75ff97b9ef51bd53c781f4992d6f2393f7571cf994b7ad23f90895071e3afd4b

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
Size

203KB
MD5

4634f3182a76687cfbfc14aa296e9c9f
SHA1

62844fe8dc8d44ad2d8dfb230bb57d1399dd5d87
SHA256

75ff97b9ef51bd53c781f4992d6f2393f7571cf994b7ad23f90895071e3afd4b
SHA512

c9d602b2d25843c537a414371847315f7ac8d8641f3d77cba1693aeafc895deab200a0693f9ef35b5a3a46d6efd9f3c4c5e7f1e0d1ba7e7f9679dd751999811f
SSDEEP

3072:4fAyzj6yyRhFgl9xEzOPeL4TmuzwvwVKMV8/9fggeE+YgtyIGp/NGu:iAyzCRhFQxYO2LmwKDY3EEL

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (63) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xQkggQog.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation	xQkggQog.exe

Executes dropped EXE 2 IoCs

Processes:

xQkggQog.exetgcsAwwM.exe

pid process

2812 xQkggQog.exe
2540 tgcsAwwM.exe

Loads dropped DLL 20 IoCs

Processes:

2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exexQkggQog.exe

pid	process
2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exexQkggQog.exetgcsAwwM.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\xQkggQog.exe = "C:\\Users\\Admin\\KIIAsMoI\\xQkggQog.exe"	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tgcsAwwM.exe = "C:\\ProgramData\\nakEwEYQ\\tgcsAwwM.exe"	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\xQkggQog.exe = "C:\\Users\\Admin\\KIIAsMoI\\xQkggQog.exe"	xQkggQog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tgcsAwwM.exe = "C:\\ProgramData\\nakEwEYQ\\tgcsAwwM.exe"	tgcsAwwM.exe

Drops file in Windows directory 1 IoCs

Processes:

xQkggQog.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico xQkggQog.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	xQkggQog.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1836	reg.exe
1904	reg.exe
2464	reg.exe
1352	reg.exe
1668	reg.exe
348	reg.exe
2384	reg.exe
1448	reg.exe
2956	reg.exe
1120	reg.exe
2096	reg.exe
1916	reg.exe
3020	reg.exe
1472	reg.exe
1404	reg.exe
2820	reg.exe
1900	reg.exe
2464	reg.exe
1596	reg.exe
2820	reg.exe
356	reg.exe
1556	reg.exe
1976	reg.exe
1728	reg.exe
2944	reg.exe
668	reg.exe
2852	reg.exe
1884	reg.exe
344	reg.exe
2852	reg.exe
1792	reg.exe
668	reg.exe
1608	reg.exe
1440	reg.exe
1728	reg.exe
1592	reg.exe
3036	reg.exe
1660	reg.exe
1768	reg.exe
2264	reg.exe
2380	reg.exe
1964	reg.exe
2276	reg.exe
1916	reg.exe
2848	reg.exe
412	reg.exe
1176	reg.exe
588	reg.exe
1660	reg.exe
668	reg.exe
1616	reg.exe
1980	reg.exe
788	reg.exe
1444	reg.exe
2084	reg.exe
948	reg.exe
2804	reg.exe
1668	reg.exe
576	reg.exe
2412	reg.exe
2204	reg.exe
2988	reg.exe
2272	reg.exe
1312	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe

pid	process
2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2784	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2784	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1544	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1544	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
788	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
788	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1300	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1300	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
328	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
328	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2528	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2528	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2728	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2728	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2196	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2196	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2924	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2924	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1460	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1460	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1520	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1520	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
328	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
328	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2472	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2472	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2200	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2200	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1612	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1612	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1504	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1504	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2644	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2644	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2692	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2692	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2932	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2932	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2268	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2268	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2884	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2884	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1228	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1228	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
992	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
992	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
352	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
352	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1512	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1512	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2932	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2932	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1100	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1100	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
884	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
884	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1632	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
1632	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2764	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
2764	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

xQkggQog.exe

pid process

2812 xQkggQog.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

xQkggQog.exe

pid	process
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe
2812	xQkggQog.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.execmd.execmd.exe2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.execmd.execmd.exe

description	pid	process	target process
PID 2964 wrote to memory of 2812	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	xQkggQog.exe
PID 2964 wrote to memory of 2812	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	xQkggQog.exe
PID 2964 wrote to memory of 2812	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	xQkggQog.exe
PID 2964 wrote to memory of 2812	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	xQkggQog.exe
PID 2964 wrote to memory of 2540	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	tgcsAwwM.exe
PID 2964 wrote to memory of 2540	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	tgcsAwwM.exe
PID 2964 wrote to memory of 2540	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	tgcsAwwM.exe
PID 2964 wrote to memory of 2540	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	tgcsAwwM.exe
PID 2964 wrote to memory of 2828	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 2964 wrote to memory of 2828	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 2964 wrote to memory of 2828	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 2964 wrote to memory of 2828	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 2828 wrote to memory of 1280	2828	cmd.exe	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
PID 2828 wrote to memory of 1280	2828	cmd.exe	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
PID 2828 wrote to memory of 1280	2828	cmd.exe	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
PID 2828 wrote to memory of 1280	2828	cmd.exe	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
PID 2964 wrote to memory of 2732	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 2964 wrote to memory of 2732	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 2964 wrote to memory of 2732	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 2964 wrote to memory of 2732	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 2964 wrote to memory of 2572	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 2964 wrote to memory of 2572	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 2964 wrote to memory of 2572	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 2964 wrote to memory of 2572	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 2964 wrote to memory of 1312	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 2964 wrote to memory of 1312	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 2964 wrote to memory of 1312	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 2964 wrote to memory of 1312	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 2964 wrote to memory of 2468	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 2964 wrote to memory of 2468	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 2964 wrote to memory of 2468	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 2964 wrote to memory of 2468	2964	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 2468 wrote to memory of 2464	2468	cmd.exe	cscript.exe
PID 2468 wrote to memory of 2464	2468	cmd.exe	cscript.exe
PID 2468 wrote to memory of 2464	2468	cmd.exe	cscript.exe
PID 2468 wrote to memory of 2464	2468	cmd.exe	cscript.exe
PID 1280 wrote to memory of 2608	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 1280 wrote to memory of 2608	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 1280 wrote to memory of 2608	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 1280 wrote to memory of 2608	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 2608 wrote to memory of 2784	2608	cmd.exe	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
PID 2608 wrote to memory of 2784	2608	cmd.exe	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
PID 2608 wrote to memory of 2784	2608	cmd.exe	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
PID 2608 wrote to memory of 2784	2608	cmd.exe	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
PID 1280 wrote to memory of 2928	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 1280 wrote to memory of 2928	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 1280 wrote to memory of 2928	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 1280 wrote to memory of 2928	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 1280 wrote to memory of 332	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 1280 wrote to memory of 332	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 1280 wrote to memory of 332	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 1280 wrote to memory of 332	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 1280 wrote to memory of 112	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 1280 wrote to memory of 112	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 1280 wrote to memory of 112	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 1280 wrote to memory of 112	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	reg.exe
PID 1280 wrote to memory of 1940	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 1280 wrote to memory of 1940	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 1280 wrote to memory of 1940	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 1280 wrote to memory of 1940	1280	2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe	cmd.exe
PID 1940 wrote to memory of 2140	1940	cmd.exe	cscript.exe
PID 1940 wrote to memory of 2140	1940	cmd.exe	cscript.exe
PID 1940 wrote to memory of 2140	1940	cmd.exe	cscript.exe
PID 1940 wrote to memory of 2140	1940	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\KIIAsMoI\xQkggQog.exe
"C:\Users\Admin\KIIAsMoI\xQkggQog.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2812

C:\ProgramData\nakEwEYQ\tgcsAwwM.exe
"C:\ProgramData\nakEwEYQ\tgcsAwwM.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
6⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
8⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
10⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
12⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
14⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
16⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
18⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
20⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
22⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
24⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
26⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
28⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2472

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
30⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
32⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
34⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
36⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:2644

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
38⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
40⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2932

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
42⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
44⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
46⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
48⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
50⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:352

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
52⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
54⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2932

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
56⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
58⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
60⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
62⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
64⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
65⤵
PID:300

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
66⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
67⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
68⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
69⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
70⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
71⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
72⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
73⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
74⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
75⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
76⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
77⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
78⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
79⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
80⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
81⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
82⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
83⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
84⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
85⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
86⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
87⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
88⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
89⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
90⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
91⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
92⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
93⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
94⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
95⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
96⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
97⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
98⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
99⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
100⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
101⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
102⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
103⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
104⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
105⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
106⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
107⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
108⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
109⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
110⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
111⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
112⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
113⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
114⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
115⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
116⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
117⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
118⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
119⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
120⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
121⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
122⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
123⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
124⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
125⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
126⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
127⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
128⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
129⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
130⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
131⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
132⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
133⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
134⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
135⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
136⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
137⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
138⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
139⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
140⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
141⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
142⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
143⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
144⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
145⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
146⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
147⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
148⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
149⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
150⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
151⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
152⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
153⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
154⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
155⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
156⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
157⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
158⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
159⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
160⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
161⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
162⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
163⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
164⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
165⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
166⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
167⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
168⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
169⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
170⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
171⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
172⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
173⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
174⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
175⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
176⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
177⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
178⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
179⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
180⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
181⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
182⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
183⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
184⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
185⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
186⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
187⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
188⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
189⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
190⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
191⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
192⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
193⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
194⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
195⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
196⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
197⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
198⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
199⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
200⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
201⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
202⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
203⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
204⤵
PID:328

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
205⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
206⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
207⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
208⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
209⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
210⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
211⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
212⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
213⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
214⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
215⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
216⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
217⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
218⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
219⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
220⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
221⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
222⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
223⤵
PID:356

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
224⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
225⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
226⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
227⤵
PID:108

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
228⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
229⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
230⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
231⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
232⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
233⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
234⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
235⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
236⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
237⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
238⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
239⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
240⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
241⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
242⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
243⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
244⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
245⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
246⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
247⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
248⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
249⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
250⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
251⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
252⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
253⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
254⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
255⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
256⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
257⤵
PID:792

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
258⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
259⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
260⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
261⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
262⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
263⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
264⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
265⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
266⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
267⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
268⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
269⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
270⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
271⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
272⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
273⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
274⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
275⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
276⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
277⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
278⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
279⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
280⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
281⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock"
282⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
283⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
284⤵
- Modifies visibility of file extensions in Explorer
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
284⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
284⤵
- UAC bypass
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
282⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
282⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
282⤵
- UAC bypass
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMAYMYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
282⤵
PID:2396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
283⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
280⤵
- Modifies visibility of file extensions in Explorer
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
280⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
280⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fQooQkQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
280⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
281⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
278⤵
- Modifies visibility of file extensions in Explorer
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
278⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
278⤵
- UAC bypass
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZYQMUMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
278⤵
PID:768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
279⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
276⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
276⤵
- Modifies registry key
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
276⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\buAUQQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
276⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
277⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
274⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
274⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
274⤵
- UAC bypass
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWsAYEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
274⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
275⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
272⤵
- Modifies visibility of file extensions in Explorer
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
272⤵
PID:300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
272⤵
- UAC bypass
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCsUookI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
272⤵
PID:1880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
273⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
270⤵
- Modifies registry key
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
270⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
270⤵
- UAC bypass
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcskMgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
270⤵
PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
271⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
268⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
268⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
268⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mukQcYQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
268⤵
PID:1420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
269⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
266⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
266⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
266⤵
- UAC bypass
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZoEgkYsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
266⤵
PID:2208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
267⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
- Modifies registry key
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xmMsUgMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
264⤵
PID:2592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
265⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
- Modifies visibility of file extensions in Explorer
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rcggcUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
262⤵
PID:2464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
- UAC bypass
- Modifies registry key
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMsUUYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
260⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
- Modifies visibility of file extensions in Explorer
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QiAYIokk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
258⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies visibility of file extensions in Explorer
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- UAC bypass
PID:324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YiAgEEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
256⤵
PID:2576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MScQcMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
254⤵
PID:1408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- Modifies registry key
PID:412

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SIsUkUcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
252⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMUwkYok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
250⤵
PID:1300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies visibility of file extensions in Explorer
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
- Modifies registry key
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCosEMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
248⤵
PID:1220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgcoAoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
246⤵
PID:1616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies registry key
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwsosIQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
244⤵
PID:2608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CskMoIYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
242⤵
PID:540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAUsksUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
240⤵
PID:2872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies registry key
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qSgYsgAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
238⤵
PID:588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
- Modifies registry key
PID:356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KesMUEgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
236⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
- Modifies registry key
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sYUIgUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
234⤵
PID:696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tqsgYgII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
232⤵
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dQIgYkko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
230⤵
PID:1844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JeIAAAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
228⤵
PID:344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIoMgUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
226⤵
PID:1788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:1184

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MoAIggos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
224⤵
PID:1596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- Modifies registry key
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UQUcYUQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
222⤵
PID:2572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
- Modifies registry key
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:1044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqwYIgEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
220⤵
PID:2764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies registry key
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WgIsAYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
218⤵
PID:1776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
- Modifies registry key
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- Modifies registry key
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oKQIYcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
216⤵
PID:2280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DawQgkAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
214⤵
PID:360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
- Modifies registry key
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEoQckoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
212⤵
PID:2800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcUoQIQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
210⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fIcEsUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
208⤵
PID:1280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmYAYksI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
206⤵
PID:1864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ioMUQEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
204⤵
PID:2212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYcMEIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
202⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
- Modifies registry key
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQUUsMkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
200⤵
PID:2392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
- Modifies registry key
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FAYwgAgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
198⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tOUIYEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
196⤵
PID:328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rIAEcggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
194⤵
PID:1220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RkAAUwEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
192⤵
PID:1624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cAUUsgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
190⤵
PID:984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOYMoAck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
188⤵
PID:2684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- Modifies registry key
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwoAEIUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
186⤵
PID:2928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
- Modifies registry key
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- Modifies registry key
PID:1916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMUoggQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
184⤵
PID:2204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcAUswAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
182⤵
PID:2140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:2220

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NSsAIwsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
180⤵
PID:1952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMsAEIwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
178⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- Modifies registry key
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmAQUQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
176⤵
PID:1728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YoAUwAUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
174⤵
PID:2584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:2472

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmAUQQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
172⤵
PID:1940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- Modifies registry key
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqoUgAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
170⤵
PID:1532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bUgUcwIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
168⤵
PID:2212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dOAgEAAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
166⤵
PID:2764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lkEkgUcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
164⤵
PID:3020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIMYIAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
162⤵
PID:1972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- Modifies registry key
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JyYMUMsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
160⤵
PID:1688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCEoAgEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
158⤵
PID:2924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCQMAQoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
156⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KeAoAAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
154⤵
PID:2584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies registry key
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WsYsIUMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
152⤵
PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HeQowAks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
150⤵
PID:1940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQEsYkEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
148⤵
PID:876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
- Modifies registry key
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyooIoks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
146⤵
PID:776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pusIYAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
144⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
- Modifies registry key
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:2156

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGEAAcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
142⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAEMEQoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
140⤵
PID:2820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
- Modifies registry key
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SQEwYkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
138⤵
PID:1848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qWsEIwQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
136⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\maAEUYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
134⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zYQIkIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
132⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
- Modifies registry key
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dKUAIsMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
130⤵
PID:2508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEMQYsgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
128⤵
PID:2440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bEAUUIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
126⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSkoEQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
124⤵
PID:2888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\asgMwsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
122⤵
PID:1896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies registry key
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmcAocYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
120⤵
PID:2216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SGskQosw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
118⤵
PID:1904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GsEUYwEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
116⤵
PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rucQYkAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
114⤵
PID:1780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGgAIUIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
112⤵
PID:2656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BkUYswMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
110⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RSMgYAYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
108⤵
PID:2160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
- Modifies registry key
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
- Modifies registry key
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yiookgQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
106⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkMgMssg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
104⤵
PID:2672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QQUscEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
102⤵
PID:2956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\magYwgAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
100⤵
PID:2776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- Modifies registry key
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TgMMgoYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
98⤵
PID:356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcoIwMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
96⤵
PID:2612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:2216

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vgoUgwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
94⤵
PID:2884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies registry key
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bsUkIkAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
92⤵
PID:1408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dmYcsEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
90⤵
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
- Modifies registry key
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uawEEUAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
88⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oWQgoAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
86⤵
PID:2512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kEEYUsUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
84⤵
PID:1520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:1220

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsoYgQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
82⤵
PID:1716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- Modifies registry key
PID:348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQosAoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
80⤵
PID:1544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- Modifies registry key
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMIIgsgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
78⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwwggskU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
76⤵
PID:2616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\diAIIkEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
74⤵
PID:2908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQAwsMAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
72⤵
PID:2972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ugMowQMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
70⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGkcoQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
68⤵
PID:1768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CocoEMAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
66⤵
PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aioMUksI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
64⤵
PID:1664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqkAgQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
62⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGYoIUwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
60⤵
PID:2872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWswwMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
58⤵
PID:892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PCwYckow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
56⤵
PID:2116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCUAQoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
54⤵
PID:2844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IgkEssAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
52⤵
PID:1352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CSYoEIMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
50⤵
PID:2180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IokwQswA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
48⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SccIgwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
46⤵
PID:572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tEYsEkIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
44⤵
PID:1572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies registry key
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- Modifies registry key
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGUgsgkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
42⤵
PID:1124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
- Modifies registry key
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCkIoUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
40⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies registry key
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FEoMoAso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
38⤵
PID:2468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgwMQYEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
36⤵
PID:1312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SuIMMQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
34⤵
PID:3032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qawsIIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
32⤵
PID:1472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYUIYcIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
30⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cgAYMkwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
28⤵
PID:1940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZaAUIMYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
26⤵
PID:2768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMIEoQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
24⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwMEEkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
22⤵
PID:1884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TSMoMYsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
20⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- Modifies registry key
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nUYswMIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
18⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCsUsoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
16⤵
PID:1352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GaIQcsUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
14⤵
PID:2524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KessMYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
12⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:952

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UkYAwUAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
10⤵
PID:1560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GakcAQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
8⤵
PID:776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGUIUcAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
6⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NOEEUssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqMYYkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1283843130936061582435511727-271902145-426799255-164608130-3076879571642092879"
1⤵
PID:2536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2105056839-81841419-1648964595-20851143108009228925403093593482021448827645"
1⤵
PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1227111968544278417-2105593828-1761619220629549731-77641211011135068981156204625"
1⤵
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
218KB

MD5
748455618f1bb6cf4abc5f5036ca9040

SHA1
2c605f057af67b9a8c6ac8e77dc1cce95dfcbaeb

SHA256
6e76516879c2369372a9c193bf4fd04efc6f365875c1c7795edd71cf689ac799

SHA512
8efe1158b71a37b28276a04305b43f9524a8b1358b352848cf9c7f9e2c673f7be29ce3f999e46054c9bb6b8931d6e2695d294564201c005aa5c7f762cae0c383

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe
Filesize
249KB

MD5
2ca18f27e00c9db6d57c923e7095be88

SHA1
59780f457b58a0d2574e38d3cf671c19d17234ba

SHA256
b543b8ca2d24c807ad6778e93aff2cc337dda20463690c5acd2057a5e2123168

SHA512
92b68480bf0ebf4319dd407a997ba914bd3586bddc21340ab12019dc2a8eae019668e57e0f79f363556177abb1a9472d056051636368b4fbb72a0b3c6f120a6a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe
Filesize
227KB

MD5
14cf860998f70243e6e115ccea4dfc30

SHA1
1d713919d4304c670e77f4c915637ea2f3906f1c

SHA256
89fd3f2aa6bd126b34a10f02362433b8cf61364e1e9cbfb94866f1d58131e877

SHA512
495ead56d12dd47e7bc0d265d2917d9dd973accbeb2e885a4bc790b741bab7e4c3f55eb13cd016f1ba5467860f1fb34b4caa9ed7238df8a09bda25db53e62e3d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe
Filesize
236KB

MD5
565ee9239fafcde64291e6acc3ab574d

SHA1
c796dbaeb22d5e9e5eace9e3c692275859d480a6

SHA256
38d0536ce6857916c35b96ac81fd31faa1bbcfa8d189e876247f36016603510e

SHA512
8f08d29a1ecaff340d5a5233720360efa851fb44914d80f624a8ed754d6d6cd799b1d569d4c30ddae5a44230e81f9a25e74978229438e1ad094c885f2d1a802e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe
Filesize
245KB

MD5
9bbfb6e3dea8d813046eb95d53b84240

SHA1
e78b8126e264ef0fb84be5cde5ea1ab00470bb07

SHA256
b9379df38b47f4185004960aeea83fca23b894c658050bd7c0390d24d113aa5c

SHA512
f5780811e22d5d4e932f28cbccd7b3fa3370ab41413a2f527449b42cccefad60f55ab399b2c0aa8d986cff62d379d43ce3198b38bd849af68053cd56908df575

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe
Filesize
229KB

MD5
9513f7eff1c4c010fd310eada2ab6ebf

SHA1
98c61de1b6d34edd1758d7ba340e1b01e398aae1

SHA256
7291bb118bf65e8d1d90a7a497f401658352f4ed6a0e8a02cd19a71a63f0731d

SHA512
2b14677193f028ea29a5febc0e8fe5590e89f777d0a290b53d53b3f9986e1956af3cdde0b6f3c70a56edcf66d86b95cc2b232980b1e3e1587593e0702b6ebc09

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe
Filesize
246KB

MD5
db000d781fe0af6a73ead448f9949a14

SHA1
a9fd159731a7af9c79a100e6f91507064ddbee2d

SHA256
f4ec672c2a9fdb19e4dd08991610b8cba62fc4ea5ab4cef65ee4e8fc1ba6fec1

SHA512
9a5f3c3ed70b6adc18c4343c57621c911d88ae0f3943a89f309cc2a09e674e721e649f5e20aa4469182c8a678dc5ee6c15351fcb78c196f6d335b69522d42f85

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe
Filesize
233KB

MD5
d7975ea97c24959ee71026789da8912e

SHA1
57b3e6e09b64cb0b19932377a157e0e0bfea8d79

SHA256
89964fbaf71151ce8ffbce20e3cc7ede72cf966bc47d06030328fab71dea922d

SHA512
08a624c7ea3ace5947eebbba98ce9c21bb3ea108ea706d8e49f12e55d4b3fbd279d086b45ab4a8141b5408b08230b8ebc38cd2bcc383a7607c66572d77733690

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe
Filesize
237KB

MD5
cdc77e203acefc3250d4dbe1b1ee4dc6

SHA1
0c035609b10daecc977ed25ee7860f441df8c328

SHA256
2c374f99d6721e0c565beb6e71d0ce24636b66e5dbe7b67900c26894ebb29961

SHA512
24f322ef103888ba8812bbf6572106aab0d2ebe52ecf0137885cd860dae000a41184473a21745c6b655a5896be80ece3bd5eded62e8fa420d41f3e53746f27c4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe
Filesize
228KB

MD5
0959aec45f9375ac0e0f73214fa90ea5

SHA1
3a9c996f60c8e256c6c44034684bfe394f82a129

SHA256
3841d655dd7c287ac00b2e41f37e1085769ad7fe0e9a320c23a85e241bd88661

SHA512
1ee270023e3a84fdbb3adcd27fdfee241e93cbfdb38d9dcae9152e5aa2fa77c2d3214fc9108a7e3802356474cc07c20ec286654f3a43cd1146c208b7e95c150b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe
Filesize
242KB

MD5
85bef6d432410ab5cb25fe50f750e9c6

SHA1
3dc6abd6a2ad474e2fac9c127d851e503010d133

SHA256
b676016fad7e9290d5096cbe6bab3d81c0694e9ebc1f9d1bc493185e1a673988

SHA512
ac75648b945b561c65530a332d7c13b4818efcca864bf24514d36a494c0b7a735758ebd49356222021efb280d48beb605c8e1852cd5791808d91c0dd9d6c100f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe
Filesize
251KB

MD5
ae333eb1c980e8f32bc231e385d763dc

SHA1
290f37ffb488b660f4632da907707de1c836aa1f

SHA256
c1d6e41da5d77878a09918f3dc8be72ab2c00ddbd097b82eef916108fa9efdfc

SHA512
c54781b3f0ca7eabbd53f18c8e52ce9bb7269a978e2214195bacfc336d4830d7e2d4bfc2e28a4451e8281c3252581aeab434d3d39b2e02e704bf791eee00e3fe

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe
Filesize
252KB

MD5
4a2d1e17bc7b40264c8e24b830ba062a

SHA1
75954c96c613b187ee350b2cf5d86a0d9efedf21

SHA256
8a5d89775e764d2edd41cf9af48170088962a876acfe83d7015e02a4a5f596a0

SHA512
cce9e368901b9e131762dfe48443767d0f001753b004e663d35ab4c7c0fd592798add22da7cd43e35296f881a9279d1db8c51fd12ec23884d11b1e5ae7bbc8a4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe
Filesize
246KB

MD5
ed2bddfcc18cce625e50261adcba5df3

SHA1
ebcfafc38d66a675013b874d7b543c7edef0c152

SHA256
07238f254736d9ecf80b3be6055a8a2bed1271f30137097871cb8cfcfd508f48

SHA512
5e213ed97c450c27dc63f07ea4ca4961998702ace04366b23d11e41ceee01b79f552d179134f72c9250a87a9f57472aa4a396085d037e680e809a0d45720f6ee

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Filesize
829KB

MD5
27503fbb53ce9111d490a6355c060a4e

SHA1
e488e60347b3316c17c44dd60486f09b93105eac

SHA256
a78cf15dee0ac04c78d3a0d0b1ef0b3d74dd1b115d36b8f89791adb7aea1d71f

SHA512
ba32bc2bc306929989b96c3a317f6f5cb2b28e50561a93a6d99e44643603ab079ad633f9a66eb065c246bac07799506f84b0055abcb8437b85100d1ba5b9fdb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe
Filesize
209KB

MD5
a328173fb9220a298bda458c5788268a

SHA1
fb5b0b45be3a7e10a7f5edeb5227b5bf4e80066d

SHA256
099bc6c76fc5adfff8bd0a61c2d5f5c3ebb04f4c1b4af23bb559040a49afb3c5

SHA512
91f036a7e35090b4122d3d9103881da8c141e270e2cb8d29f7e5d0a8383b40689bea4f29d0c49f7f64f1a958e394bd0968e62432a299f0bc4a4a0d15ac1c1390

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe
Filesize
200KB

MD5
912cf714cac4a85e9c9f2a469b3af55d

SHA1
5e1325826396ca850ff4639937e16a5d350140b1

SHA256
a04ee50b603e165f46b4b94cd3fb4422b34e6dd1f46b57be8d6fad5860d8e132

SHA512
094f01adf43d7bf903f29ca4c712a7f4586d34ee5d69f3ddc1e08ef1688707ebd9dee0b6f32f89860d0548d6fe45323948d32ed43e729b32bf6f1cad36cfe4d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe
Filesize
190KB

MD5
ae1b604eabce4e516fb8e7f47e533e17

SHA1
9495865c127f575f64cb95e66adf3a113cfd6b0e

SHA256
ccebbe1076cae45ce32c45bce382e1928e8b0243d3f8205073c4969da2f961d4

SHA512
73354547765d61ca20583a072e6b4850f68d007df0b6f93d9f1169b09404dc828d7f7c1bd7be1dc4c96639157d254e3b4908dd709fcb2b79f726f12135bd7035

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-28_4634f3182a76687cfbfc14aa296e9c9f_virlock
Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUsYQksM.bat
Filesize
4B

MD5
d88aaeec16696460ef47ee5cdc18f647

SHA1
45c62d9dc4faabc3b4aa5de77d49f259c27cc440

SHA256
4e112896ce9b207ffcbc84704e059eb85aab54b4bda58e1ab074637dbc3a7f42

SHA512
cb62cc658145cb67673fb99c94673f9502d158371b9142e65a07bb33aa9e9a5f75e50ca3c436978ca531bfb6adf0b89edd8e92ca9b382607970ff6c1f76984c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYEk.exe
Filesize
404KB

MD5
fd69aef1044e23b32e440201253aba20

SHA1
b1cc62e6881083900a229ad6fcec5f3ab65ab7cf

SHA256
f0b64681c2a3fbd992bd66755e46de56cd34271244f6d3278994c0e86c0d767d

SHA512
9f3b7e735a0ab427c827c782f85cd578596899313819d680556e484fa723f5465a28232307818ad8f9482d76447e7993c81fb0003cc79bb4b0f367e082d587d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcwcwAYo.bat
Filesize
4B

MD5
4855b3496da3f722948bd2f3787573c5

SHA1
3ec80e9f89eda45628e09223c6d2a373fed2a152

SHA256
6254727b78d9ee295ffb1fa0ecab1c0afc0c4bd6ceefbcfd6464cdf343a1e322

SHA512
c53748bc9b6d406de49c4829619da17785732491a4c9ca39e925c5a0c12dbf701efa1ad4b2970cd1aa1940a0a7a8fd1ae60094407e7415d4b57b182ff80fc93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYM.ico
Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agwi.exe
Filesize
226KB

MD5
d6b4f9a81b83bb55d272e27c825d5a8b

SHA1
402d7cd6d96a28f2efa64802dc3cfda7690bfed5

SHA256
dab71754016b9004b4cfecfa24646f9c410b2596e3a6542b9205cabb46b5851d

SHA512
c088da66d752ed99258f021f45bdb2c4b29e1c39c9be6814c3d80dc6d7063a19b5ce51015e59ca551f988841c35319ace9e0379fb1993f7fadc54c199ad5a578

Download Submit
C:\Users\Admin\AppData\Local\Temp\AiIIUEYY.bat
Filesize
4B

MD5
6d8e406772507b7a1434a6fe045bbdd4

SHA1
ba2fdc0039226087c684c26939c40807c0cbd38a

SHA256
e22c3f8dc1cbbcb7febdd72d1bf60e6df6beec382d3509e0c7f67e9daff44020

SHA512
2893a5de78e360de99b0f8f5aa03964005f1ea51349ab487886bc8a990d15e7ff061bca1d1dc1129e053898a03c2c42c51468390e74edc4fa0704575c81424bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AicIsYIs.bat
Filesize
4B

MD5
ba01320a515470bcbc3057088d5662c7

SHA1
c5ea2a88bd957689b9acd81b8f69a27babf70a89

SHA256
bcc140f4c2477ed19726431f216b127b20f2853c463598008be0748e51765555

SHA512
23116693d39b3c66bcdf488e3aeae9de4f5e1640fcad1307fd85151bcd54cabd999a15f89563e805383ba2c1d25cba5f6d211f820e05b3aa5963bf5d479fa1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkIMcwUw.bat
Filesize
4B

MD5
78d06a8f69d8c09582870689cb7bcde3

SHA1
fcbcd27c399723f0b7d4541130856936a0fe20ae

SHA256
88e9faa333f8a262b469f8d12b943598d86efcc7de4d3838fd1e1edeacdeb895

SHA512
cda1178915e387467042cc72c49ab15ac4f2666c8682706a2c3a5520dad27211159a2b2b12060ff28ad29dfbfdea3f8febeca2ccaf17271c2e4ac9d8ed92de8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEEO.exe
Filesize
808KB

MD5
a4d7681ed933ae2ca27dbfb35a2cdd45

SHA1
89f950058b095a1131b44dc28fb70be9c4106bbc

SHA256
caedaaf80cb1d840bee419f9c8dee7c0b74b2936b0e837c7f412d440207171b0

SHA512
f5f6c79e1b4907c4042dc0b1b168941947c0ace0c65a37b2204fa0f395fccfd08691926d78d80a17b58593b04f4e0d4cf37bfed8d95859563f7fecbc1e2c32a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKkMIkws.bat
Filesize
4B

MD5
1639879de559b630a43cc3e05fc70794

SHA1
b245e4b39088591ca14a117261ec7cd97a87bd28

SHA256
18e6a672c2322ffeaa88e58e306730927aca41df4f004a615c5c23a8e8ec9d26

SHA512
dba670cf444c582a9903fbfdefea02929351408d56a7f92f8d095e39d4aea820fbdfcbabb38310d0da765237b07380202e0649ecd0671c396a4a9b2b6babe0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQIu.exe
Filesize
249KB

MD5
8014dac12bbc7a18fb23e9b2da00196e

SHA1
dce3979a7a0ba703c0a484ce6cbb8e2227ad52a6

SHA256
14e93d43e2797c3f9f6dab847f132b3f769cd8f58703deaa2ae22b414eed14d3

SHA512
30ea4cffcc7dba36b372cf89b71e69815df8a189253701122e5128d1543a952e9c7ac04c161a8062c45d0444d845325a000e099a490f53c1fdea591e26a6ad9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUIEoAUI.bat
Filesize
4B

MD5
56cbb1e72c162272f33115ff28bee332

SHA1
ad0e92764e04590a551cfb2c97ec95b993d5eb41

SHA256
52ef4d9479b3baaab7cd0466df9ed992bd5b7466fe271d67fa4f09c2045f446a

SHA512
2cd46d1f797f655e4bab2fdac2a48b493a58920eced33bf395d5889df5fc4b7995d0adebc698374c5e840549cabb1353a28ec7e67eebf53f67e3d8a548734d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUcA.exe
Filesize
239KB

MD5
42f740ea438b721ec3b71c705b19bb14

SHA1
7ccbc68da51ee58901b298a998f4899c4375c074

SHA256
8073c8ec7f15da84b68f9478fedddaa193773f88b7c9ffa674577fa2c3e1ce42

SHA512
7edb8454f0a55ae3a3c5dae53af23cbe1f6a15ac3a2804965db0bfd89e06d1098fffefeb61e09d6260ecb010bd96fe7518d5acd3a7c4cd1cd53568b26df670bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYgW.exe
Filesize
324KB

MD5
5a34dcc78efbab65ce5055f7caa81e09

SHA1
1331fd1638f7d84931c729cb7e27aaf2a7533431

SHA256
d4edf0ed4a1c47b636e350e4c8bae671cb1fbbe73f9fd6b35282ba9af931c21a

SHA512
cdd52407813877272efe923d63b68306df07f9dc63617247f70701c32740ea9c3075e3140998453b67b94337a06b6b53a903986c643e2d259aaadcddca60aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwEC.exe
Filesize
241KB

MD5
092a111f9a9e66d080b1e6f67f895de6

SHA1
0f6b5d85de05f3e6e40d93307a5253b4b1a4a129

SHA256
1053afab0a178817a6ff6cab2bb29d7b3dcc6210e90994307f9c0fe9b00367aa

SHA512
32fb8deddafa0badd567652699c4eaefe2fc34d4fcb831957132498cb984c47d39e6b12f7fbd51161db1a03ab7543da2415d917cda132613a815ea79ad581ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIMYkYYQ.bat
Filesize
4B

MD5
b9b4385ea877228f792e8a93d0fd103a

SHA1
b56f5bf5542c0eabb1d58bc93c2d21779cfd3719

SHA256
d7b8e5eed2f06a9778492867fa0cb02cb196ec0c26e4c8a8b9b77433aa934394

SHA512
5800d173a534b3357c85ddb9142de02d6637207a9ba9b87a9889e919d81f471e08815322a6338be4efdd6dcf6dd039eaf3ed64e4ec4018730edd497cec657950

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwYkMIEg.bat
Filesize
4B

MD5
71a33e23499ea7ef3790d5164439bdee

SHA1
1cbaaf93745aeb859d846e6b9a6da8f6671b6ece

SHA256
26761d649fa6a97bc06c850fc154f1d38cb47a6bd3b7876329e415f78a72c93a

SHA512
804be8e6fa7dc15838290270db43346a71efca1cd4f9630bc89776764e108d6a6e2bbf62183e2536cae738c81e1ffad7990ffd9fbfcd8a87873a3c5f07c4cbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DyoMsUoI.bat
Filesize
4B

MD5
6241c4836ad733318772c16b1c788fb5

SHA1
ec484382f2fe76bcb0947381ace50fe5f0e157c4

SHA256
4bda0419e166c828be79353fe823567b01d2e80cb1b14bb20a1e712160315491

SHA512
ae52b96348e695f1549e26ad88add52d18285381ec5f3993da954a460d430e7de2b8cfab17b7868c001b9fa07f91bf92ad6db150a99eb20ea03799e871524319

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEoI.exe
Filesize
251KB

MD5
c023f59d8d98d4ad99a3fa5f512a58ad

SHA1
3bb428f191abad2888f5e3485dccc4c7d716fdbf

SHA256
392da5656bb2214e79cca83acea7574c723ccf01fd2366032d1d99101e84af50

SHA512
f8356760ddd3946a40d77be4af0a22e9844eea49727564d2ff1eb8059bc007d35b1bc778be67c83d1d65259faf9833b449c444ecc42aec06a01e8dd237934e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIIs.exe
Filesize
202KB

MD5
4d8fcc68f59a7a6e68c896a54909bab6

SHA1
eb01c849744ff959fb78998e40d692d2e8e4c138

SHA256
25f3e8a5f4f0dac4007a179235f252c274c3d3895c9c08d2bdc9b8ae0a651e6c

SHA512
4e545948b3197363184d4056c1b4b720a1b8baeedf7b63e9423121ff66ed432057dbbe85c7e59f5df86bee577c06d6a11e747daedec2875ac1ee51e16cdfdcf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOcIMMQg.bat
Filesize
4B

MD5
a678efa931674c8eeea20c921d9ae5de

SHA1
b00c7703e59ed142510f6e315e8ed361806a3cee

SHA256
111c8c957ce1b3eb80991953c57358aba8614b55e3fa2ebed91ce6dc4e052e61

SHA512
1a7a904189bc569a64c2218aec0efada0bb2fae3912e2d78c628bf59f3969276e88bb43cb661c7c053e21434834116f52833eee20ed417f0d31479c08a2ffe9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQcs.exe
Filesize
946KB

MD5
8d1e33a166d63830f2c753b01eb8cbd5

SHA1
85568d8c4400dbcd8bc4cf84dc7c9e0899edb3a3

SHA256
afd6b729c28d641cf8a9818e7ac887e12265d4ae40edf916a32e8a99835040fa

SHA512
70893fa6cd0b7bb6df7ab11f054fc150cca9ea153c40b1de26c210315ec51cc48abfe79fa9caa62e66353ab28f5f865275b27c84cd17b8c80c547b2cbfd9e32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoYM.exe
Filesize
196KB

MD5
4b6fe76ba4ed8e3a352d06c9d16ca74c

SHA1
a13795dc17b9a89f2d138ae16af46aeb18ebf278

SHA256
4fbe663e4a43fcf3d62b3aa112f73dd4a948ff3af3735d984bf25a66746cad84

SHA512
84a40e785ace115fbbdd6958b724754e7f80fc9d2a9561d156f89c8a63a8157644ccd8a501c2c7091b2da01390cf00a7bf0e764ac106df6dda4f0c295eac30bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Esse.exe
Filesize
248KB

MD5
500c223ca559684f62e2d03a2439a951

SHA1
f1c1264645b47fa6f3afccc79a69c43369cc4e67

SHA256
e7ca9d6729f5e6d3ecfad54ecf51568d9150824590544e55a37b109f2cdc80e9

SHA512
d38204099c24de8ab8decaba1a144c26126bc269d3a918e357981cb1082c98aacf0e7d9aaf205f2c75118c49c3be86365d647845ba82ecdd5f9810174f9921e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAAMcEUE.bat
Filesize
4B

MD5
69c07ab06ba828421eb4e2333e7bc4fc

SHA1
ca8ac8b3d2c58eee7f7d0df94ccb1b5d19f19ab9

SHA256
807f8be15b36bd7bc0494e46d191ddc25435992320ea84e614b84d90b3938250

SHA512
2774f20a08d303c41755311a59f5c4d8ab52c5361046c13a6e7b287e036c328d77727c76abd8eaf183496803f308e0364446524060c772b678a1968376ac9cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMcYskMc.bat
Filesize
4B

MD5
71d102a91050b3463b205305726e0231

SHA1
8aa2fdea10b728d960a8cd8b266feb32b3ec9f56

SHA256
f0ff8daf7524fdc3551dd0fda2701ead6b78be7d0388a3fa4a0db13861ec8012

SHA512
ab4886254a436f2dc1cfc261eb920e70dff495673d64b19ac883a1759a237728a75b98ad335667ddb7ff759e4ff929844315904cb82cb5bf852ff318580fae6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQUogYMo.bat
Filesize
4B

MD5
5375594312cd0c22ba47096b83954fc8

SHA1
e95016725af971846092f8fbbdb8ce6d78b908eb

SHA256
12849719926953380dbb3cf5b9946df1162fef61eee12a1f631c1b1ee20b36f7

SHA512
fb00ec3f1e3ba82c77a29cc812cc55c4fe7618277c07ea76fbf87ed3f5ef9945e7051f094a4a414be0bf9489badde03709b34c14abae082a2790310c48da7eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgYoUwcE.bat
Filesize
4B

MD5
d5747fdb77f4ae2a7a5271e511a210f5

SHA1
9fd6de98e4072afbcb7356bfafa356293a88375e

SHA256
a1ce6aec12b575a398fbccb403615fd2762e13f1d4d314bf3783489ea85662eb

SHA512
8f9e51121cc949401a792ef22461ccdb8ecb04ded726b46fbf214ec3d34746f44f7a16a414afa7b731618d5e43051d0c74685867664d4bcd00d5159dd7a08166

Download Submit
C:\Users\Admin\AppData\Local\Temp\FsAAAUMg.bat
Filesize
4B

MD5
1cd4fc9b2431c3787f0aaf1376a7516d

SHA1
bd6f20476d5e0ed0ee737f09be41ae613c96168a

SHA256
6ecf3951ad257890fa1e3275a4703d6b5fb09dbd2ac47c016d904ea53f8c4426

SHA512
743a223602396fed3eaa2808bfbaaf061145d0f57b037e70f80cd4f644e31892bd4929a595a98343253aca0f3fd96e143da679cb63a9ac1c9d7069244d736d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FsssAIYM.bat
Filesize
4B

MD5
96f2b62e8e8b31581943a8daf2c8e7e5

SHA1
e64e6d2dbf0cdd666c4c85f6d1e8005baf0d9319

SHA256
375373fd0a03b6245ed580951e4eb1ec5ce086bf13db939e0ba859799a8f05be

SHA512
8b0c8cd8c3162d1aeea19a60b45116a82f367ce37d26a9d6022f3cfb2f3cb92425e44a816e2f91598e794b75c8c3a92128646c7b29261b4951cfc45b5e0efaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEEa.exe
Filesize
771KB

MD5
ff4a0582976455f88e9af62b8d5d3446

SHA1
364580ab9f0b65e998e4f08a40709b3e8d0f9dcd

SHA256
15c9e056066d5cfb201e8f93d87b859ebc5885dbe8672e507927999dfcc53e82

SHA512
aa8ef07fd3506233f09dc3fb9c67a2a8514b89392331c2f1bd97f9a87f9a9348f49ce0cd2d34b927552530a481b6ddb46de2601b8443da75e5d691b63b1ce943

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUIC.exe
Filesize
311KB

MD5
760808e5b14d75063468b0bb164ae200

SHA1
bb2fd00bd76742d928d188f18c8465eaf5972da7

SHA256
aa4642e7f2f88ede999eceb2557f41df848b3190e3d74abc2d3ff30cb4130a0f

SHA512
0855e068aa365613fa27cc26808cddc0ee437c9d365fd2a0556049b24cdd41afc5dd278b41bce28d7149eda63a95cc6f8cfdb0d9ca359cb7c0b0997795dd2ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYMcEEcA.bat
Filesize
4B

MD5
48d5f7adbebec7b3fe2519945e1a7b01

SHA1
01e7dfba470f24c5cf09f618c7f68adbb60dd14e

SHA256
924fcbcb54e16cee2716e182ff8728cd55a0a7bbd548d71eaa8367fa43f996a4

SHA512
6d9358502fd236ccbbccd92d452cf012e23db073fe0c254f3a593319801dc83fb560893848775b9b3955679a57060a0cb5cb5d6a647a39dfccded215a744f904

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYcMYkkQ.bat
Filesize
4B

MD5
35cda0eac80c077dd8c4667ba796cdfa

SHA1
6d4899b5b572107b30b4a34f28cccc67270834bc

SHA256
eb50f1554d99b9a2d3c8d4cc5ee32bcc172c6dbe7e8b45adf07f930fa943dcd9

SHA512
6d882407d5fc2dd98c9b0635f481762f79d75daf097793ddc572e2b3f8e6bc20777fbc59d487ed2dea58b9dadf8546958a0fb64044746ddcadf413b18fab71cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gkgkgswg.bat
Filesize
4B

MD5
c628d40dc7f2b7e0325c61f94c642c24

SHA1
19ae16de25d0ea922ac5a47cd8f2dc0148569bbd

SHA256
ca92fe29141262a9b77343c28f0c8a8cd0e4be286c9e2c7a6fa17f15d4ed5deb

SHA512
7fb6f1de956954259f571ba1d69a7260181e83f6e6c6010dbaf9b7e4262d4395cf9352cc1e52b4eef5d6d9eb136e11ec771d688298afb4059810d505c2d43a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkQIEoYY.bat
Filesize
4B

MD5
bcf5c8c30c18abcf038d1b95ba29fd3b

SHA1
0423932c93785d4a01f17343664bf5a01c13f1e3

SHA256
a12e3f448660f196963ddea8a0dbed95f82cba66d6566408ce76993dbbd9e9b7

SHA512
1d351bd729e2a4555c79a8920dec5e79326231f5d630169e888291309dd63d2bf2faf3dfe8cc713fcf045b501787744f8e6be328aba82d5f5e7d28e17ff777ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEQk.exe
Filesize
234KB

MD5
e37cf02680c8ee3750e2d971bb29aa9e

SHA1
6f30c2e8399c9830b1a8fe1a5f7fce3885c36755

SHA256
5cc842a22d6d04bfb2c0da097fc6367687c761a18251067644583777d8a443d3

SHA512
b29eb1a639454b5188a7a4ec4c5d6acd78cc1bd7053d033504d543af5b29322e3e4f20fbbad353b44a07fdd4edaae3c4a8ad54a66d8171e1ba0047a5b6b7d049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEYm.exe
Filesize
246KB

MD5
a8a7b6c102cc8c90539575fb64c3ad97

SHA1
22db5c1362a2689704b1d958157b384835cb42ad

SHA256
8059a082a05207d71e6dedc1af6206852069da859ada02fd2cd7aa623b68ac0c

SHA512
1bb0a24d6ae6145fcb1fca4a08ae60ba7c7b1bb1a1abd57fda3beee82bb633db92128728b74bdfba87dd5d9596b3e21f39e806db511c7171e407b1ea168b9165

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIEA.exe
Filesize
540KB

MD5
296fae1676ff744692753d235a073eae

SHA1
838e655f255998e853b393c18f95cc82b0fbd5e3

SHA256
246460c7617ed6c8cca519eb6cf50f390cc0d42b9c4728048a97da1b56afc691

SHA512
a6ad0b06bdf283b13833f8bce37b26df5dc912bd7cad846a4a71ac0431a8076d73b00277ee659628b941fc1771eafcc2aa04fe61976650900e6702a269e3b857

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIoI.exe
Filesize
187KB

MD5
79565c4517a9ccb406628426c1018224

SHA1
a938c20e508d19ed835d7d77f0d9421084cd84b6

SHA256
62dfa620a00eeaf5bad246dc12bd2cbca5e14f4414dc4fe06cace7f4091d0886

SHA512
06ec3ee3f5d5180673feb66c62fca4c732753cfda4142d82df76f4f982a62f04f6f55d9a474e2437444853f0febd4b90634a3f00168fc2b139dc219544f41181

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQsa.exe
Filesize
409KB

MD5
448203d626f8c93989ce9e607587fd2c

SHA1
f05d6e6394e23a991dcbf4445092768a849e4ef9

SHA256
8639d2e591c5f5528d09c5323bba1c85ccd675f538fd5d33238cc8b094dbb94a

SHA512
1b826f0441b3e7baaa12fefe589849681bf5dc9f53c138d22c8bf893cbd73d50cf2f382b8c3af6354b2a47391bd1f70f0d02502f051e4b1cf4605d8b4bdaf6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUgUAQgU.bat
Filesize
4B

MD5
c5639273b8779d9df2ccb963f950829c

SHA1
892635426c0905dcb48228be2373bd5c99b7ca85

SHA256
91e1ad8af5b1db3edf7148b7513cb7def62dd90208b9a3ff4b76be4a7a7c5f25

SHA512
41e3ecd9bc45a3929bef75f70b1146dafcb1dabcd8b2d3d886193d4c8bcaa6b4510893811f073c3c3789800f576fcb473d37f783db942e9532bf4c6744b99d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IewgskcY.bat
Filesize
4B

MD5
858aa51c931c6ac57a8dd8c232dec218

SHA1
cfa56ad9385c41849c39eda8053871a0547b5504

SHA256
accff128e34976f284d93907c645fb3115efe43f7709917376f7c31b8cdc9017

SHA512
673e00278168d2a3cc8e72b6bdc40069f76151e8074e3900f6181c7d34a697d4383bc39d155086c5772a31bff5f7791d15792e357bd3864c74f3f29ecff3903c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iogu.exe
Filesize
492KB

MD5
ce66c135eb50ad48807462804028fc67

SHA1
c12bc6f573e8735527bb349090797719e16f448a

SHA256
cda0e732f6784c438502c46edd0fb4b4cd49f3aeaed20900ffd114ba494cd1a8

SHA512
9dc9f58897a814a79bfd20ddb4996cfe550f4b6fcdf4896c0055a924a07eac6513a279612adfd79ef95554c444ac6ec4f98415bb750ceb07720a0a2177d98102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IooO.exe
Filesize
220KB

MD5
7a289362297d478d53707890b19dc5fd

SHA1
06a85bbf58d7a0d4c54f1eafcdc56a092e0e68e4

SHA256
255adffc8c44f33d7e0f980683ebb7671fcbf4acfd29531672141fd650e613ba

SHA512
44970e47a6bc01afc493f597a4ec5e9027d32f0f165f1ef0d0914ebc19ca3bcb8aeeadba6439574eda8d84bcfb0de511b979c3dcbae2894c6e15400039a6172f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAcwYgwQ.bat
Filesize
4B

MD5
9cee42560dc5b1898612d0bdea4bbd2d

SHA1
0817ca0244ba8d6e1aa0d050fbb64dac83ab1588

SHA256
525605133c8b4d4c7e6a0c8e6842a72a5a189f13e9d1e7be817fb5433a425db9

SHA512
e605ba0339d789ca10183dffea76cd364802e2da4be164589c76e379475cfdf27e163359987fb9563bf63e8dea09c2878d9b469862de383323cb441c0c283992

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEUAwAsc.bat
Filesize
4B

MD5
15db39f2d06bbadb66595d5f4e60d9d7

SHA1
251e5317b41a6b73add8918397aec78e18f9bf79

SHA256
033de543e879707f65f4d963f6b3912c8b26c5d09a9fff3019321db771df3916

SHA512
341e8413413833ed27529f94cf5b0238d8267cb811f62af627f6c7305d4fcbaebe218b1ffaf2120f436ebc059b12b6406099cc8e06501f8a545d577a6f13784e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGkUookk.bat
Filesize
4B

MD5
e4edc0384f3a938c4f6cec2edbbd8fd8

SHA1
27313410bdbcf1b70390a10ddd17e5b5b7eb2ac4

SHA256
d76acb66a27d749cd7063e46eea43218935f68ae92bdd188b9ad829598d4141c

SHA512
af23d264d874ef9ba849ed4eef65621626d416fae9009f501a5fab07c4762f24f3c06cbf9103139b7be6ce05d156e5fe4d5dbd46e3402d3edfccd0b219ad6afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMcQMMAo.bat
Filesize
4B

MD5
c218ab1825cba87fd4656eff075cf1f1

SHA1
630b3a6033227a1318c5efe0b19a700772b12f60

SHA256
2e1371e8c9337c6672c5daa5c9833c7e78ab7864ecb7fbd8ca94ee7f7bb64f85

SHA512
0d7032b10c5938ff79063262f3b6afe94bd1a54cace5390dc247b6ab09fc4b2d3ed9782c0abd62df0385e4c80271f1adfc0787a4f06d25b37a599f1ec189fd9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYsgMAkU.bat
Filesize
4B

MD5
f38e003695a9a3947cb7dc4ee7aa132c

SHA1
bddd5537795e43b987e8cf67ec5b1e24a63bcccc

SHA256
ed581ac21a3e284fd35c818fec32a25233204ef098ab27f07ef227c2898cab54

SHA512
9ec35555e6fe8b3bb277a3230d521fc47a81c2dac75efd6158f6ba1024a8066bd4a6882dd42eea5339414f761abe625be2c38df7c97832c59a873d452bbf04f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JiAgkEkw.bat
Filesize
4B

MD5
476acb62031352993a48e30e294d9a9d

SHA1
41f96ba805f6c5ef660b3ca7c269feed9ed6e130

SHA256
024f746a14a4eb5c1680198eb0dfe9fc92130bbb9a91f271867cdbbae6d26592

SHA512
9c2ed4ccab59b51225b81a78d0b36b2fffc1ae03bf0b246fe626697c355af30168dfab3a9cc54f1f7a3d3b37de1738514dd9be96cae165f164fb981ff5605d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\JmwokEoE.bat
Filesize
4B

MD5
8c89d02a08b586d91399734712e44042

SHA1
2fea00860a26398a82dd5bc3f22afcad28b5849a

SHA256
10c0f5e6b82c1d03fc9f613f39026cf8aa1f388d7fd0624cb8f3a481599ca265

SHA512
ddd9bf8387dbf6b5a4e8ebb177c1d24d32896bf28b74272b10a66231b19c304be446a5e8684fe6d228cd55cec260a63e3dfc6d47cf047ab89bbd313655899c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\JuAEIgQw.bat
Filesize
4B

MD5
12170674edb3aff3ac7d6af9d285b014

SHA1
1ef4b53343770cf5866b432d2f05b656c84a3164

SHA256
358753459b298dc89b5a8845f0810ae9ad0dfd1c3de14b1723696813ea7486cc

SHA512
20b519b783e9adacc1c7e9b7c2db0d55e2d0d3208d8c1183c3217c8b61baee12329ac7b7ef8d473d91bcd82fe60d1364b60297703c0be8f9db2895ff4e89ff29

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAUa.exe
Filesize
242KB

MD5
2a4de6c02b95dd6ae26d5eb63fae9422

SHA1
54b8581a9646193c723ab9c101fa4909198e9b7e

SHA256
4dd0d176c8e7a60074b3aadaca4d19568818c9b6f9c8302b66781ce8bee3373c

SHA512
90bd29ffae97513e114ca081c5f4b8d247be83bba4e8aac16e3a2fe8b2b69bfa473174694d264b982aac8c205866888878364b5ffb9323ba0d0b783a04ab103a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEke.ico
Filesize
4KB

MD5
e1ef4ce9101a2d621605c1804fa500f0

SHA1
0cef22e54d5a2a576dd684c456ede63193dcb1dc

SHA256
8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0

SHA512
f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMwcYgoM.bat
Filesize
4B

MD5
51ceb85ad4fa1c1d958a1798b11e20f3

SHA1
a91cd24039ccd53e9cfac5a8037dd4f62322db53

SHA256
fb6aee7b0c02f4347b3193336a5253973224ecfed6fb6ce7eb73ffbb649d2ad6

SHA512
b01462d0520302f91e83c21b3340e9c6adf2db69d15c23a20a81fadbb5e987b676209a45d4e8cc2fb49aab2cfd10d8d46dea90234d3737a0d0a83b0970fd7b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQoMkYww.bat
Filesize
4B

MD5
8363ea56e990fd43a7d927cb641e9969

SHA1
6913d1bfa951971ff543ba29f3b01feab4a0b5e3

SHA256
7aa990b144bceda6ca679f9bb946239ac89c60f1b96a62710e57a7f2c1b1c2bb

SHA512
857f9d6a07f71cb397ee458ba63114484891aec234b83ab43821ff9513f4011cb5718cd5519611a07a1f4909ab314635baa11a9edd42f3a41924aceb74577584

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUkE.exe
Filesize
242KB

MD5
343d3ca022dcafc572c79290e618fe98

SHA1
b02919c7d51f3f5864062716fd14bb4aadfe1cbd

SHA256
e3b52138591f4c694bca7ac02405917e983a59f0c7b3c47387a222f42c020259

SHA512
f9041b27354bbcec78184ff49295e1ec29be750b809f214eada2c83e13d0294a494b83ea166a0eb8fa26e7f2d3e879cc40f70dcdb4ae118dd140f8f8416aadfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYQoQIkU.bat
Filesize
4B

MD5
f8bfb7b819801eff32c920ef5ceb1ea8

SHA1
7d33807f5d9b18ed74af18c6b8c98513a5e39d01

SHA256
4a8a75ffd46829d660626ca9f97958c714c9f4a9180daaf3daa1bdfa62394888

SHA512
7575b25515090ad56d3e8bef5850bff8658de1dc63b0f8a3cfdc69abee009960c6d902dfac97400d520d90e9b66737178fc706e48a2300e0f767c2a127afe443

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgMm.exe
Filesize
239KB

MD5
7e2881d4eaeda496ed83313209e0b002

SHA1
f9bfe965f3e0c357d67595a0d56c0a460534010f

SHA256
f9c0559c838988ef721fdaed3c6a8b9aa99444c12140fd69af045059cfa5490c

SHA512
40809a8d72ee26026fa7ff5b1e4183a41d247288203d8a06d916f046ca21f51d2c94c81461150b439e7979c5bb32a3714635d40f50f31589e2661373d0e8cc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwMu.exe
Filesize
8.2MB

MD5
82d9440874a5f94682f2deec74a73556

SHA1
b4a64b86ff516cd51d889151eb61c5c4749d8127

SHA256
2cf1cc9d072080ea9bc320001ab1a0162180968ec6bc8e6f12d092b392418415

SHA512
b23429c7804f4c9479eab531a3c874da79709f1d63e146d357daf3b614b8b9704233df6264be104287ce57715b3c6fe4e0049395f781d67a7786055c4777b173

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIQEgEwQ.bat
Filesize
4B

MD5
cfb86e0022c06e3aae7e3bad923303d8

SHA1
d91c963bc8d769cbfaa20a387e9c9f4dba724aeb

SHA256
1578003d5b1e20ea613c7569fe625dea4101a592a8e347bef4d843d445744b66

SHA512
45079756eac09a050011b5d74b8dbaed1a85049ddb452a2783a6ed04974ff6df86f39a745671266c00fdbbab7f8127160f6c6932d3d4706552b645dff072d3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAoEcYcA.bat
Filesize
4B

MD5
2cf2aaf1248f4eced79c38d508dc0d85

SHA1
1be0dee98a639a97ab92bbb4f03240d9becb3d1c

SHA256
32703a856faae94c72581fde6000bf2f52053ba480e1f1a9f729b17f6d1e419e

SHA512
22d5310eb72fb7b5ef90f41e78faf1abe6e7b4fe02bec93c3c0ecdd46852c27c8ee9ced2beeeb80d6f029c1874dca7f05f1a33fe78ef5faea186d93f6c104e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCAIUwUA.bat
Filesize
4B

MD5
9059ffe4fcd9e9ced5101a44791f16eb

SHA1
79b3174affcf511e2c837669a413d1a3fe2bce41

SHA256
2f987f82c22eda35f3da9249c30a574824dc65ad3bf6d50c5150228b92facb9d

SHA512
632c0c1c3b456876b0b87010cd87c0536de08d1bae45cb9c6a4936fc7fd77105929ef906d68356e422c12aa6a64df91db1968f8d3ab82ac6a8a6f33741bb2a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOMMcsQA.bat
Filesize
4B

MD5
4892761c1d69fb89b2bd245f7cba9551

SHA1
bcd8286a3c0bfc1cc147b0d95020d616a041a2aa

SHA256
c65e61f5415588b1e42e3f309dcc1ac6829c6a411c23a37017215c63d38dd998

SHA512
125b3f0e39a5012e499139a44d11e46932b04e603ab6d8bd367ab4a169a65e9dba8f5181b15bf4eda1ec4d1ba5feb8fef1dde01bffce8481a0fad7a88346bfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOMsMcoI.bat
Filesize
4B

MD5
02a38bf5346ca097ad37e76cee792618

SHA1
985950cd8d12ac4172730605a1b1707f9f747e2c

SHA256
c998cbcc6e907e0688246ab3aeac979a283b6653fe1de5b12bb7eb058637999c

SHA512
1200befa1101bb3155e034973fe018e0288e7991226d5da57c2bb142eb1d0a559bd50a54292d1a9925e5cd5223b3e6734d4bb23bab4c897d582812cf7e0f5d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQgO.exe
Filesize
1.1MB

MD5
2647c4817727a07b9d025497a92c68ef

SHA1
b6d28d3ab2ab18d0bcd50f4d3571ebbac0b153e7

SHA256
72f15c080ab43ac3832081713eabf946bd1ad06927f1470586f542b016843fb4

SHA512
67f86b6888608c7aa7cdb9cdba5eb0c367cbf601e85e45c0e6f53a70b8a2a6369b24ea431e86ee86660cf916b5cf75b61a09856e8b1c893a6b241f2ca9007979

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcog.exe
Filesize
196KB

MD5
5ab00c80733bf369850e2f1e823de119

SHA1
0160541b1138aa5936a59460c3236369e882a400

SHA256
8c946b11745726cf2813a10bfbd9ec26ff714158efef5a04d129e5054a5ab04d

SHA512
40da784bf0debb8ce9e951c6005b1174ab2f9ce311b8709a06fdb2ee8d9de80069c79375e769d3b62ff08ec5943ba52796e5788bef703f27eedbc79c085fb6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgkY.exe
Filesize
221KB

MD5
58dfc5bbce52928183ff48c1b83906a7

SHA1
db7998cc62529929cbcfbc0e169960c5f93f2548

SHA256
86bb8a4fecc19775830ec0c17400933adbd39061272110d13c740b08652b208f

SHA512
c94f496e1f4ffdc8dc2d07f6a1e361968b23554ded44675a735f37f0f36a0854abdbc72bb5ba9c34895f5352b0bf1709d20400d706605f505380235e861ca5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgsC.exe
Filesize
193KB

MD5
bb365f66ce000af6345f441f6cb75262

SHA1
aea9c26a3822893e4d9b6924df2f4abffd479ccc

SHA256
ec16b80fc8102ef94ada9dd59e0917e4eee0f0c378aa538f3f78529461a60b2a

SHA512
74ada9d5ae0c0e7f8d01d42282c452d44bfb42ce60c46aa74927030914332cf1261b9079bf126f61a603aa2f70f0fd47438eb935a41e8afb71e1ebe493ace70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsAy.exe
Filesize
208KB

MD5
137860a35b33e6cca8e10564ae3d4f45

SHA1
c9a0554cbc8a056f0dd5559217791376c1b716ae

SHA256
4a9952a1e9b08c853ef30f7b80645ad714c5fc68f856e11fc4eae1edfc84bfc6

SHA512
5d6d72ad607347d1b4a21656ee9827faed1fb084f757d0bd750be9be62e979c5fd8941a986e63d6e0b4d2fcf78ff6dea87bcba7dc21ff8fe7a6c141856cbd125

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mswu.exe
Filesize
984KB

MD5
7403e5472ee99d77a61e00c5d214589a

SHA1
13d71065484a5cba47cdc2e81fad96af0c2bf1ae

SHA256
d842a1390afd4ead063c2b4f0869a4ec3cd94fc45b4493f3d876b030c2d7bfb8

SHA512
66bc79f218558948097b7aede3b1c85b60e4c4e988f2767e054e2c60c930e47b41edbf2d052a0cf2d0bcf899a03e7a667d0082d57ce20c76bfc36009ade1e469

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwYu.exe
Filesize
206KB

MD5
6f5a3918cdf20ef9a264e2beafec1e69

SHA1
541334aa6fcb2f59774c7be04b907a62f955ed77

SHA256
809a45db9c3cf00e58976e8542102a189d6dfc2c6722ad288e796c97a8289d44

SHA512
ee6b21518c2df4ec3241f2e89a5d0f351916d2ac26e26930b48a57be9814a407497f3e100fd47b33873460957bd61b3edffa8bc02553d43277903c90a20fee4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NGEIIQYk.bat
Filesize
4B

MD5
6f00d784b0ec61e1ba8f834664bf68e8

SHA1
4d17dd4fa957157c57b44a2beac5b96433a422e5

SHA256
4251bf565a42e6e031cf448076ae97e537333e2f60a03d2566d660e8c0e6b695

SHA512
b18814c38aea9b0759584988eb81fa8b64856311fea8617d27c33ff9640287342862eef5ddf0ac05a42fa3775e531cc59cdf705e80d5744b4fe7b14073ab01be

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQYwgUIA.bat
Filesize
4B

MD5
8855bb3899e3e1f158d2718b71e5628e

SHA1
cd877a1c955f3d30b1d695c185b9e9407fd12bee

SHA256
872f858f9d47f83d9804130f7368fb195cd534cda3378e927cfa8ea18a75acd2

SHA512
02e1fcec82215118051949571ec2f64faa3e3cc04c50a5708e8d56f6ac5a833704f90c969a7973d8da50f0d8474b4e7010fbee3a05ecdee41fe9789fdd6ad88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeswkAwQ.bat
Filesize
4B

MD5
a28dfce43d837b226fcdf9648fcb07e0

SHA1
6be2405c4a661d449032517618413e7e28ca4df1

SHA256
d201038e388d4a5c44a1fbe5431c1bad98ea3aa7e31a5b0edf1f9bb9805d9884

SHA512
f82355f692abce51492213800ef9ffbc4d3328c684ae25cf022a0fb9349576c8149e3cc9e157faa0ac3cf832831e840593d0dc31edeff076d9b6cdcbdad6ede9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgkgkUYk.bat
Filesize
4B

MD5
e7e73533173ad3d5518558b99e3e772a

SHA1
79d8a80cf991afe3650a8e9067421b2afca74c58

SHA256
6d3ee87886c4a9f2472977d2cf08a431a70a320060cee17102d5eba7401825b6

SHA512
8b8b148ac66ca28a33f59800a206237ce0b2bd57581d2c910799c555ebe39d45848df31c37faae8e9171ba9a57f4c4b113e5d4d4780ab5c87d7b10e4d7ca8e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiYMoYwE.bat
Filesize
4B

MD5
5b071c546752186dcb0fb643048a4460

SHA1
39b188daab245c61b1cc0e6a98d4edf9ac7daa16

SHA256
9ac5d4c5cbfc102cd31c0c71f7340b2dbf659a00ea1005a922821cebf232090b

SHA512
4169cb529e77cd0b0c187603f642967e78a253393f222a2520dea019249e7139967020739583c6a30570edf83a34269c45c089881c4fc7b1b676c4278c1baacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\NqMYYkIE.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NygkgUQM.bat
Filesize
4B

MD5
183e9321f57e31edf2b241f0272de635

SHA1
6d4b6091b2bef197c5e0557c0dc883e3751bd394

SHA256
17ba32688368fc1cf0c5a7b7fe93702ab82d4a0f9bd16714166b3b633fce593a

SHA512
35ff50369c725d9e66412594fe9b556594e33cc0ba2dd528440e07c64d9bc6ab28d6512792d6b6bd60f5a3c00bfb63caeb1bb3d56621cffa6c6b0b8ec6a79a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYAS.exe
Filesize
240KB

MD5
f16fa34b478a08692548007083ce3bdd

SHA1
7b0ccd608e535bed2e81f48cc026bc34ca89de3a

SHA256
79f960221215eae8d527562585e2fc077aa727648e5aac4395ad6981d840c9aa

SHA512
bb3b34db66444524d7306b75694dee4e2bbbf6a50fbfbae0c951618c79fa7033989a820181984af14ae2d61673c8a6e9cfb333b3626677a995c4b3bfa8f62db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcUa.exe
Filesize
248KB

MD5
936d077191f15ca930070960547f7bf8

SHA1
a0ce88d464658c876b51f39cfd540fbbfdb80980

SHA256
aa0359bf3c81005dcef12ebcf0f07b78d6093a53aa0d986768f54d9e68742367

SHA512
6a7af1c47be85233cc531714500b437893781c5be759f6e14f271f2ae022b02cfbaf230f4994e72dbd65a67ed1cad1e8de12097fb9b89c324416d35aaa7b3577

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcYA.ico
Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okke.exe
Filesize
208KB

MD5
53b5b1f0ff825e08286c9de52b889f4f

SHA1
5dbd33b125c88a679980059603c19fb858f5587c

SHA256
d52c1c2334cc1ad163fcaed92459f1de33b4d4c7945c1bf2802d2097de886c85

SHA512
3ed1aeec8744ee974fdb0485fb4febef30ec6ccc3ee6b9986199aef14f767a55a089edfecdbdcb2e81965cf2385659b04bb3b8a471c4f792ef4a33c457a6e302

Download Submit
C:\Users\Admin\AppData\Local\Temp\OosC.exe
Filesize
234KB

MD5
f4753bf1cd7c0c5bfaef9ec0bd25d703

SHA1
7244bcdaa4bb8373d6e4724b419fa415407c437b

SHA256
00a52f65c9810dbc34c1230a80227056ebc1a8ff0570d69d4bacac30548e0029

SHA512
ef6860d3fed890f15c0f36f21f3d37f0068b03e861e224ed7fd0acafeac1bc4dd94b0a54074b05cb8a97012070b312ffd18b4d7990724fc193f8b5350ec1ea07

Download Submit
C:\Users\Admin\AppData\Local\Temp\OygIYYww.bat
Filesize
4B

MD5
fd227c0c322440ff88df1258394ca57b

SHA1
7ded6a8b94407347605897e9f5fdc73d0d3bc865

SHA256
301448db98d0f801ecc795c46b8825079ef3f8a4169e960ac555b53ece2ff0d2

SHA512
a70799acfcc1674bc7fd5398a930414c52fde9432212adffb0393ff7a5870f6179fa34f4051563947c2157d84ea973b33e470f44fd59018f4e74442ff0021dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIgYggYM.bat
Filesize
4B

MD5
7e14cea705f5e2e30ccb2897f1c17c99

SHA1
58a121aacd38918b62b6a99b43214d7a8fd7e0c8

SHA256
ee1a1db7e0152f3560e369698981f2c4402f400b1bba071ee1f86b051eaefec3

SHA512
8d98dae393d1f0f6bcabca21e35f11faacbf390744083ccfe7cedd30c4dae888b4569f962f919ee1c2019a188bbafe3bfb511839dc02adff1fcc96be8689364a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PmIocYAM.bat
Filesize
4B

MD5
997385080507081bf970761014a7a7fc

SHA1
2b3f2a8db6ab30dbeff5ddc47327892e42c4e7c2

SHA256
5c7d8fd7ac46c011ab8b1f2e5b9dd8b19e64e5203369b3d91df919b0418b1a76

SHA512
133ee2cecf3bdedbc6083ddcc0a94ae206edaa19265c59804316451c3f7d3fe6341d9459ba4cfc47aeefd5bfee0ec9fa29aeb84df5920a65affd9eb21d941d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwUAUMoA.bat
Filesize
4B

MD5
6876ca3b3b86577c6eeb793a8165ea2e

SHA1
43cfa26104795c0404ddb9e539992e4a228d3de6

SHA256
9eaf3ec0f0a6527dd652f02ca1da826711b61cdeb74b280eeba50a9bf2ed314c

SHA512
4d59496d7ae41c07f0d3b9bb78ba47a457abb766aea3e308092aaeeecf1b60989c811016559db2e3a80acac0c8cd05e4f7cd9ab1af0795b293b5791cf970b2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEIUggIQ.bat
Filesize
4B

MD5
75d53a6782894767e5034f7c8984a876

SHA1
86c9075cf8fcf90355e8d4262b98bea90f4bdcd1

SHA256
e7e71c9f04f54d367c85fd5074ddd0a620610f9146362305b70c2ef12ae074cb

SHA512
44d9c363547e1e71404f0ba44163e5d4c8d7d17553ceaeeafdfbf0284694bb5dba5773a669503a5f1770864ded2793a2af59fba70316fe6f8e1b6ed6066dde25

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSAkQcwo.bat
Filesize
4B

MD5
7349e9e43bdae75c1b90f0b96944099d

SHA1
d061bba60f3ace7fd8f9257db2d180e19dc1e2d6

SHA256
a42b1428d27fb4234088b287ebe6bd97aafe7ac27f4dc99bf4d0c6699c499a64

SHA512
39141cb83e166482229df8f2e9b6e0bc77da3fb7306c27bba59b0c6a54b96aff367b837af2d1fd192c356c49f25fa3b22cd37b13c1971f6b8202d1ef61259c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSwAQUoI.bat
Filesize
4B

MD5
fcfd6e4d42d6ad65e978b9cb2ffef357

SHA1
21164c964cb28ad8045e6b69259243799199e51e

SHA256
d7a9b34a09b2cba7c3113461d501682017df7377c82b94f093821cda65dbd2d6

SHA512
7f98e49ec5ca3c593633e9ae9f34ffbd14d33bc318a6991355d82893576b340d488455e162191eb68477e696a0314d82ea07c5b300e02a4e82d5f5a19e5a56ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYUC.exe
Filesize
235KB

MD5
00dfe468fa97266e745cac052ac80203

SHA1
ca95762af318ae379c712acce0709df944622c57

SHA256
793af364dd2d09e83c8bfbb975cbaeb49c36a598d092599c74a4586d9946ad4d

SHA512
cc9e9fc91e8fa879f6ddc89e271355ba22e89d8658553b88385a49593de2916a18447df2ca741dbc4876ce7b0d222ec355d0a067ecef909bcd2fbc709bdf6f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwEU.exe
Filesize
237KB

MD5
adeff3352288e587be8b4549591e1854

SHA1
36f1d4228daf3a9f038a893baac13bff91c9c2cc

SHA256
ff12958dc02ee07281a81f10044c761e7fd088d58ae93d46fd9dd94246868738

SHA512
d2a589cc09aca25a132863adec3f6008f77d64b6a8d0c5f878318c5cbf540de88353de2cb99dd111698cabae0f718fed3ade6c2f32065cb36c81014bb04b7d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMAQIEcM.bat
Filesize
4B

MD5
d22230b2099082ad71222fb44ac35ec0

SHA1
7f3cab4468ca333a9c5434b76b156997a573c124

SHA256
0caa3b55a13191d10949dbf6dc2199a824046c0c0d84c608d9bf34eeca7f7bd1

SHA512
217ecee7b97a2167466846d45e81e882713534cbecadbea393a94108ff7b41b03a89fb40bdd72ae363e74f683128a8b0877279beec976281e1b75018188a0b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RqgkgwUA.bat
Filesize
4B

MD5
0dd12677e22900f7998f9f4497fb8310

SHA1
dd0c25b906936280edddd590d78bd2802e33eb7a

SHA256
d3844e2d95e8e153597df8bf129958ff46843f6228ecac8c65e99dc3ea856962

SHA512
49073d98c08dedc59f4fbcc7f7ba71cf51a225fbc221dddbf64c8df80b2f48df55fcce663501e6814b216e7542172ec4c88fe1b64378d1cd2ec67c50eda7a673

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAkI.exe
Filesize
4.1MB

MD5
ddc46098c529b6a543a63ddb2e5e3d4e

SHA1
bc23534fe2c9879ce3e52aba51fa5da5dfa7939b

SHA256
4b9d9d526bb5ed616549bd17b51f9d041686ebff6adcd493d939be5e4e0a2fd6

SHA512
0d662e3244bb120921591e0663923c96b7d490790354a36bc489f6558996a94d0f292f60c162bf6866766b72e6e346229effa717ab9368fecfefa30443ccb52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIQe.exe
Filesize
190KB

MD5
2b885bfe3be2d9ceb1df332079743d64

SHA1
4111a3af698d47b850f8600edb64810e6a22dde0

SHA256
44a0ace5afcd7ab3ad30aa60e947aa2c9b4ab463a28395219be0649555a4be44

SHA512
a95d0606cf847596f88127985f50060c4a50670e3c2745518d18f376dc028d078df30ac7d500600f43398239d3ffc1a180a04ab0b8eb562fe466149a68e201f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQom.exe
Filesize
241KB

MD5
1179cff452172c9d9696f7bcaf176f14

SHA1
5a7c3a9bf772f786052785edafe4733a8819a2da

SHA256
2ace1789c70e7001bfc74f8c35900d950bbc9be627f8ddd52aa00b9d42784f5c

SHA512
038dd1076fe7ba1067e0266df2cdb3065910965ac6d04b0de9f72a139aa4a27d04be8ec726d782bcefe43cd5a3c7adc8e3752d5df0ca8379802038d6b8aa31fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQwk.exe
Filesize
231KB

MD5
c16aa7c0a97bda75760d6431fb5d068b

SHA1
e90edaea9a1509cce6d66021cea3e9222755b5c1

SHA256
b8483a7126ff2ebd86e668cdfd8e4b02933a4afecafb50758d1796978b2481e8

SHA512
5340ae712a891fb6aca33a9a0cf0c78ab17741b31217d6df6f0ccf427602aafcdab6f29173c299ff0b06cee0f84a905dd79241506fdf0876f8b278abd14365fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUkG.exe
Filesize
190KB

MD5
f8769ee1bc208f706f00b54a591c42b8

SHA1
d3a5a629abb78e10ecef05aad2a17edf5d81477f

SHA256
b45b82c9444a54cd01cfb92dc0419c6dd4ffbff348ff500cbf3c0abae58b54a1

SHA512
9455a8fe0590819dee545db36e448d1392e897e03e2d8b1ce5fda1fb3188cbed55b3bf2f365d29443326c9cf3ca1391663a06708e9d0e38be8744080e625d321

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgYA.exe
Filesize
228KB

MD5
8607c3a92df4e28158dcbebfc19460c6

SHA1
d6d979492b922aa5f15f522a1abaf8aba06efe54

SHA256
b801b8d6396a9dfb9de8694297cdadb3e626ead49364044f6fc90e5ce444017e

SHA512
4cdcc751627d40744859063560ffd6ba2d10a1588c9d701294d668814ac31bd1ab749a245d6773df08f10805fc7567b824939a144720012d3d68243ddaba56fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiwIUMUM.bat
Filesize
4B

MD5
1eb9ac10be0f81f80b57d5676fcd5c93

SHA1
d6da45a9b7e9039740edef5c7c62751121952254

SHA256
2962fc9aeea34904b00488b7cfdb07852b52d4e25e72915cb80729f8855f68e0

SHA512
0144f696faab6a9a3af2ca899336d1d3a01398bb8547dce7db544c51a9d757ac0a4a3126201f14e2205cfe21caf6f84bed3f0790b351086f00e8278cf4d4d88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAAm.exe
Filesize
586KB

MD5
773a34107b847a8810d284aaae0f42a3

SHA1
d2e4307b82a2c4f71bbf1d86169a7d19b17a1e43

SHA256
3414eb892125f4d6f17544bd8ed64a73ace5b8851dd530decdb0879b830ba788

SHA512
a0e4099a2be3f8aacf8ddf3945ac4ba4f561024f28b356739e729c97a129017800af58b4d9e7c13066d25535fe2b9b55ad51f6978908455534cc9702318fa694

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAkU.exe
Filesize
241KB

MD5
0ab049c71b079c387f4e9e4813b9f870

SHA1
ea10ad0d4689098b850b59ff515749d7a23c0c79

SHA256
a41a1cdb276f236421b1c94dc73b05a1fadcdb4fb05d5e56fccd9aa275077d85

SHA512
3bf2fbf8606085399cd5d83d20ce15548d65894279b40eb26cd8fa53d44bae8d93a91be6c016215b5accffeb0b6e5649a7b87568f82a88ab83f8afd8b09a6884

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIYq.exe
Filesize
639KB

MD5
0630af629e9218f53508497d3153a0ef

SHA1
e098f67fa90f347d5b98654b256c1ed3f93d786d

SHA256
efe49b55026a776969c4a94bc716dab01e0228209175c9f9b21082cd34241e29

SHA512
562d8df580b3d3e552aef0a4e9733169e6c5199eb688370dd854a88c45b55ca470bbd4fbc78fbf9a79f23cbc13ff78ffe7200a743dd13b23b1a15ecf544dd802

Download Submit
C:\Users\Admin\AppData\Local\Temp\UKYIosog.bat
Filesize
4B

MD5
b789afb7189f2f7537849e7114102f8f

SHA1
82e384181ccbea7673de70ffa5fce0ef61390910

SHA256
dfa9eb031aca1843decbdda5a7ed0f70430499e4857aa60bf59880f5a9213528

SHA512
a8be08f3eb68384daf697aa61872c03b8f982bc17d163ee6936f388cbce38079d6d85533248333424f77cfb7660e5c4d66217b6d031cc9801be3555e28a442f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQcm.exe
Filesize
197KB

MD5
a03737f065bb833db8df0c50d22d1d92

SHA1
da60e4518438df3d7cf00f626186b31167c0204b

SHA256
8f05bf61ad93c1730f459eb4a40bbb60151def03436d667bc6c2093207a4c9dc

SHA512
1c3cd32a1ccc0ba4b083a762280f21797f0b3613b1489c1bb84d42c878fb526116ab5ed018ee0daaef82440ca6eff752d2c3e2874d5026487d2eb8c4918cdd0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQsa.exe
Filesize
525KB

MD5
a4e9395ec14aa6d745fb2ea625398452

SHA1
a165a1fbc7855f4d695be6370ebb0764540a28ad

SHA256
3ebad4b2e7370e893a5657e3de3bd45d7d0628a1db626038b92b83c04becc647

SHA512
3d03d9197af880534b3e954a5e99116b15b8dd9ce26c9cd22d5ced7da91648015c1d34423a5af7cb79769e519100653741f74c826788e4573875dec1a5a6e45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUUW.exe
Filesize
232KB

MD5
85c5892d8a899ff53fd81713262ae357

SHA1
762b293ae492a77789d869865d3f600a53d13fc4

SHA256
10948eb707310b8cf33a995f0023f971a907340107f6e193f41440292130133a

SHA512
de2510826811722c1cf97cf8bfb744449d0ce5031ba394d814d4e8f63032aa9ab7d55083e4f60f26d2c19142fd3604a3d2b82deae7a0f546e841d3d737ba1a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgwEUUYY.bat
Filesize
4B

MD5
ac2024e6b7bd333758665f6fd7d5df59

SHA1
5f7bdd682c7e44ccd8170a18ed621b4783995b42

SHA256
0134823898455f0e1166100c7bb93a6f35688ef41c4f326892b7d3e103b400c8

SHA512
1a694e7f8c53759c427e3627731795ff8b7792690af1afa27b64d3c7b2f36dc90b02ca05a31baeebe6329ef5b0b8efd5ab89da85a50fb49023c2c3f3889c75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UokW.exe
Filesize
240KB

MD5
401524f3c2e9ceaa181bb372db141491

SHA1
84deadde0b80c2f6de966e3bd7dc1f05269019a3

SHA256
fabd41ca1e971a4aecd8b96becbd4d744b31f90661d03782868090cefcf72bc9

SHA512
8125e1df0afd0217e6638f3422d99c725ad524a2ff86196bfcc6f843b8a862e94478a0195929abe496c6e378e0345de02a4ab98bd4e2a601e945510b6edcf680

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyMwcYQc.bat
Filesize
4B

MD5
d01dd1300d189c8fddcca55f9a21fd3d

SHA1
3474ad3e94d26a7ef5c8bbd89afb99bfdd9411ee

SHA256
3670509d229a2ede2516cc822577736d46a61c684faae3b8e2c4700b84217a4c

SHA512
0c16307bcc39c069db5d7e299a391f48b55913c8779f88332c9c32520fb7fb72988b8430a15fd80f2296d4822887a164a30e0f7243ff49ffeb9cc2eab3cb66a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAUUkIwo.bat
Filesize
4B

MD5
81e67e23abfefc1d32ba8ec87a09cbdf

SHA1
562862eb40f5944d2432d69fd296f6eb75d07ae5

SHA256
504a7bbfe7a335b5166b3a98068487f9ccfd15c53f9a5584e10bc993f47cdae9

SHA512
a7d42695ff938f05c6008b87e1b5c86ffdfbcd12f33f001ca81eab407673ea4bd3c6ab39f9b037f63f83ffc8b182ab8b572317bca92d5f275a669a5ed640c28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAYwgwUM.bat
Filesize
4B

MD5
e66afbbf3bf2f21b10bfa685420c8519

SHA1
e57f48f4bd5f77a3500696f2292360460e3234e5

SHA256
465444bb7c9839acbea63334d05f49291e00f2bd7987e8b56fa51d0b4be9c19a

SHA512
b61a393f94b015e7291ebca8616adc882f6f26b200511e1361375c575ee02ed40e74512b7b7ee87e45520fa6315c693443699615447bffcfc2e3a43e7c6bcda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VmIYowoo.bat
Filesize
4B

MD5
98e85906bbafa5ed6e0f4936a8c07225

SHA1
466bc1a51eabd2d58cf92f5bfd71ae46f4e7e947

SHA256
c98ba50bee64593ec93bd7bea55720c6f187c037887f4c74cd6a4c1b729a3265

SHA512
98a8392bd3d5a6fc87ca4c853e948d4c1cdf8acc991a1755f701d8b2c37ab2b127e5bdd4fa46f5920a3772508730dd30327522af398395448ba6040682643230

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGkYgQAk.bat
Filesize
4B

MD5
5443bc0c9ec1ff81505a3c5ee16c05aa

SHA1
b72edb95826fc7f894f6bb44c754492366f21cdc

SHA256
f19e5880c402c20cdc607e4f8610e656ea4d859edea2ef4027058ad0f9be4907

SHA512
5be3e8848bc0ac66f5e73387254c1bfdcc63243276d20921d8af45796ed59622cd86f5e3d3aaa1b1528a39563e2628ec1b46c7afa45837977cc04790f7eaf7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIUoMgog.bat
Filesize
4B

MD5
1772141ce0c546fe77a902f6daba5a9f

SHA1
1c16a4d06a0bae9feb7427aa4dbe19707c90603a

SHA256
ef329fd03ecf883d31e4fb831a72bde0b36eb035961951a407bd5f5093284002

SHA512
c201a6b8b47e9b28ad93f5ae346220ae06e0b5651d692ac5b75e1dc4aceb3f35694e6e9cf18dd304d39e1f1f29bb6f3aeb8aaf09a81b80448def5ff58983e707

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQUA.exe
Filesize
236KB

MD5
995ae3de9a7968c6f4db68148abddb89

SHA1
4d30c2d61a810a9f86909775813baba80271b1e5

SHA256
e647e401b061aba8879147e6226d8f28953fab93a2a143d65a28deffe2fa18c5

SHA512
ff2f77d35d68e9b01396ba1f657e62aa50fdb8e48598bade380d1c86168fe92749fa3a248c840a1058577a3be90916fa8a78893f938c16c086392f34ec5c095a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSgEkosE.bat
Filesize
4B

MD5
8e50eec963b226b6cd4a289a93ea29d0

SHA1
c9c96286831cf26de2c229b4dffc72bb190ff77c

SHA256
2bf74a50bd446db3c16b10fe46054bbd1167bacdd379ac8993943fa3747ee0bc

SHA512
0b8260b4d55077c7d46d9ba49aa13e768a7e4c752e30b556732f0b5783a6841758b6d30f383ddb631afa47bcb5c0728d5f623113b47344384c123c941b1c3827

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUIg.exe
Filesize
244KB

MD5
7244709f7bea900264395097720effb4

SHA1
73086ab13c30e10383c4c139726860b182ff16a3

SHA256
6263412992d79f4169586f0cb9df47d2c2e4ade9e8f976d4a424111c2ec52c05

SHA512
51e5008c465536c9e3a55e9c53c3ab3a487d5a0b5bad288bd2a08b4dd03454977019fad99554338c623283eb9528421baac25444c0eea2f3147c841a36c1a171

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWccYEcc.bat
Filesize
4B

MD5
19e4237670a7d588c373b946cd25d4a7

SHA1
e1e85e1de664d15b53cbf19fde34b63609405b4b

SHA256
4940f754405a5c23806411a3f971090c7443a8674bbb37f77a2c60b74f09025b

SHA512
23b58d046de54f4609f2c73874cece1eb213fafa1d82440af19a1fb0e3861158fab512a2697061a7eff80e1e49c2ea680178d8e2d68695a1aafedcd10e59c626

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWscsgsI.bat
Filesize
4B

MD5
4cd8a8d51a5f56ad276658571e424514

SHA1
8014177f611f5ac6a777ddbe6a9761ed211af499

SHA256
a5d173e4a389cec66dddf35dcee7aed4bb9f00a781a0ff1b3bfc9d718066f1cc

SHA512
23a9815d2d0a1ceb5fd873755be76dda58e58752f88be0b7d9c1a714bcd5317e9823253ffe342e2d0109ba7e84036fa095e4a27df9153c983326fb9c82c1154a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYEI.exe
Filesize
231KB

MD5
e0b883dae5b7246e8b61b94421849431

SHA1
f217a6ecd7bd47c09b789568571fd13d0c8b684f

SHA256
347acc1163ccf0028baf56473325a920f84fa3519ad219316a7e81d0d23e585a

SHA512
89b0d7c607a1ffea904d77f258431f42dea7a89e3d651b0a4fea5cd9d65a648f5d22d5f369770acc58c94e03f45e2ced12b6d2f6db0b6dc6280c66e674113ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcMI.exe
Filesize
240KB

MD5
4eb445dad54c5a5202324cb54533f4a7

SHA1
bc5ebb1a7311bc06b5b668444ea1800ec766a426

SHA256
d9a974f952183a87b6dd132a9ee8a6ceb9667283a81e3f7df5f67b0eb261ed3d

SHA512
f2a40dcb287b12d5c25cdfd383d576a3f28e4b5606be2d2d679fbb4d54962a28b852b7b5c795e3e71e046c4ed923afbe29ae00f7e59c0d90072ba8b831ab2499

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgYEMIsI.bat
Filesize
4B

MD5
7cce7d8784caba5b054081fd9711e0da

SHA1
980384a61a2f12d86e8eb1a4405e7665616caf4d

SHA256
03cdbc96a60208dfdde1ef4e9bd5ecd7917266bad3f66680aeb8b72817960cc8

SHA512
ee88b529b87479bf06731077065078d2a4de5d5cc23062b63f79434d63df8d84923f5f7b38957dff5522001fea889131d917af7986065960a23992cd598505d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkkQ.exe
Filesize
241KB

MD5
2a7fac36414f792d08ee7104add37d70

SHA1
13e6c10df2c23805cdc50ca2938750dc57b36d9e

SHA256
782ead73f1731ef1046992320647edc6e7e051d64c06f6d5428f53a02fc4e42b

SHA512
2f6a8d8751ad33cbe711a52cec8fca6e9ca40652868a530069bea6bfbdc2692c487c821e3a6289b4e391a877e7bdd8b913d0e4260f0fec8952c11ab3f5dd47ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqIMIQsg.bat
Filesize
4B

MD5
c41b5fa31970b4fa6709a535c24c4091

SHA1
ab3fba06b4014493f14861eac09b1460f4972da5

SHA256
2d3de837048f1627331e366caa96eb8b8d60384a1efd7af336e6dc48a4cf715d

SHA512
5c5a7390adf96df305b63e471a1e05a64ae518ad911faab7dd99ee3add48d5a15671cb93964d4b85d52e732231c54a705e249cfc88c321f9371b27db27084317

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsEC.exe
Filesize
243KB

MD5
362a4335e671cdf2044c429ab66bb207

SHA1
5ca6e24ee5069dba02be5b04adcdce6638265a48

SHA256
5e504aae72ae038e27bd13b70d53577296aef5d675794758ba3c632eb4c4af05

SHA512
57b9c20991c607c741963424282bfbfd6c13d68b229e0bdabadb9d730f57d5001c83c958b955f4eeee2f5198243dbb12145dbc7a6135fc6a48ff210c16c4eee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wskc.exe
Filesize
242KB

MD5
a2ec23c177cd0c04e03c98f6b7ef8865

SHA1
cbd82802c934f5337cd8892020f08da1b540bf70

SHA256
203d4f976c0932c7d65fb6c733d7bc555d3efdb4a44c9edaf45ebfaf6c36078f

SHA512
15c5c4daf0effa3c27322c00b54f1b3c3dc08da14c08169054155db97349d91347e8521bae1a6c060d0c031857d6cd075d5f00ee4c90987cba54034ea99a3a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIIIookM.bat
Filesize
4B

MD5
f8c19b1f57667e6743bc7b5d710fb701

SHA1
5d74734a7d8cd3bba1140b9bbca21f5564d1c9be

SHA256
1665cfc1eab3813746e0bd3af7c03d8f69978ba7cf3da5302850d6528496343c

SHA512
692def75f523f1c5e430a25acce19cb28073b83fd5e9c1db95478b4ce8dca5f5918fbc41b81144a22b9045bd0cdd32086b7b0dae75120c5b09501ec72af843bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XqEIYckU.bat
Filesize
4B

MD5
b1aa6e55f3da79f08470c2da9d422485

SHA1
15666dc4cfbc9848538be278bf8919b9126933bc

SHA256
1488e7d7bb95e9fb136d75e31d908035832ab3f79c8c1ee50b41edc8f9f15733

SHA512
7cb7172729c610cbdcd9ee570144eaec41d743529bef5054501c48c3b2ee5f45bd3eecd8bd13ccf6bcba18edb20bd42c88fdf0ba0293a381341c1bac446e2c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAQq.exe
Filesize
241KB

MD5
23a1b40c5367177ee460daea9be81319

SHA1
44ab9ac75dca307f8b2bd57c537e23251ea570da

SHA256
2bc972884a9da0eac85b81b6333f7b21896b484fc9d6f1b768aec667972aa96a

SHA512
e58f43533af0ea49c4e25c75afb1553fa3578ca9e5a55497cafbc7f8e43dcebe849a120c7ea3007db9c136cb3aca72da39cc609929bf54456b8901fbe52884dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAwc.exe
Filesize
830KB

MD5
b522e9295cd8fea69557cccb81570d60

SHA1
25158e83c8c4c12daab8f5117d222e74dba615d5

SHA256
7ffcca9423fd2192751cd6c3c30a7673ad5c8cfde7dacc9dfac9bd22512f9a92

SHA512
6d2fca76cad2c5f21d380d6d9f685a2ff2b2cd2acebdc3d99d87c7ff304cbad68b1974adcbcfd6084bfea11e280d9ec58212a34c50d13a0f1319f2e64710d981

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEsO.exe
Filesize
240KB

MD5
403902ca890193e668b962901bc7e9d7

SHA1
5b6bf6fd0c8e64e012ea2dcf8a46c04f7954f9ea

SHA256
f59395acc023f3081dca9eabd38a8ab3f9492ac202628d54b457205b396d19a8

SHA512
64077f9ce3b1e5af45eaad53503edfdf48bd79508c1afe447423799e3ce30fe48a04a527efdf2446b9014cd979eeb037112af0e328cc8e87b009b5278cb39004

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMIEIMUc.bat
Filesize
4B

MD5
eb7966497b9a7fb5a423f01aa46f559d

SHA1
d0b85111a13bb132089bfa6839783b30886152ab

SHA256
cd54787c1a041a5854b18c4d92024297eb358dd07297548cf7973729e5451a66

SHA512
aeafbbc9087b2fad67ffc78d8afa7fa8c734f10ba8db6275f6f207f305c2067d748d27503160c1cb29f09a602e96e9dcd11c81b937b14be071ff2ca7ef436ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQIu.exe
Filesize
244KB

MD5
93401c9795318da4d288c09c8f039b02

SHA1
f898d71eff51f1141ebb2e23d22765bb4844d0a9

SHA256
f0d883a7dcfaa27bef73638ed8d67dd811c662e3acd645b9322904c47a846d39

SHA512
1143580a87ecf42a105931896b6b9dc67aaf4361194779730e279f736549077e22c2a863535e1470f6037ecdb6dc9dcab12a0086e0d0ea5c678dce3662796503

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQYw.exe
Filesize
224KB

MD5
a80650ba18de74516d04dcaf38f29e03

SHA1
2723f09a7f71565a3ee74ea5a8ab9b1cbea6c531

SHA256
c3e871c9fd5062950c3308f5748d2a6f2b987f50be8360255f5cc56d5e533d0d

SHA512
935d680fa5f2b0701b833775bbc01b287643d0578a21764c6e470ceefd3e2bb934761f0cf45759f4282424ccb64ce5c5eff7317f710d2ec6cde53dcfdeab9d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUcQMEII.bat
Filesize
4B

MD5
b964a36625e78f7e257aed5fb633c591

SHA1
d268495dfa9845ee4e785836cfdf6c72983a6803

SHA256
ff92e6404fc954bdfad0740884158d31d88fe38cf4e8ba1521b2029829c8b78e

SHA512
1b181d5fade87515c3142b8759f2485cd0806d0765acc57d7e1d9b2850c25a5ddeb4f19cebc265db7c002d57f493ca3144d68f18195d82ae733beaabe56a0eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYku.exe
Filesize
210KB

MD5
189580af1418440d325e407f874ef531

SHA1
8e9adea17088d52618b012c9c0a85ee128ad6d23

SHA256
5ae6f6db4f68f37d24164dd1cdb626dc21a63d3b1b1dd68e3f9758d4362f9268

SHA512
a59ca508b8b4c3315113ad6160dd9f7661039be8cc2eacc852518f7e5999a7d60ac2bb2d9d49dbbe3a8f560737b6eaeac19b6ac36f12d2e820e005b0713ad1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgMy.exe
Filesize
234KB

MD5
f13a43b41ac6284d8e357f95b60b7a6d

SHA1
296e3696ca726bf69ebb47cbb6e3c392a8d0e3f7

SHA256
8a77fe3fb395ae46247c27a063c7a8c0b7c4213a3676e1b0ca30de3d46854cfe

SHA512
e10e81e00338e771d71186f4ada905eded569bcc9066f450f0debfe639b16f56b8f2e5531a734dd0a1eb81de60f722aedefaae3bb5434ad16cf4829110a5a24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkAM.exe
Filesize
642KB

MD5
fc8ccf089625d54068ac38b939de8713

SHA1
5e566add90f1cc7c965cb823a8dfddf0d917a54d

SHA256
87a3c489186e0559126ec89ea40f504b9a0956598c050b7fb4460254df931a73

SHA512
862cbba528b948f1ed351f061cdc62ef3cecada738a338ac06ce2bf0176e29ea529b923a3ca66db4d417af601881c04116fcd1d061016b9b7fe1464a9bf8616f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwAG.exe
Filesize
247KB

MD5
72ce70cb8577f17a3e93c90cefbe5119

SHA1
7a1ee05a11a4f51b318fe60b3f3cf82d5c9f0ebe

SHA256
fecae78753fa41bdaf7a025e17d9b635edd773cd71872e52aae1da841c605051

SHA512
c59b6ba2aeae24e646c3bc16e0dc6c4023c4c32aedeb1b5b59d55d37df33c6a997726ec7eba4d82d91c3dc9501c46843b9228424d913cb927db8e0e3ed7c2004

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwMU.exe
Filesize
229KB

MD5
13af57fc5cb99b31e0f070e09061a2af

SHA1
fcc80ba5c53156afd2c1ca3158d571eb2326bd72

SHA256
8d027f0cff4adaba2ccabc24c7c374c97382c8066548f198c46be2f0eb98eb3a

SHA512
dc26c9b5846c2800bdf36bd5fb781cb2b02ff5801cbf12780ab648d6691e87b2f9be426a4f217160adfd3b9fc20ce7ded3bdcfa99cd549d4b6f852ef82327165

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwoM.exe
Filesize
480KB

MD5
c4f80cdda6f3518e0bea8ee8d0ece1b3

SHA1
77147b53270ca78512201526fdf7b8b43b36bdf8

SHA256
f705d2bb28627f626282acdf505baf0956f5125f5efffa43560ba15f786c07a7

SHA512
78db130438c9beaf5f9e333374c1fabe2d04ef17627996d77758bfdb2a9e9dd617eab1b9ddd137c0bfd54ddb240e47bf7237aef99f4d94dc7382cda9d781ef81

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyQEYksI.bat
Filesize
4B

MD5
3fc8ee577317688a52d376be7d08cd3a

SHA1
5e19b876c8eaa18f936a61c42e021595ab633be9

SHA256
1ac41a173af2e91bc3820e1f75e0cbec2fa45710fc11d9a9760d6e2e13c0838d

SHA512
00912cf463c59df9b7afda141fd97799cdd2ab43fc178b26a80a478886d40ccbe6d99cffb78f81398bb228f7e1af55b0ef738d27e30bf91bea13352e8709fed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAMYMIsk.bat
Filesize
4B

MD5
9854d878a26905250101b803a0eb264f

SHA1
37aa2a38f12caa38ec7dd47a8d25a56aef4dbb9f

SHA256
0f5d467e7742077a239119971677a5571de01bb2b5ed5b1bbd53c425bc5653a6

SHA512
c854078073845ed02a8b42f2913ef405c420c329f278d69d2a1d7b2d211c30ca80953cc04aacba99f49265b95214005e8c37877735e1e66447ed05163f462888

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIEMIwgQ.bat
Filesize
4B

MD5
a4cc6daa69a5b16d9d3deb65881ac3b5

SHA1
4dccdc0838fda38c177ca4fb43f2ce0368158f2b

SHA256
a5e1642a693e73422ec5cb3beaa67889ebc1416092cc243bd112b974e2b28095

SHA512
ea544c92b7a9b083c9236ef35b992f04ef9587820e079ab1b6c8a2b0ffe75db2660a7cfe6daad3dcfa88397b5affff633d8ea002cb53384239360c101901a4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIgQIQEQ.bat
Filesize
4B

MD5
48e9e5e99ea37fa7cd7d18f97a261e0d

SHA1
210343ebcff18e817fc1c7217e712a69ac5f07c0

SHA256
35adb7e31f529cb4f2a2878c3e4cbde63ec1944302e5954e2f32a74b96442bf7

SHA512
46fc5e985cbd363997b594bf3cc0f8c04c80a03611cb34bc1ebaa001115a090f5d808337573dc9078cbb23c264c4e420ea70bbb7d97a4d657a849529b5366c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOossYEU.bat
Filesize
4B

MD5
b2fd439d37f6b717b768edaf40ca4fe1

SHA1
97f613ad28645a6ab72652b65e3acf31dd3797d7

SHA256
db70322aefade4c72cf01b7583be76457fca93d80ecd024f2aec810a5dc08633

SHA512
81ee51facd8b7436c3f77daa9768b568898a59e89e1ae2d6b8a1bf48c6b03718f2b180d3aa77d46ef8d9a3bd7bacc9cc1c550d87abc2fd57d712872dfa04df0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsUYogwc.bat
Filesize
4B

MD5
d4f2d9802f076d58db8c682f18b161da

SHA1
36f1c6720cdb753a32b2b01bc8a17c1b3ef19c5d

SHA256
ff7c26ba5134d5afb85b7be78029e682a4571234ebd54f53234578f961418bf1

SHA512
20cfff9f51430a726749baa59db039b42fa7610009bf1dc73316a6b76b61f353173a71162a84c7bcd929fc9ff6b153ca3025e8bdcf891ea9b1cef7336bddf509

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZuEossEY.bat
Filesize
4B

MD5
665e605bc021abdbdbf302b4794d53d0

SHA1
e5012383468a8cedbd8cea91bcbf59efe4860a7c

SHA256
098dc8f0b76def2762c96a9b50111fff333a3c943b69a0fcc36ddeeee00005fd

SHA512
e5a561fc7d6e6242fcb3898803dd8639a5f93cf3ae1f20faaaa3888d169deb008e031aa9a10935e9e8386c1757bf94edacf965dfcdf36d91c8c23dbe758e2455

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIMm.exe
Filesize
242KB

MD5
3dd60cbafe9ed0c94b229e7fa655819a

SHA1
5e3dca985419a0100c08caba825ee6454a268c4a

SHA256
c94ad361f130a84fec7d0771ed04bff6ad1db5bc58875bf54444021bd8302a02

SHA512
bb2b18e854c2b4b632e0cfb032545f057e99d5d6541b73175bad67ed6837a9456ad949d5fbf4afb507033c2cf41bb35ebad221dacae209cb8bc9b178a31d1e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMcI.exe
Filesize
199KB

MD5
ff0b820621e57402f2c8c8a09274f83b

SHA1
67b5fbb09b2112eeccfe6db570f7b21913ead9de

SHA256
51fd47884ca9d267c39dad2c4894eedeea0e37f5f28fd7748de2b7d5af909533

SHA512
d312c6779fc5a989567f28c6abfc9f0b7790123e74c53d793dfdbc5ea6f8c81fe862b3978e3271c7f043a8f2e07cd0394d35b6ae092eb09f60b9fbc58f0f564b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aSAMkYUY.bat
Filesize
4B

MD5
ee65202e1e75ec6b808512ea1ee4086b

SHA1
f8ea4b170a381d81166465a3abd17fa62f67f841

SHA256
6da96065db89591911167dafe7934f5879eeb181801b03c6e572422297ba6f15

SHA512
d55675a20451e59d6f359c608cb982eef5e4d834e148158596fb091dee8fb0cf71f0f5e1e98dc0a3215ceb7473d7898c724f79aebf39893c96c3029406dd4193

Download Submit
C:\Users\Admin\AppData\Local\Temp\awwowowY.bat
Filesize
4B

MD5
c9e3face294d8c5c6bee5ed0c72b4a6d

SHA1
c566dd5caf04390647044ce8b77e39e231af83a4

SHA256
04d92b84fca13bebed08495e1637a4dc089456f00d841a9029d005c2fefe4cab

SHA512
8ef77b5839164fb5ba660832ba48650c26313e121741b05466dfe4de8092b3e5ab7532be1b8c864441dd7f6390f5d8e5ec9fee237de9e0f6fc0ba367a2d87d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAYy.exe
Filesize
204KB

MD5
624a1ad437e012ec1d32979648de8eb1

SHA1
5e8ab47efc3d2fa6eac49a0f260be658aa7a025b

SHA256
89407f083408a8045d9d2487a29f0ff3b40e34ca6bc8428d1cb1b7fabd743535

SHA512
c1a2a05946c249b7964d362e3ebf9fd56338205096b6f8439385b5708fb657b3fe5173f33e283a7e4e30560f3f0217d71ce761be9ad422285402c271ced2456d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKMYwcEM.bat
Filesize
4B

MD5
fb1eba5c277fdc30eda9ca753c1727d5

SHA1
8106b0fc893b9cd2e548d73036ba85e4892c89d8

SHA256
103962a2733e0cb3c84190ee69885c44ea697d384df8ca45aaff75c3c9805099

SHA512
3b012e0ca8010c6847c26de1d6071f2880a0682c5f0307ee5f519f7b98515e67fcd9971b4dc202d581759759b5081362209f83ea311b84ad2e9bfa780bffe122

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQMm.exe
Filesize
244KB

MD5
006ff64be3f12abb91d73f97b72db030

SHA1
e4bbd96a33f16ca88ec99494d4b9a71f6f9d38bd

SHA256
760d686a482ddf7cdfdf8c5db7e3ef5dd97efdfe0a6b2d0235ed51a0dadc5474

SHA512
0e8e0045b7824b7d142bcfde30b40ebaafbb5b0156f0f740b5b65a62f05a6bb729aba9dd30408f12bd2b0c8bbe79727b9bf36d6cdcd6032ac294cd85dc699a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQYm.exe
Filesize
229KB

MD5
7b1a06e410b3c8f90a788fcb9ba226ab

SHA1
6d66b7c4bf5c0e1a70f198141b92ee6f47415048

SHA256
3c24db8179d785a8aef848f6a9be8b22cb70cd26452f62b4be5daf50098468d3

SHA512
fa17aaf0624471878a76f46be9e74f315ee7036c78e0912dd51d2382a416e96a13dd62145c70d29ca8477226ef59d16851089c8867abe33cb2f9577b31a46c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYgMQEEY.bat
Filesize
4B

MD5
15bd6b4b933e924f464a4cc54680edc7

SHA1
69d54315a1e316d983a812446c02cfb5ad7794b1

SHA256
8d609fe6b8251d890b5900e4420b5003880896f100d0ca16aae143f27ece18f9

SHA512
6798f382ee269e16ef104809539091b63c87bbe600f846d06ad817923434946dfaa1c5f1e68c00e188773a6abeeb199ead5d356717cc2a482d29f867089d2269

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYgy.exe
Filesize
233KB

MD5
b85db6d1b6a5868ff87a4f57f66a8d46

SHA1
b076116dab2e8f76795fd96cf8892081fefc50cb

SHA256
9ed6b28f3e576e7d1d808f8560e47ddecc1ff7474772e420ebc03c1a1587ac56

SHA512
62d75e4bf4f99c98539227f5e669271ae8815e87856989259f4cb22baccaa87ebe081e18c1b539609b86d62428cd0458545ae2a50d4acaaf78d4505bcdaf62a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgggMgIo.bat
Filesize
4B

MD5
a211a3ee5a598842c2f1f0f685f52f42

SHA1
905c3a66209c2783502e12c5b92ed7bd71017975

SHA256
f5928b8fdb22ccb2c6f496ff64245d277481981bc4abb4c7088c9b9e5186b265

SHA512
191d08d4eb5b6dec9e5154947f52a5b74e048097b5505bbed84e8bf017a4f985b60eeaf2e4a3ae8bcb3c19c000597d121f8094e030358082d2b60b351d28820d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciwEgQEI.bat
Filesize
4B

MD5
27ea5f79a91f8cdb62de9d60ecea2114

SHA1
1e3babedc626623f5c0023c04704385126c7600d

SHA256
0a754091d2b3edff4e6a2f1955b8b519c54d78bad2b04d998d7e897a61496ec2

SHA512
a4dab088da62b6f431d42168a02857fcff3dbeed22d7ffce20ea24d12e6e54a4cc858c73e99d9f6b436bbda81c0533598ac8a00d409b842571d26ed3bc11a30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmEscgcc.bat
Filesize
4B

MD5
c1a66790d8564951d77a6b25252bf8cf

SHA1
b180f2fe87fae89c4c3b3d919f6cd3cfeba00db0

SHA256
c6fe5949207143cf2a516ce322c83d30db062a0b2a9adf128397292a9785d0a5

SHA512
512f78ce8f8dd54b716e2d275fc4f946bbb05ae14c86c0987f6536a14f075ef1012ac852322ceab2b48a8b7f7bf32ee3aa556961ce4985cc0776a9f375feb13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIgQIMwQ.bat
Filesize
4B

MD5
1e6d5c90d634e7f5b84e00c405584705

SHA1
e2b99cbbe575c96e10d4838b53e6834c842e3e97

SHA256
343e697677c455ba546c7a9b76d1dff68ed89fdd76fdf56cd1b08c047cb68edc

SHA512
004a80cd0b7381f982d6cdf0bc55b1efba404eda9e48239b43934fc6653f79a14f7b4df1e41827d096fa6152664765b012a9fedb37816a0dfffd6d7e7595cd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkkYwMIk.bat
Filesize
4B

MD5
36bc72fc105a8fdfca24aead83239572

SHA1
9a6b1bf4b31533d2448fbdce4763835c8d021d46

SHA256
aca462168527b61d2750f870cefcd2174e0f737b8795f651c333f366c62ce6de

SHA512
1ebcee3c465632ee29a8a3802b3cff144b80464b8da64d79331141ca24574f4864fd9636f979aa27d126f7f8436bbf1958c104acc1d72db15535fd7a27c0a597

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEsy.exe
Filesize
185KB

MD5
e47d53c655d87edebaee2af4878029a6

SHA1
69d1feb64140a970e26c45f9a0f7ca1c7e1774dd

SHA256
07481c483ab81f63f7c144311ec42f8adf6938842036a2a8afb719dd6badfddb

SHA512
8389c7b692dab422b70aa6ee7e8e37cbcddcbdfba95f170af9687c8f916a39e1e4a95299c3e650d199c7835e4528fc07906b404484d2ba07c1d18ab841ec7e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIki.exe
Filesize
183KB

MD5
4ee3b439ef8f33817fec65fc5f294de4

SHA1
0d74baa453299b461cc69cbbbdc06436af81dd9d

SHA256
de0840026c3915d9fa7608ad3c54efb107d8afa9b2a0806e23784859c69f199d

SHA512
cd7df38bd35a8a8d4d30c83c510a77511ad71d6d3a0b9268ba3c5152b49f6ad965a245b79d9e53cd15ba48d7a1562a1c3a83ae286b4c6d2e0d4a3f6c03f0dd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMEEwwAI.bat
Filesize
4B

MD5
e73b81a110b1def1cb9f946c67f3c308

SHA1
c4f42e07e72f1c6c75e3b27a4150c2b0f5ff22ae

SHA256
fbcb13a7f2b39857eb19589d227493752e356fa9cb888a364ebc50e6f6b39e69

SHA512
0a911da15e88a2741431b40d4c4111f82d42892b0f5bd1d9aefc100c15b29c95be6a8c43de6f59cd28f5ecad69ab4d553bd7e65dc83224790c814bbca0db88e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMcc.exe
Filesize
1009KB

MD5
771fbd73ab4842c89513e6453d0a6081

SHA1
c61223e33fda22037ba0d1785dfefc21ae5d0aa2

SHA256
72708534cb5ae2114c5eba725414f1623488fee9386e4e26d1779671565648ab

SHA512
b53202a126f29c814eff72bf26a14a99582a3ba018f5c1e6369607800f25ee1ab93dfe503427b7e0b802e107a5b4445907c88b85aac30f515c2fff2ee857ac39

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMsO.exe
Filesize
195KB

MD5
8a55748fa575c1bccd3a60aad1178b76

SHA1
011e2a767ab6b78b851851fe82583d27aeeec4f6

SHA256
bf21b67672d52bff7322ebe7f1e5fe9dce747234f5ef18ddc3b838e4c8cc37d8

SHA512
e0e8b449d2fa2c6cccceae4ecee79acd1c2ddf7d8af247c297d5d28859fc2da99a5f5d41701fcb2e8b8848430d23dabae4eefa1f3e7806f293f1d51ca6b36a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\egYC.exe
Filesize
1.2MB

MD5
6aa0db98db97c3bf483d511167a18883

SHA1
264db222b5bcbc31f7ce1394f3e9386070de2285

SHA256
514497c4f10ca0a68b7ad92d36b4d17023ca24b402ba4ccf07f738659ae12acd

SHA512
cae32bf1f1ef8b64e9d1bd6fe69db514aff5315c849cc2d9137f9b4e4e25a0d3953a1e572d7a12f7de776eb11714f0007a2bd0cdfb66f9f46f5658559ef8fa04

Download Submit
C:\Users\Admin\AppData\Local\Temp\esgE.exe
Filesize
961KB

MD5
a5b219f8c45fa4e22dffe4de3ae75145

SHA1
fc602df30b58c69b06b0326034e4ce91b6e11b6e

SHA256
fc3d189f1e499269df4177786948ffa0379f18db0a17253dafdd815416f1a439

SHA512
bfedb830d7294b26348dc5eed4910107d5f93ea63b52a13f5b75938a21d209474b5e12f14ff1f53309c081bfdde081d4edfe4d018a6ca70152f483bffc5256cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewYM.exe
Filesize
1.7MB

MD5
bff1436eaf5255995575219fd7692325

SHA1
fba7aa4092bc6e5d8732579eb41c7ef44eea3c12

SHA256
ba8554d9afdfde3b1cc38c63ea55fb8caba731a1caeabd1ca2569a3c77cb6b29

SHA512
2463b6b154cbde44d019dba4559234a9c53ebfe804f226c1b5204aa0a2a793d9a766cd862dd94b11e091e99727593166d305758c697b8c812ffa55088e3fdd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\eygwMYkY.bat
Filesize
4B

MD5
87d1c07a73c2b348436f64ecf5622e4b

SHA1
4af1aad55de10cc9512fcaed39c45a315c124902

SHA256
c853522773add2590e1374251e9728ccbcf7e836a11bb70bda814b78bffb5b59

SHA512
9e28dd09656e7c5fde3830024e05699346aa8532668e4ad5ed44c141153a47bec2f9d414443221faba068defb29af74a00e8880472d765f681eaed978d5283db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUwwMkEY.bat
Filesize
4B

MD5
b8c246861731cdc5f40d7f57f3ba77f4

SHA1
7ce8d58f94b23e920867fc473cb8fa94f3123e54

SHA256
05c95d2c2016ee70bbbb7a6b147b3a1e1f0c7e94b0c7dd3e97c0cb72649a363f

SHA512
d7585b96c8a993a507fbc951a4e8e1986ef785662443cbba6bd3f949a68955c0ba26c35b5593676313faff548b966c46f1483224b1f4862ea408c1c4450990d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWgAIIcA.bat
Filesize
4B

MD5
216d4c99c980f156279f8489dc3ba3d1

SHA1
dbf8645872fdf0bb312d14ff8ebf75b74b8746d2

SHA256
37f7a0260e0d942ea8d849bfa34b84cfee96c355c3546555f73f60567b520fa1

SHA512
f56dcbd1d1b7e227ea6519c2a9bdfc50c70b4e7e7cbfd6f280a68a5a348222a2d14c38766bfe6f5d8551467051fb737b3cbe5f27a1b35f3b73727a43fb6b3b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fasYMkcY.bat
Filesize
4B

MD5
5a4afffe54176892552d3c06c4effc50

SHA1
a5fd124f25ef68e4c8b6f8d960377e6bf29e7ef7

SHA256
256739d0140547ead92c3d76130c9b89360f8d1a835af3d6d08c8f4c3b82a5e5

SHA512
5a6f1ae723e5455a4c41ebf0e56e2108d71e1228be4b18549ddada1c85addcf8e03bec54d5a28bc082265e464f6f1f18a6b6ef632bab793dbb6f84b4917a2097

Download Submit
C:\Users\Admin\AppData\Local\Temp\fiAwkgQE.bat
Filesize
4B

MD5
44194030931ba12b83a33ae3a1fbd79d

SHA1
d56602721745dd67e0770fc0fbd5af13e4dcb54d

SHA256
c48f6b9ac79407c761295b6dee3f47d89a1c45053b27b89eb1a922c7c82cecfb

SHA512
5aac1798a9e4f1cbd1cc9e984e2381fe72786fc5f898c9c319c430b61bd5740f4b18657392d1e6fb9d3a0c6be42d5af59f50dcc3d720879fe953c46219c209d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmQoQAoo.bat
Filesize
4B

MD5
98b4b3b2b62ae7994dd37d902f0b202d

SHA1
d6cc99a2330963fa0f837968c264c09fc259106c

SHA256
bafe449f6f6f8fdc7332de95aefe3121ff7b373355792c2f40342a225e62c55d

SHA512
79caa931a0ca92c3ae1ef893f6aa31673ea325a398fbd81a05fc149fbd99269276bea964a65824fc83b93e4303619b9a209becd41e6bf4e6f31650bcb5f12f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEoa.exe
Filesize
231KB

MD5
432c519e94b7af420c3999eb528603f3

SHA1
0e5a2eb4922119f0d18a7d8329b5efb727f3c246

SHA256
07224d5884d2911b73cb7d8bc49701e08afe1b61ae98feccb5fa8023e92c23ab

SHA512
1a6b1354fd61f55149f1deb13fa4a4da5bebe585f019aef8941e621f687a490965fe176f5f1c8e3b6bffb99fb6b4ea8448fa0573709baef4cf91906c5da66af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSEwcowk.bat
Filesize
4B

MD5
c04dfb7e2ad7b0602481ad6efb1bd469

SHA1
d42abc7832df861afe910403ad4d60082dcab019

SHA256
46462f42f5832320cdc622c1fb7b2f56e92b87607c7bdc2e21828bd13b5600f4

SHA512
e3a3860ed835cc53ab66f7289d1e0dbca0f4497a827a918b9696d77ddd0740d9be2647d432f65f5130c7990fd37d3e4387bd73f438d701ac34487ba5b1b5af7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggoe.exe
Filesize
291KB

MD5
b7b392ed464f3dddf4a99fc30d0325de

SHA1
3db87fcaa0840f9e3779c6f5c7ce6ae0b1aa126f

SHA256
fc80888b9e4d6e745ed00de4fc72f9718e250b30e83d8f05ef654320a0eada5a

SHA512
d8f091f6fedce8fa59f1b5e72a6f2fe307e533c25f9e8d731fd880b18fe2c87d6a212b64cb2ec37f79dc206c2b047d49522ef70ebaef27e3032f37e95440787b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gocS.exe
Filesize
239KB

MD5
cce97fc5c2363627c7de8bf737e4c7ac

SHA1
da51fbe754395f7bb131844cb79034225cd0a8e9

SHA256
453288f8a1ad7b57f9646b4fd90e9e5a1f8df8f9d88ee179e5a9a8f97fd7870c

SHA512
b93a4d1d0406926ceb3ca49605d2c561c20ef9851d0ead867ca71a7de8e63f28190fd3246e9ef07b59e93c14472e2a68921a760143b1138f44dcfdeb75ac04dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEAO.exe
Filesize
250KB

MD5
b2e3960937e5f3193f6370701413b544

SHA1
ae4b80256a2c0bc273d8dbc784688c9f78b44037

SHA256
1471882132effa182a6341bd6893f244c9d6888de81b2fdd62d0322bebf419b1

SHA512
e390376f04c6e5076350946b0dd5161ec551a15adcf58644ced9dc49ffef545a45e06dcd9330069445515036d5c71dc3e2975a479120765ba8a326c767ce1910

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEcS.exe
Filesize
247KB

MD5
08b4371888ec903167fd94c410c89e20

SHA1
2a80a58c58e65e66a020a1f6fdd978bbb8e08666

SHA256
5a3e9bf6c8cf3c2ac8515ce6105bbda28a2ff4b47f96c8e0f23fadd91b081574

SHA512
3e1d7a7e17a35f4b63cf1d2889af23ae8c30e62e9fc94a2787c79c6a7dbec42e65250aed89693363737c31e3221d8c89d6180e1a21ea7a2048c5a462cc53aab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIQkQUYY.bat
Filesize
4B

MD5
4300369d149f0f63e077b254ace303dd

SHA1
ad741ec680d3b2454f9a1a429b2fb93a4531fbfe

SHA256
891a7e66c40c51f629b91248c586558a18dbc0a8b05c4f57ff1415371a14ebe7

SHA512
fdfaf83e9c61983cca99744d8177c567b39a429248bd00a09f58f7ed60b7899bba77406764f0a58e481ef5c29712d6e8d5c1c51ce8932ebd344cb0bc55a601d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUUC.exe
Filesize
796KB

MD5
714853a693be629062ef974025a94df1

SHA1
99bb282eb6af56cbc3cc41a473956e4a1bc08eec

SHA256
09010a604766af42b78e6ed0eb45e9df034afa3de1ddeed450eba6bd5877a3a2

SHA512
3dfb749579c2a703d39e42ba58a6214f447813534751033d01e8bbbd2d7dfa4932a2fcfed7ce6d26ddb56d6040d4c1470a16f1a95e57182e434413c8cf182de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYkwMIoU.bat
Filesize
4B

MD5
befa18264f7f370b488deb6ecc6a03df

SHA1
eb32e78951d888f8676d20fc90f70cb8bda139a7

SHA256
178a267cc23a49cd625250746526c989578fa63314d7e5803c22e0e3b6dd6f6d

SHA512
f9862d26453cc88679dbbe6e08a177599f18aad84b902a30030dd08c69c053dbdb0078417610274f20f1888d99873907fd7ad29267c7919c81cd20476d67c912

Download Submit
C:\Users\Admin\AppData\Local\Temp\icYkgcMU.bat
Filesize
4B

MD5
cbd72a1157938ed9d4e9b0bcbbfd426b

SHA1
6521c1120b52b95a0395cee99a50847396f12285

SHA256
8619156b04f498a1caa804dbe049b78b554ea1d3ec1f88ac7c9280adf2f4f8fc

SHA512
6a8a1d893d8bfa7c859f743be3197f6f4e386dd0c27cb7f56fd4594d98bcb25692dea8bbfa77ef6d591bd701ecd24fa49a6a998c3999c1bc7d0fd4a338c6a19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\igIk.exe
Filesize
202KB

MD5
ef9a97053f6e7bbb74d2beb221336bf5

SHA1
8d62e9864ced334985d3dd9e19924feff77210c1

SHA256
6d3c5081abfe10145098b4644149a17c56bed917ab1f94b9192fbb9e1ed013a0

SHA512
521b9500153d9f40f18663c6ef682d6205f51701c907fd0bd2bc2ee8a14affaf31c57398350b80edb85e076e61801b829527a8682583032585b27fdd773e16ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\igMEssYU.bat
Filesize
4B

MD5
005268a65615ad260f75f28d564ec4e0

SHA1
540a90128f40b4551a08f0adc9614a182def5c42

SHA256
68375441f83c38cc008390594dd9a8421fa1af4e5a767484e32e76e6069140aa

SHA512
c9d58202fb669089a7acb055e0ce0c2dd3f732ece2ee6d49e4bb0fff02a1b7070fb20603b0b94acfab0775d7eff9a671260ae5ac16a90888eeae13c45dfd5a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iock.exe
Filesize
1.0MB

MD5
7f60294fca894016974a3949e4338eb9

SHA1
7918a4b5fd5017a4ac60894c21968842b2c83e39

SHA256
3d45420d7edc8e5c79f3ccc61e050e356f6f0debd21c141bf3d1d5f140c5e508

SHA512
7cce7f35e3fb1d24b8cfcb732c5b8ffc989b6e4dec1503ad08dfc4ee026998c1e9625e754f82318a75ab23760a6ab2789e89e48273ad81fce8ee07ece0eda8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqUAAEIo.bat
Filesize
4B

MD5
a334ab164974119d58345c84f933d526

SHA1
cd109b09e12cba66d7ec591d317117d1798a6415

SHA256
e440ba96e7a3475a570b6c1771280eab3719a74184866bf5c933c400106df263

SHA512
cac6074eead9a58d419bd618f74fc9eb408a4aa91a01d8830d1c8689d2c0e97291ed5d91e17b40c451d2993bbc9350ff49a2c11d9f0703aa15da6e1c228db042

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwMYQkYw.bat
Filesize
4B

MD5
9650ec9379582251b09316aa9bf3f28a

SHA1
8173ca90821fd3d8d74c53d71eea59bc7c857770

SHA256
b244a0b2b8244b1cce5bd5dfc80fc970b18666d577a756f0b2008fed8c99bb07

SHA512
a19d1f22987dae0f38f37de30780045c8e0d078a4d1869a98d719c3ae5f747d489110aeaac37b264387f2606fe46a5d12d7465087d2017132a0b940380e7d11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEgMQsgg.bat
Filesize
4B

MD5
a8bd6d56bcc28f6c140c7dcf642571f2

SHA1
4e2f48a6bdb035ce35a7d20984a6cd87ea05891f

SHA256
812ef468a3aef7bcc2ce00df7113041124e5f1e10a3193143c9d941762605eb1

SHA512
eb41711bdfd42f36d1ba9567a16e996a2c55f7f0001215e1bc39119d2f63915ed4cc2bac6750dd59fc44a60595d9eb4181ca0c0e0f0aa9bdf9d458af5c4a3d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaIwMcco.bat
Filesize
4B

MD5
46c19680aafae8a43e193c90beeb4daf

SHA1
530610ec1e929b4e5a820f4cf0aa53f2a4dfffa8

SHA256
e5506aa9e24ab2d9dee34bc45d5392915e55f9628b39f121af87dd0b31b41c12

SHA512
ed8b0b61cb04243f8cd8120430143c5c90ee1c8bb23ea59bdd4c7603d6314b942129c317ff7743f380b920aeb2f25577344217a217ab75dbb559fa6cf6cf5395

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeoUsAYo.bat
Filesize
4B

MD5
7fa0f16f69d1561f0785b442e8419796

SHA1
b3a17e8ad9e6e2a9d0f76a5f011b5a4fe5c75ae2

SHA256
af8d420751c96db1e12174f557073f89bdfab52626d6054f05216394c63a3fbd

SHA512
7159c54b00c73e0f1076caef69a304d4819896ea37d53ce798d319cb0fddf534bd58da9b9f459de168dc84397093e9844bbfcb983ccf2a8372eefda9eb640619

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmAUAMcY.bat
Filesize
4B

MD5
084a5b7d5f5dc67efd9d401bb82b506a

SHA1
9b07702090236c4f73a17d2d6c7a6dc782d9da95

SHA256
82feafc673a2cb2f6698426f53769fdb9e0919ed4139d98351b43ca4ec4b82e4

SHA512
e9aaeced3982d26d17c7148b0f39714484e9de4be86803e91e8c551b4281105f7383df79f8df3bf367388f9af2f8c14932056ce8d637c7fc9ed2b5ac8ee7cf15

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqoscAoQ.bat
Filesize
4B

MD5
9ccc806995fc2ea70ba13adaea50b0ba

SHA1
cb3db11b8190852a779efb4c388361ce7cc8405c

SHA256
977c1cfa041ae7ffd24afb0edb5b2f2a212bca59af55466c2c5368092b46a482

SHA512
dca4226eeb515b0847f0290d23be741e80be9f250c98153c6dc5df056b38db965192312f8c8a9df4f551b04d18ee026467a4d29d5baaf51f5a573af7f794f016

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwQUwQgY.bat
Filesize
4B

MD5
df2b7491cb54ef61cd735a9023f2cd8c

SHA1
88f2ec06f7a809d814d486f088e36e8f912180e8

SHA256
021296cfc0e7f3af84471f5fe3a7dfe49198f8f13022513d66f8d6cd31ed73fb

SHA512
eef28aba3812237bfe5e81303d706e834a1a296e72fac0441197b156ca7a0411519c00045c21a9b12ca081adf64d9173617d8f395a9fdd92ebc53f99c11a1243

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIok.exe
Filesize
247KB

MD5
a670fa3a2d562fd65774102e04d6b8d1

SHA1
b6ee6357e35a35c03f4850f2cd7715e1fb2972b6

SHA256
a7ba8445807de8305def682e23e3aeb771b049f58342a7ecea46b262a9e8abb7

SHA512
e44940ce0b032e64d14ca000c4e4c8e1311e49a86480e4c34a8035de656772c5ad244427f246c9b55dff6db4403804ef1c1acb137acaa4cc6b84d846c88af3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kScMwAQU.bat
Filesize
4B

MD5
79e19fec95c517f40530198315a743f9

SHA1
b3ff4fb8d50d9c3e9c385cc46ac1ecf6be892767

SHA256
1464ab2947ee8f245409537fb54ffa88de900d3cfe1a206cab6c4a203be5061b

SHA512
421d0183c0e2197651428f4baabfe29c1c99b5a565b3379323c6e390528f7f056ce88a9f493e6689e91bc86af06ad38c5150342dabe04ffe9521506e496b2761

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUgQ.exe
Filesize
2.7MB

MD5
3ed372cd4ea5ba2df50cc0e2a67c4471

SHA1
e45dfcb0d2ba3bee5431774504dfaefd177e0828

SHA256
3b8fe07116a7855e99a9b38c9615f3f6014e49931e4530d60ab1bd271905ca4f

SHA512
6e0ed8e14ea87faca41bfffc0a7bab290f8e1452351b6ac22fc52839fe7d30c0e2e9d88d21f15821b138434b4e1b2c1770be312d1102da3bf294d96b8b11ae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksQa.exe
Filesize
236KB

MD5
630f5a08e116088d83171cbe61367473

SHA1
2673360e9354b558f95e655927893bfa463c3056

SHA256
8037a80ad6b0d7ae181ca845420f67cd89b4da9b07403a0c7f0c47b71206dad9

SHA512
8a065a40a0ee98a3ea026445e89f635644ce5de410a4a05f5781e6bf0d74f10577d774d133736ad95a28a0ebfe937585acd673eb7b09a65a7ed1008ca5862177

Download Submit
C:\Users\Admin\AppData\Local\Temp\lGQskcoY.bat
Filesize
4B

MD5
55c66b1f7b9abec9bc03ce5549344a64

SHA1
d80c12a32d926d13725b6b774817cc2b860bacc6

SHA256
3fe3aa4a39701b619ea8203154111e5e8f0e1c8fd6aff15c7e2762457a579388

SHA512
6c593a37f4e708ddda33798d72910afdadf28f20db9fb5dc393aaca5f6b1b54fdf6fc2aa9eee543f6c725431a9a8771530d6a2bdd540e3eadc119c4dd9d6a960

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYsggYcQ.bat
Filesize
4B

MD5
2417f189a776d650e48420f359f78043

SHA1
f1850b9d07f0a98566ec29f8cc9fca53b40d992e

SHA256
832b537809cc1fa0be935953af5a017105b4126af6446157f67b28731a040312

SHA512
5beea8432203b4d3b2f4ee34cdd814667f86251c2d374f05453c1447bbfa26479ed7e39c830e9ecba378deb0e9c7fa8cdce901d750ff27cbf82bad6bd7137b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\liYkwwMc.bat
Filesize
4B

MD5
38d5b2b0fede38c67eb6bc975c240206

SHA1
74f64f1d38145367790caf4d06542b709ab99e8a

SHA256
c3d442abe5626a7c8e2c610485143a0b5ffe68ae3c3ee99f310c09a074e3b03f

SHA512
7ab96d74cb6af4bf6652702e79015fbc409c793cf4e13d0fe6118d171b27659b9e992d7182604d041503cefd93f1e924216da1b0b827a57ea5126cf5aff1f5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAUe.exe
Filesize
226KB

MD5
f155d2aa393d7f6407a0f0d408685cad

SHA1
48e4bc1279ab74135b8cb802baf6f954b980f510

SHA256
e4c9c0fa5b3f0da73dfeaa55ee6c4a75bdace8acadf43746d5517ae066e689cf

SHA512
d23b54a49ed0d68e70673052f3b8985535b6bc408347b937a4ef9322aa1e40df4063998dad0cfcfbe9aa5d6d578d7557cf11150a11a2570e10f2d39940a70962

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEwC.exe
Filesize
300KB

MD5
95b463dadedf9ea1c867a693c37ea872

SHA1
ce474d62430269a68ab10f8c308aa297884fe5d0

SHA256
d8e92051212e76223e8c64674657bd446b4738d5444cc7c0f5ee834225de3ada

SHA512
2f35d5392b99e8541430431ea4db4da78e8eb19d40269d48763664d3158c21e0c5e6cb2a55694b57a265a3f559837d64cd71f861c38a00f2e788edfd0d091a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEwG.exe
Filesize
199KB

MD5
8caff896fcf44bc1559d6e3cb6a04761

SHA1
7be556f47a47556fddf109359de184846927aac1

SHA256
024e823e8cb1a54e29b959de2e7aff8d25e0acc6f85da14554b06f36192bf6e1

SHA512
053141ceb77f6589efbe650cf040aaac05ed0b8e8dc9f9008a87543eefcb136dbf568c323cbfb918e27bbef9af515e745fd627b09c8c1281b580f56642889688

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMkk.exe
Filesize
636KB

MD5
3855247b203daf2e53c1e48391965b86

SHA1
f5bc1f57b4fa2a21240189b059edb157747a3187

SHA256
012008610b445b0d2388c46f1851eb1434e5d3402839ee07421abd17e67af33f

SHA512
c8aaeec620b9e07446dfcf7eed663341b87eaf3610a9219de9b64e483ba7d432242d8413fe0af81cf369effe552946b3a3c246ae48632b598bfcc729330083c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mocI.exe
Filesize
239KB

MD5
54f9a3f11740aafeed1309132a8911c1

SHA1
fe8e9a11033e608dfb668bd917c0cfbf9937c8c0

SHA256
cd6d44eb5cb475b66f444e4a44dbbda49cd04218fa1731ecd111f257516acea3

SHA512
57270d459ed2bf09946f945bf2a00cc0b6fa27357752357b52da2828e07016562cf594a9887a07b84078da5c894af156f362faf0b273b5cd5475cef9dc29d55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\muAMoscM.bat
Filesize
4B

MD5
bfbd5d78acd1ca75731015ed6c7f329e

SHA1
110fa7d26ec444aab0545b3a87896bea31a7ee03

SHA256
201278907f35d7c5dd938a7f5c16ac48867c20ac593840563e5c7cb99887ba2a

SHA512
03f9cc0bdfb132ae3af04e0c50f07a9b2842aa26dff82f44716cf8c5616842597853d7edae90d88b48ba47bc143f1d31cd9b876ff9835f0c97e9a90a854a8a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQUK.exe
Filesize
246KB

MD5
a641af7f112753dfb1115229320098b1

SHA1
01eb271f23853258a60a8e484f85b0334e857491

SHA256
0c57fe48047ff3eae6d9f5aa6357f4d1308847425365aa9d47bebc7967aaf975

SHA512
12f21bb84a4501dcee33965f6a4bc27374750f879e9eedff67227e3a851d4613e624e3e7e7e8a5a5ec630d1d39af4533bd62b4d31483d23eca4e12a9b1a28d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYIowEsQ.bat
Filesize
4B

MD5
c92eab8b4b6c00def7541e59caf7539b

SHA1
4f0a9c13680e1b5edea5e3da786ba2b198c35799

SHA256
59bc11c342c03a37849d7f4659dd9c36f148e23aa073b934ff582fb525beda89

SHA512
d4f163ef5410b9ecfbe470224ed2a1f940609b3933105a2aaeb9ccd2d298de9542d8db32342bbf506acc9caac7cb7aa90b988fb4924a197035cc82a35af4aca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\owUY.exe
Filesize
198KB

MD5
06f065c69e64f22ed7af83524aa11694

SHA1
f6fb2c7b19273da74b176a14c3dbd019e9ca935f

SHA256
dce3a35eec700995158ad820e217e3f533e6318eb6db760484dcc2b18cbc6cf3

SHA512
1b70cf009b9db57c6960aaa74dd58f049a7ceefff9494d3b77e036ba826070dd14ba726b8db8b7e63edc350f780ac43dbb690f3bf9da76f4068a9c8382f68aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pWQoUMoo.bat
Filesize
4B

MD5
4d60187bcb556eb0d39778380a6f8af0

SHA1
643a478711ef2cb82db6fa1fc34b9b9fbb6ceed6

SHA256
067bae8390c6d914015533bb5f817c676f8d2961e8265b9ccdb518783ee178a7

SHA512
af5e55d3cb7b5f4ddb8a04fb48b90c6b9009a1f2c2dfd2159110b249758f355397dab234bd8bf9173403e1cf745a28661cccba149905d627fedf1f3cc91af096

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEMMEYgg.bat
Filesize
4B

MD5
d33a9b719eb15f5efd03e337adcf84ef

SHA1
4a01570f9a2d1bec78a4f1100d10ef34905d9551

SHA256
f36a909e27f6985da6fe629529d854f7cbf5ee107ad2b27ac0e4a5c210fbbac4

SHA512
2d8f3485506f399fc735ff9cf7f548bd559600c72336107ac0672f367dfdeca46688be95df225ad3089582447ec9fdc0feb2408c9a9b4bda80a79c82ff77083e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEwm.exe
Filesize
246KB

MD5
efb60e8efb684e041ff2709e0c52bc4c

SHA1
d3f51735cdba9af97d7e0b6d97246ecd17cb7473

SHA256
64f2b2efe72d871c9ddf9226a93b649afa11faff4c2fb9c0dc75cffbc943394e

SHA512
7b61d01982eff3292d2cc575e44bc9360d14b7f57928d437d434b390b18c7f71c468ca280acd2c78f673125ada5ad7acc1b95fcee244fe7aa34da8ebceaa9ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQcg.exe
Filesize
1.9MB

MD5
3dff539220bf9588791b2c1acbdd452f

SHA1
a77a2d66de17421ebaa57d59f6a41d5508e62ea1

SHA256
afe1dacb5b63a6ca5a2675d443bae0b6cea9ba8b9660cc6650c453dd4c050016

SHA512
9cf71f96d2ae04b1aa2df4a42405bd932102ec7d2f1a2160d9eb0dbfcea34c7825b9cda70e88fd7c37621d2367266db9395403ffe3073a07bb7aed054dd641a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeUwMkwU.bat
Filesize
4B

MD5
6347f3e8b71b22de2c7d6f830019bb6e

SHA1
a1471b1e5a68f17077b8fc3d01e184f501d11c74

SHA256
726eacead3c9a50048cfd5b5ce97a69d884984cf4e794938a8829f2744b67170

SHA512
00dd541e8bb382913a76e9e09c631f2e0460fd58833b7b8ee00f200fcc5e754e11e95e029b110fca9354ffdf12b2f5bdb686d14b0fd32c4d552bf2a6ab1fac84

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkEs.exe
Filesize
235KB

MD5
aeb0c9c7dc4749ffb8ac125bb68f175c

SHA1
6110cea2f27cf68dda2ce51b92439afaead4da1e

SHA256
e6fd5c42b1ad852f0bb0fc6ca60fc1ab96bd44447287f25fa97d314ebb52d789

SHA512
535f788b8e296b1e672b5216a5a6648e02f347b2192acc628c4e76bb2ce0bf266a19c2e84ebfe267a792fa5f2c1ff67d95d58184c52a0220de99d887477093f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsAA.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwAa.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\rWEEoAEI.bat
Filesize
4B

MD5
495b1bbc5ef61b69c917d525dce53d8e

SHA1
06d68482e2354db440862c0cdb165cc702df8c8f

SHA256
59275058314c265c5853b8a15346b0fa1e40cba7ef60c0862eed9ecc3391e800

SHA512
74c168bcd36c07d14a58686b7251b4517b9706e3788c4a802f768b8e735cb8371a8c2f1625c8137a463010cbe7231f5f6ba8fd9529d667198b0919b3cacc85d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruwYccow.bat
Filesize
4B

MD5
60de57fc6b1a7283e76246f6e3dd638a

SHA1
9d7bebd317bf4b604b45b93fcbe31c6adc9b9882

SHA256
75c5121471acd04313e81746e3be736c6facec834369922d0f2b359eac8da59d

SHA512
7501a4716a19a110b295d49d65a0fff80ea0224dc0fd1626c5612fc62f41ff78611672789399e62728f2f8b4ec1308b96394d3e30506e3c215e0850836b4a7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEUc.exe
Filesize
1.4MB

MD5
de1ac2e7aeaa49d518472ddc595e8a1f

SHA1
232411784787b0df8baee8e16301ffd1874c5a62

SHA256
ccd40b5b758c88efa5c6d827e354f71cbb2c62cf8e9f3a7adc00d5d6a124b8fc

SHA512
ef2c8f36b41264d12dea03df90b8f88e62c539b6077b1d37bee53019523ceb7d89c91b59181cd6840dbf20d07b07be1ea337f7b46a40b24aae9c0d2aaad5664e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEka.exe
Filesize
246KB

MD5
8ddfde45d01f6c158264c4aee3f60397

SHA1
829ac0011d4b81994e8ba2ff6290671b393a2cb5

SHA256
ef335736f7fee79b4b9b6d03f967dae924b20f5fc20d9ca3cfc48d6cbc0e8581

SHA512
1f455e7c9634524eca71fccf72f43bdbd6d0103614424742e3202f3145af5585c3bd05d33c9f6a054b13998c832e29d65b54ef33f3a4b44c5170200fb93f0406

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEou.exe
Filesize
2.0MB

MD5
3cd3d15e4582361710363baae6506d90

SHA1
0577f6d184d911eb622a91960d3829d840b87a95

SHA256
9affe8a9a61b12b5052842a1321373b03eacbf004374808d2b7e9e590257e1e4

SHA512
9e3af658cd049e3f359186d16ad4e10dddaf05f371a586a5ed371716bc0592614efc2ee1ec1bbbfe3cc824ca4146ab1070bad9291b0db46efe51d1233e77d400

Download Submit
C:\Users\Admin\AppData\Local\Temp\sOgsYcck.bat
Filesize
4B

MD5
db27b6eccace0d918b4ebc606ce33f9f

SHA1
9966d10f8d772e50122738046b54481d435f3f1a

SHA256
5425496309fb4553523a7a4d4e1da616ed2c1fbb4c2bef34fd2c0b16e1119284

SHA512
1b24fc52d21937a3b287c904831229a78e29cafd1e685303579c01e42b991eee595b34c7e6202a5c42ad9c051dfccd3dc27c1c42a0917046dd6841b502ec222f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYAG.exe
Filesize
252KB

MD5
5001a2189d257c3011302822e29c809e

SHA1
773f71c3aa278d272e65c47c56f24a1ffcb34181

SHA256
9b705aacd494ce1aee89d22e83543e557c4af0cab698d17de9f9d302729b3630

SHA512
41a0946fcb4db0f855a3793004b99c54dd97cd525f46d6ed92afbfff707db79c8792305bb16d7941602cdcf585e2cd905028c8994092fe6b1839e7dbd204f975

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYswQAkI.bat
Filesize
4B

MD5
7ac00af29b299f7e95806c260b788072

SHA1
d5a91dfb2d5f6238e429518d4bb04b365a57def5

SHA256
8bd22f30d5bf68b2ea8f61a1de6ab70749cebc84b0d8575e557e78afb410d61a

SHA512
206d2dc361b582aa48ef85f418e0960859236ce1923884d3c6180190ec39521f1da43f2925f04071d931e85fe47b8b3abb29bdc636b9433f2f905d2222fef47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgkA.exe
Filesize
317KB

MD5
6a9c1b717a79b10317a495b962342213

SHA1
74155ece72e50eef4917fdda2a071f12a104e2e9

SHA256
4482429f93f873ad364fd4816cd464a06545479ffe2d3fe6e69b0ffe33ffbe1b

SHA512
25b71755b842ee29895dd8ced41be056247822efa94b5f0b698da907b9de442db26119698a49aa56bcbe1de728a0c7c2a7821f2d3ab5b1975ac6d65b17355f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgswsYwU.bat
Filesize
4B

MD5
e3c7d0d65e96493205b49e7697f0af5d

SHA1
d7f78cbe3e9eb9c86c0a55ad5be6c90ac127451d

SHA256
c9d7f9e89bc99c571aeb90e499a79269d64122e6065b181b58193dd4705d0878

SHA512
7315ac8f748bc086c0eb5c226c48d83fafef39c4495d84b0a63bc3b77b705c1b91940a235fde5a7fa05416eb6f327e70590dfab9f5cbd4681ae817ce67713e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sykAIEQg.bat
Filesize
4B

MD5
a5aa00a00d602c842b3632acbd5e2e94

SHA1
0d47d86fdba33473041a0418b795ee3b86723dbe

SHA256
3a98cd88897291effc2facb3ad38e06f74ba722ed999d0a4c3e4f4462c376e0a

SHA512
018f828f0241c2c2b222f9e30748077b206766959275ec0ff632573a875bee473ee015c57aa7d4933a55a95097d14b0a0c6da77d34bc859b797bef1a13d510dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAkgQUws.bat
Filesize
4B

MD5
045fee4c7143d6bacf482efc1cbb73a1

SHA1
687371170099c9cced57b90ec95dba6d3da923fd

SHA256
32da83626668d42e89fb148adad08a0161d5389f4b57b355549c9cb2ebf898e3

SHA512
075ee1645c2051811c6bb90a908bc1e53a97046b7d8fd4cfd93ac9b92e2a9de0581fce79885d9dc2a6424662ba1ff2d90583bd4340b39330dc00266d2a1fc383

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMIMYMwA.bat
Filesize
4B

MD5
f626b00493de290248d3a4262312ef58

SHA1
595ed8581721320dd8b2a6b07ae2f81e95e0c125

SHA256
74068983f9332a2e29e065a974c466cc9c606329846ad67202b1c666572f945d

SHA512
2a094e47207d02bca6ca7930300828b302392d307fe04cf078b8132d013e1f1841b1384bc8851a893b70b89d35d8c3a2f224df8b746bf2758b5fd62b6746cef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgYAgIAE.bat
Filesize
4B

MD5
35398fe0e4ff8f3cca11a620845900f9

SHA1
33cd85947c771bd727ea3019420e0a47edd62813

SHA256
497394d413bbfefe4230392f7581801cd57a45dbe953f9276eab3a04354b1918

SHA512
57e1afa8a4f4a07f00866f5ae25d4019bd7587bbb8509adc2131bd4a957740b476e2b8cb195415d7a45c5300c1e556c5a68aee83cbfb2ef7efdc31cf751a54e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgwEQkYs.bat
Filesize
4B

MD5
13e16853c9de112a18f0c37da740eb65

SHA1
47e02328ba46127b3891e31fc322e54462fa0693

SHA256
0dbd5e92b5b11518988bb054a3271d164899fe0fc1c96307a75e7e3b54327c6a

SHA512
33b1fd450fdd5f3db165bc4c5a28431cfbdb1b45c6bf732c08a17397bd29539a090b68786ade3563bf50a5f9e790310566748b2f19328a234e741095e41b2620

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqYwowoM.bat
Filesize
4B

MD5
2ffb0aaed226eda976f82533851797f4

SHA1
0f98719988a05108102241afe1f079c6010f1d9e

SHA256
15503079c3ce02c9767f73b2112de2b9b5ca4ced7039bd766e843c33d79b1e14

SHA512
8102d408046f3ab4c6ecf2183f06d2d7aabb7158e80ec2b3dbc0ea49c20127fd7145d39e9394f59cf41354640d3c13a5e89fde80e94a9d2994983f161089b35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAcE.ico
Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIgq.exe
Filesize
234KB

MD5
420f83ce8443356bd9f3277bb7aabaf1

SHA1
c2ab5de8c694fe39af023da4a5138b4598f041ab

SHA256
9035f8291af85956f0cc9435335bf307b77eabedfd7f4ef4c3791382a026fe44

SHA512
22a53238c3ca1f93ca4ec1c9d0ccb81bd74957f842d43362d301f66cb6d5e6011fb4a397d9f3f4a65510129ceeea79f1061296bdc192296b59f3d460347ac1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUUK.exe
Filesize
186KB

MD5
086b729f146990a224a92b402475701a

SHA1
22e3ddc90a5fe8178960d3a0bb254aa7e78f0dff

SHA256
5ca383bc362129251108a543e44fc91194f805e8fda431e3d9774bd687bfdfbc

SHA512
ad4956b50f3291f888a716e4cf3a734f6520bbd4f38af5e13b7d0f53397183990a535c96631e1033f7b4b87c5d65d9302c662e3209dc6eb1dc5bac2cd4217d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucwi.exe
Filesize
239KB

MD5
badf54a4c7b9928952d5c69b7e22c2e0

SHA1
0d40129bbb4d656a192a0ac78f6a87ac5b4667ea

SHA256
7c1a267c1563530c0178cf5f803833404ebc6b74a3b75d7fd392b24c72e469cf

SHA512
53c48417c036825e23fe74ea377d99fa35e443bd3592c45fafb300df5eb7bcfd7b8748684afe65246b737f5a762980513caecf5ed0ce3a3697bc72fa0abda83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqEAQUoQ.bat
Filesize
4B

MD5
8a858c5404db278c037a0694ad57baaa

SHA1
6dbc73c470d851ec0a993a79fe53587fac265db9

SHA256
7db0ad67bda306432aa491378c1c7555c892e852f9057cc390f29d6854dbc7f1

SHA512
738b5e089ae3a9e6f37bccd584d14f49eb47f2fb4ff9124cb2ca44db274fe1a904ea5a53fe46565af21359ebf71f0f9ca703a2737284761aac3b16820f3f61bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqIkYEkc.bat
Filesize
4B

MD5
dc949cad3fdce67e33d9101d2efc2912

SHA1
a087b8d9ee4340f980b1e08e237026eee2d9d64f

SHA256
4f632f5238004dd7cff7114974cc39d2ab6b90a988b5c28e9dc4d98814ca5a14

SHA512
1b22e8e963b9eeb3db2222b7e8f17690dc8f28c474468f18e3f00fa4f689c325cd22c26bdf79c54f54f5ad70768165899d8fb66354c532b3a0043f8c1673ed16

Download Submit
C:\Users\Admin\AppData\Local\Temp\usMg.exe
Filesize
228KB

MD5
399637c52da01fe1fa0a875340982570

SHA1
0299a95439c1fb056665f764a43f49edabbf555b

SHA256
43e913940162472faad373a591ca002f5e2e030fac04af85b9e60d3b5c3cd9d5

SHA512
5516f7fa7952b7370b4cafc4991fe97e1ff65c7ba39105e1b01a40cab33bcf3230fc7e917e1ff1a88d4b8df0299feba5a41a087f8d5de4b55ea2242399106300

Download Submit
C:\Users\Admin\AppData\Local\Temp\usgwwssE.bat
Filesize
4B

MD5
acba38f4b41203088a0e768aff17905d

SHA1
708f5a1f5a9eebf00187ccced82a39a3c26aa1fe

SHA256
6c38bdcfbe2991345221022d6e4736b3040aff756d42d4e1ad15425b5c834b41

SHA512
eb305a6afc9615ddf8391d826fbf1356c4439b5189005562cbbeec41c4c496d674b6a8c6788c59cb449a8e3a0d4a9eda1f233d3f8b3a9d303bf007aab3ca353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyEsEMAg.bat
Filesize
4B

MD5
1026bc082ea78c6882eaec3535cc7047

SHA1
d0bb2f4a6a2b75410b412b98e03069a4c1635f5b

SHA256
efa17c0816431508ef000c72786c57d39ea2e6f1d0224846c2c3399d4532da8f

SHA512
b8cee08560d4a9029d31c49c1d8c17e5bd0e26417586839b12a9175b08ab1cdea3c8c94255ac34b1799250b5aa320e51f7536071b7406192a9264780d681a120

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqYAQQkw.bat
Filesize
4B

MD5
1a1210e8e9ef5217903697c0ec0cb3d1

SHA1
e64ff5501c45a57ceb52eae9712d453944f1c3df

SHA256
31a1af4f2baa8dbf84275fb012068b07c827bc5e03e7e25fe4fafb2f18117691

SHA512
bc11ed57f830cb72f8afeec63d098270a2ddbd328ee7736c0aca7cc6fc192529df517ad0b69dedcd8b0b92a1ffacb57119438eb9a34929ae74f32b29e9f05933

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyQQcsUY.bat
Filesize
4B

MD5
bdd9eac3d6afaffbf3cfd11cb76cfd96

SHA1
83edff7e58145453f408e95d74b10b3d702ccb7e

SHA256
389cfe2b5bb7691b333eb3686db3653b6402dedbf72bd9f782550f3244f75ddc

SHA512
4329588c2b8f3d159e2e8bd7a8a0e7aef586191a2c30ec47c241f548dad9abae3c3ba45e6186f518d5354ff2fe63a4facc262d8ee720935684459313196f9f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIsI.exe
Filesize
327KB

MD5
9cb6a2e9ca0506787b77b31aca20f63a

SHA1
6a06a293dc844b46268cf94e51470c8166dc0afa

SHA256
ad9eac7fc04bf081d9d77ed31a8efe2ca3ad85a22314d276d9a75f5561ad2cb9

SHA512
bd4e68675a765225028d0cd5ebe2ca441d080dde850946a651be7d125a54947e017989f14e582388d9d6ae0ef38203e995b588aaa356cc9c52ccb647059ebe66

Download Submit
C:\Users\Admin\AppData\Local\Temp\wWcEYgMg.bat
Filesize
4B

MD5
764a8922b825527261dc7e320b666e32

SHA1
066c1e006bbd4c5906b82e24c2d061fef5b6a8b0

SHA256
8947a1f8959c11fad5606e17e348989088493dbfd5bd96c9e6b4559829edd36d

SHA512
354428294e72f24180446169d6c197bc646c7e1ca61527fb90b6ef018da1ed8266bdc274f61ee8b1d255a0868be632a6c5149150ef987ea98d3e908dbfb3c685

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmcIQkMU.bat
Filesize
4B

MD5
a89f9d2086329ba8328f72c3d9846322

SHA1
f1291d8a06d74f3cdad424880228631147a8e524

SHA256
2c1ea8806352344a3953d07396ab30d3efad30441ae28c8e1b34dd08a480f678

SHA512
041bb3e8e4ff37a0aa46e6bb563debe8f5f24161a2ea3a1ac7d628a595cc76c7370523e964144cbfa3a3236886a63c6cb5aff163b0e3bb64682384d1fd661981

Download Submit
C:\Users\Admin\AppData\Local\Temp\woYs.exe
Filesize
224KB

MD5
6c98e5be92a616ad72627217d4bba3ee

SHA1
2484ec0111096819490e548591d31dc33e18a753

SHA256
3ac758bc3fccd17a6c7357de65ef5076e3d8494012b9ef8ebfab6667e73e3753

SHA512
33805b9c379ca8514a7c3d346f867654628774ec7953f659dd390d8c1723b9df2d84154ce6e8529800b89263cc96f82a8aeb25034d21dcabbaeb2f030397aadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wskQ.exe
Filesize
644KB

MD5
add35fe6ce0488ce6e51feb1e3cd4d1c

SHA1
f6bc64ecf41c3fc073e5ac353c0dded6e3b74cac

SHA256
6764264781e68dc6290107e3db3bb834d8175d3d96ac9cdefe46d347c4259a74

SHA512
05193901a85dcf6120f7ef38a9a3f65b8f76cdedcfdc2dfeb6bab08417814614fc74be61d534a52af51f80af267d949ef3b158da2e8e9f738c35d17cb120220b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwAI.exe
Filesize
238KB

MD5
9268b8d1a5926220b5d224fcb46e95d2

SHA1
79779108ee3b7107a9dde2a18831e753eca5c126

SHA256
d7b039cf82a908eb8c8551d9560e6b419f9adb57945a5ffe2e403a3e70f98b8d

SHA512
ba60b744b42e83fd1277d3b3e264c13d738d9792c535aa22807ee4fd3a08b109ea15e297fd2d7c3c5d739ebb2fd4faf41fb8754d469ceb12e1c8d08bba0b25f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwcQ.exe
Filesize
205KB

MD5
d111fd96f055912956c87bed0e9335d5

SHA1
ff3537cf576aa1f496630c480907026f8283bfd4

SHA256
838e011282d9e90b49e4d886099262cd22bb79c364bd0b2cf8b36658c3bb8559

SHA512
b4b41b3e76b54210c7b9df4ebef07dfd2514e0b771a15c56bb59ecdb0dbea94d3116ecfa7e9976b5c3adb28e46ff16057432d64a968efcdef7df5b1eda743354

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEIQAYkY.bat
Filesize
4B

MD5
6e9aabc19fb5a6e5e7012f94a3b9e046

SHA1
55884efae77d0302ae9db8cb5f90477eb03d1394

SHA256
d4284aaa90b4977d4153c9fe5b6ab0e5cca5a80a479caa45d88a9492568f3f4f

SHA512
0cecdeedb9b7fdc953d9bb942c2144dfd016fab693f6c0e19b00c38f2ca20234f26ae51ff7afb6d39d07d0f520ee44bd51c2a7160c65164b167eb01655eb0eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIcA.exe
Filesize
4.8MB

MD5
e76898282007499e94fc28532f348ef5

SHA1
4666dc0fdf1ad20af667d51462e7bc701407610c

SHA256
2031175d9196c78b12d132f07a1041088cb9685459517e8815357fb8c923a2e2

SHA512
582b262a9953d7147fc7e71429e28d333219d617dc54c64c690890b28c162f04242ea266af3d33f65b340655fa93a1e7ee9c78a9e94e75da196434c33da3d8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMEe.exe
Filesize
244KB

MD5
30df7a350e795582ebe2f6776b009434

SHA1
95ecc115551d41617707b683dc88808346f49834

SHA256
a843f6826fb3e5de20c0fb96307955c71daffc18ed11443403dbcb705ad4cd37

SHA512
df35350b59d31e08415a70c36cc805bb87086529bb3f95748e2f4862e095d2c67c0b6aef6b405fd261fc2b6380507c096430040507c712b8713b7f206b4634dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUom.exe
Filesize
246KB

MD5
c5304430ded00289a4fff1b3ba30664a

SHA1
d2a369a0301d5107347c6586491795b91db00e44

SHA256
a2fc43dbd109a9a125e76cc64f059ef8e9a8100f84c3c430e86e44d220e3a707

SHA512
42ba81edce2e626d2f12b76eb780d2afd2de7faee36e2481863bd6713c408e3bbf8932d2cee09170b22b1ed1e4847827db6ab3ea577fb065a920d203df45453e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygkS.exe
Filesize
234KB

MD5
7fb7cea43f519d72d591ab79d5f2c5b1

SHA1
bef150bd76a885756f1fa046b0553fede943cbe0

SHA256
054d46d03af6f7124836e0c4cf6dbce76c2ce36bb0ac7eb9c7fe4fcc130dd168

SHA512
8bb5658a28350b42c45f863ee60457f8fec1d47ca48ea4507a8670dc78e1310c2ba1fc9beae4d603297562511f43fc190a178ca37a6d8aa602042b6ec5abdd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykom.exe
Filesize
470KB

MD5
5ca4048300b1bb72e370db8858ade84d

SHA1
ebce0b5074537e9144da2a7d3dabf6058a032136

SHA256
d16936e540c7d56507eda9caeba834cac906526b995de313374c02bd3c05ce17

SHA512
c4b66d99150ec4b79c575202344aea0fc5605bc82a672b8807cb9ea4d1b241efe8a5d828c6cecd5112cc5c295e7349b34b55ea2b2356307891bed98b1a143db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymcQUQcA.bat
Filesize
4B

MD5
12d35295ffd7f21b75c031dbcebd971e

SHA1
30a2acb0ada9ecec289db8a68c1f156cc0a61281

SHA256
3c7cc070360693fb3a82363a9d809857e7bd7cb34e5c40054a4c46c69bdff401

SHA512
8a45a7b64bed654434e1257d2a199272a0a49f76c3f6287f5299ad1effc3b67980a8262f800df2a6fffb40ffc0fccb215e0b0f8ff8a0597e391218a1c611e796

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywgg.exe
Filesize
207KB

MD5
a5556afb23ac5e56bbc5e00460d0e00b

SHA1
d9a102b34812cf445c4d372dc86a10552610521e

SHA256
625f2a6648e3ca11af0c74d7698174e1c521e1c57504ef0359bdb22442599cf2

SHA512
a2119d47a84286604592d97378e7dfd49c63f2109339b5ecfaabb348d524902f687e801b8b394120b2a3068779575cde23ea999c1037953d0089465ad4f9c292

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGIwYUsQ.bat
Filesize
4B

MD5
d34ba53f8646ea70ec9fc10df435214a

SHA1
5b51da1dd3d4e8ee6910d16a5f0fce736c7d4f4d

SHA256
79f9c713317d1af9179a4b714ee9e8d65c534e7be4a6c4e58155e199fcbcfde1

SHA512
68ecd1b679572a25ca2eb2d51773742fc6e88bbe7d7c27020f45496dc0034ac57ea569441c60ff6e7caf50068ef1df467aad5dab9bfbbc4cb205442b39bd8ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOkYwUsY.bat
Filesize
4B

MD5
c878453270ba5276531f611366a483ed

SHA1
510a29afca709eea3afebeeef62913ca81f3985f

SHA256
3af7ae3ab52fda0c5855d3385f1f691f156f993b746ea546d5d779f28fcb9b06

SHA512
92158641703662413c151c51b331b9997ad9863df852affb9f7937487ae3dbddd84942b6eb9c2f5b86ad67078e3af014c13a27bb5cb4d39ff5371051ca85b4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwgIwQME.bat
Filesize
4B

MD5
56717742a7396667226e29a72a954fca

SHA1
1849b702691bd9e792d8f43217cebe643aee428b

SHA256
728586c810991b232c3c00ae42390eac924f23edc2c9d004a73c7d996c2ebab7

SHA512
24d96044f20e10ce0713924be74d0b513d5b6a2a52398c7b78168778f8ebe29b0935231e24e526e2c04f5358369c2e53d199cb4aedda6805377a3ba7a04b5a08

Download Submit
C:\Users\Admin\AppData\Roaming\RequestUse.zip.exe
Filesize
905KB

MD5
da0d3ae4e8dc4103af76edfaa0636d08

SHA1
29bc8be10e2fb0ec50946d68b78bedaa664d469a

SHA256
dcc4aec648e5e1a3b6a68de10b19df959ae7279a457a04c64b44c2a2455041cc

SHA512
f968a5a3fb164848f030eaafb2a2075a85920772918655fd9fd16ac9c787b43ac9140eb26867c0e00dd25e6149c0dd46d5c42d59a66811c41e99d9bd6150ade7

Download Submit
C:\Users\Admin\Desktop\CompleteUnpublish.xls.exe
Filesize
371KB

MD5
0189dc5fb52326f32ba9a4b3346adb84

SHA1
28aed6ae5ef1704de9015b845a845bda24b8205a

SHA256
e0ed75e01a396f9a0eb4f42d267d5dfeb04dbf6d1df3f5f0be8d6da468f5baa7

SHA512
b5b07d53006c5b390987f1746768d40b67cdbc90b5ff50e1bc602670dcb5d5b1e6c5152bb515f02a1b154bc5cd2cdb49f942fec4b77e91c04f3e0b3a2f8cc2c1

Download Submit
C:\Users\Admin\Desktop\RemoveFormat.exe
Filesize
324KB

MD5
122ea63a76f5a6b31c9fb16258a20000

SHA1
1050a05a86aa087ab95eb716f9d705009f7ffdd8

SHA256
2a3bf79a0ae21c6de8ae0e8ab5a5dabbc3aa661a5f34984340c850b80ab854b3

SHA512
ad9a34859c9424a0011d6ddbd6be4750f6ec35f1f81f146799ee2edae0a9a0d91527b1efd50653d70eed3e6be0f104ae80bb8fe517df2f864ec9747dd957d688

Download Submit
C:\Users\Admin\Downloads\WatchSearch.exe
Filesize
501KB

MD5
38e6b65b99ebc8c3e1313cb0ab57b811

SHA1
d89a0dbe2670533f34e111bc81d2dea9d92bf28a

SHA256
1cec36223df15ab5452b0a07fd9eccf4544d7ee29675056429aca2002ce6b940

SHA512
8a7533fc50bce6bcde908275dc2b346e95ef29d0585b616bc5d367aafd7f0ccf52b892a17e4cd70cf2237bdc8d6007f64e8e7cacc82bc68d2f965566fa443c4a

Download Submit
C:\Users\Admin\Pictures\OpenBackup.gif.exe
Filesize
478KB

MD5
4a84cf1e113121565d88ace957dda1f8

SHA1
d81dddeba39af3b4ebdc0886c0c87834f653447d

SHA256
89988a1ed8f05d305f09d4e10151b011678da14193a45c33291e8e1030c82db1

SHA512
dc7523b46ae56b1b90553cb653b37dc315f91470355d338a50e43dc0c4108705b5ebee0b8ded6cba3367da76739e70a55626f28b368e942b30a7ba507a869d59

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe
Filesize
728KB

MD5
7302f1501fa21082e69fcb99635fce27

SHA1
004978727a8bc0958358d5cc649fdce1dc14ea50

SHA256
521e330bcdef55ed1891b44a3430ea9d77a0139969c71ed3c297e1253fad8d6c

SHA512
57a0b5bba452d2e7d1e69b205be66735632dc0e4d018ea457809163cabbf15176b914b7607d9509ffed1194d00fff555d1970d64ce24e56094f01d5136b7ed7b

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe
Filesize
945KB

MD5
c0d5bd88d963b4485e05efaabfe4ce38

SHA1
9fe1033ab25c97d8d1be050a7944c6cdcf8ab663

SHA256
19da594c9d0643ac09a3939d97011b241c3634c5ad2e08218e612e9ba53c030d

SHA512
5c8823801bffec48c48ac177b1aaa829326cf4d58f9c0fb1d609b7a701aa907581f3b23041d22c3670a363ff841281ec2747903d4556b40c812a578a645d8ee3

Download Submit
\ProgramData\nakEwEYQ\tgcsAwwM.exe
Filesize
203KB

MD5
7b7ab20c4eb7e8128cf6403c17877fae

SHA1
9331809abb429d39d9fa6bd4b9983c8abfcfa20e

SHA256
c2463083fe7396f1187c88fc189fca43a599e20b626f6dcc034979ee8e1bd61d

SHA512
4f6a0ee7ed304711ad198872044d4a5fdde6fbb3a796d97e3e80ed1f6b7dfc8982867a754396f72df312c60c6105fbd62a61d55c1a19716e09bb6dabdfd7c001

Download Submit
\Users\Admin\KIIAsMoI\xQkggQog.exe
Filesize
189KB

MD5
a6a594c1b5e8450b56a88b089bf77a37

SHA1
7770e70cdb302ded36d6561e80f45b6267e3061d

SHA256
d53a1312666ec40ca128090b740bfda0f4a7d2de6e511c181eb4c0dd909b0836

SHA512
bd8099ae67cb862932873ed4c753f3d81bfcb2cb6486732517c905ac57747881d5de69d7e928371ad4e808e5fcde7749a60530dc9f726e11df65e1d3e94be87d

Download Submit
memory/280-292-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/280-293-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/328-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/328-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/328-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/328-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/352-621-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/352-591-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-104-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/540-103-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/668-436-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/668-435-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/788-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/788-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-411-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/992-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-600-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-413-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/1228-577-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1228-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1280-67-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1300-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1300-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-632-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1444-631-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1460-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1460-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1504-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1504-80-0x00000000005B0000-0x00000000005E5000-memory.dmp

Filesize
212KB

Download
memory/1504-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1512-612-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1520-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1520-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-546-0x00000000001A0000-0x00000000001D5000-memory.dmp

Filesize
212KB

Download
memory/1532-547-0x00000000001A0000-0x00000000001D5000-memory.dmp

Filesize
212KB

Download
memory/1544-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1544-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-221-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/1612-222-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/1688-590-0x00000000001B0000-0x00000000001E5000-memory.dmp

Filesize
212KB

Download
memory/1688-589-0x00000000001B0000-0x00000000001E5000-memory.dmp

Filesize
212KB

Download
memory/1748-339-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/1904-483-0x0000000000170000-0x00000000001A5000-memory.dmp

Filesize
212KB

Download
memory/1904-484-0x0000000000170000-0x00000000001A5000-memory.dmp

Filesize
212KB

Download
memory/1980-388-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/1980-387-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/2076-245-0x0000000000430000-0x0000000000465000-memory.dmp

Filesize
212KB

Download
memory/2088-506-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-505-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2200-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2200-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-526-0x0000000000180000-0x00000000001B5000-memory.dmp

Filesize
212KB

Download
memory/2268-507-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2268-536-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2540-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-174-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2548-175-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2584-610-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-611-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2608-57-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2608-56-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2644-468-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-459-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-494-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-458-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2728-362-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2728-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2784-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2784-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-31-0x0000000000110000-0x0000000000145000-memory.dmp

Filesize
212KB

Download
memory/2828-32-0x0000000000110000-0x0000000000145000-memory.dmp

Filesize
212KB

Download
memory/2884-198-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-557-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-316-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2924-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-633-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-10-0x00000000005D0000-0x0000000000601000-memory.dmp

Filesize
196KB

Download
memory/2964-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-9-0x00000000005D0000-0x0000000000601000-memory.dmp

Filesize
196KB

Download
memory/2964-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-21-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/3008-567-0x00000000001A0000-0x00000000001D5000-memory.dmp

Filesize
212KB

Download
memory/3032-127-0x0000000000180000-0x00000000001B5000-memory.dmp

Filesize
212KB

Download