f3f707d2e71deea8a737844454de0a2e5309e7e088ab7f

SHA512
25a29f8ac53240aabfffec45d3844dd75491d9fd99bb25bf2af16e34910710bf6ac5c709d9796d2bfb5d5c53531c66c4b8dd4fde8a8e212d5800d747bc4cb158

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAsC.exe

Filesize
327KB

MD5
aa5dcb087cb8b53f05344847c545b906

SHA1
4cb6d6d75d68c807951b037440a79daa2e4756a6

SHA256
a957c0a0da92288203366077ab654e3204cc30b89908d269e60e675bf03b7297

SHA512
edcf22e0876fec5ed581d37662630df5bd49e0e2aa672319ace4f67765cea586b067aa1ede53425aaa3b7a44c6a4363222f7472858d7123cc64d32d7b652a1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIgE.exe

Filesize
239KB

MD5
a255a5f2e6115af13de129d51bafbcc8

SHA1
6a0caf855d7a056eb826c213b24dc9c52971d836

SHA256
1264e226b2346a90e41247d413c72f03ca949679ff169c9f3dd4d49bf38f58c2

SHA512
f92a32f45a6cf073b85149f51e38a0c5a97c72bb15c14810318aed641c74ad047c5e1d7ad1b9931560d90dcca68dc8c1b457a7cff3ecb36b1e8664b3c856f763

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYa.exe

Filesize
208KB

MD5
5ffc0ca0c5c0abe4cfa6c691162a028f

SHA1
a92e1e5b6f06458ca6ef25c96c065bf7ee578917

SHA256
82f6c6be2c5ff988a4da130725d518b986e8fc72b6fecc6b9b06bfd2b518429e

SHA512
f41c7052409b244ca95f733f74ef35c422a7f463066f697aec9c8f86469c888172d50649056dff53d354b94b6947b060ddf29592274072b765be934043004983

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQogUkQo.bat

Filesize
4B

MD5
3e9a7c7805ba396fca77df09ea3874e3

SHA1
3cbf205b16e35242a072fdb09cb3f46de0796fba

SHA256
85923bb85eaf94952ae03f37f76f5d09711db500ef78a837e3013f5c27e650e0

SHA512
0f75df442cf5b0cb9504f9c958cde8b2f5123ecdba99d29ead5374ec658c40de937041fdeacecdb273b99b1cd09075224394d2a08cbcf63820ef842f2a617352

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYkK.exe

Filesize
205KB

MD5
e7d79c2e17689bbb5f18230948defe5e

SHA1
99a43e29febba32ac3b88e67d51856e88b06c476

SHA256
0c4a62e3fa068df44c9b55f3f1a2d00de24b697b533d119ce053c7e21a71bcb9

SHA512
fa14dd5615ba88abafb718163eac42ef90f6b759043e3d6c191f7e4dd0567aa3c00bb17c7fd65a559d64a42772b522e4eac2df5646c04a0d529d1fc47576ac26

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgQi.exe

Filesize
228KB

MD5
e04227592ad9c743372d88323983e388

SHA1
e653b43eb6dc94efe5609ff022a02f1198472411

SHA256
9f6cbbf6b133163e2a47870a288b00da8ceeb785798b57096c81382575cb3fc2

SHA512
6cb69cb510ffd018ff3d6c0048d857383032b64ad63db05d6abe2d2e78b2d07936a46b30e1a820acd461f3332f628808a04b1797e7a28956cbbf49e9ffaccc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgUM.exe

Filesize
641KB

MD5
f1f588ca814a49d00b7e2f82a5a22807

SHA1
938d1c611599313045e139a98e692b6220741648

SHA256
c43c62cf7deee7ba99d28d83c303224f84132dbdb8c0284d9faa088bce030ec3

SHA512
c9f3987e0193e961dad3439526b7d798184d0e6932ab7713dd36ba97d2653ea3b5b82a5bd244679ec4bfa582f06508f1fbb44f55298fe8e46284a51f6704a4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgsK.exe

Filesize
242KB

MD5
5156fa09e42806666cadbdb0227b859d

SHA1
de40c18c550d27f4a0a049dca385ab4463234800

SHA256
7f041cc4a859591c7ca07f856bbfe0042170548f864bd7f8f7d8743a7a8d858a

SHA512
db23cd242ba2370f44fc0dfaaefd20cdfd2418391df446c292cd0f1d01e2d8400e2e762ec8e14c106e866785b9eae2c6a5fb2e68803490af52be6c2153d8b548

Download Submit
C:\Users\Admin\AppData\Local\Temp\rSsYsgcI.bat

Filesize
4B

MD5
78ab1bcdddb133345a0a707a2336c7ba

SHA1
41518f1f74c281997b71cfb744ff650fed541a6a

SHA256
2baa3cd51033d975801df4672fbdca4b0bab2a6871f672e9ce12131e555f95dd

SHA512
4be7c43138ac6f5147478d910e19e4a9c36533eb47bc4af7eda381ebeeb346802b22e2402e223dfa581b0d9b614cf24ca25c68a4e6b84d9c2f06b28f18b9c02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMEEoMoA.bat

Filesize
4B

MD5
334a3b63c1a1dfde0b4e1a0c8670ef64

SHA1
94fdc71f4cadb048c46e4ccb19017f99fd3b89e0

SHA256
693b6db871f06dae25d551742f5b1f644b300a02a063d5b9e9a18e550635a818

SHA512
5e5b305dc9e670ebbc110fbb1e2e1a6fe848eb3781c79f94d59025c81dc66ef46455fcf344b80a4e7ff87982011df5b1d0136e750342bbefe54df41dc38cf19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgEMMYEA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgQK.exe

Filesize
656KB

MD5
abaa3189c9d9927710136fe1ddcc609b

SHA1
dd313472773a5484a1d5efe951d8d47a9557e19e

SHA256
91e4e5d2483d695d15af97da31413e8e3a0e9e4ef443c120476f3ddf27b6c9a8

SHA512
a7f10cc87a5e02e46dc4c23858327463c206fed05a28a8862779ae1bd2aded36f9b94183bf6a61547eaae5eb0c96b4d41c8e7c2ddad78ba22895548437949aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\skMAosUo.bat

Filesize
4B

MD5
d2bd9280dc26dd91f70ebe6ce92dac15

SHA1
f6c623275df678880973885ece294c2fd8fd5c69

SHA256
e209e8b5fc24692ae399f9b924d3a6c236939fee4472ac55fdccfb1d5d132995

SHA512
9bf1720c41f2752a508aee5a489d44758f3dc83f53c0e5eb8904081e6650c733456175e2deb4907874b795f04d08b6e1f93e6175a151b2a3cfd9f17bfcbbe150

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMMI.exe

Filesize
247KB

MD5
6e2cfef03be15357cd6692a38383cea3

SHA1
16f78555ad8ec75ff669b3649ebc953aa031786b

SHA256
63d3a6d8144be71ae0acd770cc16ffa608bfcbfe9b9e206b1fa7cea8f9ce9df5

SHA512
b86c7cd98e4a6b45eb8e0f6ac492d569023c350b34792f0e81326f81ff83e4964a9d5f070a4647d2120983db7f768fd3c2f7c0b745f4c653fa3f520fb3bf70dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUEM.exe

Filesize
244KB

MD5
a2c44621a135c18385010e4d453a27a3

SHA1
e6df01a00942770272148ff83e3559f9348dd3c9

SHA256
8c92849e18df018527caaae1f26a22db79781aea1e2e0c69958b444536f5b6b3

SHA512
e07a2d5ac814d95fe1630ac313f9095939a25975f42fae11c1ec349121e0115bc7cd6490a8caa26b04824c8df6ffb3f281453243fe0c195f181e1329961870fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uosI.exe

Filesize
234KB

MD5
017b0023c20b47b9804c026c3b442093

SHA1
dc6c51e889759428873738a39065b7b020de96c4

SHA256
b22545ebe1a3f12dd717646ee0eb8e6c67f16d652d54bf313d5de19c20e1cba4

SHA512
96ae386ed17a591456f7481a83959f8bc712365f1856b29fb4889d5f16b22e6809d48773a44e2e87fb32f9a2618e2095956b63e0153284c7be50ff983b8c63aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vWgkkIYg.bat

Filesize
4B

MD5
0524ec22995794dfcf6ea9b20f3149d8

SHA1
40bcece548fa9252f2f33c8734cc92ca82e0c115

SHA256
4eaf7884481ffbe64d90ef3c930c9d1692c80e142a0404ad93b1c24fea59b0a6

SHA512
6c4667479806143ea9fc17b0ef4f7f83f1f5e8473c4ee76bdbcc4a436ee3430fea916051dbea0f097776bad7f57823d6c7e1e246f2b596974b0565766062e481

Download Submit
C:\Users\Admin\AppData\Local\Temp\voEokYEE.bat

Filesize
4B

MD5
595fee354b741ce5c1b998ba268fd2ae

SHA1
6c2bd5dd8d6e258bc5a3fc914e5169da2400ff73

SHA256
90b531a93f9b72caffaaf4608581f39df8b7332070001041d7d955f58bf5a418

SHA512
94ed6ed53a52d308754b44a86661ee36becaa75af9b293b0a9c87206bc4e582161312f829ffb3890f823e7eb0176815ae5a6189628501493db87045ecd45d32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAMI.exe

Filesize
219KB

MD5
63a314e3d347357530c55ca3d050bd01

SHA1
7744cca016105bb2b4898d4f8b2c04b86812cef6

SHA256
9f23aa96c11d9966cc61d74b550b9fc6ba1927fc83ad76c72934f8bb9f0d786b

SHA512
c197ebb824908886848dc430de2a232a8aeafb9ab2511b3d587920fc344a27dafc7365dd249beb4c7fb03f677b380b99d8e577917436b6caf31dc6bc3c5f6473

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYA.exe

Filesize
190KB

MD5
9f102cfa82257668628115852b74afd1

SHA1
ac7df0afc41d5b308d83b12f67560d749abd6d55

SHA256
11fe2dc94f31ff5685f2253f52c262d9820bb5b519938ca51ad77851cb33134a

SHA512
c835114fd4e173292f79c433802dfee0f99293eec59aea8e36d8d5995f478bc4a335831d339e492541525d47240456c0ac883b559dd7933ee70da1e590120184

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIoa.exe

Filesize
237KB

MD5
2f4361c2dab70d514311c2d26734440b

SHA1
17dbe4fb55e83877ae4171d69eb35376625e0bb5

SHA256
d7c3c3ea01b37acd13453c7e9dd19b4256468540cd048e863f9502744a0d5a3c

SHA512
c21cbafc94b42d83ea586a2e0f7b5d8a73d81545d3ff39ec05ccfeb9577c01b8d63500ffd7d8d48408b13bcbb7b34a08213fad24e5893b2cf84c8bd26c983844

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcUw.exe

Filesize
227KB

MD5
4c721332077ec2e4bebcc60d700c9ed9

SHA1
2d767329e0ac445e4a482270a61f8ff5c1d2ef8d

SHA256
f2cad8e7e7cd986eef3736e7d87f3e787318cbbbb9abf8bb7049bcbd75403ea4

SHA512
de28d6d95bc9e308f9cdb074845edfa200c18e1250144307f3010ec91a950a662fd36d9c254bf71d277dcb6a850448a4c1e8e534356d5c1af642729ea53ff77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wowA.exe

Filesize
240KB

MD5
01f944d9f74535e05bcc5ee1fd1bcb24

SHA1
3427d9cda1a71ba2b18737af2c9ab4ce2b66dc2a

SHA256
7f9a8948a914e53a952af6f7fe5a871540111798c226e6b67acc2fb53cfe01c7

SHA512
fdfa1be13ad5c914cf4cb291314fa8d067f813b1f959b6b50bdcea68392788663b349e947fafbb22cad2140033961d8ac467cc994acd2ff5efebb55a051be931

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuowscAM.bat

Filesize
4B

MD5
877d874cfbf6bcf867a9464f5e16ba1b

SHA1
3ae167367fda930f9d4fb3fa13305dd9a9526f57

SHA256
ce800921736197d5bb30792a978f3673408357a2c76e309806e3895c5284cf07

SHA512
5a0ff15b324bf724587ad79c3ec4e8fc8e223025f9fffaea2b8b77ec9d7c8f52d162127bb262842cf55cdf05db1c000cca822bc4e6c995a0e85b9db20b4ae575

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEYg.exe

Filesize
1.2MB

MD5
1c73e100ad96a48c22828ab63206157a

SHA1
3051095959b528312a92e8ce9be63629653b5c53

SHA256
d85d6779ea6510c80d226746181ac6c6b1471fd715d09ec5eec2020b48692dbc

SHA512
58f73b0a44533baa312cb745e636fbed410b681948f5b411426e2a6be6cac873fda15dd675a9aa40021463211e635f11149de1568c4780339f75b46546aa0a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycwO.exe

Filesize
246KB

MD5
97abf2740646b9f6da9551222dd9e7be

SHA1
5fbf79161f71c0671c6c5f34a351b9603901fd2f

SHA256
b9c099be2c9b87c410399aa248a3dd149123d1e81098a761cae6e840abea732d

SHA512
6954a129d5036271891af7eca5bbe78f380f760cff9934cf48f429eaaeee9f5790e262b7c01dc29ab383c1a609dfc61ade6e384080a91c618937966007237825

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygce.exe

Filesize
227KB

MD5
25bb70123336d2ccdd4bc719cbea009c

SHA1
d7ed7831d32a1e1ae6fe6ae1c75951b090e09f5c

SHA256
612fdd03348258dba48296f7d01b96bc3f14daffb72d5ba0d3a381084a521488

SHA512
b8271978bdd9b27710a6f5c28492396c941fa1f0c530af15b3f85311afd43507c675e99c1f4ede9b00f734b4457db95befa32b44b7be58c53d7012699a14ac84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykwm.exe

Filesize
234KB

MD5
5cd53ddfed2dbb9e0cf52287e9cc60f7

SHA1
b45cda7edfea054d1961436e3623019ffaa937c7

SHA256
1db133348b18001eb7d5144c5653883c09e651230614c3f0d1b054253a7f6e06

SHA512
28d7437f8ca434c507afc4fa4aab30e5f9818db947ca9ceea6add98c6c99aca52419f24a0a6ef186e4155f156e42504aa1235c9304f272f3c50d83bee8110366

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysUC.exe

Filesize
241KB

MD5
6a6f29dd994ae152e6d692fa67cbc88a

SHA1
8d4d5b9db873c4f5dd0fcc6359fc77ae9afdfb04

SHA256
e475e7b7f13c39741fa31e87fe85d43ed849140051c297ba4f1da9b207965064

SHA512
095e758b607e3731b2f01583405d51d21cb64addcdbd05b201ff972ad03482b5c280f649d4f92c5862daf654c587b45bdf6ce09fe88d02327de1893a3d3d4441

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaEkwsMk.bat

Filesize
4B

MD5
e555c0071c4d425cb6ef73d867947a99

SHA1
1a0a3fc65fc4d8015a75308e72cd56c2f184d61c

SHA256
4d0449baab735b9adf0a74e53a244a7ff09ecafcfcb9a6f90c598897d4f35609

SHA512
d2fe83ff1ff72e0178e9c76105118cee2c5cda3da9fbcc1cc6b6156eb2934ebd64c52cdd55ad71ecd96c33680801980d650271a6f337bf7aae04e6b84c926133

Download Submit
C:\Users\Admin\AppData\Roaming\StartPush.jpg.exe

Filesize
1.5MB

MD5
57559cb116fb64e092b6e680cd463c1a

SHA1
7cdaa7a029cdadbba28b1a14cb99eb20ea339586

SHA256
9d52965590d28c7c22cc51af8c5a7572c2b1ac1d92a0985834494f4668575f1a

SHA512
9def172849e77753fa1268a0ba7dbd469d15db06a043a1453f5a559163f1defe25d87a90e73e00dd629ffe1fd806a5ea82076b1a01ea8f740840026b31ed49b6

Download Submit
C:\Users\Admin\Desktop\FormatHide.jpg.exe

Filesize
777KB

MD5
1a8fd6e2e25ec1c12c31593deb447fa3

SHA1
b0672c90e14071503b0d55829062d485fdee4671

SHA256
403eacd05829799b98c0579811f3de6b7bfe3cb973fa9790f098beab4e899faa

SHA512
7a1bd35621d4846a7cadffb6504e631bb539eed66da3811b9b0fcd26bf3e9f89b39ac987625f2ca6d76f2dd10bdf61cd3b54d84f9d6df1ddea185acc899a8d09

Download Submit
C:\Users\Admin\Desktop\ResumeConfirm.gif.exe

Filesize
858KB

MD5
b96a5e0f110a9322ae428e1256ce1011

SHA1
4b321a6f56a588d77850c2917580b28eab05839d

SHA256
ac7d9186408f302c8ecc88c983313598f2451f12379c07c034ce5254fa80ece2

SHA512
68e0e05f7fe04ac1141946e2c490627103ac037c6e986e60c37a1961cc10970329b0c2293aa60c5ef000cdb5cccbf461c41c5e907a5667fd62750fb49c176d5a

Download Submit
C:\Users\Admin\Documents\OutNew.pdf.exe

Filesize
1.5MB

MD5
fd02d5afaf55eceeeff9ddc0f7bcd8bb

SHA1
8422b1a0961b5b5dde69cbbb9902aa471abf6824

SHA256
707cefb7a68734ee8a864ccaf60fee29ac082c2e5d3c94413acf2da163664b77

SHA512
fb9b2022e2dfda17ac03ed7480e9f809aa4351dab3b75db66e3508a39860bf41b7c61ae0792a81ea12afd96598361f60dace229591d154038eda4a3b50895dea

Download Submit
C:\Users\Admin\Documents\ResetCompare.doc.exe

Filesize
608KB

MD5
e97ca5aabc4a977223b123eecf9fba14

SHA1
be9b88001a4a911507a5128c2da1485961f81df6

SHA256
b437da4d2de75a77fecc2245831dca50d1a678793a7eaea1147255c8a07dc594

SHA512
aae7158f2da0341d4b3269fdeec64cc01b859399a437f9bd753e3d95b72714de5d78976b8f4a0cfdcb2b62676cfbb369fcc3c58d8a81d5bdc5c6ea1d6a90b4f7

Download Submit
C:\Users\Admin\Downloads\ConnectSave.exe

Filesize
1.4MB

MD5
58134e6293712e6da795335bf36e987c

SHA1
cf78182746689eaef2ddc32c58b5bdc90d55a5b3

SHA256
0c410209ebb6dee450604db36d3a3b2bb1e4a2ef85ca5cb99fe5e923ae096c55

SHA512
cbdc9f91eb4b761336b88636362bd5cfa57e43978b2d8e2a64b20b7e04582d69dcb47e1995ef93bb9ac95b0076e670b39857a2f6a08db64d16f6bd903dbf88a2

Download Submit
C:\Users\Admin\Downloads\UnprotectTrace.bmp.exe

Filesize
1.3MB

MD5
8afd312cbd7419ee06553739e99921c2

SHA1
bc77147e8d60bce0ee56a11fc0bf2e03e0aad0a3

SHA256
b98b07910e8795c75ccf064e6ef4dde0cd20f55635c9afedac1cdf5f8387fb66

SHA512
86b7c38539d6ca110a832504aa1483ffccbaa14428514c4e9dee5f840872b0fd64ce88389600a291e639f002a83460dc1018b168cda172bba7440a20e96db143

Download Submit
C:\Users\Admin\Music\ConvertFromClose.mp3.exe

Filesize
366KB

MD5
f95491f92d1f796cfa00e51e2c3b4aec

SHA1
f43aa39742699f619df7f468b5907efc0bc81bd2

SHA256
ea3ef057c531938e6f400fa93d13ca8bb35aec843632c9a71a9272adb3102287

SHA512
79f6c89dfb321e2cf7bfcbff8aa5832c9093c56bf26afa6e22e61012fcc8ed455009cf28726406a845b6e25680c3d53d5df617070bd12ffe531dcb4b902636b5

Download Submit
C:\Users\Admin\Music\ImportReset.png.exe

Filesize
572KB

MD5
5919b9284ef846f6541c4c479b3488c7

SHA1
53ab705a82c6f3153f7b460fc223cf3283847dc8

SHA256
88ac2c01b89e1392931ab152cefe99b33c8c500a7a44060a274fde718dff33ba

SHA512
1b79a13b64b21fc76f5ac6edd0a84d28b525b9ccbc73d0994ebec205e52bc9ffaca2868433c30f4514b64372c3c4104dac26fdf522862a641aa0a0f4768256e6

Download Submit
C:\Users\Admin\Music\RegisterConvert.xls.exe

Filesize
511KB

MD5
b38147c1b0988f018e51d19c98962795

SHA1
1724785e0f949171345440bf35528dcbb1296363

SHA256
746055a1f72cb99b08b751212b0377fdf5b9e0bbca0834e4a81182a8ab89be9b

SHA512
38e44136d2758db6382623af8af64d1ad0cdec5d45ebc4dcaced6de9b274cdccc8ff4073b3300135d220d752795a77363827b7ddc0cdcecd941269456cf6c900

Download Submit
C:\Users\Admin\Music\UseSearch.pdf.exe

Filesize
404KB

MD5
28f9c91e5166a9a030e16ed6a8608016

SHA1
ef76f36a84335750358b70fd4425abb62868768c

SHA256
6caee35a8ecdb84ddc556ec83ec25cfda86b4a54868e8a7cb47ea6de970ae53a

SHA512
4e9df60b66b6a324b580518c5cd74549b90c4d840e12e35b42399cf93f89564448c393bb9c54d871651aa7d5d26bfbb21b8e6e283ff8a138213eec093bb4fdb8

Download Submit
C:\Users\Admin\Pictures\MeasureUnblock.bmp.exe

Filesize
777KB

MD5
74c7bdfe13febc069c529506a61378af

SHA1
1ae96b71a178dfbd9d809a182d5b2a57a54cb4f8

SHA256
0746ace58fc69099ff23a2a29ce7ba4636710507beebbf44a3f83cd9b7fd24bd

SHA512
ff676b541ed8e500d6f6d300bd7d914ca9224fb1848eee0c78f07b5d5e6da15a2166d6d88c4cfdf6acad11350f17aa1743b6debc83c13f3a2ab8265cd3a6c97c

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
227KB

MD5
8bb41a776adf39beed35a5e7c5d47c3c

SHA1
18683acad09465fb41e5e7c9bb6a45b0ab165e3b

SHA256
b0a03e2e20da388d78c3993e1edac6e45d0fe8de4e1b6148c2e33dc8e6da18a1

SHA512
5dac471702c18619a03dec3bd104fe58f4f33a21daff5d770bb550ad8c31fb3b51191045bf2ae7067c8063690d61bfd6b2f77bd38d724bfc631c0b294f5cb356

Download Submit
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

Filesize
8.2MB

MD5
7cb82797a1f7137d418033492a89f7bc

SHA1
fa547ad66e0c873848a865f5b22b9f03462d825b

SHA256
ca10ac22a0288722ef07e0cd6a49f1ba8095c40262e2d747aab04810e3a17698

SHA512
ceceaccfb7aaaef72c1577b87d0df15d3508d446a78acd462665beafc1c19c9e863c1ea0b367057f092fe39689c947625ee1e49779efc1733f1c4f021d9a508d

Download Submit
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

Filesize
4.1MB

MD5
474300b1d98b5c859075fe9b91ff5bfd

SHA1
de56ea2fb31e5636afb0a30e2baf31d5942a6379

SHA256
4b6ccc9b785c31c5ec1c025a025603a6bccb97e0653c7f9baff8b8a7be99485b

SHA512
6015373ad10f9bbc46bdddb7c1133784e1b477e8b1e1952f50176b464d5d204bb920dd2927cc153507c9f0f24142e0f873faed9bf98aa2fb7b0917520b72ef56

Download Submit
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

Filesize
4.8MB

MD5
24c1144bdbe501a16a220fac55d42195

SHA1
34cc328a6c4c1619435ee23b238dfab0332199eb

SHA256
de4967438a3b1a5533f43860bed1525ef1a9e8f742b7bc2ca16404ad843a4194

SHA512
da4c463d816b3d86b2925d180d5e3f20080ef76226b6878b1bce33083377ead63c0663490a9d23a23d39c55e7393135b168cdff679153d1c102d6069751614a0

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

Filesize
958KB

MD5
c655c1cbdb11286722b8a515974d236b

SHA1
5489ea9d34fa8f8907bbebaa3398555a13f5ffa1

SHA256
c96b54ec9eba44178e4b465ce4196f817d7244c307551ffbe2b03159bf3e82ad

SHA512
c4df3acbbc3204ef7ec60b06b133c64afe192f00e9f419ed70fe9dac391820eaac6fb85204735cd77dc79eb842414e8ed5652a6c608de6a71f64d4946f80c946

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

Filesize
742KB

MD5
2531590353c48e4c2fa31d44ddd5f724

SHA1
bf6c02642272ba99570e765fbb054c943c6a420b

SHA256
9c084be35dbb1aa4422dfae52573f28865d3811bdf165ce29057e693e89217dd

SHA512
dc43cb4794c07b7f0e2517ae651e0b26040e3efdc84d0ded5846692815e3c51ccb49754625fcd258170a5fe9fa550a9d43bfa63accc3f991054476b9963dd994

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

Filesize
960KB

MD5
6548ee956e688c22bf04daa1091bf39b

SHA1
9765587e27d42d1e3f741a148d7578205b5b1d10

SHA256
dab5610f623863fb7df9129f5163dfe9bece13b2bcd626ecf3cbaa3008addd0b

SHA512
7caee4bf183046e8067f16afe2487b5c15548e0f899d58c8feb97e9cc436c6210c4936ea1c9e38a266287866461f170ec44dd83e67f9c377210af3ccdf97becb

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

Filesize
791KB

MD5
a229c6cb1618e975f9b6b9fcf22ba574

SHA1
6ca057be33360300207bbc95f75b3fdb4b7ccaee

SHA256
dab10e28c4a7ffc27bb44073d8c89d5bd3e7713818d3050f16b0a5b0b8dcfb29

SHA512
19ed998bf687919733718ede2608b14e1a58713d67de0d67b371c84c5f52fb8dab4269096daa4251b458e89f86ef23466db09b7ff32152f63f34759e0d43ab1d

Download Submit
\ProgramData\tQsEoYYk\WcgswAcU.exe

Filesize
199KB

MD5
4cbdff0b77556a9a9f0c8113059d0cf0

SHA1
4e0a279e60b394945eecab219d998b53143d2a2a

SHA256
bd1ffb31ef95a156ad3deaca459d04bcfb6ab825e86e4356334b12f100b4b47e

SHA512
f2fd5d97fbd40376c21c4bd135439c0a194405edb7c1961247acd293b087c4f7748ce881d76699a0690cef7ec2ccc7eaef8a628e1797e17d292fe7e80a4661b1

Download Submit
\Users\Admin\LoosQAoY\FOgMAUko.exe

Filesize
184KB

MD5
78ba438a15b263e82e6362310c4f05a6

SHA1
17f3ebb96a6e488e2ee4afc36ec0378a3a7bd6be

SHA256
61bf4400a0f117aee282a0405757bfa8478ebb3c75af99276d0eb262ec0d4078

SHA512
f758fbeaf374021be5495ff813bf9ef90f4a2aa1830b543a5e0e6536ddae38c6cfe13aa4f8f35fedf75171dd00dc6a127c0896dd7d1ab84f8d8a6b0839334fe0

Download Submit
memory/296-661-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/296-628-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/296-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/296-491-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/340-354-0x0000000000110000-0x0000000000146000-memory.dmp

Filesize
216KB

Download
memory/340-355-0x0000000000110000-0x0000000000146000-memory.dmp

Filesize
216KB

Download
memory/600-238-0x0000000000170000-0x00000000001A6000-memory.dmp

Filesize
216KB

Download
memory/600-239-0x0000000000170000-0x00000000001A6000-memory.dmp

Filesize
216KB

Download
memory/680-490-0x0000000000170000-0x00000000001A6000-memory.dmp

Filesize
216KB

Download
memory/740-589-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/740-617-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/796-806-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1032-409-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1048-159-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1048-787-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1048-815-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1108-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1108-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1304-724-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/1320-270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1320-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-530-0x0000000000140000-0x0000000000176000-memory.dmp

Filesize
216KB

Download
memory/1516-470-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/1516-638-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1584-540-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1604-825-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1652-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1652-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-150-0x0000000000370000-0x00000000003A6000-memory.dmp

Filesize
216KB

Download
memory/1764-558-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1764-531-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-627-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2012-754-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2020-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2020-114-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2036-786-0x0000000002280000-0x00000000022B6000-memory.dmp

Filesize
216KB

Download
memory/2036-785-0x0000000002280000-0x00000000022B6000-memory.dmp

Filesize
216KB

Download
memory/2124-500-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2152-796-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2152-764-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-629-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-20-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/2232-4-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/2232-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2236-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2332-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2332-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2368-744-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2368-743-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2372-399-0x0000000000410000-0x0000000000446000-memory.dmp

Filesize
216KB

Download
memory/2380-773-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2380-745-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2380-386-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2380-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2388-425-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/2388-599-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2388-424-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/2392-56-0x0000000002280000-0x00000000022B6000-memory.dmp

Filesize
216KB

Download
memory/2392-57-0x0000000002280000-0x00000000022B6000-memory.dmp

Filesize
216KB

Download
memory/2396-365-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2416-104-0x0000000000180000-0x00000000001B6000-memory.dmp

Filesize
216KB

Download
memory/2416-103-0x0000000000180000-0x00000000001B6000-memory.dmp

Filesize
216KB

Download
memory/2420-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2496-640-0x00000000773B0000-0x00000000774AA000-memory.dmp

Filesize
1000KB

Download
memory/2556-577-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2648-651-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-193-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2656-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2660-283-0x00000000001A0000-0x00000000001D6000-memory.dmp

Filesize
216KB

Download
memory/2676-32-0x0000000000160000-0x0000000000196000-memory.dmp

Filesize
216KB

Download
memory/2704-307-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-733-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-341-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2716-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-588-0x0000000000210000-0x0000000000246000-memory.dmp

Filesize
216KB

Download
memory/2756-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-652-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-680-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-67-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-650-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2832-426-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2832-457-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-714-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2864-705-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-306-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/2948-80-0x00000000001E0000-0x0000000000216000-memory.dmp

Filesize
216KB

Download
memory/2956-332-0x0000000000320000-0x0000000000356000-memory.dmp

Filesize
216KB

Download
memory/2956-331-0x0000000000320000-0x0000000000356000-memory.dmp

Filesize
216KB

Download
memory/2968-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-568-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-202-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download