cbf90b656abb4199a0f4cfa4b8fc538202540d9b672e7ea5ac9975ae51884b0d

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Size

192KB
MD5

4deb641355a2ced75885248619e7e7c8
SHA1

fe46b1856c51e85ddcb128235085c3b2bd0a0f51
SHA256

cbf90b656abb4199a0f4cfa4b8fc538202540d9b672e7ea5ac9975ae51884b0d
SHA512

e7632732617e8664dc3fd05ee12fad0e258507468b1455007a8bf99f3e0494a1e0681bb6e04254c8da2338c8998cde919c0343fdb4caf14fb569fd5f3afd7991
SSDEEP

3072:PCvM7zZ8k5E8CenK4tYLt65rU3eF5qaNkQbbAppxVh:ppcrR65YObqvQSpxv

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (63) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

QgUsAAgM.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation QgUsAAgM.exe
Executes dropped EXE 2 IoCs

Processes:

QgUsAAgM.exeyYEkcEAo.exe

pid process

1988 QgUsAAgM.exe
1736 yYEkcEAo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	QgUsAAgM.exe

Loads dropped DLL 20 IoCs

Processes:

2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exeQgUsAAgM.exe

pid	process
2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

yYEkcEAo.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exeQgUsAAgM.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yYEkcEAo.exe = "C:\\ProgramData\\VQYMAgUA\\yYEkcEAo.exe"	yYEkcEAo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\QgUsAAgM.exe = "C:\\Users\\Admin\\hYUEwMUw\\QgUsAAgM.exe"	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yYEkcEAo.exe = "C:\\ProgramData\\VQYMAgUA\\yYEkcEAo.exe"	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\QgUsAAgM.exe = "C:\\Users\\Admin\\hYUEwMUw\\QgUsAAgM.exe"	QgUsAAgM.exe

Drops file in Windows directory 1 IoCs

Processes:

QgUsAAgM.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico QgUsAAgM.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	QgUsAAgM.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exereg.exereg.execscript.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.execmd.execscript.execmd.exereg.exereg.exereg.execmd.execmd.exereg.execmd.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.exereg.execscript.exereg.execmd.exereg.execmd.exereg.execmd.exereg.execscript.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.execmd.exereg.exereg.exereg.exereg.exereg.execscript.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execscript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2500	reg.exe
2852	reg.exe
2664	reg.exe
1504	reg.exe
1564	reg.exe
1768	reg.exe
2428	reg.exe
1932	reg.exe
556	reg.exe
1304	reg.exe
1664	reg.exe
1128	reg.exe
2724	reg.exe
1776	reg.exe
2360	reg.exe
676	reg.exe
1212	reg.exe
316	reg.exe
2724	reg.exe
1796	reg.exe
488	reg.exe
1028	reg.exe
2304	reg.exe
1832	reg.exe
1472	reg.exe
2748	reg.exe
1100	reg.exe
1620	reg.exe
680	reg.exe
2704	reg.exe
828	reg.exe
2520	reg.exe
2256	reg.exe
3048	reg.exe
1692	reg.exe
2824	reg.exe
2128	reg.exe
1584	reg.exe
536	reg.exe
2240	reg.exe
1028	reg.exe
684	reg.exe
2796	reg.exe
3032	reg.exe
1588	reg.exe
2696	reg.exe
2004	reg.exe
2820	reg.exe
1112	reg.exe
2368	reg.exe
2528	reg.exe
2864	reg.exe
2336	reg.exe
2304	reg.exe
684	reg.exe
2760	reg.exe
568	reg.exe
308	reg.exe
1504	reg.exe
2528	reg.exe
2132	reg.exe
2516	reg.exe
1408	reg.exe
1664	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe

pid	process
2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2084	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2084	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1012	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1012	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2192	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2192	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2116	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2116	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1588	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1588	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2732	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2732	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2692	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2692	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
656	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
656	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2568	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2568	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1828	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1828	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1252	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1252	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2336	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2336	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
768	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
768	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2976	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2976	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2756	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2756	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2188	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2188	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2528	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2528	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2724	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2724	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2920	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2920	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
644	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
644	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2480	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2480	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1052	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1052	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2420	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2420	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1472	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1472	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1924	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1924	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2980	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2980	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3068	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3068	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3036	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3036	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2728	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2728	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2432	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2432	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

QgUsAAgM.exe

pid process

1988 QgUsAAgM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

QgUsAAgM.exe

pid	process
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe
1988	QgUsAAgM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.execmd.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.execmd.exe

description	pid	process	target process
PID 2132 wrote to memory of 1988	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	QgUsAAgM.exe
PID 2132 wrote to memory of 1988	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	QgUsAAgM.exe
PID 2132 wrote to memory of 1988	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	QgUsAAgM.exe
PID 2132 wrote to memory of 1988	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	QgUsAAgM.exe
PID 2132 wrote to memory of 1736	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	yYEkcEAo.exe
PID 2132 wrote to memory of 1736	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	yYEkcEAo.exe
PID 2132 wrote to memory of 1736	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	yYEkcEAo.exe
PID 2132 wrote to memory of 1736	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	yYEkcEAo.exe
PID 2132 wrote to memory of 2480	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2132 wrote to memory of 2480	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2132 wrote to memory of 2480	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2132 wrote to memory of 2480	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2132 wrote to memory of 2724	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2132 wrote to memory of 2724	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2132 wrote to memory of 2724	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2132 wrote to memory of 2724	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2132 wrote to memory of 2732	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2132 wrote to memory of 2732	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2132 wrote to memory of 2732	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2132 wrote to memory of 2732	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2480 wrote to memory of 2872	2480	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 2480 wrote to memory of 2872	2480	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 2480 wrote to memory of 2872	2480	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 2480 wrote to memory of 2872	2480	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 2132 wrote to memory of 2836	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2132 wrote to memory of 2836	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2132 wrote to memory of 2836	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2132 wrote to memory of 2836	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2132 wrote to memory of 3060	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2132 wrote to memory of 3060	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2132 wrote to memory of 3060	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2132 wrote to memory of 3060	2132	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 3060 wrote to memory of 2696	3060	cmd.exe	cscript.exe
PID 3060 wrote to memory of 2696	3060	cmd.exe	cscript.exe
PID 3060 wrote to memory of 2696	3060	cmd.exe	cscript.exe
PID 3060 wrote to memory of 2696	3060	cmd.exe	cscript.exe
PID 2872 wrote to memory of 1244	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2872 wrote to memory of 1244	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2872 wrote to memory of 1244	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2872 wrote to memory of 1244	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 1244 wrote to memory of 2084	1244	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 1244 wrote to memory of 2084	1244	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 1244 wrote to memory of 2084	1244	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 1244 wrote to memory of 2084	1244	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 2872 wrote to memory of 1472	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2872 wrote to memory of 1472	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2872 wrote to memory of 1472	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2872 wrote to memory of 1472	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2872 wrote to memory of 2772	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2872 wrote to memory of 2772	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2872 wrote to memory of 2772	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2872 wrote to memory of 2772	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2872 wrote to memory of 1560	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2872 wrote to memory of 1560	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2872 wrote to memory of 1560	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2872 wrote to memory of 1560	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 2872 wrote to memory of 2936	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2872 wrote to memory of 2936	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2872 wrote to memory of 2936	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2872 wrote to memory of 2936	2872	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2936 wrote to memory of 2816	2936	cmd.exe	cscript.exe
PID 2936 wrote to memory of 2816	2936	cmd.exe	cscript.exe
PID 2936 wrote to memory of 2816	2936	cmd.exe	cscript.exe
PID 2936 wrote to memory of 2816	2936	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\hYUEwMUw\QgUsAAgM.exe
  "C:\Users\Admin\hYUEwMUw\QgUsAAgM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1988
- C:\ProgramData\VQYMAgUA\yYEkcEAo.exe
  "C:\ProgramData\VQYMAgUA\yYEkcEAo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        6⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        8⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        10⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        12⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        14⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        16⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        18⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        20⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        22⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        24⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        26⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        28⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        30⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        32⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        36⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        38⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        42⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        46⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        48⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        49⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        50⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        52⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        53⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        54⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        56⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        58⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        60⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        62⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        64⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        65⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        66⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        67⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        68⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        69⤵
        
        PID:504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        70⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        71⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        72⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        73⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        74⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        75⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        76⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        77⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        78⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        79⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        80⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        81⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        82⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        83⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        84⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        85⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        86⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        87⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        88⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        90⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        91⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        92⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        93⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        94⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        95⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        96⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        97⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        98⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        99⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        100⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        101⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        102⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        103⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        104⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        105⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        106⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        107⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        108⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        109⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        110⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        111⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        112⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        113⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        114⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        115⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        116⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        117⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        118⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        119⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        120⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        121⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        122⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        123⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        124⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        125⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        126⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        127⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        128⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        129⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        130⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        131⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        132⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        133⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        134⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        135⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        136⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        137⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        138⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        139⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        140⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        141⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        142⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        143⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        144⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        145⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        146⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        147⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        148⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        149⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        150⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        151⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        152⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        153⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        154⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        157⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        158⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        159⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        160⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        161⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        162⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        163⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        164⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        165⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        166⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        167⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        168⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        169⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        170⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        172⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        173⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        174⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        175⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        176⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        177⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        178⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        179⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        180⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        181⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        182⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        183⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        184⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        185⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        186⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        188⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        189⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        190⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        191⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        192⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        193⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        194⤵
        
        PID:504
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        195⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        196⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        197⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        198⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        199⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        200⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        201⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        202⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        203⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        204⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        205⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        206⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        207⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        208⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        209⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        210⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        211⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        212⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        213⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        214⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        215⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        216⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        218⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        219⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        220⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        221⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        222⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        223⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        224⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        225⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        226⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        227⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        228⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        229⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        230⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        231⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        232⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        233⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        234⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        235⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        236⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        237⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        239⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        240⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        241⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        242⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        243⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        244⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        245⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        246⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        247⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        248⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        249⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        250⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        251⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        252⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        253⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        254⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        255⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        256⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GCwcIoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        256⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMEQIAsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        254⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYUkQIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        252⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        Modifies registry key
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zCkoMQco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        250⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQUUAYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        248⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\daMoscks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        246⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\seEIogMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        244⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gAoEQcwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        242⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKQssEks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        240⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gyogIooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        238⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        Modifies registry key
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lcIYgYEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        236⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jeMIUAEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        234⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VgEscEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        232⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\POAUgUIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        230⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAMQskII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        228⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYskQkwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        226⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EgIAAEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        224⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oyIAYEsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        222⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies registry key
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWcMoUYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        220⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        Modifies registry key
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYcEAwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        218⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xIUosYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pSEQMwYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        214⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgEgkcgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        212⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqggQEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        210⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eqUYwoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        208⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmkkAMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        206⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIcUAwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        204⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMgYMYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        202⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmIUQwUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        200⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PuMkwoQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        198⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QEYQcQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        196⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UyYwkgkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        194⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMIgwUco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        192⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qEgUEYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        190⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWwIksAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        188⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lssUUAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        186⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKsAEcAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        184⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tAYskMQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        182⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oaoEwUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        180⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qecEcssM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        178⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ygsYoAkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        176⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uIUYsEEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        174⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEgEUIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        172⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VoEkcIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        170⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lqMccsUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        168⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgUwEMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        166⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bQocUEks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        164⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SowgoEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        162⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GIcUUwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        160⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMQcQMIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        158⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuYkooEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        156⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NGIgcQcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        154⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZuwgQEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        152⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RCIsQwAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        150⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hcsgEYQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        148⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fUEsgEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        146⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QMsswEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sYMocAMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        142⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KAMQQkoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        140⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUIsYIYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        138⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FqIsUUwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        136⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        Modifies registry key
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jScUMEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        134⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUcAAwIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        132⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NYIsocUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        130⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PSgMQsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        128⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KmcsUwQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        126⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SqIcAwAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        124⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsAUgsUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        122⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\quEAQokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        120⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fkwYkIMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        118⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HqgMEsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYEIAUEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        114⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PeYwUAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        112⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWEMYUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        110⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oKcUsYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KEQAMcAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        106⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yGEcYAUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        104⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KgEoAoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        102⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rugwAgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        100⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIEsIMMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        98⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyYgkgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        96⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hqEYkIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        94⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QuUgUMEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        92⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUMQEkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        90⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EygAogYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        88⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WMsccEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        86⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKEMIEsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        84⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lqoUsMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        82⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hgwMEssY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        80⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAIsgsEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        78⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HkkYUYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        76⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QEksMUQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        74⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uqYAokAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        72⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkQMQMEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        70⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QMUkwkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        68⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMscgUUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        66⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQUcUUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        64⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKocIsgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        62⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwwIQwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        60⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dskkYYkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        58⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EKEMkkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        56⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CwcEQEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        54⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QQoYgcgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        52⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\egYAcswY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        50⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgkwoAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        48⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XqUosQwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        46⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCkIQsgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        44⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUsUUMIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        42⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgQkcYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        40⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSgcEEIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        38⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqQUQQoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        36⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqwUwMIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        34⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yicoYEQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        32⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIsEkcIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        30⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwcIYQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        28⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSsQwcAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        26⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWcocsII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        24⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkwEYkcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        22⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgMwEcwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        20⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YeMQEwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        18⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOgQsUEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        16⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCEkEgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        14⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\POsMQEkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        12⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZggEcUsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uewEcMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        8⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2980
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:656
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2968
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:308
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kAwQYIog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        6⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1248
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1472
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\WmEMcwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2816
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2724
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2732
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqUkooIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
242KB

MD5
4ae70604696c4e213f3ffd5f2a07dc29

SHA1
aad597c58f6c76bed652a5ef0fe532c5ffa2ec65

SHA256
b40176a97ccfe5a1e33b9fe47c1a9f2722e76778e991dd89219a505e5aafde2a

SHA512
8995f3cd6e7832a04d7cc78bcae994cab16faa6311fdfc4ba20fb9cbf57ace96df31f2524eb06c5b00020b3c6c80ba39aeaca41a8f44bd78f3c7311f146f61b1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

Filesize
228KB

MD5
c8ce44067faed992a751badc5238d1db

SHA1
8ed60d8104f635098ef120f914c512c920669a15

SHA256
3c8167b07d5b175d7e8af4542dabfd060ca0961920b62280d2d8b2d117a882e7

SHA512
f07fcca750e1ae81ea16e0f274c36c96dcb7d8232ed6bdc7ad8f0afbf517407bcd2103cd529bd9f41df70345c5bb55dbf0aa1884f2c83b3219bbcf6df742ca5e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

Filesize
254KB

MD5
010d892b928a846eef234a2db4efc843

SHA1
bc04bc2f75e11b8e7476a23f15b1c84324c6b956

SHA256
40fa17899289b3541e11335f2eddd7e1b6e06504abf8970f11e4761f6395d462

SHA512
ba90ce6ba1e9a613db6bb3168d3422b1324bc50d10358f15fdebe7900dbd95b8143d0b321f39dc8b84be05511067433cf591a8bb8cfaa0c3f0fde7b6d8235274

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
239KB

MD5
6376c0e6eec0a17f6f908deb98e78ac6

SHA1
95fe3f65a932874241006e4f4d549c21c30382ee

SHA256
119b40ce4483ce2a2e8fbbcb3aa3d787640ed98df28131bdf6b127301d9eb000

SHA512
003b08bdaa50836dc449911ba5eb04e0630d4dda682b101e39f867a518a1c10159cadeeae3029303f45880ae3cdf24cb828fec40642e85ef6771d40e96ca9154

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
651KB

MD5
3b677c132301d9b81a23b5819af06e56

SHA1
9f339d1220b1772f4e2b3a2599c02ced83f6e056

SHA256
7c15ee1794bf381cfe2b7e226de5484e02fbbf86a700244fbb09c66f5c0a39be

SHA512
5ecfd5263cb6c8ebea8314d5914273a98391177c95daf25359633ffad7de8289ebe3619b8889a8d3ccf44acec772b0551ddbbe90c533a554665e6fe4618c4c54

Download Submit
C:\ProgramData\VQYMAgUA\yYEkcEAo.exe

Filesize
179KB

MD5
e8de49da825a240dbbe3f7846318f31a

SHA1
d1b9cec85d3028a545cb141b23acc0dde1df6974

SHA256
5d2ebe6dbffd378c3c4c8e672c46e382be09c3c02c1d9a72d507613a3205440f

SHA512
0f6ee2c640154e9b6d278368fd229e5b04dfbba75b16e6bb84eb31dc452e940a89300f7cfd505fc9d6649612d47994d2f1083cc699e3147360a508fa8c1bf2ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

Filesize
208KB

MD5
708abf0c692ebc74ed46c61cfdaa7f93

SHA1
e6e9eb5531fb8bc6ab62ddd57ef9189882b7dd83

SHA256
ed8114214432b465fb8ee911cece18333fb925db69e8264f7b4ea21b6aee1a6a

SHA512
32bbc27e828bd40008a04f36582a82fd8f4c4adf1c4acc5bc0e4340a63ab4dabdc27342c4ea5292c718dd7504d52f52c4c610de4b35d98d0c15d788f9bbcf6bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

Filesize
211KB

MD5
a16480f332cd0341f6748caa5d141f55

SHA1
d65ba357d96a98d3901386e5917dbace38f34544

SHA256
bffd0eb486e4cfee18232eb082d06b81b87dfe6a61489e8cea703322acd1b6bc

SHA512
b9d5f4082292577e69a5d1e318dd011ef7e996d19a9acd50cadb119eaf906906bb4238574766d020b531d20fc851b479f1d08d83c8ce91521c0d12ee94f1bd73

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock

Filesize
7KB

MD5
6bf9826f979c572d50358be89bf08021

SHA1
4dd8ea39f0f453b502e1490eb274aafc66ad3a8b

SHA256
e8527f554c14335fd26725ad4c59e5e305fdd64aeb251adcf96ac8f3ed64b70d

SHA512
e65b13e71f3b8e17c8175d537af111c9b74bd9b12ad5130270e093800da3bf1a257a7371aea4e50504f9af581315d0d29b06e1926e25f92510afdb5207d45556

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACkEYsos.bat

Filesize
4B

MD5
576db4e3a52e064766d806bd7bd98014

SHA1
3e4962913366389868a0a9af8348c7689f5a139e

SHA256
00d8fd96ecdca8450f78686da18d2edbc2a67bb66f9f410c15164a98ca07b102

SHA512
ad30c1398148e2d371ba8593bede45cb1dca24b9cabe20d147e62bec44bb256b82cfc9b14aee72e86259b065f16d76ecc61514206aadc55ae4dd4f5d4ff3af5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGAcokQY.bat

Filesize
4B

MD5
863eb62f01bfe394be1dd6a29acbd048

SHA1
aa4b9503de2ebcbd3b8416e0509f16f17f03da59

SHA256
6b188282959641d5b9d36ade1615b871d994627d12b3e9b66fa8a336b3b8b971

SHA512
427bf6424b6dcaaefde7e82bc5d7a523d367d7af5fecc66e7cebfa73836be928b9a3ee758ba1941e88f0e83b072ba4ea0657d705cf27cfcf626827b3c86c2e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMcy.exe

Filesize
747KB

MD5
d13915c657c57455ada0324a49a9fb30

SHA1
9d6ff52745250c2f2b06e1d47b31b3b897d1bcb3

SHA256
f95dcde2f894c68ab32989a5f46cd5e1f78dbab832ef2a6f434369d496e536fc

SHA512
3ad1267a549e779cf748ac18389fefe8fbe5b314c4bb454891300ca67d671fc0f7fa91ad29b4d21f2e2d86a9c9c2810a1099911343b1bfc4bef51afb07fb74e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMks.exe

Filesize
236KB

MD5
fe4575483495cdc16cb49f32a0852389

SHA1
28ba3baf0a9e6d119fd6fc6c34c41913e7511ba9

SHA256
1eb7115311488fbfae0a91932a92be4165d0a1b3b99fee84dd1e7dda63357236

SHA512
ce64e429b6b86c48808a15defc685c72f301d7cffc397228601c71e75df754738fa11bde94daf032e201fbfa87e746164ceebc1a49375a73cc7cf8933ab648e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMse.exe

Filesize
235KB

MD5
3d6e0d139df2945826c741212433b7e1

SHA1
aff17c9452e2bc1ec1a722e3649b515a9e7e8f2a

SHA256
9f3f99c4fc7a8c6b3a4eded3e5e4667b0654b108cd485c83b9c251a44c00fabc

SHA512
46c561586137db503d4019db09b24c5a429754070b37581bcfbfe5ea78b71f1e5eb7fc1f497eacbed3ab951c0a8f7b7da1c241acb41e15d33c84ee8e19e6e207

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMwa.exe

Filesize
233KB

MD5
9565a37cb386ee7920aaf34558c6f348

SHA1
46aafdb14e6b16028c695f74f934eddfa71f97fd

SHA256
4e183290c77a60665566d02ff3a6cd8945ed44a80028730d6c9a105ec6303888

SHA512
95e624f4349dd848000506765031eb83c6684fa15b8e7fd1dc49454e754069b4e5b9b4152339463ceb5a24bbea5dc2f9a74c13a01085e7969f494d70fd7c1537

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQIC.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcsU.exe

Filesize
655KB

MD5
1510499912c0f84d60b346ece3d155f2

SHA1
0b6f01c9c50307914e40d3ddc5c5f5554bf380d6

SHA256
fe63175394514074decca2eed03f6133968f449ee7480f3714df84a459879702

SHA512
bbda9f5e6cf5f6174552e0bfc0891186486ee26a815c274dda4d328e525460993d0a761b04ce1e324a52942c5048cdf7b571049f404c6ff0df1da43822890ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgUg.exe

Filesize
227KB

MD5
8ab3fc144b28ee9d9d5c487dfd41e116

SHA1
991778ca94f81cbe1845cc329b97a3a88804b974

SHA256
09fe0cfa9360193f83c8c17bd2f1b53dd24cb9d480dbaeecd29fcd8a1a95f5ba

SHA512
751768ce1593b6370720409cb98f75b2552a2d5d69fffb6769867e11140a22e62bea130901e94f685a08a6bae02c24d1bfd985fd90f44c8c982b5edc24f9c02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkoO.exe

Filesize
236KB

MD5
0d4923a02ba3cac96d57ab1929f2cde4

SHA1
20e81e432832322891b6cb24ea5189274b02a261

SHA256
cfc36c2c77b506d0c3e6887ef8e93e01bb9424dd37731c18064d45865c33c4f0

SHA512
900d8a16f0afcb5c0047dca8f2752e1226171992fd1bf0ac8e085c70c29cf4ddba608e39f3a05fd1af28fe166d434fb7148f015b227f76e0c511f3b7d709b79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AksW.exe

Filesize
248KB

MD5
fde1c7467aaa7d864bfe76d3a303effd

SHA1
2cbf988a7723b1934d8ca8badfd10272ce1501ad

SHA256
e25d7ffdc4926b9a7e9459e42cb06f58165c001582bfaa31299c428e076bfae2

SHA512
44c9f73cec79afef4dbbcfe8fdbc37a47002a3b909ee34e33114f9f80a5fa0fd7a14bd65165534b1e7f9c712c32e1880eceb7604c154d8a2942d057590590d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoEy.exe

Filesize
638KB

MD5
edf83d1682184a3811e34f9498af54bf

SHA1
883edffd6ae9b771173cde048e71a2b3d26b571b

SHA256
a517071322a3677e199950a768df918fe1b2875574fea780f926258e275f70d7

SHA512
bd6d1be0bfa1821454378b054bc2706a0cc5b094318bf44dc989f1478e64285e9c4d912c1d77069afe4521afe888c90738ae09ecd29a33e8cdff267228943395

Download Submit
C:\Users\Admin\AppData\Local\Temp\AokC.exe

Filesize
241KB

MD5
daceaa15460496fd63548711d97a2bea

SHA1
26720c28f817497eaa6fe95c4b391df2ac44e9ba

SHA256
17ce63a93ae495b6da09cd34c60f9df07f72a51ebcaf00d48021b89e1c658731

SHA512
f074117e5753facaa14b334b5a0feb446ab501ee5df94e2653f4b01866be4446e59acf0e0126409a39642c76b24f15a4cd54c2ae4c9a42cfd389ccf4173dc689

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aokq.exe

Filesize
971KB

MD5
48900e092f50293ec97dbb12bd918f1c

SHA1
c414fb686e56a5fcfca8c5ee20bc5bd19adcc8e9

SHA256
b711bc21e3de98456c735a5af02465e01d348bd070b44e3fd25eaf888f0b9869

SHA512
f257b6161eeecb63e9dd4a17a9b2a7d0140fb290ef498625de7b5bc48c538d1960b61b3125b3311bf2f71c0b16b9c2ad9f30fe25d201e45a4039c780167829b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsMs.exe

Filesize
229KB

MD5
5c888eb35553db03b71fe94a412daa43

SHA1
51f2f9b0e4128a67f63adef780f2775c7550a433

SHA256
c5b415a9d81fcfd3ca61c0839ba5ded9c8c0a9faf2e60fd49cc6ecca9162bda5

SHA512
f68cc49123ed42e10445b1db9604cbabbd62fce311916afb83c257bcee9b7f7d1acc017fb81e6b3d5e8e1e8710fb21d0617463a81a32051b215219bb5fc7dc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AssC.exe

Filesize
942KB

MD5
6ea16c4bf6ae311363e81c6f12e665e5

SHA1
5845e4501521c9278661e6c53f7b8d474e6324b4

SHA256
d9f8c61710241e23e302f5b7bc091a79ace312d1d1be8ecc413561e8247e473d

SHA512
4540d2b00dbc57b0dbfded0fe93986ed9b78b268ff51607ec8f034a5e7392d3206f0fc4bf7c9708ec342bda477a19991c3d7e24b5c98235ae8140f87f8a80de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AuAoIEQs.bat

Filesize
4B

MD5
7980ee555c28718f13418eeb9423ce82

SHA1
77e410b0bd459506cc462c48e723c4e64b4adb0d

SHA256
2476897229b1c1027cc7c26edb6d1db3ba0be40338e415e0b664a194bfefc652

SHA512
041026d69babce5ab07ab27f1889c543811403f7c19d3e7184b829c099a03733c3ee26e04a079d15ed0b79351632ea3129503836ffdac0333c6f773830d3b143

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwAw.exe

Filesize
234KB

MD5
49407d7dac288c00ed5353c084904151

SHA1
10f060dc365ad1f9bc42457709ddb34d1ec3cb77

SHA256
2a0ef3ef3364e9fdd2df324701511b9d01d4918089e07d1ec9bf92bb31d60a3d

SHA512
38de3010c6e03819801bb63c8a915f291a148eb3587cd0623f46c92a51953bb03dc8a20587b2c39f2bd9308770e7672dc5dfd58382d3d4201c23be9927162dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\BeIgUQcY.bat

Filesize
4B

MD5
f45285d8104201947d69924defeb7ebf

SHA1
f450d1ccab823e57905c21d9b8b438bdffabb478

SHA256
03d688c641ef824fc92857954ac0e63836b34c80284250531a675b7f550ba593

SHA512
727034409a00725842cf96d4a37684cf1a51561f893fa8b49caddc4ed1580aa820bf699933becd50b9e5f7934cc9293f2708042225659416b2d198081eaf28c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMAYYAQE.bat

Filesize
4B

MD5
3e0d04745d1de72d98a434abf71d7c02

SHA1
2f01a2b9aabbea076fe1d4670dac4e0d8ceb30f0

SHA256
2564fe019bfe5c1ec78b166c46dfbc8ceb910997a2e78cb7934753ab0300d800

SHA512
e2020bb90621caf738d1ea96056536cf68c7390f7ab1ffa8cdc56c12595e74be0a81e7394fd2a85eefd839bd92471e544e8dcccfae80cdd0314da329a4830868

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMAg.exe

Filesize
248KB

MD5
4916f1132c25056be1c6171e5be93d90

SHA1
4e76ab7bf53aa7595c6c1e4a4a76b91efb2d46ad

SHA256
2617e038adc9bebd9edeefb580f210b9b5bf783638156e27c50cb56b3bdf14e9

SHA512
671c6eaad4326260b239a4b39aceea72bd528c862bd2c46c00ba2e9e416d49bb61936cbe770443e95260ef901580709a0541f47b85b1363d7fe17a3e4ea8be0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUMU.exe

Filesize
537KB

MD5
bb8eafa9f229e1be142a0714dda9bd9b

SHA1
dd424072f6030a5cddfdabead2309540e7f95415

SHA256
8e8b43309abe646c07a8a73b2b774ee5e615bc1cb8eb3a80e8ca23155cddc6d9

SHA512
be19047c65eef928a54c21c0e86d20f5fdc9198bd50c42c60b4bd00232af7819eaddcdd5399c0cfb11a09ddcc9de789409422c2d7653b13111664fb7515eb2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaEoUckU.bat

Filesize
4B

MD5
545a8b229efe256e945d4d25c89217ce

SHA1
5f0845580cb81db7421e6b0bb9502ddf5ec8c16a

SHA256
e12e2e550f808dc39fe31fc8d20ab35572cf5bf2fab971822bc23131617d4b15

SHA512
abda30572188cad7973ab96a8000cc9d5f74d22dc0beda7d681af1899cead0f2fc203ba5ea162170df04a041040c4938a03e9ac667600497f618cd505702256a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CckY.exe

Filesize
248KB

MD5
8474e4d67d7bfa728b3d5092dc1206ad

SHA1
f6456a216c8e33740cc4e30a4b283f27a452507a

SHA256
b2d1a2ebfbec7911da819b8dab88d42d9e3cba872459ac1e3bc8a9aae0e0a5a1

SHA512
4c9c8ea0ae851262280c3da66e82f204f2825e47cf36ae2cbe7a8a252d7fdba625b8e040e05d925532498db6c08115fd047ef3f52291d74c438dc1eb1ee2ce33

Download Submit
C:\Users\Admin\AppData\Local\Temp\CikwMcIU.bat

Filesize
4B

MD5
659d404028a05249ea183359b168bee5

SHA1
029ee46db62678bc6ed82c6bca43e9e9dc7031eb

SHA256
acd5261acd8a1a666f2f7e70ccca24d1cf3da1e13f224a9b74997fee701114df

SHA512
0edfc2f1b74c1627347b2f6030ff0c98cf694dc5726cf13bb58dc02bbe0762f670fd6cbfa4bbc78d27340337516ce608825181fbd5f28d7626abfca5ed7f4474

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkcEkAwA.bat

Filesize
4B

MD5
5193ba8329045100292a11b8b22aa09b

SHA1
b6d393c804c4237d82e4eaca177267cca9c3f855

SHA256
a734fb85d946a77e800fc8c4e8da962c4681637bc9a66c710667248ae295fa58

SHA512
d9e33e563b0b0078d8e1958bb4abb4fdcc165562bf7426fd056c176c401280714eb8b00f308d9f6e8fe184da7291fc0b3ab22aafba1d21dca5e595eda7e283f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ckwg.exe

Filesize
233KB

MD5
5ce911e1ac3a08cb745ff9b9d31386e3

SHA1
25adff29688936dd3df6e9113cc2265a999b01dd

SHA256
2015d6ab44813b5f02627293f55637091bc1def764bd9c1453c2d271e6fde57a

SHA512
dc54f66bb81d57061fef615cb30b94cdc731504a9aa815f6949cc707f802e3bb7e62cd5c88e146a15d5775cc8704007f1a822056af8db680f02b3f7338245e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CuYAIgIM.bat

Filesize
4B

MD5
cfcdcfe723a555914d6acf2d6bf6dd0a

SHA1
798ee1f75a795ef4294c98be021f1bfb8cd4edf8

SHA256
1423bcf1652b988fb50e5c2bc7c3aca8165174aac2d45ddfd388b1a6b1483cc1

SHA512
132d20cdb0751fec907a6fbf68d0c291d4c825df8d6b9a70c68494ca91585f91db97679cef47884e82bcb9424e5ce291cab3d67644f457a5a950dc105731effc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYMAEocg.bat

Filesize
4B

MD5
f2b187ec9e1cef0687e8c98ab1b9fabf

SHA1
07335e7b3c5b2aca00ea3cac391f576eabdb572a

SHA256
006ec3d9efb4df1776f1db5fc2ab77a270b1492531ffc9dbab2067ca45547ba4

SHA512
6611fc5f82c548089bde1767c93704d7255fe8dc51e9d79bd8f69990cbdb3d9427b05ad5d8ebe105b0777aa55755e5bb127a36715ba1f08eb99169120d54eff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAUQ.exe

Filesize
4.8MB

MD5
6b87e726cc6616db9dc8a39f59f12548

SHA1
fdf6987cf233fb9378682a20792ce03773f6104e

SHA256
c5654e3aa5e3b0eaa5e946b9dd0160300b93dcc6f8661929557bb92d2224cd7b

SHA512
3f39acc67fefea964b42113ac494e96bb308058f44b8ded9eef3fb7b27a1a293e92bc230659be1aeab3ababd4932c20e5c4bbe5dc99267235808ede60caf5304

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEwE.exe

Filesize
253KB

MD5
de7dff2e4df86759a2f9108a5fbd9b0a

SHA1
430c0192532c44789005d9b484b54bc499ef54fb

SHA256
1d811fd1e7c03c497900acf2759a5ff3b0dea46309e50c5ca9161790352e30eb

SHA512
f68154e160799d62bb46ccc6276b1e7ad66ce7c5ab503c41520ec5a91909bdd13ff1cf10bf1e1b42a776a87b135080ff69d768043d7442aa643be83ac9e68021

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIcUsoQQ.bat

Filesize
4B

MD5
ae37fa68c00b19dfa548f32769a4d29f

SHA1
8f3d0e21b7b43c15e3d0c2c77638dc14f502ff3f

SHA256
56e75dd81e170ab37b7cfc10b464cd198da651b2f8dadcb38014ad1d3f73c3eb

SHA512
c586bafa56077ec50cbfee5172c5f323a75016c2b940b78c2d38c649b420a7ac1382ce1e4ab9857b38b20e22af95c1d9c9b2fe2e997bec769a8a3ed1ad77d110

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIkUwkUc.bat

Filesize
4B

MD5
46a9d8e570a3a94382e709a741dd4ae4

SHA1
87bc1d673ad0477a68729bd71d2c5b04cda7f1b9

SHA256
32a974e8f77cebad556b98ed961863bc8a9f129e4da415249996025ae162002f

SHA512
2bf2d585ebb800d44b312ad301a0bb977e92bf9a6d17e97fd4aa937a7cf27b9551d94e91fd9a3e5a2863ed31366c553daca171fbed157ead8b88243c0112c6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUsoQgQg.bat

Filesize
4B

MD5
a0e744ba252f9363e3da298cc5c2a2e1

SHA1
f9512261b92591f7b251af5031394960c2c82aeb

SHA256
5de205a8f2f49798fc7c1170ee0e1686e40f4bed3afc9654d96436c889736791

SHA512
7ae172e500917db596d7a6a5d6bee85f8059475add187f25cdfcf3628c4252852cf05c727e4ffa3f1069cf1d8461265ae39ce501b001f523b741a7d995d72aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGkgMMUo.bat

Filesize
4B

MD5
59d6bd414e91b76fe1beeb381f299a04

SHA1
b435ce91e1fc1a07d138c316b96651318baeb9ba

SHA256
c375fbe5ba1d6532e3c940539a5dbd1b6e7b3145225a44b390adc62bac638b27

SHA512
beac11104798713af19416bfa736b8968140a034d5f00595206091a6a2cd8c18a88b0941a9391de9753238d3c668beea884e757de5b7c6307c14860db5209c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\FKwkIcYg.bat

Filesize
4B

MD5
4292d6217b22660cd96bc5cacc97cfa0

SHA1
5da080d8da5099203c4d261594ed5f493da11e67

SHA256
ea5fb8e17571bef3fbb31dee15fcae9c06d814c13a4f52642bf46eff3daf861b

SHA512
9dec0763512bbbdcd71cff2192c0cb1d99f8db39f52ab785c43451eb0425a32585d98bd2bc3ff26f69abd5531abb3114194bc1d9da1433629408c5069ff865a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYEwssUo.bat

Filesize
4B

MD5
f14f5b70626c35a097f9fe9b2362f7ca

SHA1
7e1bdbfe0e6f93c409b4d1c96b207e2e0ac62775

SHA256
76c89634fb7ff1ca9b184506d0a8580c2fc34b2c35caf260e5f264742de5e0e4

SHA512
f76640cbd9424e2fb99970381d71b3ddaeee4030b3d1b3ca79c2ef39a60a94ad6b20b9bd0b48e7b2c58fb1afccf75f06e3fefd41b56702dcedc8e136906bd8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FeYQMMsE.bat

Filesize
4B

MD5
ec40a1d9301d31ff69295008bbfaed15

SHA1
a6405120355514675dd36d5300fe174477c3a8ac

SHA256
741dcbc8d66b5342a75dc90d0f0e512222e3f56c077a472ebbd869004aad7d5b

SHA512
12c8cf8c65c1984bf79c64e6e9adaf655ce78c9cdcc47ad24be858f4d1c5730ed2e821e03d02f0c9b1fe3dac15f0c05f55dc15aa9300467473d5f465dedbea47

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAwe.exe

Filesize
247KB

MD5
50f27b6d71b07364a805c41116c5fbb6

SHA1
3e13270ed79f243d7c28329cf9dee432d6ac472a

SHA256
9c491fa077b0f78afb472660cf270105e3f8671b7345c0be103c705abd010e3f

SHA512
17e0c805bd26440f9c97ba9d489ba4781c24226221f4392205831560b68e74cda33a41cddb0f94c81f72da27842bb7846558400549847790b8dc10bbe37c6611

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCwYQMco.bat

Filesize
4B

MD5
1d09c93e53c8599c612909956808253e

SHA1
b4bd4bf8ccde07096693db5262a03f5ee1cbc424

SHA256
5a1fadc566c792c637bba87724f6cfc843f67f16f8b2222e053637ef56cc9c04

SHA512
c7edda43fc1ba2b230f5a87e8d6831f205f211382ffe47178b227fb71e73dbc88e54ece3941b3a1b20c5738858eceec2b316667ed65456bc0a92c192e20c103f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEQs.exe

Filesize
645KB

MD5
9c64e9c6939bec1ad46660b0125c34e3

SHA1
41078e4a098a808e727ac19f3c64130f4d25776c

SHA256
ddc9ed869962616ce340f1bd529b3b8694e4efb4b4018d162f248b63b8977f08

SHA512
66924f3f1cc4487d8686681e74347de8f72164ba49143b38a32d5d267e05333f15ac500eebf04b740edee62d90312d4f0da1e0b4d1283f1676257dc88583165a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gosq.exe

Filesize
246KB

MD5
f5c7e749cfcbe953c8cdf1c4989241ce

SHA1
0d4ce61a39bc4aa35ea31ec47ce6e3d2e9afd4c5

SHA256
2e69b32b894da75b34b513539fd4b8fa3a29eeae4e1ce94f710d5515ea456572

SHA512
a5e8912574517ee4dc4e7274f863b6916fddcebdd14f1bc9309fa35f20be91c7e5aba44eb82c0920e3f6d92499e01ca7335e536dfaa976e22b14bd5c0b4bfe39

Download Submit
C:\Users\Admin\AppData\Local\Temp\GscoUQAU.bat

Filesize
4B

MD5
e728073542399ec34c53954a64f736ec

SHA1
58a6cf2ecd3b73bbb19fdd3fc84c106fdf4c49dd

SHA256
8acb9bb46ce6e699ba8a802580d4107f41a368b7e374a0d3285984ccc6265a05

SHA512
3afc6792322334bf609ce0019146ed581c6276cde4404fbda437f6d0390c60f335d89240f7d4e2ac2ddbbc3b601946ba7d358c65726e2adb7b6c50bb2be1280a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSIcYgkY.bat

Filesize
4B

MD5
a067a2b635bafebadbe84956cc830885

SHA1
f35ce5cec26b79e047e775a6a8261f157b1f389a

SHA256
67179df83d90c02a35b255ca49ba60a1192460acbf6c97ab14cd83c2a95c4457

SHA512
9955f72bf01b70cc5d1c38b3c7b5d0c6c575da95ada999507e6c6537089833e5b7f506af263fa3da78a83cd8f7360ec4396eb804e2f3a41b554fc975e1402829

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSYYIcUo.bat

Filesize
4B

MD5
c745ba2455e6821364efab0bb4713f80

SHA1
5eea4aab5c3694f3566b6384a96bb3d3f79af217

SHA256
7c5c19064fa4c635551e356cfbc514f7df914b662b3a041417eb3021995aa678

SHA512
1e070c47a3a0e47e9a55ed0c7058afe05f693db8c60968c79ca33a5fce0626512e60b4489a687bb9faff27122eea43c3c604ad0db4ea06cca99c1a22655c57ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWMwYMQc.bat

Filesize
4B

MD5
cbd468f1073985ddca378bb893e35806

SHA1
313a22e7ea1b9142aa6feee2e1118d6624ea9789

SHA256
37aeac36a8eda4ccacdd129aa9d80b8bc840d0982614671f56c1ed401c8870f0

SHA512
3ed0e43817cbda2edd022745bef25e1c6eec43f7992f7686daf00694b64d42a22e5a72678338a901518895129b9be1e874df8c57d7bd888b20929e1cadb11ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAIG.exe

Filesize
210KB

MD5
28b0d6ee9f260e05a70ac7bfb11dd0e8

SHA1
6371be329350f970ee5a83c0f60f4b54c591f7b7

SHA256
7d2a629e1c61ba2eb65f652abdc364c2b5df1a151e6e103b1630a6ba579b71db

SHA512
94ef184bea1f4336608088861014bf8cc733bbbf24e52d5ce98844b32619978325315ac0db1ed3705463055bdc5702b9049bb880337e007ae4171646360c54fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAYy.exe

Filesize
230KB

MD5
951a9a9ea9b752aceab8027532582303

SHA1
c3d2e2f16be28e1949f10603713166dc6d99af81

SHA256
9448fc50fce982a8090f6981d03779768bafeda526575c2f8fef76c71c9216f0

SHA512
67dd8ec36324aa5a91ed37f5e09a9b7394dec3c14f604a5988ba174af9defa8ec2522ee260d3973614421d2b05f6d38752a4060ffce99cbd3850cbd700c66c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IGsUsIwM.bat

Filesize
4B

MD5
d4891594ab92706d772674b9505a58b5

SHA1
51d960b91e0e2c0caf9006777616edb0730db30b

SHA256
b5fec1f57d5e4e0e765c8ac15541dc78005204435f367b21e822ff7281c648a8

SHA512
58c5e158a5bcad3e788aa565cba6bbe44b84c8e2bdcd95fed05772ec9522473e669073542274856b607e9a3d5df813f168319b7ff3231061ba2e006f3c55ce35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMky.exe

Filesize
200KB

MD5
227d07c137807ed491094929d7479c9a

SHA1
1ab8b1278e2027dc07476dcd7034b31aa9190e83

SHA256
6cd212c09f98d0f02f2489af35b26bce2294d082a666daf7863eb3dd3568eb4c

SHA512
a13e1097d0c025df89f7ad494fbedbe82fd6c08162cb29cf86987566116315d8a3a8143860444358f1c42618090fd8c97ae3b15fab826ecc7b745120998687ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQAA.exe

Filesize
818KB

MD5
a2e659d5cf3dd54389509c899d19dcd0

SHA1
16c79a22f33ab6cb322ea26df509121c038ebf86

SHA256
99501adc41e76dc52255d2acb9431ed8253024d3b14ab53ef864494b6df68aa7

SHA512
7c58574ce0524fcfd728a5f122487243ec5fae6cd60b34cef0cc260a02ef5e543dd2456a3d52a8aa377c9b47e72e6a16dd46bdf6b0194ce1dc4e610c5f1fb553

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQss.exe

Filesize
419KB

MD5
430971bf3f9b239d1090a985f7e2a408

SHA1
5a15518b333c26228e93c11bf6fceb17c5da845f

SHA256
ce8c293774ac6db38e148c9313dadf5a7405596233e1f5e245a8e97f0cdc7a34

SHA512
1f4daaa3b7c483ceb2588c7a19c8faddd2309420a1b5b1453d0c0ae96e608ff12f04ec8a9391566f89f0f8cff1e008100f151585306b7b64636076d927a3c09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUEAoQQI.bat

Filesize
4B

MD5
8bfa4b2d5b75e808775c2c89d398c329

SHA1
57f69e657968f771c6e7b004a2ef9f68ad4a8b9c

SHA256
c2d9d26e588d99faaaa924ad6c21f70d00471c7288b1066be0de5ac1abc925dd

SHA512
922fad389d31bc016c1191407adf9ea311e66b27a935828e94d41bab222ef8c2691518c83b9a20407c5633aa38d0a75f1481d3f344dd7833d7b047de23ff79a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUMYkMsA.bat

Filesize
4B

MD5
77c6a662a785283c997ff0afd3f15b55

SHA1
c2f6e55173e7723db933d61241b2f34200cc6349

SHA256
5176ca1bfd2adc5077d133698a3ad8edb0add6079c8384e48196bfc4845382b1

SHA512
da6a1f71e036038ddd3858b8b5ad7969767e2ba5de9d2cb02b630861c6ff9d5fe5b948b1e01a26db53e90aee3099e7915523e90417eb7c78b9c3f372defb622f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUUEMkkI.bat

Filesize
4B

MD5
fd45ee0366e46858e84625cbb3d16372

SHA1
e836454b63d19007084223b2dda4ead2b1e1c0ce

SHA256
cf4e374e89acdb036d1f1815dbb349befb2c300e939455dfb82b5c82c9bf9fb7

SHA512
47632f6296746b43264927d05f071a59346766c24c1c6c6d6438128473993851e22e9d610bb5375e7ab57b24896a641f4a2ae7e0be7f2e042ce3a1a18b7f4c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUYa.exe

Filesize
231KB

MD5
560ce489b5b62fd256d27a87d627740a

SHA1
ee01ba67622c043db0a63e55151ff484fda63a6e

SHA256
68827ae4ca67715beb60b2bee72df8ed0b181341fc5e0b6dac3c0b9bbbb871df

SHA512
3a72570b5d4d8a611979906c627b0b2eec276a36b2fe7a072d5430afcfcb114f0401dd7f05cb936b1fbfd0cdbac85dec68ad29f7d6feff8553d5cb753029fcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYoQ.exe

Filesize
237KB

MD5
176057e49b8f482fc36572b06ca25cba

SHA1
490ac79d243bdb695636dd937b158e68e97f85b3

SHA256
afcee53b28f4ba84c58fd16449ec02d0d4cfcbdc0651881fdde2036271c2123b

SHA512
67c873e530c9f3929d408036925ae9dd3ffdad817b22cfe338035afbf0da189d38ca0d6bf72ee3ca2cc31096c82966990b23da7151abc1dbfddf4dc4ff542373

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYocIsUE.bat

Filesize
4B

MD5
b8e684a4a67b20d73d7a9766ad9d7e8c

SHA1
fe4f86c0445ef41942820a7551f67aa0615b154d

SHA256
536327c030218d00b9e80530604206ee12ee54480c64623b8fbaec94b6658369

SHA512
f628e1020203d76bfe3b2800213011e6baec1058977a28c33eefd7e778e7a846ce92a056c073f44b3f024e3feac60adb8ba9562d0009c405742473214ebe7c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYwy.ico

Filesize
4KB

MD5
e1ef4ce9101a2d621605c1804fa500f0

SHA1
0cef22e54d5a2a576dd684c456ede63193dcb1dc

SHA256
8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0

SHA512
f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IccE.exe

Filesize
1.1MB

MD5
3b986d51479a403a626980c9ed4f4382

SHA1
09cc76a86defd647e221d0bcb66fffb35a8b6f91

SHA256
adc6f32f66f7fea1561c5c778b9bf774d8f8cf9466097e7035f2931380a98a68

SHA512
4373432ed3c7760a709ffab5a07633e1b450c34fadb22cec138f084b4d26e5253a5255b5ff4afdd4d92c7e96e5973c541cf3d4ba1dce6fd1c8edf6a69d633b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkUk.exe

Filesize
247KB

MD5
e7c830ec1a4bd7ff7e748c3353a8ea85

SHA1
a9686cf8051c787778a423a838011bd3b6d46d30

SHA256
cefc243c7b2b536ceaccf42bfc031c3b6a024a33eda87200a638f31aa50735b4

SHA512
5974ad3878299b5a110ca4a1e6513d4f76a7c85a33e4154874eabb458706bc4d5f26657dcc973bfebffd9993b5b069771d4405d0050c495e0ca583349c66de2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoMgsQUU.bat

Filesize
4B

MD5
0607c6b81b83529266bc486261c4f1e3

SHA1
c9fafa88377b594450b15ef5a93a6c78446ee0ad

SHA256
4aba72d5e3fff14b042e483be4351c73fa5da3ef42d80238311903ad267f4bec

SHA512
57355f3461be32a7c98670b33342cbcb711715c858121089aec82598a180cdbf002ef8c74d4be20fc10f9697aa44708c867014053f64bab474f08538965880d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoUQ.exe

Filesize
235KB

MD5
20950b0115f15ffee2b113ae6ccef636

SHA1
f4e3f7abcc650b0bed793f5ebd16b9fd025d67ff

SHA256
e273bb855c2895e8549396c9253e8b8d00bc62306a94d209abea2b50a45552bf

SHA512
bf47e5b4a872123130b486dce6bc5207d7a17b7be594bd868187a8641ba9b8662df8b221114968a2b8f4aa4b0251007b8a43ed1271cb7fb23913dbb65d28bfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaUgUkwk.bat

Filesize
4B

MD5
c6443f1bb219bb3e5206293a8eaed2d4

SHA1
638dce71675d15463e5eb5bad2cbddf0361c46b8

SHA256
2c777a54fe98f1c167dc88c91d54cc32b3fe05cc09d0246f425e981b2e3ac1fb

SHA512
035ef90bcad6aea77d8654a01facadaaf8f1552e5d3792dc49e4bb1af6f3caeee7cd8f19550877142166d9deb7c573fac90b41587b629fa0c51f821718b89038

Download Submit
C:\Users\Admin\AppData\Local\Temp\JyMAcgEc.bat

Filesize
4B

MD5
789e61181ef87e32fc2bdab019aabe6a

SHA1
c9cdb4001f50fe91c3ea54a402e090d974a66966

SHA256
c2812123bf38ff852d914f6397b66fa865007e254758fff733b05ddaaf19ec63

SHA512
8643ae3e82fe98bf571c218023a83f314b3aff9ce86e1a122d8ee017d71d3a5f3a74bcaeb88a513b044acafb2ec04c953b1f6fbb1ad9787a27b4d4eb89b750a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGMkwYss.bat

Filesize
4B

MD5
2d7a47a74d5f9243ed3f579e13729325

SHA1
8b7b190a1952a724ef2a49276f0c7027f209e8ad

SHA256
07eae48301ec3b004942e87395191c4ad3221251f30f497134924950b099c965

SHA512
0858a0576a0c47651c0a3a6e9d50a63e38ed6431777994777ffbdb1b3c09d69c43e211a94908e6d62c304973c9f2ff1d1106be9d8195409e704b61cac308404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIEs.exe

Filesize
196KB

MD5
52fbc5d0243496137a4ed873148f1149

SHA1
a2b0f3479c2d0a60725e865342ad0670ad638ca4

SHA256
efb4855b02ac8cc4c008deb57278d3e50cfa74b933c33aac951a0ab8a728b147

SHA512
f0aa371af1e8b534ade1e43391c3d54bc557b7d4911d470f008f2d2334822ee7c28916f40c691a5b48e71532c5c23e2b04a63abe0a72f1eca0d9b7b05eb1eb91

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKgokoYw.bat

Filesize
4B

MD5
b780f37d3ade4bb78fcac464cceed2c9

SHA1
25f5e9b1678de729cf3000c96e8f3124df3e55ab

SHA256
d849c38861e6cecbb4e9dfbc10bcb904c60010ed83552701cfc7457d77fa8f22

SHA512
8edfbf1ae3897ee07a18b99a840d75d4e159eed72d6043aedb6277dc6e3bb27808c974390fd16d82207f6deb7625398995e469a467dfae8d5f367ad6cf075c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMcccQAk.bat

Filesize
4B

MD5
88743cac2ba297bd1c31ddba741358d0

SHA1
a79bfd1d160f265e4311499e930e6728e51012ef

SHA256
11e5f705c11b33078bde686d6f295a8395835291084ef41b4744eae0cf59e948

SHA512
62017207c5847bd729c4310817723629f8d91474d15801563df2fb61f9342d9ab1a83bf6398763b32112693249f0ca1b3fd555a68c424c678f6177e6c6bc25c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMwk.exe

Filesize
233KB

MD5
ba8b16a8f89fa8813ca3e41121b8b85e

SHA1
d7ff0061e6baccf9f00726bb80d697e09489d710

SHA256
7e15fb6081ad46ef650f78970f15add5bbf9035da90a03e5bfe706ff09a44d41

SHA512
db34b1caa94318ba28ff55bc2c8c5fc773db6b01dd8fa54423093254e4b2deb4b93fd655c992a8a2c004310fe1487e25b4e0bd3d205bd70416c75225d3cafebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQQy.exe

Filesize
1.1MB

MD5
5aa0725883c9bb36d08c322ecee33f88

SHA1
69e920b8b92770740dccedffc26f601f79d7f3b0

SHA256
bc59e4ec67528b6012313fdd13b34d1d97dd0c83e124da2ee0a619f12f7548a3

SHA512
1f5db7d165d50f1825004093dc9c007b60bd3621ba1fb8da2725bc25025a8cd25d7f705fa16bc93d407631ab52e3135a221e05afde60fccbae8d210fa5979055

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQoc.exe

Filesize
440KB

MD5
1287bcade866fb009bfa7ca9b331034c

SHA1
337790a4c107e3583dcff97b0409735088627fc3

SHA256
80e2fbe86c050354dbc9390797923eec2aeff9289366d2b0de99b9f04c33ecf2

SHA512
2dd73a7f6bd2ec4e94d8243f4c0346412f8d27080860652be62ef3b4e174a9c9da7fc9e80ddb63a9ed7e27c071453a83cffc18f1b33e706dd92f7b50653c70b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgMm.exe

Filesize
236KB

MD5
053c21c6123c8cdbcd711623940fc76b

SHA1
122407de8c906f88371af66f4a05d4cf3eaaecb4

SHA256
4b624d4a225159470a6a2e027d807203e00c234589301d3815947ba6259ef970

SHA512
c3794b1c7a7683b08bf0e29cbbcd3fbc02c1f4769d149986434fe4c289fbc54cad0bf76d2e57c97711af8349d2000e30fdc6f0d97688422af866639fde4f819b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksgg.exe

Filesize
232KB

MD5
de9d756c6e2ffbae8254b8f81f60a204

SHA1
b90c4dcfb3bbc7352f23ed365844c2cb05a94e2a

SHA256
7b6b94411d039f2f732baab6cb7944eb506f7ba718fcc029369b8260286222fa

SHA512
8f5fed35527885343d660e0a86bfbd056e97064f0025aad3ec283a60246b0cbd35cfa48db182643191fd0623c06f26105183a3f3f5dfd5fb0ca25b4640a4db8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAwsEsko.bat

Filesize
4B

MD5
301b54ef9dfffd2a69fa8254d1db209f

SHA1
c4b068d740fc782772c3649562952044fcc97008

SHA256
94dd988d2e9b93b9912a09ee8ec682ab647734da44f991f2ec5b927de54d0967

SHA512
69537a2448c78b3ebe98ed68a3c3b6a711d634ece12c90fa2bd8e43e9ce8c451d35f3f999abac6185808b2e38c37b2791f5f6d2eef6e8f2155857de342cc628b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGUsIUgU.bat

Filesize
4B

MD5
1816980506a0ee74bcfd5744681fc54b

SHA1
b0b6499d6ba1db04ffd28e5eca08048c71cf2f13

SHA256
f4e1e9505245856c2a185a736ea591dfa26c194cb0a68c263e3fb87b9de05d13

SHA512
8397261e0388c484d64f1721d86e017e618d8042e641a858c049ca38107bd3565f84eeb2d41ad57fd1791b2d7bd03e2371eeb5ddb61251685a297ed21914b7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LKUIEMMY.bat

Filesize
4B

MD5
d55ecc86e46fb8aedd283c7b95f5cd44

SHA1
4040626873810c706d185d504e2dba35acc816c8

SHA256
1012934cb526a56ad2a64b77a7e33cdaeea0d03a6af707f27e0b99f154065a24

SHA512
cdbc59f6f047d34ffbcc8a86d23e730778a139540b20efb2dee8262f89bc1680e1771a83fefea2276a21148797cbf9195e625c743d2853071937b0c2d562faf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUEUAYoQ.bat

Filesize
4B

MD5
5d301e2e59c4c91ab08b44c97606b32d

SHA1
589bf0fbec3ddaedef454eb8bef9b90a17089d41

SHA256
fe43f20b7c1cd881c17f28a245178d1034fa6eb6bcb2212eb37073e56ffbf2cc

SHA512
c0671a4112ce1ccd30d74f37bbb32091584e4228fa6fb20e77eb615d17f2910d475cedc94ba1a2cb943d2682050f13369a5f9d89deda4736971e5b899ab9fdc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\McoC.exe

Filesize
242KB

MD5
29005696609b92db729f56b2bb39cc28

SHA1
a15fc5c193a7d981c82db949156bb133f95f3056

SHA256
f5710ce41f41393aa749b79dd2b352edb749cb2f530f0b5f321c048db1b8b118

SHA512
6afd2ac15b23e2ee41b6f08a5f9938fd99784459614311f130f83b50a0cc668e5be89fe8d1d6ec8d4e168679ccc7efe613b179ce04fd6a405ce2d74bd22948cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MmAAwAoc.bat

Filesize
4B

MD5
77a5484d3378e42003b66b4babd0a901

SHA1
efe66197e2f0712afa3a571bf7295a5fac3c56ba

SHA256
eec65dca8eeb53b2c9dcfae3961c0135c6c8dd43bb90078269a7bd0a0a42752b

SHA512
0c9471ed24c4fd00f7a812f7688bf05ca810b0f32fd081ceb181b1591311aa49dee607b5f729b4622fe15c15e0f6fd78dd327996785be4a93e968007a3d0be8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MmYoIkcs.bat

Filesize
4B

MD5
b462d726e426f45ff82c5162dc27bb99

SHA1
013aae3ae88f9a6e806bbb8f20e6aaa1941da9c7

SHA256
6537ba49568860e96eccc78be3947fb3694ebf3f51508a9d8153e120c0121922

SHA512
2eec47be6476f0be117e46758c82d641e863015fd073b375ca7dcde8be2c8381ad1878af2ea29c08b9e629ae89e7b1d9f027b734a0e896a882fa6514b5f2eda2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwYw.exe

Filesize
227KB

MD5
7b728971c1e06d58a13e4b86564d771e

SHA1
36398c90db56dc051a35e97f5574e2bb38a201c7

SHA256
179f7942838c5dd87ed5467c48b0ce07fa5cc3df5f3234e151b54f4675aa831b

SHA512
b9011caf3298dfa2ce2dc406f9a5dc1e0438662984d6c7c203a0037a389097245987aa7b6611853c486e9eb3796b9edab1d046468fb325d287871d40ab61ff9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAYsUYAA.bat

Filesize
4B

MD5
478a35359bc7139ac5043009334b3764

SHA1
6976d2f617d1db2f74fed5117c9bd24f1495ffed

SHA256
e51ab2e2efb8f6a1b62caa229b7aa336474437da79eb9a91a3f68abd818c195f

SHA512
5088ba6bbd2a7255c0d2e950417be51c0030b4df4120c92e6b84ddb07dd5c79c3b1be01d292c79cd7af199443dce725acc99e18252260da38c41937d54893645

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSQQowUI.bat

Filesize
4B

MD5
abe121df71658d816db209abcb052847

SHA1
be823fcff5411ce5582761d5a62b9b86af738e86

SHA256
3ce1f178ddd540b35d6ae79df23ace8c6b3187e7802105fc360c2cda47127231

SHA512
6a21dcdfc6af6b9591ddc53c626686ffbf24ab1d7a23086fc81b1cba6d2417f8894f10ffd067e012ea9bf3d79d8eb4b01038655907260ccd45d80da862c97cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeIsQsoI.bat

Filesize
4B

MD5
602defcb09c833fbb561fc33674944a9

SHA1
a630ac76ea5f7d371afd8617cade64fe816d1f8e

SHA256
66269aef3b90aceb523c0ecc8fa65ac7e8ce694d3e9e4da1fb28c608ef597de6

SHA512
2731ff75ef31376889bc32b7d535f5b293ace14a892f80e7df33f6dc5f1148df1fc3b32a3590c4ce16466eedf908857e580c8714016dcf91b293812069a0cfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCowMIsk.bat

Filesize
4B

MD5
25eec68f7d0b877c92920e5e461b706f

SHA1
60a45757be253571b936893848706049bd8b7f94

SHA256
56051cad27658fff154a706c9f83e1d883357ef4f192081c08d6719af0f54d9b

SHA512
60e2ba2113133bf960252b75c762797f5dc4180aa00d8f4ba8d464f7d8a0e86235c9ba55bfb077240d68209a499e17d51360f78f42c504a835adf854e729c299

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMQE.exe

Filesize
236KB

MD5
fb4b0632b90afc876933db9837650b12

SHA1
9270cc3b343c75d958694427c977e09157b04e21

SHA256
03b859083d4fae75c70ea1c4303f9c17a97651f8f43c041f51fc40e88bda1d01

SHA512
c8ae332f4e07bfd5a8e012c5143502510e111aa193b52eef094f3a596948101acb06f0b3f597bbea962f791e82181eb43c5853e50eb8caeaf71936911ef41deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OOEsgkUA.bat

Filesize
4B

MD5
99258e289639cd512da1f201e0d58b52

SHA1
069ac2caf999764ba3a5dd18944cf8710a0e213c

SHA256
e4934dddbce05be55ba494d24baefd209ce0fc28272e592e73da1b61b30ccb07

SHA512
ff297b0f1bf20e371ac7081d1f228e6092bc0bcfd7019241f565620a37edcd7a25be253e116043ad6bd7d775f70e7d2b8e8843fadf26a1ddf10f189e7c293a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUYkggMU.bat

Filesize
4B

MD5
95552f2e1ad1ef09a041af26be551ae9

SHA1
b30a502b06d16772edc81d758e398c9733d968ab

SHA256
40eb7b3f5047ebad72920d83ed19d6db38507c7e1408e23c67393a93e06d6e7c

SHA512
216c64823721dff504330d91de224406bdea1f4353e3b5ec0c05d8a49f53455609fb75efbad017ed11861a5b8f7705152ec4c176f97c5d268e0d33938e2ab57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsEQ.exe

Filesize
246KB

MD5
4c9b732a5ac9a196d2708fec0ec4a896

SHA1
ca01f1a0ed5c47a1034c5975f0a3ae04637e4869

SHA256
6fbbcb1219792f41da2b32933d5638b2ff4cba4a1f112576e2aab8541643d7e3

SHA512
7c906677c3b438452f394449d80b23fb46d987a2e7296b2f098ccc090d164421926d8563430d82ba9f9b39c83f7e0b34b8a0298c5086fa12c4c48db393a2675d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMEgQMMM.bat

Filesize
4B

MD5
d13b7bf2ce29e62c3a8cf9fadbd9bac2

SHA1
b6aab8e02b58182bb0d1a7d014f83a369af7be90

SHA256
ddc9ea0bf74f88ed3f4680c005363025d423800cf77e2c026b0308e120099fa7

SHA512
da62131c76d1118aef785599b2ae1f6b45b43b6011624986c46d16894ed2ae446d8450ec7c8833a4ac9ccf608b71096f07d28f9894aede6d4a3022130b76754b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PswIYQQk.bat

Filesize
4B

MD5
f6445bfb7c0e29803db2a7ae9f39c42f

SHA1
2a184eae80eb8bbb642252f1f8dab0a413e1d60e

SHA256
de0e0b2342c08317e9ce3fbf94960889b3062ff48ff4f6ad4c78eb91472b091b

SHA512
fa5524d54df5991009ed2ae3820086deac0f3e4a0c27e0eb0d804caeb4ceb546b82682484e8c921603a3de8429afadd3516801906cb9789c62422fc868a1ba9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMMe.exe

Filesize
189KB

MD5
25d5db29bfa1d807a1b7fe2510c97a7d

SHA1
d8ca5382ee2b2c45de0f098ebf6cb9aaff8932a6

SHA256
7d1f339e44a11a877d43f92f1b5881a4cbd3cb1f3046026d9cc931f4d979f98d

SHA512
da7311c700150892c6c9de93ba83050ba52ada899943b68ed7e3f0dcdbc2c201da0e4f75b56363ab08986a6cd0fd75153351d66265de09b9078a5ec02b08c05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQcC.exe

Filesize
248KB

MD5
8bfcb55a08662af1849aaf9fa93ee40b

SHA1
6d7be7006768c413ae787df0dc93d04b35e2028d

SHA256
52b841cafbbab93d830200f7a8fc3a56472d9645381d570a5e97b80c26ede4d5

SHA512
ed812075dc4d33b1df46683394d78a8c1eb47d41a144a05d9579272118f3e972b00639970ba4925458088e227c3105afb2331d3712c9ce74c79d7336f771b98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYMk.exe

Filesize
227KB

MD5
93c38506040ad1c7e3704a234e90a040

SHA1
b3403af0a93f3d96c14a5bd6179641408778c777

SHA256
4b2682e378f0054055715210e8c1a1506412b5d6987f50af2a37137eee78e6c7

SHA512
bdce887920ecd7c32508c9ec5628854c516b7f691983c4d0eac3f55eface288fead9cfbdae95620f82c63fa0e87b72cfa3f2d4bdaf4bc0a5ff52c93b81342258

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYci.exe

Filesize
241KB

MD5
66d8adba4ebb8f46b949167b91592050

SHA1
45a58dfe33241848112bb5e75afbd9875da29f82

SHA256
34848a493328a7c78f3710ab81cffe670bf3e1ad5c61d550e1766b771fdba3f8

SHA512
3d9915d70061234fe66bb1bb37a944aa35718760d5bbca57babcdec084d507561508e290f4f3ea189268884547f1dd59b7c7549db16cabab3fc562bf191a067c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcIG.exe

Filesize
235KB

MD5
d87ef81ee4b16e8b55ab5f4c830d0e51

SHA1
d52f370e4f35b5f701c05a3ae0825964d6112e0e

SHA256
64980f6d04d24cc3517972822bb17978a06edddc8d5115485b5ebfed8d01cda9

SHA512
612e1df87b5475212a1c4d502b2588f9b1f6a667a3bbbb6f93123b8034055965348822023cf1fbdf2712628d5541a87e51e8ad78e15563cb8a967019d5df81e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgUi.exe

Filesize
245KB

MD5
15cfe184438a26710efc103e5c772f8f

SHA1
2232d6421d11a69dc19cc22d9f9f498ee96326e3

SHA256
6fb858b80ab49bea4c5d9c17a9339ad4a0aa73e1fee15623286bfe15b40301d7

SHA512
5504ae297fa7fcf0a0255be0fe8051a72166c763f81e4d6f64d301d891f86bfaabd3d1c4871f84ac3dd7821f2ab9cde69be553240aa544c1166b5c8cb79cc07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\REcQgEMs.bat

Filesize
4B

MD5
9b176afc9ee0963d5daa5056fdf80147

SHA1
4cd3773104f1ac25c199b4951b0dc5fba290ba9a

SHA256
f2aa7407dd2cec30dc7c1274b9f636d70f626f26a3642d5a2cab6a6d4e91ec8c

SHA512
6b380abd757c3a8f5aef45942c5c73331e9475849b69394d68e48c0e61ff914f7f2e6b9a049f7d719150fb9f219d00b838ed3652722fada4d53cfe3c1aa703f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIkAEcMw.bat

Filesize
4B

MD5
c0a3222cfb19c1cc0e02928d4f7450c2

SHA1
71c98f7f320c8b3b4b1f06da62b559aeef111f16

SHA256
1df7a16ea3bf0137c9d7022f6d67979313fb23f770fabbe84fbf3e7ae37a4727

SHA512
62314b37667682aba247130fd6afbc7bc4f19cabce5c5b3cd9f5dfd0c1f62eedea96c6272555e9d3c7812d90397ea1fcd754141ab1517eda893c20e30b912bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReksEAUc.bat

Filesize
4B

MD5
d2dd0cc2bd1ba5e572491e410efa9bd6

SHA1
157c9af97fa5d0c0ab9a9eec9f7533400fdd423a

SHA256
9ba581d48a05093458ed70b2fd7f2ea656886f89eb1b6663632bb27a9559fef6

SHA512
ebdbb7e87fb6dd5cfb0a6f1003c72d7ec5c06c426d2ab34d379a9c21631afabd2ddcb8b89e5b3dad1a78ee1bd25964127490a2ff9d9ddd1fe5f6d0ac900f91aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RmYYgAYA.bat

Filesize
4B

MD5
2e86cadb17dafcde6c38f71d2994f063

SHA1
3f72211d089dc7d425f6e1e1afc010c13859e8e6

SHA256
45227bdd272bfd1e01dc8564514a519ed7d53ddc26e5b7b85fb6d538a28a83b7

SHA512
4d2c390532e5bbee10898d25fa12ff1152d24066019f5c1d03b5334720d40bae5c9b4c92eaab6ece6afe02b1fb3384586dd99a3a5ce97b0fad1a1e9ca174f920

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMAk.exe

Filesize
247KB

MD5
599620ff00eb3e59e12fdbb665fe6b9e

SHA1
181940b03159463af43e3c8ad99a1cb4aa765dc4

SHA256
ca43cbd84ebc53fc4f6c5e918bf339d6baf0a821de469013556918c594b49bb7

SHA512
0e04b3a4c04f76236c4e195c216fd247fd5537e966a797e8f40130aaa054d1cf51f9d216c6fa153f1d38cf875eb910be02e0cef130246429fa515601ff376560

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUwY.exe

Filesize
190KB

MD5
5fd05c558834146e6bb0f55ae2ec197b

SHA1
c2c4651a6b74233207b067e4ecd94bbc18c2c89c

SHA256
09c2b454b3e1c09f06804d3ba3e725f2905f10df4dc9496e49b9b0955cb4c8f3

SHA512
466472f7409bd2999b417ff19c8a561a4235da84d0df16c7745a3802cb479cdb465639ee2b1a73a387cf57f6ac3af1bf213a805966f1f8847d5c971076f61470

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScMw.exe

Filesize
881KB

MD5
a27ffbef3a9a21c5da107a5a15a196fd

SHA1
fb6a671ec0781964e957f527bc8e9d2569c2bd29

SHA256
1e0130203843b8df8680911d673edb93f661003fe488542b8ba79e261f975521

SHA512
3d33e4e78b05d039387760a674f8c10c7e0d2b425e4a374b9cd814e2b4bd18a52291232d654957c7f3e76ef0a292f43ab4bec5c9882289ff2ef3a6be17f3487f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgQe.exe

Filesize
196KB

MD5
f7cfbb9cc171c49429a7721f7c8be956

SHA1
2ceff59bc1145e684f47e6e2eb02371e77838d75

SHA256
254a8a7e2ecf19a3ff5cc576813fa058a1bd2c364915a2cddb26e3a5d4915527

SHA512
a42df89cebe6b40b101fd109bc26935079e1167d4182fa4876b99c7e0fe4c6691a0e173fca0ee59911cce9dce3723bb58075f9f6e998946e19998bc3a283a2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOwIwEcg.bat

Filesize
4B

MD5
d2d3f13fc741644c2d70baf135ae6345

SHA1
c4b05b7ef7107b9bc7976c88028f2186f34afcc4

SHA256
706304c496bc91991cc25425e885f2d8174b9d5e907f462343d0f18b561b486d

SHA512
a6190c51c7d10eef1d77a8b8e8963592b2450ae02af61c50af40bb145bb22c139e1dd65de1899c153aabc8b199c64df017493ef66f88f2515bec4d578dff3845

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaYQgowQ.bat

Filesize
4B

MD5
17df5456a8548de58b1ddf16e1c726e1

SHA1
65f770eb8fca081ee1cb37f668ab27bc5f2ba6b6

SHA256
8dde4ca20c355b5605d67b810fe47ddd9f3b590e9e678d25bf255722e2cdc4f6

SHA512
3a0aebe439f18029723e7f7e355aeafabb52dbde7423f8198273161f1ce737ce88ed7773deb4ad857d96c5e2c380665ceb6476e6f7ae422718788570b163ca82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToEYMwoU.bat

Filesize
4B

MD5
e2230f056338a6f3750e77def1315358

SHA1
897c774b9ea15f473c18a65bd80bfeedeff3d148

SHA256
aa3c0c06b7cf538948777144c69e1fb9f4ed4f7abd1a1d4e83148c2dc41195bd

SHA512
7ef81d93c1eb76fdcd5c3433c8dcb013e010f58c5eddd7b61eea19f357be52ce777ed7d820009dfb045df877c739b765ee4c4969d7c289011e2c5048dd221194

Download Submit
C:\Users\Admin\AppData\Local\Temp\TqsgcwEw.bat

Filesize
4B

MD5
74309edf51415d19bca9f5385431d554

SHA1
c3f06992eef4434b9fc51070603e77e561edc3f8

SHA256
138a8b0f362ad19da9382de38724256fe1bad8e61f6d0f9252e4ae653345c2dd

SHA512
ffb0db225786fe61f32e89ccd2f63720026e20ae34c77fc0a9cc7939c2f064f1f80a496930915330f8807f0a5d11dce63a7ebc3d0061ca1378831794725f95fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAEkIIsc.bat

Filesize
4B

MD5
9e9bf787a636fe3ca780bdf947ff155d

SHA1
57e24d494e3634b5970fb3815e86505b90d9f683

SHA256
14cb23f5c9379c5f9e4c9f50f0085fc085e684d2eb67456d9217ed6cafb0eb98

SHA512
15582589d469c3d199fe649de47c9494576fc62cab3efc05207639c75dc2c003c0a7a1eaf138a47e4eff24a90f96e5b79b30600d13cdbb031cd3c94a4b2459fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEwy.exe

Filesize
674KB

MD5
e585a3af83ff1d13a9f9ff9aa46bd14b

SHA1
e1ca9cbe0e85179d0c8c5a4ca0dfbc53c24d1fe3

SHA256
2f65d980f95a4a7f409402cfe1d617189cbbe43c113d5ed3e5123af010f2906f

SHA512
b16cde5a00431f56b11b0df6e29cdbb1db982ffa81e6a15112d079b0032df18b35580439f0be286f84b68ec0a1f0857121a0097d286620b783c2a1f5dd734a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMcwgMAM.bat

Filesize
4B

MD5
de267a7e7647683233f4bc7cf67a9529

SHA1
eae89510efa5cabb03b05c0ce1a34a9b8ccf3526

SHA256
178185031382a1e277898d8c57da5a657d7b7271521cb91295187e86d1b650f4

SHA512
8440114c8f9992778ee53558dff3be2d7efdd99bb5bf85ac731cbfe85b243773e5cee10a9adbe9d5ed0b7b2ea00d5d39ef80bce03d8aeeb3d4b3caf690324e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUEK.exe

Filesize
237KB

MD5
bce949e6f357a67c69aca537db36ea48

SHA1
826b983b0e11696f234baf53e8f949055737fb70

SHA256
b01c93d856478ac77945d2d37c53d2791bd215dd9492460f2a71137eb92cbc46

SHA512
e696156dc4731e1a11be092f1e154762d11bc6e2bdc3f319d38010a0c9e81e9c23c91fa5e5e3e596e792acb5518004ab0e1871bf92dae94e93fd9c1212adaa81

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUYk.exe

Filesize
239KB

MD5
e9f81c36958bcd07eafe0940a99a137c

SHA1
9f1c95ee45fd1de7bdc37f4ca67bb98bcbc1d371

SHA256
0a800fe14613f57fb66d8e8663c8cf06ae466fc38896a0d717a29e9440658bc6

SHA512
36aa9ae1d7549c4b4dfa67a8ffe47c3dd593ece5f491e2641b003863e5aaf1aa42b7827c335d1189eddfa2acbe0af253d76e75a233ed165ed48048a07c5881c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcQQ.exe

Filesize
200KB

MD5
60e046abeb1ee9cea39b55330230ab3d

SHA1
1b009218a50d05fdef1133bed006ce5e4ff52338

SHA256
fd81867ca6b866362232a96796aa65b68aca1866c7075477e48c7fac629b8c9a

SHA512
51a70a5afe65b1430666ee09c0a80a1425c5429bef4545e1ad085461081633029c2500d7017acae036bf77363e2e285aa71b066dbee40e3703c3660db9806225

Download Submit
C:\Users\Admin\AppData\Local\Temp\UikEocQY.bat

Filesize
4B

MD5
43152a7ae5619500d24201a98ef39267

SHA1
165549cfd2b124ad1517cacc68dec00ca465281a

SHA256
8fe29395dcc1c7b4e1c9d2d8cad64fa6c11a65b538ffcbeddaf206ced4520b08

SHA512
7534e0cff5259c2e8ffb622e3d5be39c2dbb5c58ec4457bad43200c9f93e0b6b8410ecdcd2a11f7ddc46f599aaa13cefdfe81a996cf5a7c7ca034ca8f37f6c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkQK.exe

Filesize
241KB

MD5
ec9cb697ffbfece1a5ce86f1befc6c28

SHA1
fb65de0b2151bb70599d6f01c9352fc315b941b8

SHA256
318a6d4f95c7505e121a51de21dab069969e5599161071ed6dd82b56ec1a9855

SHA512
9d7fbc2e0c41a36006808a66bcbda3fc4d7b3243b6f94909ba353be58f25e287b191598dc39532a1fa488e3cc3d4a6cea7093bc548d4f43275d501d2dd88c438

Download Submit
C:\Users\Admin\AppData\Local\Temp\UowO.exe

Filesize
236KB

MD5
2d0a160c3138256cee74dac69a12b580

SHA1
687a9253a8f336264008fcde4b7c14c7fb1fcbfe

SHA256
6529b80b72d75aba8c1d63d6126c7ef3e0868f4a1272ad7528db0b768580572c

SHA512
3f8039d351cc9cdc153eab5e8542b0739fbbdeeef263e7d7675519ed8a1e039ac6c3f6cd14224b988696a052be41c3ec9ca302ebac396c4801179e7ca3ec94bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwQs.exe

Filesize
828KB

MD5
2a47e2a8266e875efc37719ad860ee8e

SHA1
f362a7e22913e69354421a158bb35d356dc78e0f

SHA256
1e9b477cf61394fe4f71464823936f84e948601890a9a680497a50524abc844c

SHA512
1ed6e31e1f72472848e02e3de8059b7f4697dca918700c77c9a687e400501983789372bd7607560e96ea9bb67553211472bce68aa1c13f478f568a36ffc57fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwsE.exe

Filesize
573KB

MD5
ffcdfb34fa45388e418a27e67d033ed7

SHA1
08898f10624d13403eb56c6dd481756e05abd297

SHA256
5d077cec4cfddeb09de6b66db341f3df3f386bab96dc6e1cdca19fdc1cf02927

SHA512
31eaa9e95a09502f51dea60da5a543f1450df820f86f329d0777fcce2cf9fdbe27ff88cd8bde3be2f8553cab26d7c7d43111d6cea4cb947ab6f2ea9f46bdf7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VacYQYUY.bat

Filesize
4B

MD5
07d06dbe0bbd7309f6f4dd323da7451a

SHA1
50c35d930db09e9fc2295e6f0c8af4698b468a10

SHA256
2bd9fa0f4e302f88d370f12bd74c9f389e0f8f627cb6c755c590a11736911ead

SHA512
f6ec2437cf25df5db9c71ac6a71ebc3154177ed976b2ce56e9fd2ec467cdc258a613587d32cde0e3c956fe0ee40177fdf43b9aca8653d84b88bc87ccd77e5785

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYW.exe

Filesize
250KB

MD5
1d14cbc6b4f2b47bd9dd574deb771dc1

SHA1
fb322cf20f0d4b725d871bb1f04fb2839acfd50a

SHA256
d59b59ed0530623b779b2c69f504aff78e66eb2392fa9f14032813a659850e4e

SHA512
4f2d2b97dc7e2d3e86e661662ac813952aa123a05197c265489359bc9c6c0bad2c1283ef3a2f167a2e114330f60985e5919501089a49f17c7c459ae95381f87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQIu.exe

Filesize
193KB

MD5
509433859233c9c5d98daedaf892eb61

SHA1
55b181e8eb35d3a6034bf2f05e601d0743858b26

SHA256
acab34eedf625ad8e7fba70f506a6a48207cffc1f4dc6760eac39ffd40cacb82

SHA512
e8d706ae3b879f4fc675ac9c5eea6180f4c6228cf74c0e006c7702d99274f69c24a4ffff8526b4974dcd33eac1bcb2f7fb7e451ce809e38803386f3845e9ba15

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUUS.exe

Filesize
1009KB

MD5
e029ae3eb0301e739acee9b22f9d2460

SHA1
5d5814b7dc6e6425705035d6bb79cec057b07c4c

SHA256
aab4517aa0482ca5a1ec9ac1bdcb28ceb8a16b9eb6fde2402e909456ce96c18e

SHA512
421107ac4a1ab04a79b9bf2f444c915088ef2ab3a224977a8a921d8f8880c4dc715923d5b149374c04bcde5822c788211f25621a449384235fc8e841a4301cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgAI.exe

Filesize
962KB

MD5
c49affa152ad33cb3d1f8765013da807

SHA1
639b540385399d8da4048e139fa33383d2a30b40

SHA256
c22fb4a1aedbe9064c21f1e9016d091e41be4336966acd3915f044dc1376cc4a

SHA512
6253c95201f4c8b5e44bbf23f7683ddcff2c450e5b974001812fa6fcd640194ee304dd83ed856cdb2eb34626c01ea2ee7b6d6a1cabae422cfa850edb74e92bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkEY.ico

Filesize
4KB

MD5
97ff638c39767356fc81ae9ba75057e8

SHA1
92e201c9a4dc807643402f646cbb7e4433b7d713

SHA256
9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093

SHA512
167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoUMUAkE.bat

Filesize
4B

MD5
86206423b3623022f2d8fce4d2c042b2

SHA1
2f04f882d62ce5c5dcbb710d09b1d643e86d79cd

SHA256
dca0a06c4b9b4e599da567859397d296811fdd707e9020266281d8a14991acbb

SHA512
a3095aae9536b78429777e38069ede75bfbf6ca91313b32b8fdea48d569b1a98dd9baf7464f5323593e11f606e027073a92eb2ce9f24b8166b4d4a2c91686a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwgE.exe

Filesize
623KB

MD5
faa6828baeb3baecf655aa7f8307ab4d

SHA1
ea7490b238c2493366d3c5a8497963541f07641b

SHA256
4d4b573027e394a056eede31b6e739523605c9935c7fd100d24e4656d783c163

SHA512
f813cbb8b9e8b0e4db35d5ce981471e2d3d7ec495162954549a59fb7943e03c887fb11e6f426b1f61a41d4b4f2c2737f01aef94bbead0b08ddc9a7735d98fa03

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwkY.exe

Filesize
199KB

MD5
58b18d6c296417ac7e4e4da19edd7317

SHA1
809ac1df1ea79d6b55ec9ed3bd7708024e4de0d1

SHA256
854ecddf705afb984dab75551cf997a4d0e615a36f5434cbb261156f8e3bdc4a

SHA512
04ce06de904e10558d81e2fbab2c4442b82b0862c0de67be44928499cf21ae6b2a5c88e29ce02ecd7e6de6583f8925e9edb644655c115d8dbede92fa3d0630b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XeAksMUc.bat

Filesize
4B

MD5
131b5652c28e91d3a8687bef83b66e43

SHA1
82ed2fbeb85e06ac3e68a0734083904cb27f8afe

SHA256
d9585e8d3d647c1475aa86bbca97de8b5801b8cf3ee304c722b165b0bec25709

SHA512
ba7ef75b9be406b538a7a6ddb0c33e4bcd458541a6720493444adfa7917b1156c514222c4700fd448b7580e3f83b55a0b39a95a17d985f3fad876c63f8e376fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgMkoIIg.bat

Filesize
4B

MD5
097f33d73dfa18555841c047e561e9ac

SHA1
eb162a293f880718e0d8596eda776c765dd1ad0d

SHA256
4049727c512fe6001ce10494a64bfdb0281d1f1dfbd3deceb0b956f020390c8a

SHA512
80ea3240cf4fd58a58c65dc3aba4de4d855b5d7496e68e0aeabcc5b3b48338ceae0dd1ca541fba7f311e7692bcb5ce1e5dd36fecc05c59dbeb37ba6417faed45

Download Submit
C:\Users\Admin\AppData\Local\Temp\XuksUkAM.bat

Filesize
4B

MD5
8431384a0221cbca084a96d186ca3818

SHA1
9444bccae9f868e4d3721012e9c60a883d010310

SHA256
66a733707fdf112cbdeec906128e81684a6efa5cde41d11fdeee9a9d625629ca

SHA512
91632e96afcf18aa4eef1b5d15a290b57a6350765dde4b95b3a1d9d71d20f1437e18a371ab32be93328901dad159c6a4f589f59f486fd34cc3f6a60bb9f042ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGkkkskw.bat

Filesize
4B

MD5
815c790ee13920be11c4fdb76f1d0aa6

SHA1
1e0ce69881cf3c820ac600ac9a9d937b2cd9912b

SHA256
cd1127915ac7a310d424a4b8171777912ea0273a739b6e9d1e41be4cbcb8f2ee

SHA512
c8c164c4a0d635524d491a482a7584a9035a8040bc90c5c2cfa629932dfa17eb9db24dfc034a1957c0067edda70320eded205f67b5671b6d5b3931fdbe3fc6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIMG.exe

Filesize
1.2MB

MD5
bf68e38070d214512a06357b8c2db8c6

SHA1
6c6bb9a2f515e8718f14583f19033f3607fa8fee

SHA256
da6d69faec0b97000ccb5294d622fb82ac69815e036d6c928b0310b9147dd8db

SHA512
a55cd2a2462f5266a53fbb9e42ee19213e61e27bc8e59a08fdfd62a7fea917a92d9330b05454882f8cbe7c8f305b273802e37b92faaca7aea468c45ab0040ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMgm.exe

Filesize
215KB

MD5
f24583695f89428b464c0a5e09352d4d

SHA1
717188f932ac212d8d902719da1c3b33f2b64b00

SHA256
e22d458b6a7fdf865f8960e9e3653cdc2038231fc027d52f14800f36556475b4

SHA512
ac6cb1e79df2a73a6f7ed88440d51aaa3733aa81235e6322c52f4c83d3cd261e92939eaa761041d60c39b585d6d0a3b4bf6e604e2c176246f9375f76c8299266

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMoc.exe

Filesize
520KB

MD5
6af871dc4b4e47039b9fbbbb32b7ab36

SHA1
755285907fe75e23719e764d29b8bd26dbf7daf6

SHA256
ccd0c5e0adf348c63dc7e32a1b0e406b9eed3dd6d68dbb8106aa687940ff8e18

SHA512
ba5b363ec3b68709f3503c24c4f4d8032120941b685238893eb7b9447e3d0ec27c8385be7c8fa43c95f3078032b0bf4528abce95125891061abadda3b2e9192b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YWAUQckE.bat

Filesize
4B

MD5
254bd54a94f7f35343df6ea1b4542474

SHA1
b1cde7fbace41fb839b8b79ba74b08a40ebd9380

SHA256
f6d5519bc404436ae69a7e54f650b2e34caa5a324bc698eafe0e2701d377b3e8

SHA512
8def30e0ef330b9f5cb9b1743abf19b587852e6da22a4ab9c8aa68f30de063e16fcf681552a0e2a0333ab32536b07b1201aa099ad54e364ca6f1252bbc79f5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYUQ.exe

Filesize
253KB

MD5
a8d87513ef8c59f43e6797ca804ab0ee

SHA1
4f6538dfca7b8f19ebef8dcf73ae5d598010164a

SHA256
9d46381ee726d7e2797797b267e056d654735ee1bba2b510895e382be6d374e9

SHA512
5c8bee7956017d53b657824975b3866ec055f7c1c1a6ebb51031c4df4902efba0b86d2cdbe91078bf175be2c7668ec604281dca484804673ec45660fe17d8cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgYw.exe

Filesize
199KB

MD5
6e47039926a98cbd1511d5f48c43e9e4

SHA1
aa45fff764bbeee8702841e2dc9cbb7350d6ddc8

SHA256
02911ede248175f9db45339946d96677d637d1419870857475821ec71cc53bb7

SHA512
1086c981d0ce299a3cada699012ff12077b58a4fb223054d91342edb7d9928b3de5ad4b7d9b2f3751709fd1bed318a5f4b5f9059d92c7e5d38256a55bdf7bf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkIQAkQw.bat

Filesize
4B

MD5
a08854d1cc25b5ce6433b8836c256c46

SHA1
5c60322b844297f1ec29d810a981058321daa542

SHA256
b6ab47641d43cfd9bc71d7214a4988fc22d99199594318e7ac3411d9f9e4ee91

SHA512
d5460065f18fdaff4e5ccd0e2b8c2057e56b476f95d11566d2e4bf4a416bdc733de9eab9a56625772e74c3db8da1c30f7a29e21cb2e1176a8c1637711c91eafd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkIo.exe

Filesize
248KB

MD5
f712b8899e5c8138b1c807848f8579e2

SHA1
acafc927f434ee51608ad24fd26af144ba1d8a54

SHA256
b6e95da460827a778dc57d1852ef16ec73e5b1545202c02fee0d2ee6276266b1

SHA512
6bfd0bf5e0e5634ca86aeb5e2c4246ea5f32c0c20204a2d0f64f0b6e3cefa5c8bf51b11d333ea30e9ff543f4556c87ef95a859e95d69b0441fbaf1daf99af2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkQK.exe

Filesize
236KB

MD5
c529c5ad3b0cbfbbd241c75cd220bc5d

SHA1
2c9a94cdcf9af5bdd569a5f1d321e2faa72ce368

SHA256
fbe2136b70961d7149f409244983ca2c8f9f9b100e86d55607541a1751365df3

SHA512
2f779d5108a0e1ebccb5d2e12ce155d6bac287ba48c1016e604b80560d9c3d58ec02a3facf051bd1b9df814e84975795a009b627ce579d89098c3cf3f1f02896

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykou.exe

Filesize
243KB

MD5
3fb5abb7da3ba5b3f2305d8065d375e2

SHA1
d1626711240ba54cbde33fcbbd503c5740dce3d7

SHA256
aa02869b848df2ad26526b4c95d36089e1b9e9cd0fcfc96457b1c06e9185fca5

SHA512
01ab4e6241c2587954aef76587d967437d9a464e2cb7abf53a56f8fe6f0ce3f860e56db326f8337e279adc9ac1e3fc08d68ec2396fa3a2f29c61251a9bfa2ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoQG.exe

Filesize
810KB

MD5
af45b9c544a9f53dbcec440bfbf28954

SHA1
b737fa16268734e57ce38a9fafc69d88997005c5

SHA256
8970383dcfd32ce0f1d7efadc7ab3e6dc6a0e9e10ab7669afd70c9a0d74f76f0

SHA512
328f03e5aed7f197ca0a23950858bb37d8b2ed943d836a4fb0cdd6c11af10219bf4e722e55cfc334f5ecb4bc85961d8232d44f57eadd53799ca24de74417195b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsIsEMwo.bat

Filesize
4B

MD5
62192e33461d34305764beef1aa25b76

SHA1
3c6a39380454cbc6204f50981d0f95e4fdb4baa4

SHA256
3159f5b2cc9961e5784bb690e368fb3f29ac20cd240385ade0670808ac1c03f8

SHA512
e11ad706763384095aed471356de30a23e5d68a747c4b7cc1e4f7270a96a67224f31e5fe526c08afd7ff92f94a9c11430a3242824df15ee71596ed881b3f38b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsQu.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsQy.exe

Filesize
705KB

MD5
28225dc93cddd162e1e6cff9c1720861

SHA1
d1443b250d46a158063bb189feedcf74c605a848

SHA256
fa974f96694afae64a86555a50d5a0b3bb738cdd1ebd529b9969e8592216d116

SHA512
23656c4a495651fd315c01dd79b75581cd905f554e148ae51702e9015d8aeed2a31c822498c0ff8692f35545c8f78261a79f7147b574d53b4393445892346e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZCoYkAQY.bat

Filesize
4B

MD5
3c031316233d11e610fe70e80b85bfd3

SHA1
38eb85ece5ce62c3073285d870fe2267e844fdad

SHA256
79139988ebb811e191a7bd776568a6db9cd35b6baa78cc16ba666bc1d99c4f25

SHA512
b49b68dd456b585478f9d920bb3951e653881d15ad85a6ec8594418b1046e8aa12d607ce581456cb02c3e26305679d68d3f8e60c638e67462f03459d6a1c1e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAQM.exe

Filesize
315KB

MD5
d07b599bb9f9441b51e9b3233df785d9

SHA1
49065b8e1a4cf9cd1f0d2eb0fee302329e7485a5

SHA256
44460c02dbcd8a20936ed361715b9f854cd04ad01006d7ff4486ac56738f68fe

SHA512
f5e86c0ddfbcc299f69c2d151f72d807ed98bb3f17b3f47e6758f765caf0ab660af7c3013bebd8cecb90d87657a2160b213516a8d7cfa1351a63832212ca8683

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAUa.exe

Filesize
233KB

MD5
fe6e8239e9745abafab035418cce9181

SHA1
bbec35f38a0549f2035814aec5b6579b7b712c3a

SHA256
d3e1223bbda64d70abb1bf60b2b9ba7c9a720836ce407d039c7e3e3c9fec1c8f

SHA512
0f90158182b08d96fb12c80848e85e35a3dbda6fe06fc26d8e46d17840413f719772da1322be006102693241d51bed8eca330da436b41ca8dfed137496b4d8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIIQgQYI.bat

Filesize
4B

MD5
b842a26671063f4d11da2439afdd0dfe

SHA1
4ad01b19155a2af14ae60b7aa56c04fbe3db4c33

SHA256
2a865d430682054e5f8386fe482e7e00e1449be74bd70d2f2aa00205e4d62471

SHA512
d149061822b050580f789468e1156f0016df5bdf198eec709d2b66584653982ba6006c010126e6dd5920cad80f6dd9192bf4b2036888b8ec2ebed0996563319a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMcs.exe

Filesize
236KB

MD5
7aab572091af355555b25e9e3a3150f6

SHA1
119e535712c327165d2f19351a60dc7a2970099c

SHA256
72c2dd93a411c73408a08487c40faeb0f0e91f5b86079cbea1769d9a1bf66c41

SHA512
0580ff2ccc8f63760d902275b07a388ca8e578d58a110bffd636c10e3c0dc828fe1de67baeb9fe789ed8c640b694ec02f3ae220db1367cdbc6b9f20e92cf57f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUIi.exe

Filesize
237KB

MD5
8f2d8770fd5eb08b857ea22bfe7b518a

SHA1
96ff2875cfef9f2cbce8558ce738898921f6d5cc

SHA256
53ecb374797a55a8a72db5849f9307bfe9817a456e9850deaadf1dad628ed436

SHA512
6d83e9b8fe790c3ca89ec9c14b7f8b69d1482f70982b49a294615c6f5e057b0d34bac4f006bc3ae1d0fb3bbb14573f47045a5fc1b978982ed5b16890ea10baf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWAgEIsM.bat

Filesize
4B

MD5
0df6cb3d5ab35062b7c07ec34bd6d60e

SHA1
6e3c8a0fb2da5c41888d90f131dca606fc4ee9fe

SHA256
73fe2ec4395b8fcb5998c16eb6d939cfae48a91968f817c1c74fd4322312b182

SHA512
c3f9745df2c6e99da604ca9de31f9344588f53c28964f96691af560579a9c361a789de1d94d2a8e2c1e8f38bea123593d2c0488b340c3217eee95221fbe2d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaUccQQA.bat

Filesize
4B

MD5
a8a56e29136d96da5a166d269710948d

SHA1
a4fc1764e9f9322e17f577e638b22e8325dae716

SHA256
830c9a05cb7d0e8b0c1c7099a14fd4a98f86a23f2ae9ec58a394d491c90f7a1e

SHA512
4c20d8810d63820dbf747b71d68eb58d62024a2f2852bd1588f02e1700a0b238b3d8bd450fa172274bc4743676307d16f14c95ba77504ab69a9262bb452c07c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\acIy.exe

Filesize
188KB

MD5
b71e252841a34b6e40d4d46b26cfd169

SHA1
e4f71bbd7be850fc58be5a026b40073d69b69e6e

SHA256
19b9807d0a1a8116ae13c8c9037997fdb5085684941179c4fa64d112fc2d6a0a

SHA512
be63d8481e77c01e14878e9961bf6bf6db97a89fa15de38114277c770d6718ce491c72dbfc8f9be6d205936a6c8fef1f9554769b8980859cd013b1345d168db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\amgcssgU.bat

Filesize
4B

MD5
3353872b8dc6785cb2961dd29830e0f5

SHA1
cddb5d4030da54094f33409917e65080ac13dae2

SHA256
828c595b240733be8d27ea913136faca73dc40da681178e0db02d85cf8ae2e79

SHA512
291a1bc21783b20e1fed94229c797cb603e1e28c211ccfddb5935a9b1df496e0bedf0609a86bfe44fa6e578b850662928bbe0336301f186b46818acdff942b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqUkooIM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\awUY.exe

Filesize
245KB

MD5
bde522f49b424940c8e472f339be7a0a

SHA1
39f9540adf58d94b33cd683b2e4e687db4b34672

SHA256
5c9a6a0c40bcaf7f86d46a61f976071ef7b5f8726083286c6c32f377cfbbb3d2

SHA512
a7fcc8d3cfef3331c252f69577afcb33041290e21dd70135583e471ecf1e1271c1b23e1399e3dcfb6b6622f67811154775adec5105547b0bb98a83fab0e8bdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEYcwQMQ.bat

Filesize
4B

MD5
3d12934fc02e33f53e032f16cac76710

SHA1
c0de0083efadc7b8ee958c1d1a208708947d5b03

SHA256
ba693be604cdfc965f5cdb11bf9e523500e39c8116ff0a4d3c3b74c0fc55b2ea

SHA512
e7ae528d7e9264cd427d9fe423bc5106e6585e76ab5ff8b00ae322f5212604cb5b5021fee332e81750b8d473d0ddd4fb14d0a7c7983951c9ceea04ef50088ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bSoUMcIw.bat

Filesize
4B

MD5
75b37dcacea7c08e1fa33e7e6f2015c4

SHA1
85b80cda18e526a63e0858969518d0c18a2e2ba7

SHA256
cc22edd65e16da0b215b35de38f56288a48b73df9ef72f05cdffd1b23cdaaf3c

SHA512
a5f2d7410238c281e78d49cd082f9c5e27412544655db500e1f0a101df6fe518cce2a791b32efaf6c3ffa113c7cae7f5510157658b707758782ffa21b541f5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEMq.exe

Filesize
192KB

MD5
ab6814d70d59c0be31cedde61d6a2d79

SHA1
df386c3a3f075e0e4f53a36c036f9e0de0c5cad9

SHA256
4a37ba99a7dfdeac96c70a7a2a631f663b073f58499fdeee64033ae0e07051a2

SHA512
0c0bc5365f2279dbc24016ff3c5a9f9a597f3977ec6cad1e6a86e4e7812a33788b9e44f09c4d3d28aa474ef214c6f9cb965c59a349645b5c245a3e9f2cafe9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEsM.exe

Filesize
248KB

MD5
c699b3de6a96286c2eceedefb8700415

SHA1
822a0c1802e56e4c1594398fec9dbcd6b8301531

SHA256
1940f41a955472e599272430f6ed7af5c81ba93f8e5bc9263dd804ef3988ee54

SHA512
4d690b74167b29b8191deedc37e1a4b911bcd014899fb51b55f22c9747362fac67ab01fd6583f7791f38682d085dd53294ed4c27d434d4b159bf9b668d18feed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEss.exe

Filesize
250KB

MD5
e73bf5c800dcd0c7578d90cb91e579aa

SHA1
a27ab03b632d5d94d7e21ba736547f6c652cefdb

SHA256
0e5f3a35bc3e890263656bb68dc10819449a3cc8237f10042ec9f8abf4754c63

SHA512
c0b3997691d8420c3b740700be43847c182d8a5d856d24614c4a4938ef2b1e41de5ee80093639a2c9286d2279b14a6aae052e82801e6d312a48bc2405e3ed335

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYsG.exe

Filesize
227KB

MD5
7e90ae9db5e503b22559f4e5cdb08653

SHA1
3ad66756e67a4892aa135fd49c73c4e201b42413

SHA256
c3d1e3b10f7a9fe6cd3a0e4917e6c229d5417112454f60df1db8b2bb37ba269f

SHA512
9523914e4611e3a4b09376d732a167e49bc81f7387740d61622b3d416aac439b99fa132a5ebb3a32d7b5ae091f93ec93498a34ea51571c03aa69a9c96f368b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cggEksos.bat

Filesize
4B

MD5
697567a0ed32f25c2dc36b99bfe7898b

SHA1
dc89c5de940232be75844d8169eeb8a74e4ed6a3

SHA256
51f9b5b2ab1ce5ad83b98dddea4a98e4e7662c9782be09eca774a65f68f34455

SHA512
b57fc54237a29898e91fd9af4a30654751bd1f14af3e82f0d266eec4cd6ed8d08563873edb8985407044be8f355088c88bdfc833d73d6fe8322e6452049b7fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqkUEYEk.bat

Filesize
4B

MD5
fa06bb11e2b8473af3553c8abaff7f47

SHA1
8b6df7e3c0f7aafd72853ea29424d0d7192f3ae3

SHA256
3a2d8bcf9f6e35740630893b57bbaebf0d06aa92944e43c1fb225875fc5e9a2f

SHA512
98ae0abf25ab138e49bdb385c46cd93eb8055a7400cf3328575d547c9b8b4e9721f7eefa8d069cff5c4b160d2fec1665d1c7ff808e051f11f06758fbe7267e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwAS.exe

Filesize
231KB

MD5
bf5deaff2f474676dfdfdac422821de3

SHA1
1bc2a05b5a750ad40e105f84ce83523d831b3ea9

SHA256
79d1ac80bbbc17d5f9594dfd30a23d32471f116d1966a20df718a7b364c53c48

SHA512
c93f0da46d5989e9dccda00905e9e4317c7ab61024e1771298a6636ab563a439f3acc28e433ef133e08aad64804afc37c15837e3c1065105f38d78cd4487ecec

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIsQcogs.bat

Filesize
4B

MD5
e759f00e7ee862ae01fd178eedba489b

SHA1
983442f2eedfa30012a16f90ad117759e28dc3e0

SHA256
97621d46c31b79558b39829559eebf2eecf7bb9032f750ffc824c42ad3e80054

SHA512
715e536b9c45d3645c5ee3ebb7b02cefc82632c792c18db6bce2abfd34d04ad212e0e0a8cf25ae3e1fe5d99525cbf71ae8c951971ea6c9307d05f40f4b6c99d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQMkkAEw.bat

Filesize
4B

MD5
1b83285146b6389bf4ed1c10b2f5f558

SHA1
d2228d36721edd121da8ded68ebda5b6b6bd6c5d

SHA256
0897a32eb29fb2ae5da66107470467a9d734ea56229c11fe84068f9a7f8b4edf

SHA512
1bb52fca28aa9760aac72714000073d86552a4145708e99fa291d35b303aba4cafc5e6bc9f33b0ed6146d177d7e0564698980a527c8b70ef39212d693ffa887f

Download Submit
C:\Users\Admin\AppData\Local\Temp\deAUUEgY.bat

Filesize
4B

MD5
c971a2afc91ff59b7b863eebe06aa551

SHA1
00df25ecadfb75bd165e60f2c52edfb27b2741b9

SHA256
0454881afdf74aa30dc5e25655ed88945f9c316263d5720d2c46aa5e45cc11f2

SHA512
b36be8b101b577a177972046ddebaa7a5612f2d1620b6f5079aa2bd563c67637ad931ad547534fdf6c8e0c86d49832c896c8a5b49634175b1c0f2efdc4647970

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMwIkcUE.bat

Filesize
4B

MD5
b4d10fa947fec9a04d0dedc5a58a871e

SHA1
7b4ff3ff91de0b59040d923631d7ec8772702f01

SHA256
36bf8d263995aa8c44de36bb211aeaff0982146aa96d259a90849bff5e7f63da

SHA512
6e5fbf6b2c292e7d241029e4f8f8ce1fbe286ba1010952a95fe2fc12526af20c014aaaca19a4a299df248c7f9d4e9caa5f5183ccd721bf6d82a9c1c769a37504

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQIE.exe

Filesize
185KB

MD5
aa5335a617613a03cd6514a690326477

SHA1
2be8a22b5c5257be952288a9aa0697d00e167be9

SHA256
a5404c39bcca6f9f81e9aa507aeac3a82a7edefaccf611a1a4e3b4c020d9598a

SHA512
55a011d711574522db9ca8c635d9283cdd1810793902488d10340637caa22412d00fb0b66b082afe20779234f354b8cbca0782c4b4113a58de3afe4570c1b199

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQgy.exe

Filesize
306KB

MD5
fc66e9887ba939d1e1d2613ca4ab77b5

SHA1
e6cbae021da60e15c675a1c9565cad506c9ba0bb

SHA256
939c897c2ada6e4cee18a09dfd539072b106df77a939267c66966e461ddea211

SHA512
7619eff49d641127c1443cde6f66b429dfa12b7977b780256866d5c224ba394459ee46a8bc5068c7dba0b982c9b26400e21c0ce80dc3b1a02fb575c328008de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUEE.exe

Filesize
229KB

MD5
62b61b8b781eb97d52740451dfb3203e

SHA1
5f14c32e6b43abfb649b881258969f357772a3cd

SHA256
e16710242660dbf0987e896bbad464ac928fc4bcce51eb8a12e54cfbe3358c6a

SHA512
f8db35740f27928d747d1cb982b7fd2d021b966e275a02cae1c3c57c4812224bbf25c6156f1c1e2b55749cafe8106f763e5b6391878460fbf0e7f0b5347a1f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekIG.exe

Filesize
1.0MB

MD5
45d1e53dd61d3fbf04c77161b6b042c0

SHA1
7ef4b6e69b113bf91f59df26c74a55c224933475

SHA256
00ec83ef9333cf1021c28abd02a0e0a142ed3edf7871c659e8a348bd9b8b0031

SHA512
76686a512fc8869eee47c165b084e1d2b1721c29504294068fbb1c56768d555da7f4631d36a55a85182ab998238266b797355a6fbd1eb23edd62c6aeced64313

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoUc.exe

Filesize
231KB

MD5
02e19bbc49c8dcd4f5336fd0fadb436d

SHA1
7bd63199245cf344ad0c59d68cd86cd153a62f48

SHA256
42c70e1c63b0665ea0ab8cc64f8a8576b150b961450d44200d5cc28ea83938fa

SHA512
ee140f8b500aec6ee241b56bc4de74260da7112896796a59a1c267913d1dacfe19e0718a0a53b5276327daccc14406cf116f654f8d640c9698198b1f3c36a21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\esUq.exe

Filesize
211KB

MD5
7fb38c97e64c4f79c4c94b23c02ec4f3

SHA1
0a3ba6ff1014cfe49c78b326e7551c83bf91a255

SHA256
744d85b7bbb30cbdb81466ac2d0d7dfd5de7ca8226680fd1d3f444b1a0ac2d15

SHA512
59dd396e5db708b734bb45e83748139c9d5d7686cef6ac3c0f94bb634fcfb53a9ac50a7a3f02bc2567a7277848cbc462bc0baf730b8fc86a9e6ad80c864979c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fKMAQAgg.bat

Filesize
4B

MD5
90e66d71700fc169caf041e4dc10a718

SHA1
98cc4c7a3d1ad46f63853ae1a40dad2c72391713

SHA256
14827ead0721a2c28625fa73f26ffad118f22acb57a7265d0d1b50f013b609a3

SHA512
a9e2443d6d9a749899620a9a4a06568ee5eff77187a6d3609af1eed48b134cfcdc6024e7b2b9931c3e4d1bae4ffd4066eaf7ea270cefeec1e48c6a5a02a6207d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYAAkYUE.bat

Filesize
4B

MD5
afadb6b5b0850cb96595ad1a7b8943db

SHA1
7af506b54a13dec624fc80bf77a87ef55d557219

SHA256
a52cefa5fcbbc090921f9698401cc37b7f31bd81776ef24ca597f826e8332027

SHA512
acf56270964570bccd984a855589e2e53d0c97783f8558b68e24eee1fc31722befd39bedfab587b418e5bffaf66096dbc1acd9737a2167b20c9da3924619231f

Download Submit
C:\Users\Admin\AppData\Local\Temp\feIMcAMs.bat

Filesize
4B

MD5
74c0d55066cec550dbf8e5e5f04977c1

SHA1
2d5aef21437cfa4a4dd326c5b0d89350d53e1845

SHA256
b103e42fe073fbcbf2f78be66389faa90c055211377d223a8fad2e7bd86d4456

SHA512
9e51dfcd43ead0321ee96391d6e0e80c07bc8a9aa66c07b342498f96f52d770adb6b57a9d9047200a811ea91171dccf556a6ce9c4aed558b335556ed2e1914a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAwq.exe

Filesize
209KB

MD5
b8397869486caa80a3f0c2681b9b6047

SHA1
07463531c873930200d3db456b249426832ca51e

SHA256
f0ebb087944b6315e2e4ed92264aafdc2e18029c4e36f1715818d0aae9621272

SHA512
11ec67301431006ec26be61896ec58bd6b39e83a159708e89524ff1bbd6a8d98c853c5bd04be884d01a14cf6c428cd7529894850b5a7c522e5aac89347836987

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIcK.exe

Filesize
765KB

MD5
3e880d27469bc2db4d01d4df51a67b51

SHA1
25cca910785599de2858c5b96d3b960032d743ed

SHA256
171ccf1bb4bc0930d4e1e258a912af47a39d821693c5e70d21c08d76edceec33

SHA512
8a84c9be087399f491c0065dc7134e7a119633bf25467054cb4e9229e8af18b8dd9fe2497f6fbf8f00b4d9bb90503f8748e560d25b62e6f276dfcbabe3ec1879

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUcI.exe

Filesize
233KB

MD5
b386d964f538dfb6910856d4d3e2a2a4

SHA1
676dca4c4826f157e5916c7e6bae476241c749bd

SHA256
37e63dac25cc940a54dd001033a188fcceb4bea1894f13a29b092d0e68fc63a8

SHA512
6ba9d30ff417cc5456cf4a6439a20e985eea4f4115855fd689fd8d5ecb98240d37d574e700eb881545a0f7365d9227708bd72c66db2de2dbfe056f41c9ac63d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUkI.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggoq.exe

Filesize
230KB

MD5
1aa20da2e69236834e1b9d6210a729c5

SHA1
7e793357c6aabc64278f5048f392fe5171708861

SHA256
6f59049ecc421959698ebde374bc2fca3cc1e81a5a5def593fef9ba470660761

SHA512
6194cdfa63f2d10efa0616590d85a1998948511114701904042198e4a19f26de858330db428866cfbb7aa94cf31f1739ceb999db757c9ec6f8a6a7fcf26ca5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkwq.exe

Filesize
192KB

MD5
0a54f7c6b633305d8d92b464c53501f1

SHA1
0d9d929a340e21bee959dc2fa8f53381ba2f9c5c

SHA256
c8b288964521e1a306a208f61db58508e0911aba15f323dd915c999fc290a83e

SHA512
b63885d69d5d85f0f30ceac67b18677004aae0fdfd0f627d20b2fa1bbefa7aedf5331ea3dd82c9a87533bc8b998cc3f15358caca3d89a2e136a0966b3d8e31ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\goky.exe

Filesize
227KB

MD5
d165e25bc149093f5eca16e74b455935

SHA1
46ca7edf8c2047daf3bef12cb8ecc95f7ce9a9e9

SHA256
e7b6dba7a69a2895e078e58fb8b2b9149afd50593a9a85298ab213489f2a51dc

SHA512
00b497fd4c48567f62818d7602059bb899c5acab23c8010f8e46fbd03471d984885ff675d7a6faddb544daf2891ebcdce102761ba4bdac9671bfbd643b6577e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAQwUEgo.bat

Filesize
4B

MD5
327a7f44cf7cea89ca9434381b25e03b

SHA1
f99c59b089e160994ba9c42e5d297f74b68796f7

SHA256
cad48f4d9a03a5f670d4b3a8ba512a004b7a7efc25369a39a45d4fe1e5b8e3c8

SHA512
784d731c7fab6ece0b3832b446085dc3af816767ea7208594eb86ba5c9c7d2a789eac44b001e68f08efe80bf0471bfe3fc53ecf3cb651065c24a31a3acdfa4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgogQIgo.bat

Filesize
4B

MD5
950af081c21f49d402bf37d466073e83

SHA1
35da9acc99458f9be35eff2d64cce12d222656d4

SHA256
ad5888b832c9ae48d6fb72c7bcf291697329ebcf5c4e1a4ebb1b33a519160613

SHA512
50a89bf8f1bfee589d76e53582495a5ec2866f18b405e62929a238715270b1fb0c09c73b99a6de439d235bf99673f5e1bacb8d289b116c405b1a9f366698f7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkQkkAsU.bat

Filesize
4B

MD5
e4c991fc01ce486122d6bed193f9eb40

SHA1
7d79c2545859875d051e030686c03ee406e10c27

SHA256
bee7a45db493a892a3884304c3d7a8f78ca69e6b459c2ad69b27f23de2810d4f

SHA512
bd7b6e693abd5769b73ad20dff3dd00b3a077856993fd91ca573a7d3a9027c1344d4826b74a03cf5b84bdda9c0305cd522947208a480eec5109c4ec6e5609729

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAEu.exe

Filesize
196KB

MD5
3dae8dd7a3fccb23bb64a5ae68b0119a

SHA1
1f3b1dcda65ed7d4fd1badcdf6d874ec2af15641

SHA256
8f201213b9d49a08e751da34e1c596e8cebed48254b58010f3715a857bd80a8a

SHA512
216d88c2849f4043ba7dc557d37c352fd18c538b203de5aa20e5183f423ce16abf2f5d50db55deb6092967aabce6edbf529c7a7a546e23aaa0eb06f0a800bd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAkg.exe

Filesize
833KB

MD5
cccb3df45c9f5d70bb6a35d72e46ac51

SHA1
477ddce1df9c8393a820a4fae144f1e954215c8d

SHA256
31a7c8c355628f374304fdcbd35eacdaf11b280619350a6773e8511a7704e624

SHA512
6a874e89a42b6ae9bab43bafd24b303939aa7ac9484b818a447709e31cabba774a12b7d06071e004e4a4af3e64dace212f95024cc689630c6519c40dacad3a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMcsooMA.bat

Filesize
4B

MD5
ada922fe8384549cbf6136308e72e798

SHA1
6646d21b702a789486a132a0feb2ccdab32f251c

SHA256
9cac620b712b360e9dae52ee5aa5dc0bcb8ceadd8cde64247c0d1f8f2ffba7ed

SHA512
3b57e74d08f8cad37061f232acf63d35a6e09f5dff70f1ad2955b8f6e5bcd3c189761fd17ef7830875f06e266de7ac8432c7b237d778bbccd37b4da95c8bfa81

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMwQ.exe

Filesize
245KB

MD5
cdf15d804f9161f5550bcd188f8d2a03

SHA1
9b177a3a35932bea923b739b8f00a70916ac2208

SHA256
843a1138fdd3e21b86427ac8f92a7bc5b138935b47e90444a9d189b00e831e81

SHA512
c91c9ead7288889f6db40666dadd2f5c7cd5f6b761705b48a6dfadfb3d0b541867953ee305ea63fa1b195d888fe6e1ea66698faf4b206d09831970ae79ab852d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQQq.exe

Filesize
831KB

MD5
e1b57281f2260c09e3842e7cf485fa29

SHA1
4ee0314d01b6372510995f04a1446f55eb2bc2d5

SHA256
b8e19dcf0e685145694400c9711dc31d2209f1ab67d8714bcd4b43dc1022be69

SHA512
e8fba61e033af0c6def5acd079ac0c02669af926f720b4a5fb2f96cddf1a65b82cc53dc60f0c8c6be286ba7dfec5b13e5db4cf7cb53d01612f83e41eb9c702c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\icoK.exe

Filesize
240KB

MD5
13d3455fe58c17dab96ccead0891ee15

SHA1
31987431d6fdde531d5cb18ac4bfc655ec42f523

SHA256
407955b786132e4980e06014f217164268288a419cfbbffdb77eb4fe37426b50

SHA512
6b6be8ea0da7d6d3399092608a9110d13e602005c4ff74b1948d6cd73c89d3f82c8c7ac91eba9ffd4d9ddccf2e46946adfa5fb5c8f4be09335130b169ce8056b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jCcQoQkI.bat

Filesize
4B

MD5
a3ac9d634a5039407ada093a59280bf8

SHA1
bacb4affcfa31134553e0bfff6f9e14715d09500

SHA256
f2a6fe4d8433570f9c03072ba6f517236eff1987c42df39bdbc3807466bae670

SHA512
46142f48f5253f5052aa3e216f22ba049fa43e072a385de5d4eb80ed6f7b213a330f96547c4d7195f85c0f6a511a74664286b0af75c2f34696d864007ce9f4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\joUkgQIQ.bat

Filesize
4B

MD5
2b27c87d0f33bea43664b61c529c7000

SHA1
f6fe379fccdcdeeed94a4cbea679591502f82af1

SHA256
fc87140ad7a763dd80242e5fcc630e1627360872a7acf36feac6c02e325bb246

SHA512
350bf550ac9971aba7bd5ee7252bb757e41b5a3b9ef230024f45e8ad49f55c550f6ba3bffc9d9575049ca4f395a04500cfd876433f09026bd59ab42d0d793e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsogQgUM.bat

Filesize
4B

MD5
39a186aa0fae1ea689442ee480027466

SHA1
b64608f042202967f5517f74e6387e4e05a7a3e2

SHA256
8ac8473ee2677313198b8f19f49eae0efe03d67fe7dc2a2e0c4470c6841c2aca

SHA512
07e282cfd0623c3fdfdc6e7c0c2a5b778a83d30e9b2095ab346f517d2df791983c66b7aa762cf43d4b3d6863fe49e77dfb4906b8ab885bcab8313cf4ea23dc7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\juMgcYcA.bat

Filesize
4B

MD5
38cc9abfa6996ee54e15d579fc6f4be3

SHA1
15088e030c5a8faba665496b3e31308f4d8d279b

SHA256
c1bee247715b2004b13c485638e09dea03bfe15c1473660d19f664f4a533fffe

SHA512
57167a622856a2785ec00b23b742f5df17cea88d4e92310ec2c06f4a16d65956f45707a5706a3ec23ecdc579c56dc09e736e658789cf631ab3df6864178717c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQMo.exe

Filesize
1.2MB

MD5
a2160840fd74e7367c50df386fb69874

SHA1
ec0ad8608f763ea0aabf8756c13ca4996f0657e5

SHA256
b98f30abe65d5e5bcae323a3ba292e3586605e078d07e92a9240d00d38ca5c5c

SHA512
b69767bd51a7233b567f3101d1eda2c506e5f4fb3f2cc4cefc7689dd3d739dbc2ca55579c379a6d9b357189ffdf6eedda11d380ae576a362dd2660a751996d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\kWQMYwog.bat

Filesize
4B

MD5
f8bb7c119745c19b1969ddcd608400ee

SHA1
95eb6acc56fe3c0f556f26e0f1b2bdc3e0b168c5

SHA256
6159a5976accfe7b0cd5d0ca0c39df2529369b93ec16a7254e107fabff77ba18

SHA512
dffcbc61b5bf6dcffc9bb8fb688cd9003d6b93ac2a30898492c661fe91c2ec8781b25c2c7667ee627846d0e31679cf4ebc90ee1ec8099f0c5ed15e05a9fb4cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYEa.exe

Filesize
240KB

MD5
bfd1387cc80770ca67916beaef22c7ad

SHA1
200b608039981df21991fa4dad549f333ec137d7

SHA256
d217d64b3b2dab797fcda80b2e545611ee8919df6028621472a2dc88a14d6704

SHA512
8aa9b2f61262f9a7626a839f2f503278a065fc9aea5083f3e4d2b2d2c284e0c5369e85f53f393e418b75770e6615d0c736ed89dd6d052d774b361758d35c2b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkYU.exe

Filesize
1018KB

MD5
dc7b2c46962c6de8ccf60df652f9cbf9

SHA1
7bc407daf258d7c2816e23f8ac87c11013292f72

SHA256
aea7913fd37a2fbc3a62e5b569c1707d13c08556485a0d87470b1314cee84143

SHA512
845a83b862abbf8e5ddd4fd742e9ec7597b81a5208fcdc541a25e3b06238e71788e7af13acd7497ee4cc6f0b173201a9167ee72461621b7feb45fc86f2f78fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkoUAUsQ.bat

Filesize
4B

MD5
67704fab3566aea10f2431b96bef9d37

SHA1
e2cbf7e09f1b3ba8fe33212b32b2e2eadd5bd964

SHA256
1eb156bc98e7ce5bbce8b2a3f8435d14adbef260946fd044d5d068e42b35c062

SHA512
a096f6d2a2cdde4eda5dff92ca8edcd1861eb4cc5ec454490b6bc522dd0504d44b2c51fd5b4dde0ea2968d95ab7fb2e46f83531b5ed50cc23ab2b02ee028f310

Download Submit
C:\Users\Admin\AppData\Local\Temp\koAa.exe

Filesize
249KB

MD5
be44e5589f5af8108efcdf926f0fe0ed

SHA1
c477af8cac3a21d18186b91d0cdce847f346e29e

SHA256
dd60e7a6825bb3474b1ec4e7f8582a274a37e7b4e3c5d223481acaaf6ec3b256

SHA512
8dd4518d543391fc965c34c764ad84d1f7b23ac5dd23a90c36a04da706c42df1156e7a31bd305abf249d46c0e0bdc54d360efaef73c2553b0cc99cff47444dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\koQYgsEw.bat

Filesize
4B

MD5
9b091865565e2b83dbf31c4f99989f56

SHA1
00edfed728043dcf38187558d42b0d0496a7f2a9

SHA256
fd01dbfb15a863c8213e40f16f277f12c74e51fbfa996a74f90992cc4b558a1d

SHA512
7d37670607debb60c5002017287e88f94b55e189198ca4272a2260d2f37bd78007f7c40d2b720a189b8fb64cd3e3c2f7eb4595396a579d203d81983cdf6120bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEAwQgoY.bat

Filesize
4B

MD5
74e259afd8c00c4a0c44f0737fe254c7

SHA1
288f5b49aa59d929262a530e0e5fa0dddd634f63

SHA256
ec9e3e8a139f2bb684ac7b7563691ab07e0a5236de8d64e16a1d2ae0fcd029d3

SHA512
438dd7953dfff06f263f821e9d647a85b38cb1b2a35e18f1b33d4e652ada3c38fb111de9de62360850140485c68d1b6aad7d23b491dfbfaf44d77aa4d8564482

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmUIcsEQ.bat

Filesize
4B

MD5
291d8db7edcda17933a22eeba06dbc16

SHA1
904b13c4b0b703dea208e15861bebb56feb8866f

SHA256
9cd557befa8313914a85f2fd2720fa8257c88246a6b5dc7186d18e2dbc132b00

SHA512
0b68799df1539c3d46d6ae54561f3fa67e4c650da731418c0eb08c5d28995c9a50fe5727ebdc36931d6e89edd18dcdd2fc8732e67ec0b8850482a9ea0043fc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEIK.exe

Filesize
234KB

MD5
199aa603dae2a08e8cea6200503234e4

SHA1
c2b2ea83636fb2732ccb07c494e6b16c8ee17099

SHA256
e9461dee6b6a22023277a3e7f5af4748fc5d32d96af551ee3952a6f5565a8961

SHA512
d43cc4aad671a6fe239d2786bb013441f7e289e0850be8f311b6f669c3a9aa182950221230b83dd4caa9309c7849697831b0ff5fcd4008f0232c9b51d14b4395

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEswEMgY.bat

Filesize
4B

MD5
b30fcaed7acc51741cdf8ec818e51784

SHA1
7f2e9a3d3cb9f8cafeebf40aa8cd0a4680bbaca7

SHA256
e19f0906ad192327a8dc70449311fe34cd2e6a98500ab327e8396fb3ac09be46

SHA512
3c1cb9ee94f182c440a030df32d187cd810ac516a970e595f21eda24ddfa481dc118f35207d7d22e392f60819471a0a0caca4230ba58b14d0c5d516d1e2843e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEwe.exe

Filesize
246KB

MD5
28b9738d93f171b43d1a4d4bcd1a112d

SHA1
261c70f8f7b363354e5d97d1505e036130346dcc

SHA256
e215243f5085bdaa9e1d061d925210131a570415b22df35aefddba23d0d93b98

SHA512
81f9a23d504d7cc852a0db2d3b269e5265893f3620add352feaaf2e409599a419be24b95c020ba070c89a2068c259b80d1c4cbd982f17281ce3807d5fddd8da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIUY.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQMQ.exe

Filesize
244KB

MD5
ba0a776b54ab1f8a38b3592c5df8efcf

SHA1
c965819051d116b883557350f4bbcdd1a7db0802

SHA256
49508cd4877e0f65543c2160c5cf26118a48bd193e5cf694150d68b3bab3f012

SHA512
8335604a18746fcfa69869782e16315573ffa19653247fc8e7b44537fc53e4850db10884ac76eb969dc877e9a3f39eb5c7997e243e1f807b704495b0422886f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUEu.exe

Filesize
189KB

MD5
68e242c4ee91b9023bb4671745c906d9

SHA1
b9f97a98f547652a20c5dce228cc96c626fc9c33

SHA256
d0dbbe2a0ecda313d67cb5b866ee4ea71a4ac4f001e06019802f923f782d62cd

SHA512
ea0573aefb4d8d2a826adf8450afa92edf0655fb3f0620fd63231c13e7037f5f86e8d3ddaf918a503d875ab756eb0a4f529668d9df724355e534623618d6c370

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYcW.exe

Filesize
199KB

MD5
2104393570f4a1feda119c48b21a84a7

SHA1
dc51f57920dfd31707617b270f321357124f108e

SHA256
d3de16957c5d27eca4b42693aa48d80db99c28c121cd9e2bb0526986c116dbdb

SHA512
f22f33b7c97f0cddd3db02913427d0c1702f243fdf6dc8f03ab09606e0e019f3b8538897027293d6a0621ae7ae59ace9c346e65b975a3e24449aed2bdd6f51e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwEs.exe

Filesize
220KB

MD5
d3569e2b4ad19e5e68e8d14ac7c2e820

SHA1
5dcb5848a1b6a6ae9aa3b4c336a7676e4a099409

SHA256
25383c5a0bf32f5b2b1ebbc92cd01e23a6599a652f4c257d5ef8de79a9e230e8

SHA512
65dcc933401d2dc9841df9fbeedfffe6e756a4822eda02667219a407572d8abd6f7abb3162522ccb1a7c8db0df7386cd5f82bb63b96369b7fd7a10f37cff209c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMwYkYYQ.bat

Filesize
4B

MD5
707148bead90afa47acb067e17b1da3d

SHA1
60384ec137bdcce175c100988a333f11c26ad780

SHA256
6f4da018cda37c7d888a461b334b032006c808ea6b870c12d6ffe05342c52b83

SHA512
581d5d5ede7b5ede816897773b1bed4040eaedb8ca07dc39c6d5863846bf55df719d124757898b28e6d6e3350a212fd55481ec9c1802f1de58cc71f5426a5ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqgEEgIk.bat

Filesize
4B

MD5
5f918e3ca63130f994458035fcadc99f

SHA1
362d253695e5faee37c766bffc12179b1e80f344

SHA256
ea930c33bda8c7f66e2e89ffb6485bff72e3ed33303e7f42637b13765f865802

SHA512
676307537fb76bb3bc615a64684331fba3a734cf6228395d7ed6363ec1a23fcd1bc81ed2313e84cf6eb813750b02ae34c5cc5663784e0a8793ab008f08cb752f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEsG.exe

Filesize
235KB

MD5
48011d8ae69fef22918e80efa1222e52

SHA1
b0912416c08ca3618dd188bd117b962350ac9e77

SHA256
99388eab6549532994a0084c5709ec94857c46fc1c6c9e227418f028325d5ed6

SHA512
0413871e3f547863e207c3a928d217cea152f0e9462513a6e1ead08393e9f911c2ddc508f987fa5b01fb43c141e249db2cad76eef9a0bc44785833bae737926f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIAa.exe

Filesize
200KB

MD5
1ab467b6f1b60429e694c3ddaf2ca722

SHA1
a4a13dcde854c5dcf155f4df5a7c9d3c8756b22d

SHA256
89062eaabcdb653d35fe4588810cdb6b3f6cc7e22d0a766b6fda46ee7ae446b0

SHA512
ae8d26825854f59f9c91b60c5f6e8755810fbdca8f09636ae2e0e1b23186397de1dd1a2acf1ee1eba845ad291fa616270255194e8b9ec18d0c7b58416ebf2fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMEscIAc.bat

Filesize
4B

MD5
9515ae9cf0e7459ff84d97f01a7c21fb

SHA1
1fc5c8411237142372c478004038cc954b522159

SHA256
7fffc322f18a03c12cc4e7010b1ed72de8ad17bf160eab9a62553f3e0270fe70

SHA512
d39a2c640515074ce4798b2eafb7f0959f08c4d528c06a428b864d6f6efcab148dcbe09ea8106ad99dce36c577998bc8aa0c34b74ee639d7fac7815417d82515

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMIg.exe

Filesize
991KB

MD5
12ec24ab48d498b4270770da56db3401

SHA1
fad311b7f5f3909328b17c0d1141dbd6b5e97f41

SHA256
f56ea6682cf63b48f80d768631fcc128b1adca028727dc90eba358011ed7c53e

SHA512
2e807fecd6de792d31f525e9f9d6f1a0a03fd4fc6cb52ec4fc3333d602e88b3386805a0d51a076cdae506c377e3915be3d81df8f7609b8336b0b9814e45b4712

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUQw.exe

Filesize
245KB

MD5
1a7f1d87ce2d248f74adfde264888ded

SHA1
6c440879704f5a4389a241abe51967dd26aa9ae6

SHA256
b9016c4854aa51db491ba62701a681be1dc58fd8db388e4ea80e13d77231c050

SHA512
d9b960b8528e32babf03c4556ac46e4ec9796d3d665660b17c2b2bb0e7bb4b7a008ed2331226195962d97cc393dc4bb756664be25adc85ce5053bec0b6467b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYwE.exe

Filesize
195KB

MD5
7716dff09d43098ab4135789cec28a29

SHA1
ded80f59cd20333a8b982efd6478aebf2199ee3b

SHA256
e8507956007a6c81a6eb06ad3f93039443cde365f12d4466a355209a314f9858

SHA512
2c4fd8db99d6363cde53b3d9cf49024b7f8d1f2f52b4f27ed290348aea81278599780ba56700010a0a7fcc109ae3b25dcbe029b5e3e1b2372008ce80ad67303c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMIEgoUQ.bat

Filesize
4B

MD5
caa593a8079ad86bed0d5f9849ff72ed

SHA1
b84d680d7f212021b23c7198b304f2c6da32aa3f

SHA256
0a36293f993ff39492d1c083bcb95101993edad75c47fbf30f8db4d9eb7cd5e1

SHA512
e60bee172f51bdb4613b3a521260c22c6ed939c1e7a9a0e2fdd1a098d0222a142d7784ca33d63b9fc76e331ff669ff44d97c1580c73fe1484358649b24c6ac41

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUEEMkwk.bat

Filesize
4B

MD5
0a21133bf1fbf33d8009eb715828fceb

SHA1
2923d39e7a8285c574cf68f362b42b69db838f71

SHA256
c964e30846078a3ec9a5173e3ccb0e6005eb10899c28933a5ec138319b9d5566

SHA512
6e7e48868ac4224fcdb6c472dc63403da84000025554c5f8081405468f0095f85c0f4d658c9bb4a9bd8e39f80dc7a564e62e630abce7699d2f914c38b5a923a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\psYAoUEs.bat

Filesize
4B

MD5
daff2047fd5a0302c9a585c6b813928b

SHA1
9f68fad42330c3fd84b8936dbd1a82056669afdb

SHA256
4025b67b6a6bac39c0eae0c9ebcc0564b0ec58b7197ce211ae33d36df4788f6d

SHA512
e9f47cabd8dd4aff1f919c1dc744d0e04da2290a65b6ca5eea5e9f3385df5cf5d25d5b75ec2d1bb98b38d3a908e669ad24c318258ccc8c287676ade511b919cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qGgkIcok.bat

Filesize
4B

MD5
9b830b600ac5ce592cc4e24ef46c66f5

SHA1
b771c9f0649d2e9376f4188cb401407150c25683

SHA256
8e3fdb696d7dfd2bdb92fe8965a291ebc4a55fd29ebc059e2cf4fa9da5208751

SHA512
9124acdee69459a8787274e7dfaf6ddfef424a400348a38428bed0d5a72abddb996b597d07812831d6b8c1e5129fb0acade38b0110469dff3a00e4a2e4e4175d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIIM.exe

Filesize
245KB

MD5
94e36e7ee2ce67dd55c54ecd3275168e

SHA1
f6bba73eef66279d7e060384cb5bf10e2510178c

SHA256
b460045e38488ba67a5ea235ef4655a49ad5020fcb3099adb707724a329992a7

SHA512
e4e23b832447a546f14a106a3239c50eec9224f4cbcce76866ad4ea552e77e63d5db2b66e1e879453d5ec8b7b371bab8e0ce94106c162f6da7611e6078726ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qWYgoAkc.bat

Filesize
4B

MD5
19c89e88eaef38f56232ec0bb75e8105

SHA1
ee592022f29c9884d7bb733874a8e45798046488

SHA256
1bb8f0cdd18351077d11b6cb246e7d99f93869f48e289057b8fa40392779504f

SHA512
700e05278b7750642b655dbf66a4d76afa7888a83e9b887bbcf90b8c9b6c6f7281f34ce2da54cdedff29128d53cc35c7e14a4b6d7ef416a3f12d0787ace4ba45

Download Submit
C:\Users\Admin\AppData\Local\Temp\qggQAgUc.bat

Filesize
4B

MD5
7804be5e14189686f34ce7fa15937f7b

SHA1
677b4cca75f7a2d1a7beccf4778048a94da84226

SHA256
e933772a6b90722dbae404582a79a90c77d9a76a0df55e7e2ba3371cb1a60703

SHA512
15587543fce65f67272424f1a042a8eb378d7de9e3891f2553f6a150e021d12ed468ef5b05c1fac57354e89538a71a914d2df1269b889321374dbfcf4df5f085

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgkkkAgY.bat

Filesize
4B

MD5
7bc3715f98e69992685f78273af55ff4

SHA1
0701ff2db56b1e789ab5c995201b01ad6b0c4d91

SHA256
6eac215353e32c0dcda0e915d0f89ef512683291abe8824de8729778b77bc51b

SHA512
383dcabfa6f791c3db5515be20a000c15772ac8a81fac29ee2c2e94e89bb5545bf02a7954fa2c457802a9b707e22e93d700e49b39bc047c5095164a57dbddbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCIIUwQc.bat

Filesize
4B

MD5
60c8d56099af26fac79b3b40b1651e22

SHA1
a53b78c9b980003c8a6d34c85e9d780eddc20f5a

SHA256
8da21d0fabc2a0a3a53f99e65f316b92176c9796932b00cc8f4710e14cc19064

SHA512
bb6bd74aa10bd86fe035865728fc1e9c58a03bf1fba9e78647133508de10e63b4f9979c6b23cf7e796e4327d1044605c1908f9de8cfb5fdac6568286d85a5ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYsMIMMI.bat

Filesize
4B

MD5
ca7e4a2be42563201c539afffcd08824

SHA1
ef4e28502f9b0e294c50cf0eff69bbfc42dd9666

SHA256
99612fffaf77056a9e4d8b145e3bf11383ccf4ffdf101bdca1c1b7baf8ad0890

SHA512
58bcb7bfa07bb18237bf6c0aac4dbeb2c48673d8830fc225c213a6a3ac3c136fcdd2b4d7551f38a9810a6e388d630fcc2690d4df439d4e0c7a2641d86ffe1735

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEQE.exe

Filesize
201KB

MD5
4ab3279db0706a64dc646993cd72e902

SHA1
691a928e8b06e63e3a6a67b505279a820ae46ab7

SHA256
0ad0452257b7b3e46bd09148879591978501d011b7625d838119cded452fe419

SHA512
09a51a17f6e1fcdeab0c04d8fede498a35193be05d6a494aa16e0f741726aee5c6a0b007c1b77f52b41eb8b1b7a24ec0c1e7573209c911ba3c911cf9714a1304

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQEe.exe

Filesize
308KB

MD5
bd10599a4f3283012fa3df8b2112eeec

SHA1
fe374af2bdbbf819623de03db3014d01732ba68b

SHA256
c756c7a8c87244d3b6dfd0edf8b951f5962a23fe735875ee219af6daaf971ca5

SHA512
8edba703ddfccd131720e8801ca74992a9e55c474df79acc19964aed5b2ecd2761f5a708663c7f80ba3a79d1d6bfe167c7e42898cfb3c9d2d2ccb3fa17609437

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSooksow.bat

Filesize
4B

MD5
12980dfac6e6de94b2dad89d8b13c903

SHA1
3e94cb2e6519aa6b55ab5e6dfff36f05e677adda

SHA256
dbd86aecd2bc49a9614cbb18d95150bc9b6b1c17c9a81bbcaa3bf348285cbead

SHA512
840d3f3fab1135e5e029ae7a5d8a246b7006fb78b40dc70d8941aba80d55f15949ee3ba6b9a6337ce556bb2174fd7b7a028aababb37cc007078340fdcb30cee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUEY.exe

Filesize
1.1MB

MD5
4cd9fac1e62ae403f95a9c80e081405d

SHA1
7c40dd304a332c410ba3a3d52b553c5b0c93b387

SHA256
f7d162215f15b19d055cba7accd2b6be2cec1eca608274ff0a6a120ad283ab13

SHA512
e5122210bdf72b22255f3dbb5b787e9bcc5b0de81c5bfbb8672a13d2177ae8fc7934070b8cd4e886e24ea0a44c9724d710907069e7ad5c5056d7a3bcd4ab63cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUMY.exe

Filesize
240KB

MD5
8ee72e2d652f2090db04963d2ae1459c

SHA1
0ef0fa2bb2c5b2889cdec16ecd64b27c0defe358

SHA256
18cbc78a9269d45cccef670c9bd2d539cbeb4460ba4bc8188f4d5cb4d247c58f

SHA512
49c939ace460438a12ba0578ce13a0b1156c001ffb8537bba0ed369e433e74b0b7f8502e296fe64ab617621b8b6e20cff316e071e0405053335af2e60b7e000a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUsA.exe

Filesize
248KB

MD5
ed23f3bc46a6b5ffda2f31065fabd2b3

SHA1
8d9a3718b9736d549436f67c13f55988a5768b1d

SHA256
4d738e07f6c1cf8f3c93ee8a496f1f454e31367b8ba1f87589ab081eb48b90d6

SHA512
276d7efcc36ae6065875bd391b627caadf204ffc17bc367854737c314deacf5783eb2c7654a1fa652adc8cd622caeb08b3273300f08be87a4e0beafd2ba18490

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYAc.exe

Filesize
945KB

MD5
c8592c1951d593d1a98314e39880403e

SHA1
9dfe21e2eed8be9b87498190a40defbabd1c7fb0

SHA256
b0e45e09e04d26e429bef2f59246456f6f8334be26ad04273ddd65f120403f6d

SHA512
4d57f9b9f633be1ba552959e3f82c1eda6119f87bbbbb6357bddfacbe8b65834632985fd043a8ef7fce56f4df5aa6a8e9abe39f77653466573988ba7dfae8df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scUG.exe

Filesize
312KB

MD5
13e357312ad755e583364451293e343b

SHA1
0067f35ea845b32559087e9e9d5c8f46c3309c61

SHA256
91becc1f8c9a43db12f31379fe5cdbe04840b6df6ddff0839093c7fd364a281f

SHA512
86a58fa3b7198e4b923a80b4a5f601cc3c9d6887025557b759a385ebabe1653374d96e3f216e7fe09e76307d5cfa5b2f55e74bcac5842831d7128260ee9e21ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\secggkAo.bat

Filesize
4B

MD5
eac105ab3459466d849f986bc538c9d2

SHA1
bb2bfc3e7b8f930fa8b5c9ff011eddd2e4bfa7ed

SHA256
ede2a57b623529ea7d83a9872c874a5107bfa61a53c38368d6c678399450f9af

SHA512
b0a1cbfa16404ad0132b44e41b49adec1c30f3fc2e204eec3ebe9f2c464e66e10831d01896a4e7b18cafae658d32f9b54fa58e9f3c936b2cb72706d3f87c9762

Download Submit
C:\Users\Admin\AppData\Local\Temp\tCgwEAwM.bat

Filesize
4B

MD5
910dc987be16e626d05fdda152144d17

SHA1
00d38e830df99f0b08d063dd418146741150a3a2

SHA256
0c5c24d423c98aef12a8a0ec137b2e98e1b5c037a03e44a6086d020cdc6ab40b

SHA512
904683b58f253c4576afc567aee6ffd265a0bc1c5b016fd618d0ec07f51558470d4dbdad3d7e12b1d7398adf74cb937457abd9ef5d49c666d4252f59d3dc1eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGgAEowQ.bat

Filesize
4B

MD5
37a289c6e0bdb9d7a9ce55a3cdbbcb3b

SHA1
5df1610323863e74a2ecdd3b34279524d285e833

SHA256
00e80caee1854acbb0c4370ba57308de87b5c6947f96a9c38602b05a36a02ee4

SHA512
0bee4ccf1ded1e00e0eaf9d33bc6688ae79acbea5a38b0f0218594633b476175e7585e71359839f5154aba6c7c1e839f50809c363a0eab0dcfb0deb1838957a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUAkEQsI.bat

Filesize
4B

MD5
1d844c33dad716042205b85ee614348a

SHA1
a42c14926236fb82b3204134c6a7e43132d1cfe4

SHA256
6a3197201c11114ac116fd522090d93b8474940277f9f61422dd5cf7c1b9e18b

SHA512
20314b663a2f8d848a5f15f86f6c0b40d11392fdb2297ae6792d8ec922b063da94819e2fb8b3d1e66549985bce3ccfd1e8b41908512a0b00475e4c279a48bcbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\twQAwYUs.bat

Filesize
4B

MD5
7bbf16f0c807f1045ee24844cd7a8f80

SHA1
56e279a9aaaea2948e5de46ff28db586255be796

SHA256
1fed2b74e62c353fb40597cab2fc7238388c3e762955fc83c480366de3c04110

SHA512
b09aaa5366168bcd5af5e2e7da4734d082cb561a08f98004385437786d7fc0dac1fd53d1877eba14fec18f6e6f10cd1155387374b403aa73d09e81947c2bc8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAgA.exe

Filesize
913KB

MD5
e5fb7f9a5148c848205193bdc78b57da

SHA1
104b0747ba32dd4b92da60ca91c08fe1bed4bc3f

SHA256
ab72aebd433048db23814e4f96fd2399741f3cdb574606ab698734cba154ffe8

SHA512
abe601173b2a91d3a8dc8d7d9f44953ab765c289e75a34278f930dc281c4d8ad4e285b8b4de01e937af1c20840e7e6d6503cbe3e76d389401b9e90244dbd113a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMwgAkAg.bat

Filesize
4B

MD5
767b1ecebe234d3bbf4e562f402d5afc

SHA1
ac4f60bb15275e76c32317044dc219a734d3e462

SHA256
60630ed377cfef645d54b30ae4d7f39b6574c1b439c41c7fdc4e65d9206e7fca

SHA512
e2dfde3ea562a418ec6fad7114345bb27c45f46403afcd7d020f16b1955b9790c512f0938784a6725eb3ecefa116b36d68a209db59ead2635a42621ccd78ff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQIA.exe

Filesize
558KB

MD5
4eea6f30a1ebc61fd7fc2c76d5e5c66a

SHA1
ae8bdffd1cede4ed72d37bbdc7289f3636aa7b38

SHA256
bbca5c85c1239575b886538c290eeb2b45671cdbcd2ff17967d16e63fee29a45

SHA512
9163bfb02955bb1ee2751897ebc60f62d0003d742310494d665da9e13db572c101048f4f672210b6a15c99e15a7a59de557dd7c4cf2766c5d3f01e6239d4471c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uScEUQwo.bat

Filesize
4B

MD5
c5303f99235e33a5b34a78295a0e0376

SHA1
2ebba828f1a49bb68b3dcb9afa0fe4a1b990d965

SHA256
3d99f5f06be11b88da8b23ecba76f70afcc2db7a583aa65fa0b31877a1f50674

SHA512
a6f71520b311e81f26dbec971cb006d4e21948c2a6a87316bcf0245c6419424caf58f9e87fd62078ee485845fb406f36c98e98f7095b81e9c8c2c0518448f0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucQY.exe

Filesize
223KB

MD5
e1dc4b7d7e48098fb8920ab2e3045715

SHA1
24c525a1c6892286c82db84870aa44664924e1a5

SHA256
da3bbda2a72dc501987137283baae3b41063ff32f418762b68cae3e7d69b6c1c

SHA512
c5e886f14bb671553331dcc1a2369147e32b7a8aa04c67e37a34765bf08b60df7a2190c2772bb3e73f3e75ac43f82e2677fb9c34e2c40450ed3fa65435b7fdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugEK.exe

Filesize
222KB

MD5
5a8188f23191d95cf2d4680c01b10fd0

SHA1
7e004f0159fb66ceaca166ffa8212027a5167aff

SHA256
9dc2f10286b129de2ec233c8ddcbc14f736cd159629a668bc70a8fe7dd91f0c3

SHA512
5b81ced2388cd171e4fb35271ff428abf1bec7836b87d8eabea272e47209aee90c8db3f0ba29b51496722e6c57e7f194aef9beaae74d0f0a3317a41e6afe34fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoMC.exe

Filesize
236KB

MD5
13d509492c4c65f2627eafcb61ca05f7

SHA1
80be23999486ecee8c01560c1de696d6c2399015

SHA256
f11dfdbcd583d22ac48ab971097b85f5dcb11b2b7acecabcf81a27e308c5f99f

SHA512
d5439e1a2fcd236f36d062625856b283ef7d5369474f2da749f65c5618eb90af298a9cc5e6f332524d1826aeed9da41a9e4bb0a9c9949e279b84e63bc95dcf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwYM.exe

Filesize
247KB

MD5
599e38428b49ef293301ee19d960714c

SHA1
b4d8b8497cc3729bec0819afe040d7a9af096bb2

SHA256
14a4b686ecc06cb6a9fad0260c33725bdc2f9f245b32680cc91c17335532959f

SHA512
b4a448dc697909db1746fe7484cfdca5763f94a3b17608ab409e4c225434cbd5e8d0f623913b8c742983d5e9c077aca456150cde91fbb79963edfa1494cda060

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIEUYcMI.bat

Filesize
4B

MD5
3d5f5ee804a5723a430d8f07129fd23e

SHA1
fb333fb9fb269d96681fa7d15816e15b45a08b5f

SHA256
48025291addd8bd4df16b8bebf9dc66d433a0555debf8cad82d7142991aefd34

SHA512
6c17611a3b2302660743109d2bfdcf522c963e6214da75540abb38d1e3e3cba19829b91b3136c7eee80ed3b064267993a270abe603080258dd37698648e45416

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUoAUIMo.bat

Filesize
4B

MD5
16fa6b1b657216fd9a43cc2e23dd20f9

SHA1
dad1f8426232a007607763b6b721312c1455c197

SHA256
6309ba4d6212402a5745f793181a5895ca9f332201a935e3230a92eded541cfa

SHA512
b1cb4cd36b3c3f5371fc4570e377a6e79b29aea1449424bc20fa1f894b68c5bfdecb4122c039fe9b50cda6b490f497b5969b78ec757b079b5e6de6bf9aca0bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkcEAIUg.bat

Filesize
4B

MD5
4171ddd2e1e0919d5b16d18a45d2a6c6

SHA1
01cdf22daa33a9205277fc3972e7b5fb19c00864

SHA256
cec3d0c2501502e54962a146f7d47443461a7cb86d1b69dbfff6b2524f1030ad

SHA512
cf4d3907859eaca8e473af981e009dac2af8439c775300c3e3def71392597296668d05b4948f673b4925a8ed7a9b81e0821cd3f1326f8e5f501071a55af25af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMgC.exe

Filesize
201KB

MD5
cbc2f80cff2d4250bf36afef170269f8

SHA1
0e3f4df87cc28fb5c85db39e427ef5961a6feeb3

SHA256
4ab5ddcac45b5223c9277a2df841854dcef4244a619f466a7d2c2fc1b93a80bd

SHA512
4b88bbea1d9d626c01340861eab1ae7e6bd136a7a29ce7b75f63d829d1d14c1d8898eec5eb8248c6ab17dcd034d556ca35ef8ce857f74ce973bcb5434cdfb651

Download Submit
C:\Users\Admin\AppData\Local\Temp\weQIIgks.bat

Filesize
4B

MD5
e69a0c8c41a7ee266b9f4c8c3d106a4f

SHA1
6a061df3a9da2891c1a0363a74edb59edbac4e1c

SHA256
e7f362d6becbd931e2912781915416db2a95b58984aa9e72060afc84e2cceed9

SHA512
2fdc3cf98744058963fdc35052a1f0e65132e1597db2239afbc58c64902a1d607f9d27ef54f0368fc551cfbf4be55dbe0bf7afc037e1a667eeded21572df9f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiEsIkwQ.bat

Filesize
4B

MD5
8cd60f69538f39e86485c98718e1e88c

SHA1
a7660069847ca73728ed1622048e9c3c585d2933

SHA256
9a76f95b97773c2854266d614a8104c9c038db6fbc0a14b6684b63b2a3c4a9a4

SHA512
1091cef447b0be7a394518328001052b3ce2bc2864aa992bd5dc4c28bca7e68273a0e5570ce7cb4992795d84f40a29fbaec3ca736c5d52f8ecb62aeca6833be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkYq.exe

Filesize
228KB

MD5
6881473984828943af3da6b632edf2ba

SHA1
beea9f60f3b1ccd40bf5372e756f0015110f7ee6

SHA256
9ace5d810af1c3f2561fd389f869eaefda0ea94654eb29d7b9c28fa0fb2c65f9

SHA512
8e10b309b2fbe0b155c573b875292ddbe8d744582b8f1178068598d2a6dc7d6fb085d0425d20e4abc294634e60a44e25aebe2b25f37a069072388253a3cb8118

Download Submit
C:\Users\Admin\AppData\Local\Temp\woUE.exe

Filesize
223KB

MD5
b17763e67fb876e1d5020b8fc469b3ac

SHA1
7aef90a516d8fff3736c0ea48e1cb36aa66b537a

SHA256
4e92c5627f1e12541e179c753dad540f1c4707ad22ba1638eb9c72759baefa52

SHA512
b3670c4d1c712cb8527ce3d94af1e8f12b77f6562116f453728cb8f32dc0d5432de07d0ac08e74437b088a271045b570740e682d573b7737f879cc1f50eee6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUsQUAIA.bat

Filesize
4B

MD5
f9a186ff6c323b4a5807c5d8394995f0

SHA1
afe1679a04d59044f7ff20feaaad48db6b720b31

SHA256
2fbba2ee01ed5238afbebcfd10f047d6ec19ca4ae51c8ce3f4922d46a7fa2f3b

SHA512
0b6fcb4bae38d9ba743e16f062e7400fe7a3e9d444acc70b1c22563b2a953c233b8dc45150a49a7ab30b850d14c06452f9cc68f875a7d4a293b8c8e6a9894874

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAwgIAss.bat

Filesize
4B

MD5
be5c0104635c107ac1aac21ef96d28cd

SHA1
8cf6ef05710d91fa3b8471debbd2d7d3425cafbd

SHA256
eb22212ce93d53b1a40a4d2dae1e14244784939624c310e1fb1bca776d14972a

SHA512
d38910fcb567f9f098b1e658571b7badc8724fb0a55f8561ed6687317259c77e2a3ee235b63697410e1f8374573e23a2edb00aa2d825aa4b6b13aac5045415dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEIm.exe

Filesize
714KB

MD5
928e910e1391a4b0bf5018484045fa92

SHA1
572cdd306f3f0ff49b93f5688c04e67f8339c908

SHA256
453a5debc4b679b70f101faca0e109c98cd2ddb24fd15da38604078624de4c82

SHA512
40bd809dcc58d982d1cf797ba5db9e2de0b0dcbfb02a860580a538825de39e0f34eac97ad1cad343abc13fa79e32b02d9fa02bf62ca1815154e506dfd6d99903

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUoU.exe

Filesize
4.1MB

MD5
52ac738cdeede08ef010c47a7d390e91

SHA1
f468e4417d334e2aa85a20c07a7bb27894dec62c

SHA256
c014dcaa2b81d7cc37d11e2457d6fb784783713a23c322a2564b1f4486f035e3

SHA512
b9dfd7a960bcda9a1c4eae4f7e92c7318d25bfa4db39a78224df7d8412fc8e9fd97ee584ae3e9f3684aea32d4d9abd4402f401cd30f5d61c17124806a42a4d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYYU.exe

Filesize
230KB

MD5
e9fe41295853b5a1babe12be957f7ab1

SHA1
899a0dd033a670154642f558868acd53c3c1ff0d

SHA256
906403d7d9b1f94d2de60c7a9fca9d939f9d13d53ab321f3613ede9bdefa2d98

SHA512
a2ff177d71d4642e7b81a954ff945e7ab9c97d2f99ee4136dc99a53b26df4ed24a69454b9848661ad07568c88abe1d833be1239c37a6773084f831f985e28ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykos.exe

Filesize
221KB

MD5
96c4271c865fb41a6f5d51993945911a

SHA1
d767a810336edde386f1f21d6397fbbfbc062ba6

SHA256
f497567504b034620ea6bdf75114db7ec5a482a53a40260a5d40a9b9ed0ee920

SHA512
95a98c111d4721290d525be3a02fd4a546bf5d3a6881edce75b8f45589aba9b6b1916eb507bf9e970c638544b995a40e73667bf42c97897e29099b13bc8308e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yucksMAY.bat

Filesize
4B

MD5
2c81b5b205088b281f0ac332bbe2d3cf

SHA1
d5e3edd846f74512c74e6c6fd9c2196961f56231

SHA256
2fd30d0b9f81b20edf804ddb8e9a4b74c31d18aa50f6475a7466351511ae709e

SHA512
0d083cee9bd008a03031a10e163e40c70833a69390ea8a9291628e796070e037a3b9cd34a3421907ac70c7c3c8d35afb2f88113c5d949fab8402504096da52c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywQIkMIs.bat

Filesize
4B

MD5
1ec5bdd020ea5fba0b580f257e27f41b

SHA1
cbb92ff887210a18530f1744399c8b72a888fc3e

SHA256
40e524dcb257e24a1913c8dcf1f4d86cab3e574a11db2386e0cc392029018d34

SHA512
ae8b10b7a34e1ce1041b6ffd10c1335aed82a47398c222e424519c6a25bd5a4bae39eea0031181e6b6ef20ffc39bf2cba895586f838f8d0c93b793ac312e92b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaYYUAQs.bat

Filesize
4B

MD5
d7aba4b2a33ee00233cd8460386dc315

SHA1
3476a8ab748c8b8e2790ec27707e8763e8c7888b

SHA256
d67d14664a6f54161e69909b44698a243c4656bf05dddb2571f452c081d40f7c

SHA512
df3cb8dae7ea3c10f133375491524fd7f4a50ba3c02729845fbe75594619078917fbcf82003c0f607b24f2c5706e5db14532c3865cb1c2cef41d1e645c9d4043

Download Submit
C:\Users\Admin\AppData\Local\Temp\zssoIksM.bat

Filesize
4B

MD5
02072f21c4aaf84ee72d25072e3ee4f1

SHA1
7b3b8464468a7442940844ebba1e9abfa8d2af1b

SHA256
bafd7dca5166219e586253509b680eaffd8942f3d2e813161dcabe35f941b225

SHA512
eb9dbb6d4d1a525cbeb6193590b14f32b4f9575fb0d579618ceced5db2dcb4b86355af8f54ee107a53c7e099440b64578a752b12a43310fad3faa8afecb98c38

Download Submit
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

Filesize
8.2MB

MD5
6d16a8594a1100c7ecd2b9e34bf84877

SHA1
44c85864f4d8ebdacea93ee2102e449f666e8f6e

SHA256
6eb09e26d0f2ea58683d271861c8ccfe013352ae1534ba9ed5b19c79da78a548

SHA512
69839ccfa193b458333f54c6c2ba316d26ed5b74e0ea107db550e273a5e5bf1b9938d6bb6843a1fa62e64f54e1ee2f1d970868a1274fd54cc8978247a2780b65

Download Submit
\Users\Admin\hYUEwMUw\QgUsAAgM.exe

Filesize
199KB

MD5
54a0ad470f68489bb38c2a539067f6b1

SHA1
d67c0b889eb08d3d4f83ed8eb48957ff27d97f57

SHA256
059da95a45aad129be49f4b1d4a474252aeccb36720a33d1b229738f4e303877

SHA512
e0b16e977b8fa18cf6623b8cf127f98c5a1fb87a8e6502269f752b8d2fd0b5db6781d6eeac7b7171aaeb7604c0d1bc6a038c18b50c57961b8d0c4ee9704542a2

Download Submit
memory/300-876-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/448-101-0x0000000000200000-0x0000000000232000-memory.dmp

Filesize
200KB

Download
memory/504-779-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/644-509-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/656-243-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/768-355-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/836-886-0x0000000000270000-0x00000000002A2000-memory.dmp

Filesize
200KB

Download
memory/864-597-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/1012-111-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1052-548-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1084-836-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1108-928-0x0000000000270000-0x00000000002A2000-memory.dmp

Filesize
200KB

Download
memory/1244-578-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/1248-481-0x00000000005A0000-0x00000000005D2000-memory.dmp

Filesize
200KB

Download
memory/1248-480-0x00000000005A0000-0x00000000005D2000-memory.dmp

Filesize
200KB

Download
memory/1252-310-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1272-392-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/1360-256-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1468-345-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1468-346-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1472-587-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1492-712-0x0000000000830000-0x0000000000862000-memory.dmp

Filesize
200KB

Download
memory/1588-177-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1664-731-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/1680-907-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1680-618-0x00000000002B0000-0x00000000002E2000-memory.dmp

Filesize
200KB

Download
memory/1680-619-0x00000000002B0000-0x00000000002E2000-memory.dmp

Filesize
200KB

Download
memory/1736-32-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1736-621-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1828-287-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1884-458-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/1924-607-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1980-916-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1988-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-617-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-368-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2084-88-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2116-156-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2132-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2132-11-0x0000000000460000-0x0000000000493000-memory.dmp

Filesize
204KB

Download
memory/2132-30-0x0000000000460000-0x000000000048E000-memory.dmp

Filesize
184KB

Download
memory/2132-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2132-31-0x0000000000460000-0x000000000048E000-memory.dmp

Filesize
184KB

Download
memory/2132-12-0x0000000000460000-0x0000000000493000-memory.dmp

Filesize
204KB

Download
memory/2188-423-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2188-537-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2188-538-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2192-102-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2192-134-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2236-981-0x0000000077520000-0x000000007761A000-memory.dmp

Filesize
1000KB

Download
memory/2236-980-0x0000000077400000-0x000000007751F000-memory.dmp

Filesize
1.1MB

Download
memory/2260-929-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2336-332-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2388-867-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2388-895-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2420-568-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2420-539-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2432-721-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2448-436-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2448-827-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2480-42-0x0000000000170000-0x00000000001A2000-memory.dmp

Filesize
200KB

Download
memory/2480-527-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2484-761-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2496-866-0x0000000000190000-0x00000000001C2000-memory.dmp

Filesize
200KB

Download
memory/2528-445-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2548-147-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/2568-751-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2568-265-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2624-740-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2644-817-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2692-222-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2700-789-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2724-467-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2728-702-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2728-684-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2732-198-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2736-683-0x0000000000170000-0x00000000001A2000-memory.dmp

Filesize
200KB

Download
memory/2740-808-0x0000000000170000-0x00000000001A2000-memory.dmp

Filesize
200KB

Download
memory/2756-213-0x0000000000270000-0x00000000002A2000-memory.dmp

Filesize
200KB

Download
memory/2756-401-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2800-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2828-323-0x0000000000270000-0x00000000002A2000-memory.dmp

Filesize
200KB

Download
memory/2872-43-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2872-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2888-906-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2888-905-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2888-798-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2908-278-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2920-490-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2944-856-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2976-377-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2980-598-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2980-630-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3036-682-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3036-500-0x0000000000410000-0x0000000000442000-memory.dmp

Filesize
200KB

Download
memory/3048-414-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3068-650-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3068-620-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download